Penetration Testing mailing list archives
Re: Anyone recognises this ?
From: H D Moore <sflist () digitaloffense net>
Date: Wed, 3 Jul 2002 16:56:57 -0500
The banner you see is actually a PIX firewall wrapping the SMTP connection. The goal is to enable only a specific set of commands, thereby protecting the SMTP daemon from any information gathering attacks. There is a bug in some releases which don't accurately maintain the "state" of the SMTP connection and allow for arbitrary commands to be sent to the backend server. You do this by specifying a DATA command before the RCPT TO, followed immediately by the command you want to send. So to fingerprint the backend service, you would send something like this:

    telnet xxx.xxx.xxx.xxx 25
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.
    220*********************************************0************200**************
    HELO
    250 somehost Ok
    MAIL FROM: user () example org
    250 Ok
    DATA
    503 No recipients: need RCPT
    HELP
    214-Commands:
    214-    HELO    MAIL    RCPT    DATA    RSET
    214-    NOOP    QUIT    HELP    VRFY    ETRN
    214-    XEXCH50 STARTTLS AUTH
    214 End of HELP info
    354 Enter mail, end with "." on a line by itself

Without that initial "DATA", the HELP command would return an "invalid command" or similar response... The HELP output above would identify this as an Exchange 5.x Internet Mail Service. More information about this bug in particular can be found here:

http://online.securityfocus.com/bid/3365

-HD

On Wednesday 03 July 2002 12:27, Marco van Berkum wrote:
Can anyone tell me what mailserver this is ? It's running on a Novell machine (hostname has been changed)

    ws# telnet xxx.xxx.xxx.xxx 25
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.
    220 *********************************************0************200**************
    *******
    helo
    250 somehost Ok
    mail from: marco () obit nl
    250 Ok
    rcpt to: user@somehost
    250 Ok
    data
    354 Enter mail, end with "." on a line by itself
    test
    .
    250 Ok
    quit
    221 somehost Closing transmission channel
    Connection closed by foreign host.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
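As an added example (not code from the thread or from the products it discusses), a small SMTP command-sequence check in Python that models the expected HELO/MAIL/RCPT/DATA order and flags the DATA-before-RCPT sequence HD describes, the thing a stateful proxy or mail IDS should catch. The two sessions are constructed from the transcripts above with shortened addresses; function and constant names are my own.

```python
# Minimal SMTP command-sequence auditor (added example, not from the thread).
# It models the RFC 821 command order (HELO -> MAIL -> RCPT -> DATA) and
# flags a DATA issued before any RCPT TO, reporting the command that
# immediately follows it, which is the pattern the PIX fixup mishandled.

ANY_STATE = {"RSET", "NOOP", "QUIT", "HELP"}          # legal at any point
ALLOWED = {                                           # state -> permitted verbs
    "start":   {"HELO", "EHLO"},
    "greeted": {"MAIL"},
    "mail":    {"RCPT"},
    "rcpt":    {"RCPT", "DATA"},
}
NEXT = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
        "RCPT": "rcpt", "DATA": "greeted", "RSET": "greeted"}

def verb(line):
    """Return the upper-cased SMTP verb of a client command line ('' if blank)."""
    parts = line.split()
    return parts[0].upper().rstrip(":") if parts else ""

def audit_commands(lines):
    """Walk client command lines through the state machine.

    Returns a list of (index, verb, state_when_seen, note) findings.
    A rejected command leaves the state unchanged, as a real server would,
    so the command after a premature DATA is judged against the state the
    server is still in. Verbs outside the model are reported as unknown.
    """
    state, findings = "start", []
    for i, line in enumerate(lines):
        v = verb(line)
        if not v:
            continue
        if v in ANY_STATE:
            state = NEXT.get(v, state)
            continue
        if v in ALLOWED[state]:
            state = NEXT[v]
            continue
        note = "out of order" if v in NEXT else "unknown verb"
        if v == "DATA" and i + 1 < len(lines):
            note = f"DATA without prior RCPT TO, followed by {verb(lines[i + 1])}"
        findings.append((i, v, state, note))
    return findings

# Constructed from the two transcripts in the thread (addresses shortened).
NORMAL_SESSION = ["helo", "mail from: marco@example.net",
                  "rcpt to: user@somehost", "data", "quit"]
PROBE_SESSION = ["HELO", "MAIL FROM: user@example.org", "DATA", "HELP"]
```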
Current thread:
- Anyone recognises this ? Marco van Berkum (Jul 03)
- Re: Anyone recognises this ? H D Moore (Jul 03)
- <Possible follow-ups>
- Re: Anyone recognises this ? Marco van Berkum (Jul 03)