Penetration Testing mailing list archives

Re: Anyone recognises this ?


From: H D Moore <sflist () digitaloffense net>
Date: Wed, 3 Jul 2002 16:56:57 -0500

The banner you see is actually a PIX firewall wrapping the SMTP connection. 
The goal is to enable only a specific set of commands, thereby protecting the 
SMTP daemon from any information gathering attacks. There is a bug in some 
releases which don't accurately maintain the "state" of the SMTP connection 
and allow for arbitrary commands to be sent to the backend server. You do 
this by specifying a DATA command before the RCPT TO, followed immediately by 
the command you want to send. So to fingerprint the backend service, you 
would send something like this:

telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220*********************************************0************200**************
HELO
250 somehost Ok
MAIL FROM: user () example org
250 Ok
DATA
503 No recipients: need RCPT
HELP
214-Commands:
214-     HELO     MAIL     RCPT     DATA     RSET
214-     NOOP     QUIT     HELP     VRFY     ETRN
214-     XEXCH50  STARTTLS AUTH
214 End of HELP info
354 Enter mail, end with "." on a line by itself

Without that initial "DATA", the HELP command would return an "invalid 
command" or similar response... The HELP output above would identify this as 
an Exchange 5.x Internet Mail Service. More information about this bug in 
particular can be found here:

http://online.securityfocus.com/bid/3365

-HD


On Wednesday 03 July 2002 12:27, Marco van Berkum wrote:
Can anyone tell me what mailserver this is ?
It's running on a Novell machine (hostname has been changed)

ws# telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220 *********************************************0************200*********************
helo
250 somehost Ok
mail from: marco () obit nl
250 Ok
rcpt to: user@somehost
250 Ok
data
354 Enter mail, end with "." on a line by itself
test
.
250 Ok
quit
221 somehost Closing transmission channel
Connection closed by foreign host.
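
Added example, not part of the original messages: a small Python check that replays a captured SMTP transcript and reports commands outside a filter's allowlist that the server still answered after it had rejected a DATA, which is the out-of-sequence pattern described above. The function name, the allowlist contents and both transcripts are assumptions constructed for illustration.

```python
# Added example: names, allowlist and transcripts are constructed for illustration.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed filter allowlist

def audit(transcript):
    """transcript: list of ("C" or "S", line) pairs in wire order.
    Returns (command, reply_code) for each command outside ALLOWED that the
    server answered with a non-5xx reply after it had rejected a DATA."""
    findings = []
    in_data = False        # set only when the server answers DATA with 354
    rejected_data = False  # a DATA was answered with anything other than 354
    pending = None         # client command still waiting for its reply
    for side, line in transcript:
        if side == "C":
            if in_data:                # message body lines are not commands
                if line == ".":
                    in_data, pending = False, None
                continue
            words = line.split()
            pending = words[0].upper() if words else ""
            continue
        if line[3:4] == "-" or pending is None:
            continue                   # continuation line or unsolicited reply
        code = line[:3]
        if pending == "DATA":
            in_data = code == "354"
            rejected_data = rejected_data or not in_data
        elif pending not in ALLOWED and rejected_data and not code.startswith("5"):
            findings.append((pending, code))
        pending = None
    return findings

# Constructed transcripts modelled on the two sessions in this thread.
OUT_OF_ORDER = [
    ("S", "220 ****"), ("C", "HELO"), ("S", "250 somehost Ok"),
    ("C", "MAIL FROM: user@example.org"), ("S", "250 Ok"),
    ("C", "DATA"), ("S", "503 No recipients: need RCPT"),
    ("C", "HELP"), ("S", "214-Commands:"), ("S", "214 End of HELP info"),
    ("S", '354 Enter mail, end with "." on a line by itself')]
NORMAL = [
    ("S", "220 ****"), ("C", "helo"), ("S", "250 somehost Ok"),
    ("C", "mail from: user@example.org"), ("S", "250 Ok"),
    ("C", "rcpt to: user@somehost"), ("S", "250 Ok"),
    ("C", "data"), ("S", '354 Enter mail, end with "." on a line by itself'),
    ("C", "test"), ("C", "."), ("S", "250 Ok"),
    ("C", "quit"), ("S", "221 somehost Closing transmission channel")]

if __name__ == "__main__":
    print(audit(OUT_OF_ORDER), audit(NORMAL))
```

The check keys data mode on the server's 354 reply rather than on the client's DATA command, so a rejected DATA never switches it out of command mode.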

