STATEMENT
声明
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,雷神众测及文章作者不为此承担任何责任。
雷神众测拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经雷神众测允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
NO.1 SMTP
简单邮件传输协议(Simple Mail Transfer Protocol,SMTP)是在Internet传输电子邮件的事实标准。
SMTP是一个相对简单的基于文本的协议。在其之上指定了一条消息的一个或多个接收者(在大多数情况下被确认是存在的),然后消息文本会被传输。可以很简单地通过telnet程序来测试一个SMTP服务器。SMTP使用TCP端口25。要为一个给定的域名决定一个SMTP服务器,需要使用MX (Mail eXchange) DNS。
——摘自 百度百科
原理
使用 SMTP RCPT TO:返回250状态码,证明邮箱地址存在;返回550状态码,证明邮箱地址不存在。
注意
有些邮箱服务设置为Catch-all,这意味该域名下的每个邮箱地址,都会被认为是存在的。
Catch-all
Catch-all邮箱:全域设置 (以该邮箱为后缀的任何邮箱名,该邮箱服务器都会接收)
例如这个域microsci.com,会设置一个Catch-all邮箱地址如: [email protected],该地址可以用来接收拼错或者无效的来自microsci.com域的邮箱。
如[email protected]是不存在无效的账户。当给这个邮箱[email protected]发邮件时,由于[email protected]邮箱不存在就会把邮件自动转到[email protected] (Catch-all邮箱里)。
这样的话,就造成检测该域的邮箱都是通过的。因为该域的邮箱会接受该域下的所有邮箱。然而也有这样的情况,收件人邮件服务器可能会默默地放弃该邮件或事后发送退回邮件。
[ 如何配置catch-all,官网文档 配置 catch-all 邮箱 ]
https://docs.microsoft.com/zh-cn/previous-versions/office/exchange-server-2010/bb691132(v=exchg.141
NO.2 验证过程
查找MX记录
nslookup -type=MX mail.com找到两条MX记录,SMTP服务器的地址分别为:
mail.commail exchanger = 10 mx2.mail.com.
mail.commail exchanger = 10 mx.mail.com.
建立连接
SMTP默认是TCP端口25,使用telnet命令进行TCP的连接。
❯ telnet mx.mail.com 25Trying 180.xx.xx.199...Connected to mx.mail.com.Escape character is '^]'.220 mx.mail.com ESMTP
响应码220,证明连接成功。
HELO/EHLO
向服务器表明邮件发送的服务器
❯ HELO mx.mail.com250 mx.mail.com❯ EHLO mx.mail.com250-mx.mail.com250-8BITMIME250-SIZE 68157440250 STARTTLS
响应码250,证明成功。
MAIL FROM
表明发件人
❯ MAIL FROM:<[email protected]>250 sender <[email protected]> ok
RCPT TO
如果 RCPT TO 的响应码是250或者251都表示邮件地址存在,如果响应码是5xx,则表明邮件地址不存在,如果是4xx则代表无法确认。
❯ MAIL FROM:<[email protected]>250 sender <[email protected]> ok❯ RCPT TO:<[email protected]>250 recipient <[email protected]> ok❯ RCPT TO:<[email protected]>550 # 5.1.0 Address rejected.
