SMTP Relay/Forwarding

Setting up a relay mail server

I am going to set up a mail server that I will later use as an SMTP relay. First, create an Ubuntu droplet on DigitalOcean.

Install the Postfix MTA on the system:

```bash
apt-get install postfix
```

While installing postfix, I set the mail name to nodspot.com. After the installation finishes, it can be checked/changed with:

```bash
cat /etc/mailname
nodspot.com
```

DNS records

The DNS records for nodspot.com can be updated like so:

An A record pointing to the Ubuntu droplet

Testing the mail server

Once postfix and the DNS records are set up, we can test the mail server with:

```bash
telnet mail.nodspot.com 25
```

If successful, it shows something like this

We can test the mail server further by sending a real email:

```text
sendmail mantvydo@gmail.com
yolo
,
.
```

The email arrived in my inbox shortly after

...with the following headers, as expected. Note that at this point the source IP in the headers is the IP of my Ubuntu box, 206.189.221.162

```text
Delivered-To: mantvydo@gmail.com
Received: by 2002:a81:1157:0:0:0:0:0 with SMTP id 84-v6csp5026946ywr;
Tue, 2 Oct 2018 12:22:38 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62oH69fwYnfV1zg+o+jbTpjQIzIzASmjoIsXbbfvdevE0LlkY32jflNS/acOtNBXiwzxYxP
X-Received: by 2002:a62:6547:: with SMTP id z68-v6mr17716388pfb.20.1538508158395;
Tue, 02 Oct 2018 12:22:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538508158; cv=none;
d=google.com; s=arc-20160816;
b=FpEgLAICLn66cI+DDvpIsStUrReQ8fArcreT7FyS8SYcFQXFiK44HDcxwVHXCA8Xxb
fUl+3HcerQEznHZMttZ4pZIMbN18pJS08wzuZdOlhGKAA2JSTkxGd+1PhJwDe1SFTYZc
NoARSHL9opemJKg5YqZNjSTDSTfk/QqaCbq7mQL9LAwCKzanGSNR/R/28WymYrdRACOR
GSmDCVvPaUaoemIP8+GwXkfU5Gkk49+F7t9Jbg23HKKq/YOhwF3ryeOEVfn74bhtZIkM
QcUzWn5WSL0lIm0nbd2t7677/wcabOg0TCoZj1IHg+I7yLXE7+QZOYX1TguKu16oZeqt
mTIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:date:message-id;
bh=VSFU9fKoMQMmtQzPFdmefDuA+phTpwZXd9k5xGRzwRs=;
b=VZ2vHjhPUSs17PXAUDyjYzm0w5sdQYqFx7h9iirh/BF1krrl3MQg4QAgfeo0py9qZH
Xf8/9HmNe1pIgxnZiiZJeVijXeSHCIB4XkG4HYFJY2m/gQ9oZ4JSMfX/Kiw/CXEmbt71
YP5S7yQKQNkHw24XnP3WUeDDQ7XvENEfPIS+LlCVtQOPT8fM9TAWQReKz06idynolfhR
7P73wH8igwPea7586wdhSOtDYCURSMKTNVb8yP2eEPNBlP2u2jUrFImG2D2/lke4O6Iu
7zu96tCYEY9FVG11dPFheKlMjvMoL4rqPSAQ3zty4Cbi4Vy2Is6f/VF8AYZ34i0FJooj
eEkw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Return-Path: <root@nodspot.com>
Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
by mx.google.com with ESMTP id 38-v6si3160283pgr.237.2018.10.02.12.22.38
for <mantvydo@gmail.com>;
Tue, 02 Oct 2018 12:22:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) client-ip=206.189.221.162;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Received: by ubuntu-s-1vcpu-1gb-sfo2-01 (Postfix, from userid 0) id DC6DD3F156; Tue,
2 Oct 2018 19:22:37 +0000 (UTC)
Message-Id: <20181002192237.DC6DD3F156@ubuntu-s-1vcpu-1gb-sfo2-01>
Date: Tue,
2 Oct 2018 19:22:31 +0000 (UTC)
From: root <root@nodspot.com>

yolo
,
```

Setting up the source mail server

Now we need to configure the source mail server to use the mail server we set up earlier as its relay. For this I installed the postfix mail server on it as well.

Next, modify /etc/postfix/main.cf and set relayhost=nodspot.com, so that mail sent from the attacking system is first handed to the mail server at nodspot.com

Once this is configured and the postfix server restarted, we can try sending a test email from the attacking system

If you do not receive the email, make sure your relay server is not refusing connections from your attacking system. If you see the mail being deferred on the attacking system, like below, that is exactly what is happening

Once the deferral problem is resolved, we can test again and see a successful relay

This time the headers look like this

Note how this time we can see details of the originating host, such as its hostname and IP address. This is not what we want; we need to remove that information.

Removing sensitive header information in Postfix

We need to change some configuration on the relay server so that these headers are stripped from outgoing mail.

First, create a file on the server containing the regular expressions that match the headers we want to remove:

```text
#/etc/postfix/header_checks
/^Received:.*/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^Mime-Version:/ IGNORE
```

Next, modify /etc/postfix/master.cf so that it includes -o header_checks=regexp:/etc/postfix/header_checks

This makes your postfix server drop any header in outgoing mail that matches one of those regular expressions.

Save the modified configuration and reload the postfix server:

```bash
postmap /etc/postfix/header_checks
postfix reload
```

Now send the test email from the attacking system once more and check its headers again

Note how the headers that exposed the originating machine (the attacking machine) have been removed from the received email, which is exactly what we wanted:

```text
Delivered-To: mantvydo@gmail.com
Received: by 2002:a81:1157:0:0:0:0:0 with SMTP id 84-v6csp5668508ywr;
Wed, 3 Oct 2018 03:47:35 -0700 (PDT)
X-Google-Smtp-Source: ACcGV614wuffoVOsvFkTPPxCiRj0hgFwTIH7y3B4ziIaXfogLFjsoiFyYOdNVChhr+oRcL1axO+a
X-Received: by 2002:a17:902:a9cc:: with SMTP id b12-v6mr988630plr.198.1538563655360;
Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538563655; cv=none;
d=google.com; s=arc-20160816;
b=qhbzI+R3vHbkqwp2ALOEQ0ItUXU/fA1kEmYln1dBe0CmLELuIfourst4gZVYiU0tAf
sRx20Z5Vcqvv9w6s6f2gVp6crlOuoX2cSKJCn/HyRYKiDB5aVKpEYTDjQtGEBRLoL9xm
/T8+3PgV6CHy/KowoPeLugKg3t5mIh9pq+Ig8gG+VVKZcFyvUBJa9YEgBgVKcMwew8H6
x8WzIB2zyavpZLnbIi6SrtheYZAeSTMTwXRutqxZl0n4O/iZS4Y+ZVdRlYeXFXFNdtMK
JFaS1XVLR4hYXOzlQT1IC2yeQlqf+Q3FJukmkDlDTgw91ImfZa0HtQYQoo3LwKotp92Q
1HiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:date:message-id;
bh=hZH42YPrA1C1YyKkQ/LM0S6pyh9p5LGmoqE/s4CGGts=;
b=Squ71HtAuuwYHfX+4z63WcgBMoiKbcX5KAQLKwfvlnXuF5QEJNHjfX0GwekViXJIZ5
D2v03648ni6W3/b6uXVoecrtX0MZ9Z/Ck+LxcJRi16toE4QfjR6fhX5l9OSKFjgqkst3
Exk9yB1iiX8IAoIvnSaT0pQ5UzOov5Yneti3HO8QbzeCnT1/HieLwIhB/d+znryw1mTQ
jj/VBlNEGFEJhpXjS7cbQFHQEz3yGl1YTSNB3Kxp9T5a7+ncsW3pOAlfKqNYpVywSlBe
s6OUSTZ/bEwVYP3dv9aHmbpOIV6rC8uPgUlm+SKYtlj9xiR9uXTtj21IbA0F1esFx+Up
jAQw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Return-Path: <root@nodspot.com>
Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
by mx.google.com with ESMTP id y11-v6si1190446plg.237.2018.10.03.03.47.35
for <mantvydo@gmail.com>;
Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) client-ip=206.189.221.162;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Message-Id: <20181003104734.1871F42006E@kali>
Date: Wed, 3 Oct 2018 11:47:28 +0100 (BST)
From: root <root@nodspot.com>

removing traces like a sir
```
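Two traces still survive in the stripped headers above, and a receiving mail gateway can check for both: the host that handed the mail to mx.google.com stamped no "Received: by" line of its own, and the Message-Id still names a host ("kali") that appears nowhere in the Received chain. The following added example (not code from the original post) runs that check with Python's email module over constructed, abridged copies of the page's two header sets:

```python
"""Heuristic check for mail whose origin hops were stripped by a relay.
Added example; the header samples below are abridged from the page."""
import re
from email import message_from_string
from email.policy import default

# Constructed samples, abridged from the two header sets shown on the page.
BEFORE = """\
Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
 by mx.google.com with ESMTP id 38-v6si3160283pgr.237.2018.10.02.12.22.38
 for <mantvydo@gmail.com>; Tue, 02 Oct 2018 12:22:38 -0700 (PDT)
Received: by ubuntu-s-1vcpu-1gb-sfo2-01 (Postfix, from userid 0)
 id DC6DD3F156; Tue, 2 Oct 2018 19:22:37 +0000 (UTC)
Message-Id: <20181002192237.DC6DD3F156@ubuntu-s-1vcpu-1gb-sfo2-01>
From: root <root@nodspot.com>

yolo
"""
AFTER = """\
Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
 by mx.google.com with ESMTP id y11-v6si1190446plg.237.2018.10.03.03.47.35
 for <mantvydo@gmail.com>; Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
Message-Id: <20181003104734.1871F42006E@kali>
From: root <root@nodspot.com>

removing traces like a sir
"""
HOST = r"([A-Za-z0-9.-]+)"

def origin_hidden(raw):
    """Return the reasons (possibly none) the message looks origin-stripped."""
    msg = message_from_string(raw, policy=default)
    received = msg.get_all("Received", [])  # first entry = hop nearest to us
    hosts = {m.group(1).lower() for h in received
             for m in re.finditer(r"\b(?:from|by)\s+" + HOST, h)}
    reasons = []
    # 1. The host that handed us the mail never stamped a Received line itself.
    m = re.search(r"\bfrom\s+" + HOST, received[0]) if received else None
    if m and not any(re.search(r"\bby\s+" + re.escape(m.group(1)) + r"\b", h)
                     for h in received):
        reasons.append("submitting host %s added no Received header" % m.group(1))
    # 2. Message-Id names a host that is absent from the whole Received chain.
    m = re.search(r"@" + HOST + r">", msg.get("Message-Id", ""))
    if m and m.group(1).lower() not in hosts:
        reasons.append("Message-Id host %s not in Received chain" % m.group(1))
    return reasons
```

origin_hidden(BEFORE) returns an empty list, while origin_hidden(AFTER) returns both reasons; either finding alone is only a heuristic, since some legitimate MTAs also omit their own Received line.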

This lab does not address emails being flagged as phishing by Gmail; that involves setting up DKIM, PTR records and so on. See the source page for details.

This article is translated from https://ired.team/offensive-security/red-team-infrastructure/smtp