SMTP Information gathering - Lluis Mora, Neutralbit - PowerPoint PPT Presentation



SLIDE 1

SMTP Information gathering

Lluis Mora, Neutralbit llmora@neutralbit.com

Black Hat Europe Amsterdam, NL // March 2007

security innovation

SLIDE 2

www.neutralbit.com


Introduction

  • E-mail is present in nearly every organization
  • We all understand how it works

– How envelope and headers work
– How it can be spoofed
– How it can be read in transit
– What a message looks like
– What to say and what to keep to ourselves

  • But what does a message tell about its sender?

SLIDE 3

SMTP Control information

  • What makes SMTP messages so interesting?
  • Control information is embedded in the message

– Some headers are mandatory, others can be stripped
– All of them usually end up stored in the mailbox

  • Mailing list archives

– Public logs of our communications
– Stored over the years
– The ultimate SMTP information gatherer source!

SLIDE 4

SMTP Network mapping

  • Received headers: an advanced “record route”

– Probably the most well-known information gathering aspect of SMTP
– Mandatory, per RFC2821: each node adds its header, no one touches the headers
– Used to prevent mail loops and debug delivery
– Strip with caution

SLIDE 5

SMTP Network mapping (II)

  • Each relay adds

– IP address of sending gateway
– FQDN of receiving server
– Transfer protocol
– MTA server software
– Timestamp, including time zone

Received: from relay.example.com (201.20.51.192) by neutralbit.com (Postfix) with ESMTP id 35B83500EC for <llmora@neutralbit.com>; Mon, 15 May 2006 20:26:52 +0000 (UTC)

SLIDE 6

SMTP Network mapping (III)

  • Not a traceroute…

– SMTP path, not at the IP level

  • … but has its own advantages

– Allows us to peek behind NAT and firewalls
– Point-to-point relaying
– It is initiated by the victim, part of the communication

  • Not rocket science

– Everybody knows about them, but are we conscious of what they tell about us?

SLIDE 7

SMTP Network mapping (IV)

  • Corporate IP subnetting

– Received header addresses are not translated
– Internal IP addressing scheme
– Type of connection to the internet

Received: from smtp.example.com (6.Net-45-12-192.dynamicIP.example.net [192.12.45.6]) by mail.example.org (Postfix) with ESMTP id 0AB0E147B1
Received: from smtp.example.com (smtp.example.com [172.18.5.21]) by mx1.example.com (8.11.6/8.11.6) with ESMTP id i82sokwis;
Received: from vaio (172.16.1.100) by smtp.example.com (Postfix) with ESMTP id i82shwk;
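An added example, not from the original deck, that parses a chain like the one above into an SMTP path and reports which hops expose private addressing. The two headers are constructed from this slide's values, and the regular expressions assume the common "from host (comment) by host (software) with protocol" layout rather than the full RFC 2821 grammar.

```python
import ipaddress
import re

# Constructed from the slide above. Received headers read top-down, but every
# relay prepends its own line, so the last one is the first hop (the client).
RECEIVED = [
    "Received: from smtp.example.com (smtp.example.com [172.18.5.21]) "
    "by mx1.example.com (8.11.6/8.11.6) with ESMTP id i82sokwis;",
    "Received: from vaio (172.16.1.100) by smtp.example.com (Postfix) "
    "with ESMTP id i82shwk;",
]

# Assumed layout: "from <host> <comments> by <host> (<software>) with <proto> ..."
HOP_RE = re.compile(
    r"from\s+(?P<frm>\S+)(?P<frm_rest>.*?)\s+by\s+(?P<by>\S+)(?P<by_rest>.*)",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def first_ipv4(text):
    for cand in IPV4_RE.findall(text):
        try:
            return str(ipaddress.IPv4Address(cand))
        except ValueError:  # e.g. 999.1.1.1 inside a queue id
            continue
    return None

def parse_hop(header):
    """Describe one Received header; None if it does not follow the assumed layout."""
    m = HOP_RE.search(header.partition(":")[2] or header)
    if not m:
        return None
    ip = first_ipv4(m.group("frm") + " " + m.group("frm_rest"))
    soft = re.search(r"\(([^)]*)\)", m.group("by_rest"))
    proto = re.search(r"\bwith\s+(\S+)", m.group("by_rest"))
    return {
        "from": m.group("frm").strip("[]"),
        "ip": ip,
        "internal": ip is not None and ipaddress.ip_address(ip).is_private,
        "by": m.group("by"),
        "software": soft.group(1) if soft else None,
        "protocol": proto.group(1) if proto else None,
    }

def smtp_path(headers):
    # hops in delivery order, oldest (closest to the sender) first
    return [h for h in map(parse_hop, reversed(headers)) if h]

def leaked_internal_hops(headers):
    # private addresses a recipient can read straight out of the message
    return [h["ip"] for h in smtp_path(headers) if h["internal"]]
```

Running it over your own outbound mail archive shows which internal relays and client addresses already reach the outside.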

SLIDE 8

SMTP Network mapping (V)

  • Corporate Internet access policies

– Centralized Internet access?
– Each location has a public connection?

Received: from mx1.uk.example.com ([195.166.192.8]) by vger.kernel.org
From: John Doe <jdoe@uk.example.com>
Received: from smtp.de.example.com ([32.1.120.11]) by vger.kernel.org
From: Pam Plinas <pplinas@de.example.com>

SLIDE 9

SMTP Network mapping (VI)

  • Server fingerprinting

– Software and versions
– Location based on time zones

Received: from mx2.example.mil [192.18.1.12] by gatekeeper with POP3 (fetchmail-6.3.0) for <jdoe@example.com> (single-drop); Mon, 02 Jan 2006 14:43:41 -0800 (PST)
Received: from mx1.example.mil ([192.168.1.2]) by mx2.example.mil with Microsoft SMTPSVC(6.0.3790.211); Tue, 3 Jan 2006 07:44:01 +0900

SLIDE 10

SMTP Network mapping (VI)

  • Relay link information

– SMTP Link encryption

Received: from lappy (192.168.1.4) by pub.example.net (qmail) with ESMTP ID MG0007DA (SSL/TLS, 3DES, CBC mode, keysize 192 bits); 8 Sep 2006 16:40:03 +0200
Received: from [24.26.7.196] (ilm.example.com [24.26.7.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested)

SLIDE 11

SMTP Network mapping (VII)

  • Graphic representation of SMTP paths

– Definitively flashier than staring at logs
– Parsing of “Received” headers is challenging
– Absorb more information at once
– One image…

  • A few examples

– Data extracted from Linux kernel mailing list
– Around 3 months in early 2006

SLIDE 12

SMTP Network mapping (VIII)

spot the telecommuters …

SLIDE 13

SMTP Network mapping (VII)

… target selection?

SLIDE 14

SMTP Network mapping (IX)

where is wally?

SLIDE 15

Client fingerprinting

  • Based on a different set of headers

– User-Agent
– X-Mailer
– X-MIME-OLE

  • Excellent level of details

– Down to the patch level

  • Not used for anything else

SLIDE 16

Client fingerprinting (II)

X-Mailer: Microsoft Office Outlook, Build 11.0.5510
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
X-Mailer: ColdFusion MX Application Server
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Mailer: Evolution 2.2.3 (2.2.3-4.fc4)
X-Mailer: iPlanet Messenger Express 5.2 Patch 2 (built Jul 14 2004)
X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001
User-Agent: SquirrelMail/1.4.3a
User-Agent: Wanderlust/2.12.0 (Your Wildest Dreams) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 APEL/10.6 MULE XEmacs/21.5 (beta21) (corn) (+CVS-20050720) (i386-suse-linux)

SLIDE 17

Client application usage

  • Long term analysis

– If we get access to a long stretch of messages
– Plot client mailers over time…
– … then add mailer release dates

SLIDE 18

Client application usage (II)

  • Organization trend analysis

– With enough e-mails, we can find out details about the organization policies
– Patching policies
– Application usage
– Security gaps
– Policy exceptions

  • …maybe not just for SMTP servers?

SLIDE 19

Usage trends

  • Other interesting facts can be guessed

– Same e-mail address + alternating mailers + multiple IP addresses → multiple locations (home / work?)
– Same e-mail address + same mailer + multiple IP addresses → take the laptop home
– Various e-mail domains + same mailer + same IP address → non-corporate mail at work
– Changing “Date” time zones → user on the go?
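The four rules on this slide turned into code, as an added example that is not part of the deck. The message records are constructed (sender, mailer header, first-hop IP and Date time zone, already extracted per message); the mailer strings are the ones from slide 16.

```python
from collections import defaultdict

# Constructed sample: (sender, mailer header, IP of the first Received hop,
# Date time zone) per archived message. Mailer strings are from slide 16.
MESSAGES = [
    ("alice@example.com", "Thunderbird 1.5.0.7 (Windows/20060909)", "203.0.113.10", "+0100"),
    ("alice@example.com", "Microsoft Office Outlook, Build 11.0.5510", "198.51.100.7", "+0100"),
    ("bob@example.com", "Evolution 2.2.3 (2.2.3-4.fc4)", "203.0.113.10", "+0100"),
    ("bob@example.com", "Evolution 2.2.3 (2.2.3-4.fc4)", "198.51.100.9", "+0100"),
    ("bob@example.com", "Evolution 2.2.3 (2.2.3-4.fc4)", "198.51.100.9", "-0500"),
    ("carol@example.net", "Evolution 2.2.3 (2.2.3-4.fc4)", "203.0.113.10", "+0100"),
]

def profile_senders(messages):
    """Per sender: the set of mailers, source IPs and time zones observed."""
    prof = defaultdict(lambda: {"mailers": set(), "ips": set(), "zones": set()})
    for addr, mailer, ip, tz in messages:
        prof[addr]["mailers"].add(mailer)
        prof[addr]["ips"].add(ip)
        prof[addr]["zones"].add(tz)
    return prof

def usage_hints(messages):
    """Apply the slide's heuristics; keys are sender addresses or source IPs."""
    hints = defaultdict(set)
    for addr, p in profile_senders(messages).items():
        if len(p["ips"]) > 1 and len(p["mailers"]) > 1:
            hints[addr].add("multiple locations (home / work?)")
        elif len(p["ips"]) > 1:  # one mailer seen from several addresses
            hints[addr].add("take the laptop home")
        if len(p["zones"]) > 1:
            hints[addr].add("user on the go?")
    # various e-mail domains + same mailer + same IP -> non-corporate mail at work
    domains = defaultdict(set)
    for addr, mailer, ip, _ in messages:
        domains[(ip, mailer)].add(addr.rsplit("@", 1)[1])
    for (ip, mailer), seen in domains.items():
        if len(seen) > 1:
            hints[ip].add("non-corporate mail at work")
    return dict(hints)
```

The same pass over an organization's own list postings shows which of these inferences an outsider could already draw about its staff.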

SLIDE 20

Other interesting headers

  • Indirect sources of information

– Implementation differences

  • Ordering of headers
  • Quoted replies

– Custom X-Headers

  • X-Originating-IP, etc.
  • Antivirus / Antispam

– Message contents

  • User data
  • Encoding data

Subject: Re: [RELEASE 4] Testing patch #49192
Date: Tue, 21 Feb 2006 10:21:14 +0100
X-Originating-IP: 10.2.1.122
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-1
X-Spam-Status: No, score=-1.4 required=2.0

SLIDE 21

Other interesting headers (II)

  • Indirect sources of information

– Encoded data in unsuspecting headers

Message-ID: <Pine.LNX.4.21.0611280421440.26304-100000@example.org>
Message-ID: <1103.203.41.53.196.1128283359.squirrel@mail.example.com>
Message-ID: <11363603.1154544476739.JavaMail.root@as.example.net>
Content-Type: multipart/mixed; boundary=Apple-Mail-1--944594902

SLIDE 22

Conclusions

  • Strip unneeded information at border gateways whenever possible
  • Find out what has already leaked and fix it
  • Analysis relies on client-provided data, handle with care
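The first conclusion as an added example (not code from the deck or from Neutralbit): an outbound-gateway scrub that drops the client-fingerprint and internal-address headers the slides list while leaving the Received chain in place. The message is constructed from the deck's sample values; STRIP_HEADERS is an assumed policy list.

```python
import email

# Headers the deck singles out as client fingerprints or internal addressing.
# None of them is needed for delivery, so an outbound gateway can drop them;
# Received headers stay, per RFC 2821 (strip those only with caution).
STRIP_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE", "X-Originating-IP")

# Constructed outbound message built from the deck's sample values.
RAW = (
    "Received: from vaio (172.16.1.100) by smtp.example.com (Postfix) with ESMTP id i82shwk;\r\n"
    "From: John Doe <jdoe@example.com>\r\n"
    "To: list@example.org\r\n"
    "Subject: Re: [RELEASE 4] Testing patch #49192\r\n"
    "Date: Tue, 21 Feb 2006 10:21:14 +0100\r\n"
    "X-Mailer: Microsoft Office Outlook, Build 11.0.5510\r\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962\r\n"
    "X-Originating-IP: 10.2.1.122\r\n"
    "Message-ID: <constructed-1@example.com>\r\n"
    "\r\n"
    "Looks good to me.\r\n"
)

def scrub_outbound(raw):
    """Return (scrubbed message text, names of the headers that were removed)."""
    msg = email.message_from_string(raw)
    removed = []
    for name in STRIP_HEADERS:
        if name in msg:       # header names compare case-insensitively
            removed.append(name)
            del msg[name]     # drops every instance of that header
    return msg.as_string(), removed

def header_names(text):
    """Header names present in a message, in order, for before/after checks."""
    return list(email.message_from_string(text).keys())

if __name__ == "__main__":
    scrubbed, gone = scrub_outbound(RAW)
    print("removed:", gone)
    print(scrubbed)
```

On a Postfix border gateway the same effect is obtained with header_checks rules whose action is IGNORE.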
SLIDE 23

Thank you!

Lluis Mora llmora@neutralbit.com

World Trade Center - Edificio Sur, 2ª Planta, Moll de Barcelona, Barcelona, E-08039 Spain T: +34 933 443 224 - F: +34 933 443 299 – info@neutralbit.com – http://www.neutralbit.com