NO.3 工具化
Python
Metasploit
开篇提到过 Catch-all 。实际上,MAIL服务器如果做了这种配置,任何邮箱地址通过SMTP这种方法都会校验通过。
可以使用MSF的 auxiliary/scanner/msmail/onprem_enum 模块进行验证,该模块利用OWA (Outlook Webapp)基于时间的用户枚举。
[ 作者文档 onprem_enum.md ]
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/msmail/onprem_enum.md
NO.4 附: Python代码
# -*- coding: utf-8 -*-import dns.resolverimport argparsefrom socket import *import randomdef ColorPrint(string="", flag="", verbose=""):colors = {u"gray": "2",u"red": "31",u"green": "32",u"yellow": "33",u"blue": "34",u"pink": "35",u"cyan": "36",u"white": "37",}flags = {u"error": "[-] ",u"warning": "[!] ",u"info": "[*] ",u"success": "[+] ",u"debug": ">>> ",u"echo": ">>> "}try:if flag == 'error':print(u"�33[%sm%s%s" % (colors[u"red"], flags[flag], string))if flag =="info":print(u"�33[%sm%s%s" % (colors[u"white"], flags[flag], string))if flag == 'echo' or flag == '' or flag == 0:print(u"�33[%sm%s%s" % (colors[u"white"], flags[flag], string))if flag == 'success':print(u"�33[%sm%s%s" % (colors[u"green"], flags[flag], string))if verbose == 1:if flag == 'warning':print(u"�33[%sm%s%s" % (colors[u"yellow"], flags[flag], string))if flag == 'debug':print(u"�33[%sm%s%s" % (colors[u"white"], flags[flag], string))except:return 0# 第一步: 获取域名MX 记录def DNSQuery(mailaddr):dns_resolver = dns.resolver.Resolver(configure=False)dns_resolver.timeout = 5dns_resolver.lifetime = 5dns_resolver.nameservers = ['119.29.29.29']record = "MX"domain = mailaddr[mailaddr.find(u"@") + 1:]ColorPrint("query MX of DNS for %s" % domain, flag= "echo", verbose=verbose)try:MX = dns_resolver.resolve(domain, record)m = random.randint(0, len(MX))mx = MX[0].exchangestrMx = str(mx)[:-1]assert strMx != u""except Exception as e:ColorPrint("query MX of %s failed: %s" % (strMx, e), flag="error", verbose=verbose)return 0ColorPrint("MX Server: %s" % strMx, flag="info", verbose=verbose)return strMx# 第二步: 请求mail服务器def smtpsend(server, port=20, mail_rcptTo=""):mailserver = (server, port)clientSocket = socket(AF_INET, SOCK_STREAM)helloDomain = server[server.find(u".") + 1:]mail_from = "[email protected]"ColorPrint("connect to %s:%.f" % (server, port), flag="debug", verbose=verbose)try:clientSocket.connect(mailserver)recv = clientSocket.recv(1024)recv = recv.decode()if recv[0:3] != '220':ColorPrint("info: " + recv, flag="debug", verbose=verbose)return 0except Exception as e:ColorPrint("Error: %s" % e, flag="error", verbose=verbose)ColorPrint("Done. " , flag="info", verbose=verbose)return 0ColorPrint("Message after connection request: n" + recv, flag="debug", verbose=verbose)hello_command = "EHLO %srn" % helloDomainclientSocket.send(hello_command.encode())recv1 = clientSocket.recv(1024)recv1 = recv1.decode()ColorPrint("Message after EHLO command:n" + recv1, flag="debug", verbose=verbose)if recv1[:3] != '250':ColorPrint("250 reply not received from server." + recv1, flag="error", verbose=verbose)return 0mail_from_command = "MAIL FROM:<%s>rn" % mail_fromclientSocket.send(mail_from_command.encode())recv2 = clientSocket.recv(1024)recv2 = recv2.decode()ColorPrint("After MAIL FROM command: " + recv2, flag="debug", verbose=verbose)rcptTo = "RCPT TO:<%s>rn" % mail_rcptToclientSocket.send(rcptTo.encode())recv3 = clientSocket.recv(1024)recv3 = recv3.decode()if recv3[:3] == '550':ColorPrint("Account: %s does not exist." % mail_rcptTo, flag="error", verbose=verbose)ColorPrint("Done. ", flag="info", verbose=verbose)return 0ColorPrint("Account: %s exists." % mail_rcptTo, flag="success", verbose=verbose)ColorPrint("After RCPT TO command: %s" % recv3, flag="debug", verbose=verbose)quit = "QUITrn"clientSocket.send(quit.encode())recv4 = clientSocket.recv(1024)clientSocket.close()ColorPrint("Done. " , flag="info", verbose=verbose)return mail_rcptToif __name__ == "__main__":'''port = 25verbose = False # 详细输出,可输出debug信息mailaddr = "[email protected]" # 需要验证的邮箱地址mail_rcptTo = mailaddrserver = DNSQuery(mailaddr)smtpsend(server, port, mail_rcptTo)'''parser = argparse.ArgumentParser()parser.add_argument("-e", "--email",help="Verification Email Address.", required=True)parser.add_argument("-s", "--server",help="Smtp Server.")parser.add_argument("-p", "--port",help="Smtp Server Port.", default=25, type=int)parser.add_argument("-v", "--verbose",help="verbose info (choice in [True, False])", default=False, type=bool)args = parser.parse_args()port = args.portverbose = args.verbosemailaddr = args.emailmail_rcptTo = mailaddrserver = args.serverif server == None:server = DNSQuery(mailaddr)smtpsend(server, port, mail_rcptTo)
RECRUITMENT
招聘启事
END
长按识别二维码关注我们
本文始发于微信公众号(雷神众测):验证Exchange邮箱用户是否存在
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论