We can also gather information about a host or network from vulnerable mail servers. The Simple Mail Transport Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These commands are often abused to identify existing users on a mail server, which is useful information during a penetration test. Consider the following example:
kali@kali:~$ nc -nv 192.168.50.8 25
(UNKNOWN) [192.168.50.8] 25 (smtp) open
220 mail ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY idontexist
550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table
^C
Here we can see how the success and error responses differ. The SMTP server readily confirms whether a user exists. This technique can be used to identify valid usernames in an automated fashion. Now let's look at the following Python script, which opens a TCP socket, connects to the SMTP server, and issues a VRFY command for the supplied username:
#!/usr/bin/python
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <username> <target_ip>")
    sys.exit(0)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server
ip = sys.argv[2]
s.connect((ip, 25))

# Receive the banner
banner = s.recv(1024)
print(banner)

# VRFY a user
user = (sys.argv[1]).encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)
print(result)

# Close the connection
s.close()
To run this script, we only need to supply the username to check as the first argument and the target IP address as the second.
kali@kali:~/Desktop$ python3 smtp.py root 192.168.50.8
b'220 mail ESMTP Postfix (Ubuntu)\r\n'
b'252 2.0.0 root\r\n'
kali@kali:~/Desktop$ python3 smtp.py johndoe 192.168.50.8
b'220 mail ESMTP Postfix (Ubuntu)\r\n'
b'550 5.1.1 <johndoe>: Recipient address rejected: User unknown in local recipient table\r\n'
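The difference between the 252 and 550 replies above is what discloses valid accounts, so a hardening check can compare the VRFY reply for a known account with the reply for a made-up one. The following is an added example, not part of the original text: the function names are hypothetical, it works on captured reply strings only, and the "hardened" reply is a constructed sample.

```python
import re

# One SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(raw):
    """Return (code, text) for one, possibly multi-line, SMTP reply."""
    code, parts = None, []
    for line in raw.replace("\r\n", "\n").strip().split("\n"):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        code = m.group(1)
        parts.append(m.group(3))
        if m.group(2) == " ":      # a space after the code marks the final line
            break
    return int(code), " ".join(parts)

def classify_vrfy(code):
    """Map a VRFY reply code to its meaning under RFC 5321."""
    if code in (250, 251):
        return "confirmed"         # server states the mailbox exists
    if code == 252:
        return "noncommittal"      # cannot verify, but will attempt delivery
    if code in (550, 551, 553):
        return "rejected"          # server states the mailbox is not valid here
    if code in (500, 502, 504):
        return "disabled"          # command not recognised or not implemented
    return "other"

def leaks_user_existence(reply_known, reply_bogus):
    """True when the two replies differ in code, so a client can tell accounts apart."""
    return parse_reply(reply_known)[0] != parse_reply(reply_bogus)[0]

# Replies copied from the session shown on this page.
PAGE_KNOWN = "252 2.0.0 root\r\n"
PAGE_UNKNOWN = ("550 5.1.1 <idontexist>: Recipient address rejected: "
                "User unknown in local recipient table\r\n")
# Constructed sample: a server that answers every VRFY the same way.
HARDENED = "502 5.5.1 VRFY command is disabled\r\n"

if __name__ == "__main__":
    print("page server leaks:", leaks_user_existence(PAGE_KNOWN, PAGE_UNKNOWN))
    print("hardened server leaks:", leaks_user_existence(HARDENED, HARDENED))
```

Note that 252 is formally a noncommittal answer, yet paired with a 550 for unknown names it still reveals which accounts exist. On Postfix, setting `disable_vrfy_command = yes` in main.cf makes the server reject VRFY for every name.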
Likewise, as we did earlier, we can obtain SMTP information about the target from the Windows 11 client:
PS C:\Users\student> Test-NetConnection -Port 25 192.168.50.8
ComputerName : 192.168.50.8
RemoteAddress : 192.168.50.8
RemotePort : 25
InterfaceAlias : Ethernet0
SourceAddress : 192.168.50.152
TcpTestSucceeded : True
Unfortunately, Test-NetConnection does not let us fully interact with the SMTP service. Nevertheless, if it is not already installed, we can install Microsoft's Telnet client as follows:
PS C:\Windows\system32> dism /online /Enable-Feature /FeatureName:TelnetClient
...
Note that installing Telnet requires administrative privileges, which can be a problem if we are running as a low-privileged user. However, we could also grab the c:\windows\system32\telnet.exe binary from another development system and copy it to the Windows machine being tested.
Once Telnet is enabled on the test machine, we can connect to the target machine and perform the same user enumeration as we did from Kali.
C:\Windows\system32> telnet 192.168.50.8 25
220 mail ESMTP Postfix (Ubuntu)
VRFY goofy
550 5.1.1 <goofy>: Recipient address rejected: User unknown in local recipient table
VRFY root
252 2.0.0 root
The output above shows that, if Kali is not available, user enumeration can also be performed from a compromised Windows system.
Question: