Over the weekend, we were setting up a virtual range for our upcoming class this weekend and were testing a mail server. I was connecting via telnet to the mail server when I realized it has been a while since I’ve had time to play around with SMTP. You may remember the good ole days where you could connect to pretty much any mail server (like Gmail) with telnet and spoof emails to your friends from whoever you wanted. Back then, I never realized that you could actually send attachments directly through the telnet connection. It’s not super involved, but it is not the most intuitive thing to do. So what follows is not the most practical thing ever, but it’s fun. If you ever do find a mail server with port 25 open during an engagement, you can use this to send malicious documents that will avoid most spam filters.
So first things first, we need a mail server with port 25 open. Setting up a mail server is a bit of a process and outside of the scope of this article. The same goes for setting up Outlook, so I am just going to assume you have access from this point forward. Now, let’s use Nmap to scan our range and see what our very insecure mail server looks like.
Now we will need to connect via telnet, which is simply telnet <ip address> 25. Once in, we use ehlo to kick things off:
From here, we need to set who our mail will be from. One of the fun things about this is that we can make the email come from anyone as long as we use the proper email format. This includes both real users and non-existent users. If we use a real user, the recipient can actually reply to them, and it will properly send an email back to them. So we use mail from: <email> to set who the email will be from and then rcpt to: <email> to set who we are sending it to.
Story Time: I once knew a guy that tried to spoof an email from a 3-star general to his buddy to mess with him because he was taking the general’s daughter out on a date. Well, they screwed up their friend’s email address and the email bounced back to the general… so heed the cautionary tale and triple check your recipient’s email spelling.
The next step is to start building out the email. We use data to enter the next part of building the email. We add the subject by typing Subject: <Subject> and hitting enter. From here, if we leave a blank line between the subject and what we type next, we will enter the body of the email. This would let us send just a plain-text email, which until this weekend was all I had ever done when playing with telnet. However, if we think about it, we send attachments using SMTP all the time. So how do we do that?
It turns out that it’s pretty simple. We just need to add some MIME headers and add the file as a base64 encoded string. Some quick googling on how to send an email with an attachment through telnet got me to this article, but they are sending a JPG and I figured that we would need different headers to send a macro-enabled document. I did 10 minutes of googling and couldn’t find a good list of MIME headers for different types of files (if anyone knows of one please comment and leave a link for everyone). Instead, I decided to just send myself an email with Gmail and inspect the headers.
There are a bunch of different sections, but based on that linked article, we know that each of those long strings of numbers basically acts as a section delimiter (the MIME boundary). For what we are trying to accomplish, we only care about what is in the box above. So now we have the headers we need and add them to our email in telnet.
Now we just need to add the base64-encoded file. Luckily this is really easy with Kali Linux. For our payload, I built a malicious macro using Empire. Our Introduction to Sandbox Evasion and AMSI Bypasses workshop slides have a walkthrough on how to do that starting on slide 92, or you can watch the recording on YouTube. Just a word of warning, Microsoft has gotten pretty good/strict on what they consider a malicious macro. So it can be a pain to get one built that gets past AV nowadays. Once you have the file on your Kali box, it’s as simple as running base64 <file> and it will dump the base64 of the file to the command line.
Now we just need to cut and paste it into our telnet session. Just make sure you have an empty line between the last MIME header and the base64 text.
Finally, we just have to add the last string that we copied from the Gmail email (the closing boundary) to the bottom, again ensuring that there is an empty line between it and the base64-encoded text. Then we hit enter, type a single period (.) on a line by itself, hit enter again, and our email is on its way! When it reaches the target, it will look like any other attachment, and when it is opened, we will get a call back to our C2 server.
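From the receiving side, the same structure is what a mail gateway has to pick apart. The following Python is an added defensive illustration, not code from the original post: it parses a constructed message of the kind assembled above (headers, MIME boundary, base64 attachment, closing boundary) and flags attachments that look macro-enabled. The addresses, boundary and attachment bytes are all made up.

```python
import base64
import email
from email import policy

# Constructed stand-in for the DATA section typed into the telnet session.
# The "document" is a few fake bytes shaped like an OOXML zip, not a real file.
FAKE_DOC = base64.b64encode(b"PK\x03\x04" + b"\x00" * 28 + b"word/vbaProject.bin")

SAMPLE_MESSAGE = (
    b"From: ceo@example.com\r\n"
    b"To: victim@example.com\r\n"
    b"Subject: Q2 numbers\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="000000000000abcdef"\r\n'
    b"\r\n"
    b"--000000000000abcdef\r\n"
    b'Content-Type: text/plain; charset="UTF-8"\r\n'
    b"\r\n"
    b"Please review the attached report.\r\n"
    b"--000000000000abcdef\r\n"
    b'Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="report.docm"\r\n'
    b'Content-Disposition: attachment; filename="report.docm"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + FAKE_DOC + b"\r\n"
    b"--000000000000abcdef--\r\n"
)

MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")

def find_macro_attachments(raw: bytes) -> list:
    """Return (filename, content_type, reasons) for each attachment that looks macro-enabled."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()            # already lowercased by the parser
        payload = part.get_payload(decode=True) or b""  # base64 is decoded here
        reasons = []
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append("macro-enabled extension")
        if "macroenabled" in ctype:
            reasons.append("macro-enabled content type")
        # OOXML is a zip; member names are stored in clear, so a VBA project is visible
        if payload.startswith(b"PK") and b"vbaProject.bin" in payload:
            reasons.append("OOXML archive contains vbaProject.bin")
        if reasons:
            findings.append((name, ctype, reasons))
    return findings
```

The content-type and extension checks catch the common case; the zip-member check still fires when the sender renames the file or lies in the MIME headers.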
If you are interested in checking out our class this Saturday, June 22 you can use the code: BOBBYDROPTABLES to get 50% off. We will be going through how to emulate threats tailored to customers while exploring various techniques that can be employed at each phase of the attack chain.