Home
Welcome!
Who's that Chuck? [FR]
Articles
Computer forensics [FR]
Virtual-to-Remote Physical [FR]
Promethee, educ. intranet [FR]
Frenzy, live mini CD [FR]
Open/Closed source sec. [FR]
Installing FreeBSD 5 [FR]
Powered by Unknown! [FR]
FreeBSD / Nmap (1/2) [FR]
FreeBSD / Nmap (2/2) [FR]
telnetd [FR]
ftpd [FR]
Apache [FR]
Bind [FR]
Lukemftpd [FR]
OpenSSH [FR]
PHP [FR]
Qpopper [FR]
Sendmail [FR]
Sendmail / Smtpscan [FR]
Sendmail / Smtpmap [FR]
Work in progress:
Fingerprints analyzers [FR]
Software
Ports [FR]
HeV project
Links
BSD sites in french [FR]
BSD systems list [FR]
Projects of the month [FR]
Search
with 
Powered by Unknown !
Sendmail contre Smtpmap
Dans cet article, nous examinons une technique rapide pour contrer l'analyseur d'empreintes réseau Smtpmap (cet outil ayant recours à un jeu de 73 tests, je déclare forfait pour faire une analyse pas à pas !).
Afin de mieux comprendre l'influence du paramétrage de Sendmail sur l'empreinte déterminée par Smtpmap, j'ai réinitialisé à blanc le paramètre "PrivacyOptions" (normalement positionné à "authwarnings,noexpn,novrfy" sur le Sendmail 8.12.6 du FreeBSD 5.0-RC1 sur lequel j'ai réalisé les tests). On obtient alors le résultat suivant :
# smtpmap -v localhost smtp-map 0.8 Scanning localhost ( [ 127.0.0.1 ] ) 100 % done scan The scanned fingerprints are : VERSION=220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 19:32:52 +0100 (CET) FP_RETURN=2217,2198,13304,2217,3868,11404,5997,72789,2978,2975,3379,3541,8057,4112,1568,630, 4098,1568,4095,1568,5716,1568,1950,2187,1568,5750,2187,1568,5342,2187,1568,1655,3248,1950, 1568,3248,2898,42434,2217,31210,4054,13412,2187,16877,1568,1950,9592,1568,4832,630,4108,4502, 5344,1568,2187,5064,2187,2187,1568,1950,3815,1568,3868,2549,2780,1568,3015,3248,3234,1655, 3215,5481,3929 VERSION=220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 19:32:52 +0100 (CET) FP_RFC=30705,0,3929,6066,0,0,3215,9332,10773,12305,4137,0,0,4978,16808,0 VERSION=220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 19:32:52 +0100 (CET) FP_CONF=501,550,214,501,250,214,214,214,500,500,500,500,214,502,250,250,502,250,502,250,553, 250,503,503,250,553,503,250,553,503,250,250,502,503,250,502,500,214,501,214,501,214,503,214, 250,503,214,250,214,250,214,501,553,250,503,553,503,503,250,503,250,250,250,250,550,250,500, 502,502,250,454,214,221 According to Configuration Fingerprinting the server matches the following : Version Probability Sendmail 8.12.1 99.4768 % Sendmail 8.11.6+3.4W/8.11.3 NetBSD 93.6761 % Sendmail 8.9.1 BSD 89.8772 % According to RFC Fingerprinting the server matches the following : Version Probability Sendmail 8.12.1 98.1267 % Sendmail 8.10.1 97.1535 % Sendmail 8.12.3 96.2343 % Sendmail 8.11.6+3.4W/8.11.3 NetBSD 96.1089 % According to Overall Fingerprinting the server matches the following : Version Probability Sendmail 8.12.1 99.2036 % Sendmail 8.11.6+3.4W/8.11.3 NetBSD 96.0081 % Sendmail 8.12.2/3 (test1) 92.2407 % Note: If the banner says something slightly different than smtpmap, but the main release number, then the version in the banner is usually correct. If you know the name of the SMTP server you just scanned, please contribute to this program by sending the whole output with -v and name of the server software to : plasmahh@gmx.net Best would be some additional information about the server configuration and perhaps even what server it was, if its accesible from the internet |
Tous les tests reposant sur l'utilisation du domaine "myhost.domain.com" avec la commande EHLO initiale (ce domaine est codé en dur dans le code source du produit), il est (pour le moment :-)) très simple de contrecarrer Smtpmap.
A l'aide d'un patch, il est possible de déconnecter Smtpmap dès présentation de ce domaine et de journaliser la tentative de balayage :
# cd /usr/src # patch < sendmail-antiscan.patch # cd usr.sbin/sendmail # make clean # make depend # make # make install # sh /etc/rc.sendmail stop # sh /etc/rc.sendmail start |
La réponse de Sendmail à Smtpmap devient alors :
# smtpmap -v -v localhost smtp-map 0.8 Scanning localhost ( [ 127.0.0.1 ] ) Connection Data : port 25 socket 6 target localhost RECV "220 herisson.maison ESMTP Sendmail 8.12.6/8.12.6; Sat, 28 Dec 2002 23:39:24 +0100 (CET) " SEND EHLO myhost.domain.com RECV "550 smtpmap denied; closing connection " SEND EXPN Disconnection detected, trying to reconnect RECV 1.35135 % SEND EXPN all Disconnection detected, trying to reconnect RECV 2.7027 % SEND HELP EXPN Disconnection detected, trying to reconnect RECV 4.05405 % SEND VRFY Disconnection detected, trying to reconnect too much disconnects detected, aborting this scan Error scanning host localhost Note: If the banner says something slightly different than smtpmap, but the main release number, then the version in the banner is usually correct. If you know the name of the SMTP server you just scanned, please contribute to this program by sending the whole output with -v and name of the server software to : plasmahh@gmx.net Best would be some additional information about the server configuration and perhaps even what server it was, if its accesible from the internet |
Derniers avertissements
Notez que l'identification du serveur reste toujours possible par le biais de ses messages de réponse SMTP (l'outil smtpmap tenant compte de manière rudimentaire de leurs spécificités). Un complément possible consisterait à réaliser un patch facilitant la modification de tous ces messages...
Version française
| Legal information [FR]
| About us [FR]
| Manifesto [FR]
| Privacy & usage charter [FR]
| Contact us
| Comments on this page ]