

Email Forging

In this short tutorial we will forge some emails and then analyse the headers to see how the forgery can be detected.

Question 1: Setup Sendmail

Some initial configuration of the virtual machine is required.

First find out your hostname by running the command "hostname". It is probably something like "host-1-1.linuxzoo.net".

Edit the file "/etc/mail/local-host-names" and at the end of this file insert the full hostname from above on a line of its own. Save the file.

Restart the sendmail service by doing

service sendmail restart

Tests: Hostname in local-host-names

Question 2: Telnet line

We are going to forge an email to ourselves.

Using the IP number of localhost, what would be the telnet command needed to telnet to the SMTP port of localhost? This is case-sensitive and space-sensitive.
Telnet command:

Tests: Telnet Command

Question 3: Use the telnet command

Use this telnet command (and use QUIT to end the telnet session) to test the connection. Sendmail should identify itself in its greeting banner with a string of the form "Sendmail Version/Version;". What is the version of sendmail?
Sendmail version:

Tests: x word count to file

Question 4: Envelope Information

We want to forge an email and make it appear that: (1) The sending server is "juggling.com", (2) the email is coming from "dave@rocketman.com", and (3) the email is going to "root@YOURHOST" (where YOURHOST is the hostname you have already discovered for your own virtual machine).

So what are those fields in this case?
Type first? (hint - the helo):
Type second? (hint - from who):
Type third? (hint - to who):

Remember to include the entire line you would type in SMTP. Case and space sensitive, so always use lowercase in answering.

Question 5: Forge an email

Use all the envelope details from above to send an email. In the email body (the data section) send the following:

From: me@thegovernment.com
To: you@thepeople.com
Date: today
Subject: stupid

Please send me your bank details.

After the body remember to end the block with ".", then end the session with "quit".

Note: if you had to attempt this multiple times you need to make sure that there is only 1 email in root's mailbox and that the one which is there is the one you are forging. To delete extra ones run "mail", type the number of the one you don't want (e.g. "1"), then type "d" to delete it. To go back to the list of emails (if you have to deal with lots of them) type "h", and to quit type "q".

Tests: Email envelope detected in log; Email path includes juggling.com

Question 6: Hidden Path

Run the command:

grep -A 2 "Received:" /var/spool/mail/root

This gives the line with "Received:" on it, as well as the next 2 lines. Together these show the mail path. Here it is clear that "juggling.com" would have a real IP number, but the IP number in the path (on line 1, in the square brackets) is not that IP, so the email is forged. In Linux the dig command will give you the IP of a hostname.

Validate this by entering the IP number of juggling.com
IP of juggling.com?

Tests: IP of juggling.com
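The check described above, done in code rather than by eye, as an added example that is not part of the original tutorial: parse the "Received:" hops of a message and compare the bracketed connecting IP with the IP the claimed host should have. The message text, hostnames and the IP table are constructed placeholders (the real IP of juggling.com comes from dig, as the text says); the message also carries a hand-typed second hop of the kind Question 7 asks for, to show why only the hop written by your own server is trustworthy.

```python
import re

# Constructed sample message in sendmail's mbox layout (not copied from the page).
# Hop 1 was written by our own server: the sender said HELO juggling.com but
# really connected from localhost. Hop 2 was typed by the sender in the DATA
# section and names a plausible IP, so it looks genuine.
SAMPLE_MBOX = """From dave@rocketman.com  Mon Jan  6 10:00:00 2014
Received: from juggling.com (localhost [127.0.0.1])
    by host-1-1.linuxzoo.net (8.14.4/8.14.4) with SMTP id s06A00AB000123
    for root@host-1-1.linuxzoo.net; Mon, 6 Jan 2014 10:00:00 GMT
Received: from juggling.com (email.juggling.com [198.51.100.10])
    by host-1-1.linuxzoo.net (8.14.4/8.14.4) with SMTP id s06A00AB000122
    for root@host-1-1.linuxzoo.net; Mon, 6 Jan 2014 09:59:50 GMT
From: me@thegovernment.com
To: you@thepeople.com
Subject: stupid

Please send me your bank details.
"""

# Assumed (placeholder) address for the claimed host; fill this from dig in practice.
KNOWN_IPS = {"juggling.com": {"198.51.100.10"}}

# "from <helo-name> (<reverse-dns> [<ip>])" as sendmail writes it
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

def parse_received(msg):
    """Unfold the header block and return one dict per Received: header, top first."""
    headers, _, _ = msg.partition("\n\n")
    unfolded = re.sub(r"\n[ \t]+", " ", headers)   # join continuation lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line)
        if m:
            hops.append({"claimed": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    return hops

def check_hops(hops, known_ips):
    """For each hop return (claimed host, connecting ip, verdict)."""
    findings = []
    for hop in hops:
        expected = known_ips.get(hop["claimed"].lower())
        if expected is None:
            verdict = "unknown host"
        elif hop["ip"] in expected:
            verdict = "consistent"
        else:
            verdict = "forged"
        findings.append((hop["claimed"], hop["ip"], verdict))
    return findings
```

Only the topmost hop was added by a server you control; every hop below it arrived inside the DATA section and can say whatever the sender wants, which is why the second hop passes the check even though it never happened.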

Question 7: Better Forgery

Repeat the forged email exercise, but this time include one fake hop. Use the grep output to make the fake hop identical to the last one, except replace the IP number with the juggling.com IP and replace the hostname "localhost" with "email.juggling.com". MAKE SURE THAT ALL OTHER EMAILS HAVE BEEN DELETED from root's mailbox.

Tests: Only 1 email in mailbox; Email envelope detected in log; Email path includes juggling.com; 2 Received hops in email; Fake hop looks good


Copyright @ 2004-2014 Gordon Russell. All rights reserved.