
Week 4B - Forging Emails


Forged Emails


In this short tutorial we will forge some emails and analyse them.

Question 1: Email Server Running

Before you start you must be running a mail server. In Kali, the server to use is exim4. Start this service by typing

service exim4 start


Question 2: Local delivery

We are sending emails to ourselves. Find out what your hostname is by running "hostname".

What is your hostname?
hostname:


Question 3: Telnet line

We are going to forge an email to ourselves.

Using the normal IP number of localhost, what would be the telnet command needed to telnet to the SMTP port of localhost? This is case-sensitive and space-sensitive. Use only numerical IP and port.
Telnet command:


Question 4: Use the telnet command

Use this telnet command (and use QUIT in the telnet session) to test the connection. The MTA (Mail Transport Agent) server should identify itself with a string "ESMTP MTANAME Version". What is the version of the MTA?
MTA version:


Question 5: Envelope Information

We want to forge an email and make it appear that: (1) The sending server is "juggling.com", (2) the email is coming from "dave@rocketman.com", and (3) the email is going to "root@YOURHOST" (where YOURHOST is the hostname you have already discovered for your own virtual machine).

So what are those fields in this case?
Type first? (hint - the helo):
Type second? (hint - from who):
Type third? (hint - to who):

Remember to include the entire line you would type in SMTP. Case and space sensitive, so always use lowercase in answering.


Question 6: Forge an email

Use the above information to send an email. Use all the details from above. In the email body (the data section) send the following:

From: me@thegovernment.com
To: you@thepeople.com
Date: today
Subject: stupid

Please send me your bank details.
Boss
.

After the body remember to end the block with ".", then end the session with "quit".

In Kali, mail for "root" actually goes to a user called "mail". To read the mail for "mail", do:

su mail -c mail

Inside mail, type "1" to read email number 1, "h" to see the list of emails in the mailbox, and "d 1" to delete an email, where "1" is the number of the mail to delete. Press "q" to quit mail; this is what actually deletes the email, as it does not get deleted until you q out of mail.

Note: make sure that there is only 1 email in the mailbox and that the one which is there is the one you are forging. Remember to "q" out of mail.


Question 7: Hidden Path

Run the command:

grep -A 5 "Received:" /var/spool/mail/mail

This gives the line with "Received:" on it, as well as the 5 lines after it (the -A 5). This shows the mail path. Here it is clear that "juggling.com" would have an IP number, but the IP number in the path (on line 1, in the square brackets) is the IP of localhost and not of juggling.com. Thus it is forged. On Linux, the dig command will give you the IP.

Validate this by entering the IP number of juggling.com
IP of juggling.com?


Question 8: Better Forgery

Repeat the forged email exercise, but this time include one fake hop. Use the grep information to make the hop identical to the last one, except this time replace 127.0.0.1 with the juggling.com IP and replace the hostname "localhost" with "email.juggling.com". MAKE SURE THAT ALL OTHER EMAILS HAVE BEEN DELETED from root's mailbox.

So if the header was:

Received: from localhost ([::1] helo=juggling.com)
        by host-19-17.linuxzoo.net with smtp (Exim 4.80)
        (envelope-from <dave@rocketman.com>)
        id 1WIgrz-00021U-Ge
        for root@host-19-17.linuxzoo.net; Wed, 26 Feb 2014 15:58:09 +0000

Then you would use this whole entry, but replace [::1] with [fakeIP] (i.e. the IP of the real juggling.com) and "from localhost" with "from email.juggling.com".
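The analysis side of Questions 7 and 8, as an added example that is not part of the original tutorial: it pulls the Received: headers out of a mailbox entry, and flags the giveaways a reader of the path would look for (a HELO name sitting on a loopback peer, a HELO name whose IP does not match the bracketed one, and a chain of hops that does not join up). The mailbox text, the 203.0.113.10 address and the DNS table are constructed stand-ins for the real mail, the real juggling.com IP and the output of dig.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the page): the top Received: line is the one Exim itself
# added; the second is a typed-in fake hop of the kind Question 8 asks for.
SAMPLE_MAIL = """\
Received: from localhost ([127.0.0.1] helo=juggling.com)
        by host-19-17.linuxzoo.net with smtp (Exim 4.80)
        (envelope-from <dave@rocketman.com>)
        for root@host-19-17.linuxzoo.net; Wed, 26 Feb 2014 15:58:09 +0000
Received: from email.juggling.com ([203.0.113.10] helo=juggling.com)
        by host-19-17.linuxzoo.net with smtp (Exim 4.80)
        (envelope-from <dave@rocketman.com>)
        for root@host-19-17.linuxzoo.net; Wed, 26 Feb 2014 15:58:09 +0000
From: me@thegovernment.com
To: you@thepeople.com

Please send me your bank details.
"""

# Hypothetical stand-in for "dig", so the example runs offline (not juggling.com's real IP).
DNS = {"juggling.com": "203.0.113.10"}

HOP_RE = re.compile(r"from (\S+) \(\[([^\]]+)\](?: helo=([^\s)]+))?\) by (\S+)")


def parse_hops(raw):
    """One dict per Received: header, topmost (most recently added) first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the multi-line header first
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2),
                         "helo": m.group(3) or m.group(1), "by": m.group(4)})
    return hops


def audit_hops(hops, dns=DNS):
    """Flag the giveaways from Questions 7 and 8: loopback peer, HELO/IP mismatch, broken chain."""
    findings = []
    for i, h in enumerate(hops):
        if ipaddress.ip_address(h["ip"]).is_loopback and h["helo"] not in ("localhost", h["by"]):
            findings.append(f"hop {i}: HELO {h['helo']} but the peer is loopback {h['ip']}")
        elif dns.get(h["helo"]) not in (None, h["ip"]):
            findings.append(f"hop {i}: {h['helo']} resolves to {dns[h['helo']]}, not {h['ip']}")
        # Each hop's "from" host should be the "by" host of the hop beneath it.
        if i + 1 < len(hops) and hops[i + 1]["by"] != h["from"]:
            findings.append(f"hop {i}: from {h['from']}, but hop {i + 1} says {hops[i + 1]['by']} handled it")
    return findings
```

Run audit_hops(parse_hops(SAMPLE_MAIL)) to see both findings on the genuine hop: the loopback peer behind the juggling.com HELO, and the fact that the fake hop below it claims our own host handled the mail when our host says it came from localhost.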




Copyright @ 2004-2014 Gordon Russell. All rights reserved.