Chuck's corner

Powered by Unknown!

Sendmail versus Smtpmap

In this article we look at a quick technique for defeating the network fingerprinting tool Smtpmap (since this tool relies on a battery of 73 tests, I give up on a step-by-step analysis!).

To better understand how Sendmail's settings influence the fingerprint Smtpmap computes, I cleared the "PrivacyOptions" parameter (normally set to "authwarnings,noexpn,novrfy" on the Sendmail 8.12.6 shipped with the FreeBSD 5.0-RC1 system I ran the tests on; clearing it re-enables, among other things, the EXPN and VRFY commands). The result is as follows:

# smtpmap -v localhost
smtp-map 0.8

Scanning localhost ( [ 127.0.0.1 ]  )
100 % done scan
The scanned fingerprints are : 
VERSION=220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 19:32:52 +0100 (CET)

FP_RETURN=2217,2198,13304,2217,3868,11404,5997,72789,2978,2975,3379,3541,8057,4112,1568,630,
4098,1568,4095,1568,5716,1568,1950,2187,1568,5750,2187,1568,5342,2187,1568,1655,3248,1950,
1568,3248,2898,42434,2217,31210,4054,13412,2187,16877,1568,1950,9592,1568,4832,630,4108,4502,
5344,1568,2187,5064,2187,2187,1568,1950,3815,1568,3868,2549,2780,1568,3015,3248,3234,1655,
3215,5481,3929
VERSION=220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 19:32:52 +0100 (CET)

FP_RFC=30705,0,3929,6066,0,0,3215,9332,10773,12305,4137,0,0,4978,16808,0
VERSION=220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 19:32:52 +0100 (CET)

FP_CONF=501,550,214,501,250,214,214,214,500,500,500,500,214,502,250,250,502,250,502,250,553,
250,503,503,250,553,503,250,553,503,250,250,502,503,250,502,500,214,501,214,501,214,503,214,
250,503,214,250,214,250,214,501,553,250,503,553,503,503,250,503,250,250,250,250,550,250,500,
502,502,250,454,214,221


According to Configuration Fingerprinting the server matches the following : 
  Version                                       Probability
Sendmail 8.12.1                                 99.4768 %
Sendmail 8.11.6+3.4W/8.11.3 NetBSD              93.6761 % 
Sendmail 8.9.1 BSD                              89.8772 % 

According to RFC Fingerprinting the server matches the following : 
  Version                                       Probability
Sendmail 8.12.1                                 98.1267 %
Sendmail 8.10.1                                 97.1535 % 
Sendmail 8.12.3                                 96.2343 % 
Sendmail 8.11.6+3.4W/8.11.3 NetBSD              96.1089 % 

According to Overall Fingerprinting the server matches the following : 
  Version                                       Probability
Sendmail 8.12.1                                 99.2036 %
Sendmail 8.11.6+3.4W/8.11.3 NetBSD              96.0081 % 
Sendmail 8.12.2/3 (test1)                       92.2407 % 


Note: If the banner says something slightly different than smtpmap,
but the main release number, then the version in the banner is usually correct.

If you know the name of the SMTP server you just scanned, please
contribute to this program by sending the whole output with -v 
and name of the server software to : plasmahh@gmx.net
Best would be some additional information about the server configuration and
perhaps even what server it was, if its accesible from the internet

Since every test relies on the domain "myhost.domain.com" in the initial EHLO command (the domain is hard-coded in the tool's source), it is (for now :-)) very easy to thwart Smtpmap.

Using a patch, Sendmail can be made to disconnect Smtpmap as soon as this domain is presented, and to log the scan attempt:

# cd /usr/src
# patch < sendmail-antiscan.patch
# cd usr.sbin/sendmail
# make clean
# make depend
# make
# make install
# sh /etc/rc.sendmail stop
# sh /etc/rc.sendmail start

Sendmail's reply to Smtpmap then becomes:

# smtpmap -v -v localhost
smtp-map 0.8
Scanning localhost ( [ 127.0.0.1 ]  )
Connection Data : 
port 25
socket 6
target localhost
RECV "220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 23:39:24 +0100 (CET)
"
SEND EHLO myhost.domain.com

RECV "550 smtpmap denied; closing connection
"

SEND EXPN

Disconnection detected, trying to reconnect
RECV 
1.35135 %
SEND EXPN all

Disconnection detected, trying to reconnect
RECV 
2.7027 %
SEND HELP EXPN

Disconnection detected, trying to reconnect
RECV 
4.05405 %
SEND VRFY

Disconnection detected, trying to reconnect
too much disconnects detected, aborting this scan
Error scanning host localhost

Note: If the banner says something slightly different than smtpmap,
but the main release number, then the version in the banner is usually correct.

If you know the name of the SMTP server you just scanned, please
contribute to this program by sending the whole output with -v 
and name of the server software to : plasmahh@gmx.net
Best would be some additional information about the server configuration and
perhaps even what server it was, if its accesible from the internet

Final caveats

Note that the server can still be identified from the text of its SMTP replies (smtpmap takes their particulars into account, if only in a rudimentary way); the "550 smtpmap denied; closing connection" reply shown above is itself a tell, and a scanner rebuilt with a different EHLO name would get past the check. A possible complement would be a patch that makes it easy to change all of those reply messages...
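To make the check concrete, here is an added example, written for this page and not the Sendmail patch the article applies, that models the server side of the dialogue in Python: a session whose EHLO/HELO argument matches a known scanner signature is logged, refused with a 550 and dropped, as the transcript above shows for "myhost.domain.com", while an ordinary client proceeds. The refusal text is a parameter, because a fixed reply such as "550 smtpmap denied; closing connection" is itself identifying, as noted in the caveats. The server name, the log format, the signature table and every reply other than that 550 are assumptions made for the example.

```python
"""Drop SMTP sessions whose EHLO/HELO argument is a known scanner signature.

Added example written for this page: a stand-alone model of the check the
article's Sendmail patch performs, replayable offline without sockets.
Everything except the "myhost.domain.com" EHLO name and the default 550
reply text taken from the page is an assumption.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# EHLO/HELO arguments hard-coded in known scanners. The page reports
# "myhost.domain.com" for smtpmap 0.8; the table itself is an assumption
# so that an operator can add further entries.
SCANNER_HELO_NAMES = {
    "myhost.domain.com": "smtpmap",
}

SERVER_NAME = "mx.example.invalid"  # constructed hostname for the example


@dataclass
class SessionResult:
    replies: List[str] = field(default_factory=list)  # lines sent to the client
    log: List[str] = field(default_factory=list)      # what would go to syslog
    scanner: Optional[str] = None                     # signature matched, if any
    dropped: bool = False                             # server closed the session


def classify_helo(argument: str) -> Optional[str]:
    """Return the scanner name if the EHLO/HELO argument matches a signature."""
    return SCANNER_HELO_NAMES.get(argument.strip().lower())


def run_session(peer: str, client_lines: Iterable[str],
                deny_reply: str = "550 smtpmap denied; closing connection"
                ) -> SessionResult:
    """Replay client commands against the check and return the transcript.

    Only the commands smtpmap's first probes use are modelled; EXPN and VRFY
    answer as if PrivacyOptions contained noexpn,novrfy.
    """
    res = SessionResult()
    res.replies.append(f"220 {SERVER_NAME} ESMTP")
    greeted = False
    for raw in client_lines:
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            scanner = classify_helo(arg)
            if scanner is not None:
                # Log, refuse, and close before any probe reaches the server,
                # so the scanner never collects the replies it fingerprints.
                res.scanner = scanner
                res.log.append(f"{peer}: {scanner} scan attempt "
                               f"({verb} {arg}); connection dropped")
                res.replies.append(deny_reply)
                res.dropped = True
                break
            greeted = True
            res.replies.append(f"250 {SERVER_NAME} Hello {arg}")
        elif verb == "QUIT":
            res.replies.append(f"221 2.0.0 {SERVER_NAME} closing connection")
            break
        elif verb in ("NOOP", "RSET"):
            res.replies.append("250 2.0.0 OK")
        elif verb in ("EXPN", "VRFY"):
            res.replies.append("502 5.7.0 Sorry, we do not allow this operation")
        elif verb in ("MAIL", "RCPT") and not greeted:
            res.replies.append("503 5.5.1 Send EHLO/HELO first")
        elif verb in ("MAIL", "RCPT"):
            res.replies.append("250 2.1.0 OK")
        else:
            res.replies.append("500 5.5.1 Command unrecognized")
    return res


if __name__ == "__main__":
    # Constructed replay of the first probes the page's transcript shows
    # smtpmap 0.8 sending, followed by an ordinary client for contrast.
    probe = ["EHLO myhost.domain.com", "EXPN", "EXPN all", "HELP EXPN", "VRFY"]
    for result in (run_session("127.0.0.1", probe),
                   run_session("192.0.2.10", ["EHLO client.example", "QUIT"])):
        for line in result.replies:
            print("S:", line)
        for entry in result.log:
            print("LOG:", entry)
        print("dropped:", result.dropped, "scanner:", result.scanner, "\n")
```

Matching is done on the lower-cased EHLO argument only; the check is deliberately narrow so that a legitimate client that happens to send an unusual but unlisted name is never refused.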

