Authentication Capture: SMTP - Metasploit


This page contains detailed information about how to use the auxiliary/server/capture/smtp Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Authentication Capture: SMTP
Module: auxiliary/server/capture/smtp
Source code: modules/auxiliary/server/capture/smtp.rb
Disclosure date: -
Last modification time: 2020-07-11 17:30:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module provides a fake SMTP service that is designed to capture authentication credentials.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/server/capture/smtp
msf auxiliary(smtp) > show targets
    ... a list of targets ...
msf auxiliary(smtp) > set TARGET target-id
msf auxiliary(smtp) > show options
    ... show and set options ...
msf auxiliary(smtp) > exploit

Knowledge Base


Vulnerable Application


This module creates a mock SMTP server which accepts credentials or unauthenticated email before throwing a 503 error.

Verification Steps


  1. Start msfconsole
  2. Do: use auxiliary/server/capture/smtp
  3. Do: run

Scenarios


Testing Script

The following script exercises each of these cases against the capture server:

  1. Auth Plain
  2. Auth Login
  3. Auth CRAM-MD5
  4. Sending an email w/o auth
  5. RSET is implemented (https://github.com/rapid7/metasploit-framework/issues/11980)

    require 'net/smtp'
    require 'socket'
    
    # Each AUTH mechanism is tried against the capture server on 127.0.0.1:25.
    # The fake server answers with a 503 after taking the credentials, so any
    # exception is printed instead of aborting the remaining tests.
    puts 'Testing: plain'
    begin
      Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_plain', 'password_plain', :plain)
    rescue => e
      puts "Error: #{e}"
    end
    
    puts 'Testing: login'
    begin
      Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_login', 'password_login', :login)
    rescue => e
      puts "Error: #{e}"
    end
    
    puts 'Testing: cram md5'
    begin
      Net::SMTP.start('127.0.0.1', 25, 'localhost', 'username_cram', 'password_cram', :cram_md5)
    rescue => e
      puts "Error: #{e}"
    end
    
    # Unauthenticated delivery: MAIL FROM / RCPT TO / DATA without any AUTH.
    puts 'Testing: DATA'
    begin
      Net::SMTP.start('127.0.0.1') do |smtp|
        smtp.send_message 'test', '[email protected]', '[email protected]'
      end
    rescue => e
      puts "Error: #{e}"
    end
    
    # test for https://github.com/rapid7/metasploit-framework/issues/11980
    # Raw socket dialogue: RSET is sent immediately after the reply to DATA.
    puts 'Testing: RSET during DATA'
    begin
      t = TCPSocket.open('127.0.0.1', 25)
      t.gets
      t.print("EHLO localhost \r\n")
      t.gets
      t.print("MAIL FROM:\r\n")
      t.gets
      t.print("MAIL TO:\r\n")
      t.gets
      t.print("DATA\r\n")
      t.gets
      t.print("RSET\r\n")
      puts "  Response: #{t.gets.chop}"
    rescue => e
      puts "Error: #{e}"
    end
    
    # Raw socket dialogue: RSET is sent after one body line has already gone out.
    puts 'Testing: RSET during middle of DATA'
    begin
      t = TCPSocket.open('127.0.0.1', 25)
      t.gets
      t.print("EHLO localhost \r\n")
      t.gets
      t.print("MAIL FROM:\r\n")
      t.gets
      t.print("MAIL TO:\r\n")
      t.gets
      t.print("DATA\r\n")
      t.gets
      t.print("testing a message which gets cancelled\r\n")
      t.print("RSET\r\n")
      puts "  Response: #{t.gets.chop}"
    rescue => e
      puts "Error: #{e}"
    end
    

Output from testing script

When this script is run from the Metasploit console, it intermingles with the commands, which is great!

$ sudo ./msfconsole -qx 'use auxiliary/server/capture/smtp; set srvhost 127.0.0.1;run;ruby tools/dev/test_capture_smtp.rb'
srvhost => 127.0.0.1
[*] Auxiliary module running as background job 0.
[*] exec: ruby tools/dev/test_capture_smtp.rb

[*] Started service listener on 127.0.0.1:25 
[*] Server started.
Testing: plain
[*] SMTP: 127.0.0.1:46212 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46212 Command: AUTH PLAIN AHVzZXJuYW1lX3BsYWluAHBhc3N3b3JkX3BsYWlu
[+] SMTP LOGIN 127.0.0.1:46212 username_plain / password_plain
Testing: login
[*] SMTP: 127.0.0.1:46214 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46214 Command: AUTH LOGIN
[*] SMTP: 127.0.0.1:46214 Command: dXNlcm5hbWVfbG9naW4=
[*] SMTP: 127.0.0.1:46214 Command: cGFzc3dvcmRfbG9naW4=
[+] SMTP LOGIN 127.0.0.1:46214 username_login / password_login
Testing: cram md5
[*] SMTP: 127.0.0.1:46216 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46216 Command: AUTH CRAM-MD5
[*] SMTP: 127.0.0.1:46216 Command: dXNlcm5hbWVfY3JhbSA3YjA2NzUyMjVhM2FjMmI5MjMxYzJlOTM5OTg2Y2U0Mg==
Testing: DATA
[+] SMTP LOGIN 127.0.0.1:46216 username_cram / <[email protected]>#7b0675225a3ac2b9231c2e939986ce42
[*] SMTP: 127.0.0.1:46218 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46218 Command: MAIL FROM:
[*] SMTP: 127.0.0.1:46218 Command: RCPT TO:
[*] SMTP: 127.0.0.1:46218 Command: DATA
[*] SMTP: 127.0.0.1:46218 Command: test
.
[*] SMTP: 127.0.0.1:46218 EMAIL: test
[*] SMTP: 127.0.0.1:46218 Command: QUIT
Testing: RSET during DATA
[*] SMTP: 127.0.0.1:46220 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46220 Command: MAIL FROM:
[*] SMTP: 127.0.0.1:46220 Command: MAIL TO:
[*] SMTP: 127.0.0.1:46220 Command: DATA
[*] SMTP: 127.0.0.1:46220 Command: RSET
  Response: 250 OK
Testing: RSET during middle of DATA
[*] SMTP: 127.0.0.1:46222 Command: EHLO localhost
[*] SMTP: 127.0.0.1:46222 Command: MAIL FROM:
[*] SMTP: 127.0.0.1:46222 Command: MAIL TO:
[*] SMTP: 127.0.0.1:46222 Command: DATA
[*] SMTP: 127.0.0.1:46222 Command: testing a message which gets cancelled
RSET
[*] SMTP: 127.0.0.1:46222 EMAIL: testing a message which gets cancelled
  Response: 250 OK
msf5 auxiliary(server/capture/smtp) > creds
Credentials
===========

host       origin     service        public          private                                             realm  private_type        JtR Format
----       ------     -------        ------          -------                                             -----  ------------        ----------
127.0.0.1  127.0.0.1  25/tcp (smtp)  username_cram   <[email protected]>#7b0675225a3ac2b9231c2e939986ce42         Nonreplayable hash  hmac-md5
127.0.0.1  127.0.0.1  25/tcp (smtp)  username_login  password_login                                             Password            
127.0.0.1  127.0.0.1  25/tcp (smtp)  username_plain  password_plain                                             Password            

msf5 auxiliary(server/capture/smtp) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type          Data
 ----                     ----       -------  ----  --------  ----          ----
 2020-04-17 15:11:24 UTC  127.0.0.1                           smtp_message  "testing a message which gets cancelled\r\n"


Cracking Cram-md5 (hmac-md5)

Metasploit currently doesn't have a cracker for hmac-md5; however, the captured output is pre-formatted for John the Ripper, and creds -o /tmp/file.jtr will export it in a form John loads directly. It is also possible to export in hashcat format with creds -o /tmp/file.hcat and crack it with hashcat mode 10200.

user@kali:~/metasploit-framework$ sudo cat /tmp/cram
username_cram:<[email protected]>#7b0675225a3ac2b9231c2e939986ce42
user@kali:~/metasploit-framework$ sudo cat /tmp/wordlist 
password_cram
user@kali:~/metasploit-framework$ sudo john --wordlist=/tmp/wordlist --format=hmac-md5 /tmp/cram
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-MD5 [password is key, MD5 256/256 AVX2 8x3])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 192 needed for performance.
password_cram    (username_cram)
1g 0:00:00:00 DONE (2020-04-17 11:32) 50.00g/s 50.00p/s 50.00c/s 50.00C/s password_cram
Use the "--show --format=HMAC-MD5" options to display all of the cracked passwords reliably
Session completed
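The base64 blobs in the capture output above and the check john performs per wordlist entry can both be reproduced offline. The following Ruby is an added example, not the module's or john's code: it decodes the AUTH PLAIN, AUTH LOGIN and CRAM-MD5 lines copied from the output above, then builds and verifies a CRAM-MD5 response against a challenge constructed here (the page's own challenge is not reproduced, so the 7b06... digest cannot be regenerated), and formats the result as the JtR line shown in /tmp/cram and as a hashcat mode 10200 line. The challenge value and the host name capture.test are assumptions; the hashcat line follows the layout of hashcat's published example hash for mode 10200.

```ruby
require 'openssl'

# Added example, not the module's code: decode the AUTH exchanges the capture
# server logged (blobs copied from the output above) and check CRAM-MD5
# responses offline. 'm0' is strict base64 in Ruby's pack/unpack.

# AUTH PLAIN: base64("\0user\0pass"), optionally "authzid\0user\0pass".
def decode_auth_plain(blob)
  parts = blob.unpack1('m0').split("\0", -1)
  parts.shift if parts.length == 3 # drop the optional authorization id
  { user: parts[0], pass: parts[1] }
end

# AUTH LOGIN: username and password arrive as two separate base64 lines.
def decode_auth_login(user_b64, pass_b64)
  { user: user_b64.unpack1('m0'), pass: pass_b64.unpack1('m0') }
end

# CRAM-MD5: the client answers base64("user " + hex(HMAC-MD5(key = pass, challenge))).
def decode_cram_md5(blob)
  user, digest = blob.unpack1('m0').split(' ', 2)
  { user: user, digest: digest }
end

# What a client computes for a server challenge; used here to build a test
# case, since the page's own challenge is not reproduced.
def cram_md5_response(user, pass, challenge)
  digest = OpenSSL::HMAC.hexdigest('MD5', pass, challenge)
  ["#{user} #{digest}"].pack('m0')
end

# One wordlist candidate checked against a captured digest: the same
# computation john's hmac-md5 format runs per candidate. Only the challenge
# and digest are needed, which is why the creds table calls it a
# "Nonreplayable hash": it cannot be replayed, but it can be guessed offline.
def cram_md5_matches?(digest, challenge, candidate)
  OpenSSL::HMAC.hexdigest('MD5', candidate, challenge) == digest
end

# John the Ripper line in the layout shown in /tmp/cram above.
def jtr_line(user, challenge, digest)
  "#{user}:#{challenge}##{digest}"
end

# hashcat mode 10200 line: $cram_md5$base64(challenge)$base64("user digest"),
# the layout of hashcat's published example hash for that mode.
def hashcat_line(user, challenge, digest)
  "$cram_md5$#{[challenge].pack('m0')}$#{["#{user} #{digest}"].pack('m0')}"
end

if $PROGRAM_NAME == __FILE__
  p decode_auth_plain('AHVzZXJuYW1lX3BsYWluAHBhc3N3b3JkX3BsYWlu')
  p decode_auth_login('dXNlcm5hbWVfbG9naW4=', 'cGFzc3dvcmRfbG9naW4=')
  p decode_cram_md5('dXNlcm5hbWVfY3JhbSA3YjA2NzUyMjVhM2FjMmI5MjMxYzJlOTM5OTg2Y2U0Mg==')
  challenge = '<1234.5678@capture.test>' # constructed challenge, not the page's
  resp = cram_md5_response('username_cram', 'password_cram', challenge)
  d = decode_cram_md5(resp)
  %w[letmein password_cram].each do |cand|
    puts "#{cand}: #{cram_md5_matches?(d[:digest], challenge, cand)}"
  end
  puts jtr_line(d[:user], challenge, d[:digest])
  puts hashcat_line(d[:user], challenge, d[:digest])
end
```

PLAIN and LOGIN hand the password over directly, which is why the creds table records them as Password with no JtR format; CRAM-MD5 only exposes a keyed digest, but as the john run shows, a weak password still falls to an offline wordlist run against the captured challenge. Either way, it is transport protection (STARTTLS or implicit TLS on the real server) that keeps these exchanges away from a listener in the first place.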


Msfconsole Usage


Here is how the server/capture/smtp auxiliary module looks in the msfconsole:

msf6 > use auxiliary/server/capture/smtp

msf6 auxiliary(server/capture/smtp) > show info

       Name: Authentication Capture: SMTP
     Module: auxiliary/server/capture/smtp
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  ddz <[email protected]>
  hdm <[email protected]>
  h00die

Available actions:
  Name     Description
  ----     -----------
  Capture  Run SMTP capture server

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  25               yes       The local port to listen on.
  SSL      false            no        Negotiate SSL for incoming connections
  SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Description:
  This module provides a fake SMTP service that is designed to capture 
  authentication credentials.

References:
  https://www.samlogic.net/articles/smtp-commands-reference-auth.htm
  tools.ietf.org/html/rfc5321
  http://fehcom.de/qmail/smtpauth.html

Module Options


This is a complete list of options available in the server/capture/smtp auxiliary module:

msf6 auxiliary(server/capture/smtp) > show options

Module options (auxiliary/server/capture/smtp):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  25               yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)

Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run SMTP capture server

Advanced Options


Here is a complete list of advanced options supported by the server/capture/smtp auxiliary module:

msf6 auxiliary(server/capture/smtp) > show advanced

Module advanced options (auxiliary/server/capture/smtp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   ListenerComm                     no        The specific communication channel to use for this service
   SSLCipher                        no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression  false            no        Enable SSL/TLS-level compression
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the server/capture/smtp module can do:

msf6 auxiliary(server/capture/smtp) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Capture  Run SMTP capture server

Evasion Options


Here is the full list of possible evasion options supported by the server/capture/smtp auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(server/capture/smtp) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Unknown authentication type string: <ARG>


Here is a relevant code snippet related to the "Unknown authentication type string: <ARG>" error message:

241:	        @state[client][:auth_cram] = true
242:	        @state[client][:auth_cram_challenge] = challenge
243:	        return
244:	      end
245:	      # some other auth we dont understand
246:	      vprint_error("Unknown authentication type string: #{arg}")
247:	      client.put "503 Server Error\r\n"
248:	    else
249:	      vprint_error("Unknown command: #{arg}")
250:	    end
251:	    client.put "503 Server Error\r\n"

503 Server Error\r\n


Here is a relevant code snippet related to the "503 Server Error\r\n" error message:

242:	        @state[client][:auth_cram_challenge] = challenge
243:	        return
244:	      end
245:	      # some other auth we dont understand
246:	      vprint_error("Unknown authentication type string: #{arg}")
247:	      client.put "503 Server Error\r\n"
248:	    else
249:	      vprint_error("Unknown command: #{arg}")
250:	    end
251:	    client.put "503 Server Error\r\n"
252:	

Unknown command: <ARG>


Here is a relevant code snippet related to the "Unknown command: <ARG>" error message:

244:	      end
245:	      # some other auth we dont understand
246:	      vprint_error("Unknown authentication type string: #{arg}")
247:	      client.put "503 Server Error\r\n"
248:	    else
249:	      vprint_error("Unknown command: #{arg}")
250:	    end
251:	    client.put "503 Server Error\r\n"
252:	
253:	  end
254:	

503 Server Error\r\n


Here is a relevant code snippet related to the "503 Server Error\r\n" error message:

246:	      vprint_error("Unknown authentication type string: #{arg}")
247:	      client.put "503 Server Error\r\n"
248:	    else
249:	      vprint_error("Unknown command: #{arg}")
250:	    end
251:	    client.put "503 Server Error\r\n"
252:	
253:	  end
254:	
255:	  def report_cred(opts)
256:	    service_data = {
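The RSET scenarios from the testing script above and the 503 fall-through in these snippets can be modelled in a few dozen lines. The following state machine is an added example, not the module's code: it covers only the mail transaction (EHLO/MAIL/RCPT/DATA/RSET/QUIT), leaves AUTH out entirely, and replies "503 Server Error" to anything unrecognised, as the snippets do. One choice is deliberate and commented in the code: strict RFC 5321 treats every line after DATA as message text until a lone ".", whereas the module's output above shows it honouring RSET inside DATA and recording the partial body, and the example follows the module. The host name capture.test and the reply wording are assumptions.

```ruby
# Added example (not the Metasploit module's code): a minimal SMTP
# mail-transaction state machine covering EHLO/MAIL/RCPT/DATA/RSET/QUIT.
# AUTH is deliberately left out; anything unrecognised gets the same
# "503 Server Error" reply the module's snippets send.
class SmtpTransaction
  attr_reader :from, :rcpts, :messages, :aborted

  def initialize
    @messages = [] # bodies completed with a lone "." line
    @aborted  = [] # partial bodies discarded by RSET inside DATA
    @in_data  = false
    reset_transaction
  end

  # Feed one client line (CRLF already stripped). Returns the reply the
  # server would send, or nil while a body line is just being buffered.
  def feed(line)
    return feed_body(line) if @in_data

    verb, arg = line.strip.split(/\s+/, 2)
    case verb.to_s.upcase
    when 'EHLO', 'HELO'
      "250 capture.test Hello #{arg}" # capture.test is an assumed host name
    when 'MAIL'
      @from = arg.to_s.sub(/\AFROM:\s*/i, '')
      @mail_seen = true
      '250 OK'
    when 'RCPT'
      @rcpts << arg.to_s.sub(/\ATO:\s*/i, '')
      '250 OK'
    when 'DATA'
      # RFC 5321 requires MAIL before DATA; 503 is "bad sequence of commands".
      return '503 Bad sequence of commands' unless @mail_seen

      @in_data = true
      '354 End data with <CR><LF>.<CR><LF>'
    when 'RSET'
      reset_transaction
      '250 OK'
    when 'QUIT'
      '221 Bye'
    else
      '503 Server Error'
    end
  end

  private

  def feed_body(line)
    case line
    when '.'
      # A lone dot terminates the body; the transaction is then complete.
      @messages << @body.dup
      @in_data = false
      reset_transaction
      '250 OK: queued'
    when 'RSET'
      # Strict RFC 5321 would treat this as body text; the module (see the
      # output above) honours it as an abort and records the partial body.
      @aborted << @body.dup
      @in_data = false
      reset_transaction
      '250 OK'
    else
      # RFC 5321 4.5.2 dot-stuffing: a body line starting with "." is sent
      # with an extra leading dot, so strip one dot when storing.
      @body << (line.start_with?('.') ? line[1..] : line) << "\r\n"
      nil
    end
  end

  def reset_transaction
    @from = nil
    @rcpts = []
    @mail_seen = false
    @body = +''
  end
end

if $PROGRAM_NAME == __FILE__
  s = SmtpTransaction.new
  ['EHLO localhost', 'MAIL FROM:', 'RCPT TO:', 'DATA',
   'testing a message which gets cancelled', 'RSET', 'BOGUS', 'QUIT'].each do |l|
    reply = s.feed(l)
    puts "C: #{l}\nS: #{reply}" if reply
  end
  p s.aborted
end
```

Driving the class with the same lines the raw-socket tests send makes the difference between the two RSET cases visible: after the 354 reply the buffer is empty, so RSET discards nothing, while in the second case the discarded body line is what the module stored as an smtp_message note.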



Authors


  • ddz
  • hdm
  • h00die

Version


This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
