what have i found?

  1. #1

    what have i found?

    i was poking around on this site, trying to find possible exploits (before anyone starts flaming, i was given permission to do so). anyway, i was playing around with the smtp on port 25 and i created a log of what i had made. the log is below; after the log, i stated what i had concluded and my general questions.
    ----------------

    220 websvr.txxx.org ESMTP Service (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

    ehlo txxx.org
    250-websvr.txxx.org Hello [my ip address]
    250-XEXCH50
    250-HELP
    250-ETRN
    250-DSN
    250-SIZE 0
    250-AUTH LOGIN
    250-AUTH=LOGIN
    auth login
    334 VXNLcm5hbWU6
    auth=login
    501 garbled Base64 data
    auth Username:
    504 Authentication mechanism unsupported
    auth VXNLcm5hbWU6
    504 Authentication mechanism unsupported
    help
    214-Commands:
    214- HELO MAIL RCPT DATA RSET
    214- NOOP QUIT HELP VRFY ETRN
    214- XEXCH50 STARTTLS AUTH
    214 End of HELP info
    ---------------------------------
    it gave me the garbled Base64 data and i used a decryptor to decipher it. it came out only to say ' Username:'. what is the purpose of having this encrypted in the first place? it seems invaluable. it couldn't be a password, could it?? however, i tried this on other sites and i could not use the two commands 'auth login' and 'auth=login'. the access was restricted. is there a possible hole here? i have tried mr. google and could not find anything. the command 'auth login' would lead me to believe it had something to do with the postmaster's login, but it seemed irrelevant. thanks for your time, i am grateful to listen to any possible ideas that it may be.

  2. #2
    Senior Member (joined Jun 2002, 165 posts)
    auth=login
    501 garbled Base64 data
    it was expecting a base64 encoded response (in this case the '=' is an illegal character).

    it came out only to say, ' Username:' what is the purpose of having this encrypted in the first place
    it's just a prompt, there's really not a big security issue with it being encoded instead of encrypted. as far as why even bother...? without researching it, my guess would be it's either a standard for this method of authentication or just another microsoft quirk/perk (take your pick).

    is there a possible hole here?
    considering you have the ability to login - sure. considering it's microsoft and you'll be creating a luid with a successful login - you bet. but it's actually intended as a preventative mechanism against anonymous usage (typically where relaying and spam comes from).
    -droby10

  3. #3
    roswell1329, Senior Member (joined Jan 2002, 670 posts)
    What exactly are you trying to do? Log into an SMTP server? I didn't think you could "log" into an SMTP server -- per se. SMTP servers are for sending email. The only commands that the service should require are the HELO, MAIL TO, RCPT, and DATA. The server you're connecting to (websvr.txxx.org) probably is simply not configured to block email relay requests. Most mail servers are configured to block any attempts to send mail (and possibly other commands) unless you are connected to the same subnet as the mail server. This prevents malicious individuals from using your mail server for spam, or for anonymizing.
    At least, that's how I understand it.
    /* You are not expected to understand this. */

  4. #4
    Senior Member (joined Jun 2002, 165 posts)
    with esmtp you can restrict the ability to send with a valid login.
    -droby10

  5. #5
    a few questions from the replies you gave. you said here that:

    auth=login
    501 garbled Base64 data
    --it was expecting a base64 encoded response (in this case the '=' is an illegal character). --
    all i used was one of the commands given to me at the beginning.


    and then your response to this:

    is there a possible hole here?
    --considering you have the ability to login - sure. considering it's microsoft and you'll be creating a luid with a successful login - you bet. but it's actually intended as a preventative mechanism against anonymous usage (typically where relaying and spam comes from).---
    how do i have the ability to login? all i have is something that says username: is that like a backdoor?

    and this statement:
    "with esmtp you can restrict the ability to send with a valid login."
    that you gave, all you would need would be a username/password to shut down the mail sending completely? that seems like a hazard. thanks for your time

  6. #6
    Senior Member (joined Jun 2002, 165 posts)
    all i used was one of the commands given to me at the beginning.
    in your original dialog you issued the auth login command, the response to that was:
    334 VXNLcm5hbWU6
    which is the username prompt. it was expecting a response rather than another command.


    how do i have the ability to login? all i have is something that says username: is that like a backdoor?
    not a backdoor - just an authentication mechanism. it's no different in purpose than say BASIC authentication on a web server. it simply identifies you as a user on the system.


    all you would need would be a username/password to shutdown the mail sending completly? that seems like a hazard
    as far as i know there are not any official management commands available through esmtp. although, i'm sure someone has implemented it somewhere. the reason for requiring a username and password is not to manage the service but to be able to send mail through it. in this way unauthorized users can't use the service for spam or relaying purposes.
    -droby10
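An added example, not code from the thread or from any mail server: a small Python simulator of the server side of the AUTH LOGIN exchange and of the relay policy described in posts #2, #3 and #6. It reproduces the replies seen in the original log (the 334 challenge is just base64 of the prompt "Username:", so the server expects a bare base64 reply next and answers anything else with 501 or 504), shows how a client answers the two challenges, and then applies the relay rule: RCPT to a foreign domain is accepted only from an authenticated session or from a client on the server's own subnet. The user table, the local subnet 192.0.2.0/24, the client addresses, the accepted domain and the exact reply strings are constructed for this example; the require_tls option is a hardening setting, not something the server in the log did.

```python
import base64
import binascii
import ipaddress

# Constructed values for the simulator only; none of these come from the thread.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the server's own subnet (assumed)
LOCAL_DOMAINS = {"txxx.org"}                         # domains the server accepts mail for
USERS = {"alice": "correct-horse"}                   # stand-in credential table


def decode_challenge(line):
    """Decode a '334 <base64>' server challenge and return the prompt text."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("not a 334 AUTH challenge: %r" % line)
    return base64.b64decode(payload, validate=True).decode("ascii")


def encode_response(text):
    """Base64 is an encoding, not encryption: anyone on the path can reverse it."""
    return base64.b64encode(text.encode("ascii")).decode("ascii")


def login_responses(user, password):
    """The two lines a client sends in reply to the Username:/Password: challenges."""
    return [encode_response(user), encode_response(password)]


class SmtpAuthSim:
    """Server-side simulator: AUTH LOGIN state machine plus a relay policy."""

    def __init__(self, client_ip, require_tls=False):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.require_tls = require_tls  # hardened setting: no AUTH on a cleartext session
        self.tls = False
        self.state = "command"          # command | want_user | want_pass
        self.user = None
        self.authenticated = False

    def handle(self, line):
        if self.state != "command":
            return self._auth_step(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            self.tls = True
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if self.require_tls and not self.tls:
                return "530 Must issue a STARTTLS command first"
            if arg.strip().upper() != "LOGIN":
                return "504 Authentication mechanism unsupported"
            self.state = "want_user"
            return "334 " + encode_response("Username:")
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb in ("HELO", "EHLO", "MAIL", "DATA", "RSET", "NOOP", "QUIT", "HELP"):
            return "250 OK"
        return "500 Command unrecognized"

    def _auth_step(self, line):
        # While a challenge is outstanding, the only valid input is a base64 reply;
        # a command such as 'auth=login' is not valid base64, hence the 501.
        try:
            text = base64.b64decode(line.strip(), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            self.state = "command"
            return "501 garbled Base64 data"
        if self.state == "want_user":
            self.user, self.state = text, "want_pass"
            return "334 " + encode_response("Password:")
        self.state = "command"
        if USERS.get(self.user) == text:
            self.authenticated = True
            return "235 Authentication successful"
        self.user = None
        return "535 Authentication failed"

    def _rcpt(self, arg):
        # Relay policy: local domains always; other domains only for an
        # authenticated session or a client on the server's own subnet.
        raw = arg.strip()
        if raw[:3].upper() == "TO:":
            raw = raw[3:]
        addr = raw.strip().strip("<>")
        domain = addr.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS:
            return "250 Recipient OK"
        if self.authenticated or any(self.client_ip in net for net in LOCAL_NETS):
            return "250 Recipient OK (relay permitted)"
        return "550 Unable to relay for " + addr


def replay(lines, client_ip="198.51.100.7", require_tls=False):
    """Feed client lines to a fresh simulator and return the server's replies."""
    sim = SmtpAuthSim(client_ip, require_tls)
    return [sim.handle(line) for line in lines]


if __name__ == "__main__":
    # Replay of the four AUTH lines from the log in post #1.
    for reply in replay(["auth login", "auth=login", "auth Username:", "auth VXNLcm5hbWU6"]):
        print(reply)
```

Because base64 is reversible, the username and password a client sends in reply to the challenges are effectively cleartext on the wire; the require_tls switch shows the usual mitigation of refusing AUTH until STARTTLS has been negotiated. The relay check is what turns a login into something useful for a spammer and is why the posters above call the mechanism a preventative one.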

  7. #7
    roswell1329, Senior Member (joined Jan 2002, 670 posts)
    as far as i know there are not any official management commands available through esmtp.
    Try typing HELP at the prompt after you connect. If ESMTP is anything like standard unix SMTP, then it will list all the available commands for you.

    In fact, one of the RED HAT machines that I connect to occasionally uses ESMTP....here's what I got when I typed HELP:

    214-2.0.0 This is sendmail version 8.11.2
    214-2.0.0 Topics:
    214-2.0.0 HELO EHLO MAIL RCPT DATA
    214-2.0.0 RSET NOOP QUIT HELP VRFY
    214-2.0.0 EXPN VERB ETRN DSN AUTH
    214-2.0.0 STARTTLS
    214-2.0.0 For more info use "HELP <topic>".
    214-2.0.0 To report bugs in the implementation send email to
    214-2.0.0 sendmail-bugs@sendmail.org.
    214-2.0.0 For local information send email to Postmaster at your site.
    214 2.0.0 End of HELP info
    Everything in caps is a command.
    /* You are not expected to understand this. */

  8. #8
    i showed all the commands i got in my log when i used help. look closely. thanks fellas for your answers, i appreciate it
