Sendmail
SMTP servers such as Sendmail disclose, either spontaneously or on request, certain sensitive pieces of information:
# telnet localhost 25
220 herisson.maison ESMTP Sendmail 8.12.3/8.12.3; Thu, 7 Nov 2002 12:41:31 +0100 (CET)
help
214-2.0.0 This is sendmail version 8.12.3
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP ".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0 sendmail-bugs@sendmail.org.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
help verb
214-2.0.0 VERB
214-2.0.0 Go into verbose mode. This sends 0xy responses that are
214-2.0.0 not RFC821 standard (but should be) They are recognized
214-2.0.0 by humans and other sendmail implementations.
214 2.0.0 End of HELP info
help quit
214-2.0.0 QUIT
214-2.0.0 Exit sendmail (SMTP).
214 2.0.0 End of HELP info
help control
214-2.0.0 Help for smcontrol:
214-2.0.0 help This message.
214-2.0.0 restart Restart sendmail.
214-2.0.0 shutdown Shutdown sendmail.
214-2.0.0 status Show sendmail status.
214-2.0.0 memdump Dump allocated memory list (for debugging only).
214 2.0.0 End of HELP info
quit
221 2.0.0 herisson.maison closing connection
These displays can however be turned off by modifying the Sendmail configuration (notably to guard against an information leak in the reply to a message addressed to an unknown address):
# cd /etc/mail
# cat > helpfile
#vers 2
smtp Disabled.
^D
# cat > /tmp/freebsd.mc.supp
define(`confSMTP_LOGIN_MSG', `$j server ready at $b')
define(`confRECEIVED_HEADER', `$?sfrom $s $.$?_($?s$|from $.$_)
$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
$.by $j $?r with $r$. id $i$?{tls_version}
(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u
for $u; $|;
$.$b$?g
(envelope-from $g)$.')
^D
# cat /tmp/freebsd.mc.supp >> freebsd.mc
# rm /tmp/freebsd.mc.supp
# make freebsd.cf
# cp freebsd.cf sendmail.cf
# cat > /tmp/freebsd.submit.mc.supp
define(`confSMTP_LOGIN_MSG', `$j server ready at $b')
define(`confRECEIVED_HEADER', `$?sfrom $s $.$?_($?s$|from $.$_)
$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
$.by $j $?r with $r$. id $i$?{tls_version}
(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u
for $u; $|;
$.$b')
^D
# cat /tmp/freebsd.submit.mc.supp >> freebsd.submit.mc
# rm /tmp/freebsd.submit.mc.supp
# make freebsd.submit.cf
# cp freebsd.submit.cf submit.cf
# killall -HUP sendmail
The server then behaves as follows:
# telnet localhost 25
220 herisson.maison ESMTP server ready at Thu, 7 Nov 2002 13:30:46 +0100 (CET)
help
214-2.0.0 Disabled.
214 2.0.0 End of HELP info
quit
221 2.0.0 herisson.maison closing connection
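To check that the two changes above actually took effect, here is a small audit script added for this article (it is not part of the original page nor of Sendmail): it parses raw SMTP replies, reports any Sendmail version string found in the 220 greeting or in the HELP text, and can fetch both from a server you administer with probe(); the sample replies are copied from the two telnet sessions shown above.

```python
import re
import socket
# Version strings Sendmail puts in its 220 greeting and in its HELP text (see the sessions above).
GREETING_VERSION_RE = re.compile(r"\bSendmail\s+(\d+\.\d+\.\d+)")
HELP_VERSION_RE = re.compile(r"sendmail version (\d+\.\d+\.\d+)", re.IGNORECASE)

def parse_reply(raw):
    """Split a raw SMTP reply into (code, [lines]); 'NNN-' marks continuation lines
    and the '2.0.0' enhanced status code Sendmail prepends to HELP text is dropped."""
    lines = raw.strip().splitlines()
    code = int(lines[0][:3])
    return code, [re.sub(r"^\d\.\d\.\d ", "", line[4:]) for line in lines]

def greeting_leaks(greeting):
    """Return the version a 220 greeting discloses, or None."""
    m = GREETING_VERSION_RE.search(greeting)
    return m.group(1) if m else None

def help_leaks(reply):
    """Return the version a HELP reply discloses, or None (502/504 = HELP unsupported)."""
    code, body = parse_reply(reply)
    m = HELP_VERSION_RE.search(" ".join(body)) if code == 214 else None
    return m.group(1) if m else None

def read_reply(f):
    """Read one complete SMTP reply (all continuation lines) from a socket file.
    An empty read (connection closed) yields a short line and ends the loop."""
    lines = []
    while True:
        line = f.readline().decode("latin-1")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)

def probe(host, port=25, timeout=10):
    """Fetch greeting and HELP reply from a server you administer (not run by the tests)."""
    with socket.create_connection((host, port), timeout) as sock:
        f = sock.makefile("rwb")
        greeting = read_reply(f)
        f.write(b"HELP\r\n"); f.flush()
        help_reply = read_reply(f)
        f.write(b"QUIT\r\n"); f.flush()
    return greeting, help_reply

# Constructed samples, copied from the two telnet sessions shown on this page.
DEFAULT_GREETING = "220 herisson.maison ESMTP Sendmail 8.12.3/8.12.3; Thu, 7 Nov 2002 12:41:31 +0100 (CET)"
HARDENED_GREETING = "220 herisson.maison ESMTP server ready at Thu, 7 Nov 2002 13:30:46 +0100 (CET)"
DEFAULT_HELP = "214-2.0.0 This is sendmail version 8.12.3\n214-2.0.0 Topics:\n214 2.0.0 End of HELP info"
HARDENED_HELP = "214-2.0.0 Disabled.\n214 2.0.0 End of HELP info"
```

Running greeting_leaks() and help_leaks() on the output of probe("localhost") should return None twice once the new sendmail.cf and helpfile are in place.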
Final warnings
Note that the server can still be identified through its implementation of the SMTP protocol (the combinations of reply headers it returns can be quite characteristic).
This is precisely what the smtpscan application makes it possible to do:
# smtpscan localhost
smtpscan version 0.3
Scanning localhost (127.0.0.1) port 25
...............
Result --
451:501:501:250:553:451:503:214:252:502:502:502:502:250:250
No exact match. Nearest matches :
- Sendmail 8.11.0 (3) (with source email address checking - rbl, ...)
- Sendmail 8.11.2 (3) (with source email address checking - rbl, ...)
- Sendmail Switch-2.2.0 (3) (with source email address checking - rbl, ...)
- Sendmail Switch-2.2.3 (3) (with source email address checking - rbl, ...)
- Sendmail 8.11.6 (3) (with source email address checking - rbl, ...)
- Sendmail 8.11.6 (3) (with source email address checking - rbl, ...)
- Sendmail 8.12.2-8.12.5 (3) (with source email address checking - rbl, ...)
- Sendmail 8.12.3 (3) (with source email address checking - rbl, ...)
- Sendmail 8.11.6 (3) (with source email address checking - rbl, ...)
- Sendmail 8.11.6,8.12.3 (3) (with source email address checking - rbl, ...)
To help improving smtpscan database, if you know which soft is used there,
please send a mail to zejames@greyhats.org, giving the output of smtpscan -v
and the remote server version.
Despite the rejections (code 451) due to my test domain not being resolvable, and even though this leaves many traces in the log files ("/var/log/maillog"):
Authentication-Warning: herisson.maison: localhost.maison [127.0.0.1] didn't use HELO \
protocol
ruleset=check_mail, arg1=test@yahoo.com, relay=localhost.maison [127.0.0.1], \
reject=451 4.1.8 Domain of sender address test@yahoo.com does not resolve
from=test@yahoo.com, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, \
relay=localhost.maison [127.0.0.1]
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
lost input channel from localhost.maison [127.0.0.1] to MTA after mail
from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=localhost.maison \
[127.0.0.1]
ruleset=check_mail, arg1=, \
relay=localhost.maison [127.0.0.1], reject=451 4.1.8 Domain of sender address \
impossibleaddress@thisdomaindoesnotandmustnotexists.com does not resolve
from=, size=0, class=0, \
nrcpts=0, proto=SMTP, daemon=MTA, relay=localhost.maison [127.0.0.1]
ruleset=check_mail, arg1=, relay=localhost.maison [127.0.0.1], \
reject=451 4.1.8 Domain of sender address test@yahoo.com does not resolve
from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, \
relay=localhost.maison [127.0.0.1]
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
localhost.maison [127.0.0.1]: VRFY root [rejected]
localhost.maison [127.0.0.1]: EXPN root [rejected]
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
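Since such a run leaves the traces shown above, they can be turned into a detection. The script below is added for this article (not part of the original page): it tallies, per client IP, the three kinds of maillog line seen above (empty sessions, rejected VRFY/EXPN, 451 unresolvable-sender rejects) and flags hosts whose pattern looks like fingerprinting rather than mail delivery; the sample lines are constructed from the excerpt, with invented syslog prefixes and queue ids.

```python
import re
from collections import defaultdict

# The three kinds of trace the maillog excerpt above shows for a fingerprinting run.
EMPTY_SESSION_RE = re.compile(r"(\S+) \[([\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN")
VRFY_EXPN_RE = re.compile(r"(\S+) \[([\d.]+)\]: (?:VRFY|EXPN) \S+ \[rejected\]")
REJECT_451_RE = re.compile(r"relay=(\S+) \[([\d.]+)\], reject=451 4\.1\.8")

def tally(lines):
    """Count, per client IP, empty sessions, rejected VRFY/EXPN and 451 sender rejects."""
    stats = defaultdict(lambda: {"empty": 0, "vrfy_expn": 0, "reject451": 0})
    for line in lines:
        for regex, key in ((EMPTY_SESSION_RE, "empty"),
                           (VRFY_EXPN_RE, "vrfy_expn"),
                           (REJECT_451_RE, "reject451")):
            m = regex.search(line)
            if m:
                stats[m.group(2)][key] += 1
                break
    return dict(stats)

def suspects(lines, empty_threshold=5):
    """IPs whose traces look like an SMTP fingerprinting run rather than mail delivery:
    any VRFY/EXPN attempt, or repeated empty sessions / unresolvable-sender rejects."""
    flagged = []
    for ip, s in tally(lines).items():
        if s["vrfy_expn"] or s["empty"] >= empty_threshold or s["reject451"] >= 2:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: syslog-prefixed lines modelled on the excerpt above (prefixes and
# queue ids are made up), plus one ordinary delivery from another host that must not be flagged.
SAMPLE_LOG = """\
Nov  7 13:40:01 herisson sm-mta[612]: gA7Ce1Ab000612: ruleset=check_mail, arg1=test@yahoo.com, relay=localhost.maison [127.0.0.1], reject=451 4.1.8 Domain of sender address test@yahoo.com does not resolve
Nov  7 13:40:01 herisson sm-mta[612]: gA7Ce1Ab000612: localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  7 13:40:02 herisson sm-mta[613]: gA7Ce2Ab000613: localhost.maison [127.0.0.1]: VRFY root [rejected]
Nov  7 13:40:02 herisson sm-mta[614]: gA7Ce2Ab000614: localhost.maison [127.0.0.1]: EXPN root [rejected]
Nov  7 13:40:03 herisson sm-mta[615]: gA7Ce3Ab000615: localhost.maison [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov  7 13:41:10 herisson sm-mta[620]: gA7Cf0Ab000620: from=<alice@example.com>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
""".splitlines()

if __name__ == "__main__":
    for ip, s in tally(SAMPLE_LOG).items():
        print(ip, s)
    print("suspects:", suspects(SAMPLE_LOG))
```

Feed it the real file with tally(open("/var/log/maillog")) and tune empty_threshold to your traffic; a single monitoring host that only opens and closes connections will otherwise show up as well.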
In the follow-ups to this article, we look at how to counter two tools of this kind: smtpscan and smtpmap.