<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>bill's blog</title>
	<atom:link href="http://weblog.randomdog.net/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://weblog.randomdog.net</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Sun, 05 Sep 2010 19:52:21 +0000</lastBuildDate>
	
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Sending emails using SMTP commands</title>
		<link>http://weblog.randomdog.net/?p=1311</link>
		<comments>http://weblog.randomdog.net/?p=1311#comments</comments>
		<pubDate>Sun, 05 Sep 2010 14:55:43 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[Current]]></category>
		<category><![CDATA[System Administration]]></category>
		<category><![CDATA[endeavour]]></category>
		<category><![CDATA[mail]]></category>
		<category><![CDATA[net escape]]></category>
		<category><![CDATA[rjk]]></category>
		<category><![CDATA[smtp command]]></category>
		<category><![CDATA[smtp commands]]></category>
		<category><![CDATA[smtp helo]]></category>
		<category><![CDATA[smtp server]]></category>
		<category><![CDATA[telnet client]]></category>
		<category><![CDATA[unix services]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1311</guid>
		<description><![CDATA[SMTP servers, like most UNIX services, can be accessed from the command line. It’s not always the prettiest way of doing things, but very often for basic testing it’s all that is needed. I was recently having problems with my ISP… U-verse! My mail wasn’t getting through their firewall. I was positive that port 25 [...]]]></description>
			<content:encoded><![CDATA[
<p>SMTP servers, like most UNIX services, can be accessed from the command line. It’s not always the prettiest way of doing things, but very often for basic testing it’s all that is needed. I was recently having problems with my ISP… U-verse! My mail wasn’t getting through their firewall. I was positive that port 25 was being blocked on their side… though they assured me it wasn’t. Sending emails and waiting for them to return from the Internet can be a painstaking process. Additionally, it doesn’t give you a whole lot of information on the state of the connection (only that the email got to you or it didn’t)! Using telnet to access your SMTP server provides a lot more information back to the systems administrator! So how is this done?</p>
<p>The first thing you do is open a telnet client and open a connection to the host on port 25.</p>
<p><code>bill@endeavour:~$ telnet mail.randomdog.net 25<br />
Trying 10.0.1.15...<br />
Connected to mail.randomdog.net.<br />
Escape character is '^]'.<br />
220 mail.randomdog.net ESMTP Postfix</code></p>
<p>This really just opens the connection… now it’s time to start talking to the server. Next you need to let the server know who it’s talking to. The HELO or EHLO (extended SMTP) command accomplishes this.</p>
<p><code>HELO endeavour.randomdog.net<br />
250 mail.randomdog.net</code></p>
<p>The 250 represents the status response from the server. In this case 250 means that the requested mail action is okay and has been completed. A complete listing of status responses can be found at:</p>
<p><a href="http://www.greenend.org.uk/rjk/2000/05/21/smtp-replies.html">http://www.greenend.org.uk/rjk/2000/05/21/smtp-replies.html</a></p>
<p>or you can download a copy I grabbed from <a href="http://weblog.randomdog.net/wp-content/uploads/2010/08/Network__3-SMTP_Server_Status_Codes_and_SMTP_Error_Codes.pdf">AnswersThatWork</a>.</p>
<p>Next up… Let’s start writing an email. The SMTP command to do this is:</p>
<p><code>MAIL FROM: will@randomdog.net<br />
250 2.1.0 Ok</code></p>
<p>Then we need to tell the server which account we want the email to be delivered to.</p>
<p><code>RCPT TO: bill@randomdog.net<br />
250 2.1.5 Ok</code></p>
<p>Next let’s start composing our email. To begin with we must send the DATA command.</p>
<p><code>DATA<br />
354 End data with &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;</code></p>
<p>While not strictly SMTP commands, one could use:</p>
<p><code>Subject:<br />
Cc:<br />
Reply-To: </code></p>
<p>to send some header information. I’m going to set up a subject line.</p>
<p><code>subject:Telnet SMTP Commands</code></p>
<p>After setting up the header info… I can begin to type my email.</p>
<p><code>This is a demo of using telnet to send emails directly from an SMTP server.</code></p>
<p>To tell the mail server that you have completed the message, enter a single &#8220;.&#8221; on a line of its own.</p>
<p><code>.<br />
250 2.0.0 Ok: queued as 4A8D7C4B2CE</code></p>
<p>The server responded back that it accepted the message and has queued it for delivery.</p>
<p>Finally we’re going to want to close the connection nice and neatly&#8230; So we would issue the QUIT command.</p>
<p><code>QUIT<br />
221 2.0.0 bye<br />
Connection closed by foreign host.</code></p>
<p>NOTE: One could simplify the testing a bit after opening a connection with the server by issuing the VRFY command. This command is used to verify that an account is a valid user on that server.</p>
<p><code>VRFY bill<br />
252 2.0.0.bill</code></p>
<p>The 252 status response means that the user account appears to be valid but could not be verified.</p>
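<p>As an added example (not from the original post), here is the same dialogue driven from a short Python script instead of typed into telnet: it reads each reply code, copes with the multi-line EHLO answer, dot-stuffs the message body and fails loudly when the server refuses a step. SocketTransport is for a real server; ScriptedTransport and the canned Postfix-style replies are constructed so the code runs offline.</p>

```python
"""Drive the SMTP dialogue from the post (greeting, EHLO, MAIL FROM, RCPT TO,
DATA, QUIT) over a line transport and check every reply code, so a blocked port
or a refused relay fails loudly instead of being eyeballed in telnet."""
import socket


class SocketTransport:
    """Line-oriented TCP connection to a real server (port 25, or 587 for submission)."""

    def __init__(self, host, port=25, timeout=10):
        # create_connection raises on a filtered port instead of hanging forever
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def readline(self):
        return self.reader.readline().decode("ascii", "replace").rstrip("\r\n")

    def sendline(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


class ScriptedTransport:
    """Constructed stand-in for the server: replays canned replies and records
    what the client sent, so the dialogue can be exercised offline."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def readline(self):
        return self.replies.pop(0)

    def sendline(self, line):
        self.sent.append(line)


def read_reply(t):
    """Read one reply. EHLO answers span several lines ('250-PIPELINING' ...)
    and end with the line whose fourth character is a space ('250 8BITMIME')."""
    lines = []
    while True:
        line = t.readline()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def command(t, cmd, expect):
    """Send one command and insist on the reply code the post shows for it."""
    t.sendline(cmd)
    code, text = read_reply(t)
    if code != expect:
        raise RuntimeError("%s -> %d %s (expected %d)" % (cmd, code, " ".join(text), expect))
    return text


def send_message(t, helo_name, sender, recipient, subject, body):
    code, text = read_reply(t)                    # 220 greeting arrives before any command
    if code != 220:
        raise RuntimeError("no 220 greeting: %d %s" % (code, " ".join(text)))
    command(t, "EHLO " + helo_name, 250)
    # RFC 5321 wants angle brackets; Postfix also tolerates the bare form used in the post
    command(t, "MAIL FROM:<%s>" % sender, 250)
    command(t, "RCPT TO:<%s>" % recipient, 250)
    command(t, "DATA", 354)                       # 354: server now wants the message text
    # headers, one empty line, then the body; a body line starting with "." is
    # "dot-stuffed" so it cannot be mistaken for the terminating single "."
    for line in ["Subject: " + subject, ""] + body.splitlines():
        t.sendline("." + line if line.startswith(".") else line)
    text = command(t, ".", 250)                   # "2.0.0 Ok: queued as <id>"
    queue_id = text[-1].rsplit(" ", 1)[-1]
    command(t, "QUIT", 221)
    return queue_id


# Constructed transcript modelled on the Postfix replies shown in the post.
POSTFIX_OK = [
    "220 mail.randomdog.net ESMTP Postfix",
    "250-mail.randomdog.net", "250-PIPELINING", "250 8BITMIME",
    "250 2.1.0 Ok", "250 2.1.5 Ok",
    "354 End data with <CR><LF>.<CR><LF>",
    "250 2.0.0 Ok: queued as 4A8D7C4B2CE",
    "221 2.0.0 Bye",
]
# Constructed: the same server refusing to relay for an unauthenticated client.
POSTFIX_RELAY_DENIED = POSTFIX_OK[:5] + ["554 5.7.1 <someone@example.org>: Relay access denied"]


def demo(replies=POSTFIX_OK):
    t = ScriptedTransport(replies)
    queue_id = send_message(t, "endeavour.randomdog.net", "will@randomdog.net",
                            "bill@randomdog.net", "Telnet SMTP Commands",
                            "This is a demo of using telnet to send emails.\n.hidden line")
    return queue_id, t.sent


def relay_denied_message():
    """Return the error text produced when RCPT TO is answered with 554."""
    try:
        demo(POSTFIX_RELAY_DENIED)
    except RuntimeError as e:
        return str(e)
    return None
```

Against a live host, replace ScriptedTransport with SocketTransport("mail.example.org", 25): a filtered port 25 shows up as a connection timeout before any greeting, which is the diagnosis the post was after.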
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1311</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Rules</title>
		<link>http://weblog.randomdog.net/?p=1317</link>
		<comments>http://weblog.randomdog.net/?p=1317#comments</comments>
		<pubDate>Sun, 05 Sep 2010 14:27:43 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[Quotes]]></category>
		<category><![CDATA[exceptions]]></category>
		<category><![CDATA[old man]]></category>
		<category><![CDATA[oliver wendell holmes]]></category>
		<category><![CDATA[young man]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1317</guid>
		<description><![CDATA[The young man knows the rules, but the old man knows the exceptions.
- Oliver Wendell Holmes
]]></description>
			<content:encoded><![CDATA[
<blockquote><p>The young man knows the rules, but the old man knows the exceptions.</p>
<p>- Oliver Wendell Holmes</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1317</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The sending of emails!</title>
		<link>http://weblog.randomdog.net/?p=1309</link>
		<comments>http://weblog.randomdog.net/?p=1309#comments</comments>
		<pubDate>Mon, 30 Aug 2010 01:01:53 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[System Administration]]></category>
		<category><![CDATA[incoming email]]></category>
		<category><![CDATA[mail account]]></category>
		<category><![CDATA[mail administrator]]></category>
		<category><![CDATA[mail exchange record]]></category>
		<category><![CDATA[mail server]]></category>
		<category><![CDATA[mail submission]]></category>
		<category><![CDATA[mail transfer agent]]></category>
		<category><![CDATA[mail user agent]]></category>
		<category><![CDATA[open relays]]></category>
		<category><![CDATA[service daemon]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1309</guid>
		<description><![CDATA[The way email works can be a bit complicated. There are many components and services used to transfer your email to the intended recipient’s inbox. Part of the complication comes from the fact that the email service daemon actually has multiple sub-processes that handle the forwarding of email messages. Let’s walk through how email gets [...]]]></description>
			<content:encoded><![CDATA[
<p>The way email works can be a bit complicated. There are many components and services used to transfer your email to the intended recipient’s inbox. Part of the complication comes from the fact that the email service daemon actually has multiple sub-processes that handle the forwarding of email messages. Let’s walk through how email gets from your machine to the person you are writing to.</p>
<p>The process starts with an email client or MUA (mail user agent). Common email clients include Outlook, Entourage, Apple Mail and Thunderbird. The MUA then sends the message to the SMTP server configured for the mail account that you are currently using.</p>
<p>The first service to handle your email is the mail submission agent (or MSA). This service merely accepts the message from the client. It will do some authentication/authorization checking to make sure that the client is actually allowed to use this server. This is a “security” feature to prevent open relays. </p>
<p>From there the MSA passes your message to the MTA (or mail transfer agent). The MTA is responsible for forwarding the email to the server handling the recipient’s domain&#8230; the part of an email address to the right of the @ symbol. The MTA does this by using DNS to perform an MX (or mail exchange record) lookup to find out where to send email for the recipient’s domain. Once the host that handles the recipient’s domain has been identified, the MTA sends the message to that mail server.</p>
<p>The MSA on the recipient’s email server will then determine whether there is a valid account on the system for the intended recipient. The MSA will also perform a few other checks on the incoming email based on certain rules that the mail administrator has put into place. One such rule could be that the server will not pass emails with attachments. If the server determines that the incoming email violates the rule set or that the intended recipient is not valid on that system, the MSA will send back an error notification (or a bounce) to the email’s originator. Once the email is accepted, the message is passed to the MDA (or mail delivery agent). The MDA stores the message until the recipient “picks up” their mail.</p>
<p>The last part of the delivery of email happens once again when the recipient’s email client collects their email from the mail server. This is handled one of two ways. The first is through the IMAP protocol. The benefit of using IMAP is that it allows for the centralization of email. Mail actually resides on a server and the end user can access it from multiple machines. The other protocol that is used for the delivery of email is POP. The benefit of using POP is mostly on the server side. POP downloads messages to the local machine and then deletes the record from the server, keeping storage demands to a minimum.</p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1309</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Email Services</title>
		<link>http://weblog.randomdog.net/?p=1307</link>
		<comments>http://weblog.randomdog.net/?p=1307#comments</comments>
		<pubDate>Sat, 28 Aug 2010 19:19:12 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[School]]></category>
		<category><![CDATA[internet message access protocol]]></category>
		<category><![CDATA[mail server]]></category>
		<category><![CDATA[mail transfer protocol]]></category>
		<category><![CDATA[port 143]]></category>
		<category><![CDATA[port 995]]></category>
		<category><![CDATA[post office protocol]]></category>
		<category><![CDATA[server protocol]]></category>
		<category><![CDATA[simple mail transfer protocol]]></category>
		<category><![CDATA[ssl certs]]></category>
		<category><![CDATA[storage demands]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1307</guid>
		<description><![CDATA[SMTP (or Simple Mail Transfer Protocol) is the service that handles the sending of email. This protocol runs on port 25. For the most part this is a server-to-server protocol, though it is possible to telnet into the service to send emails directly. It uses a number of sub-processes (MSA, MTA, MX exchanger, MDA) [...]]]></description>
			<content:encoded><![CDATA[
<p>SMTP (or Simple Mail Transfer Protocol) is the service that handles the sending of email. This protocol runs on port 25. For the most part this is a server-to-server protocol, though it is possible to telnet into the service to send emails directly. It uses a number of sub-processes (MSA, MTA, MX exchanger, MDA) to make sure the mail gets to the right place (domain &#038; account).</p>
<p>IMAP (or Internet Message Access Protocol) is one of two protocols that handle the delivery of email to clients. It usually runs on port 143, but this can be changed to obscure the service by running it on a different port. The downside to this is that the client application needs to be manually configured to be made aware of the port change. It can also be configured to use SSL certs to secure the transmission of data. Secure IMAP runs on port 993 by default. The benefit of using IMAP is that it allows for the centralization of email. Mail actually resides on a server and the end user can access it from multiple machines.</p>
<p>POP (or Post Office Protocol) is the other protocol that handles the delivery of mail to clients. Once again it usually runs on the well-known port of 110, but that can be changed. It too allows for the use of SSL certs, and when configured that way it will usually run on port 995. The benefit of using POP is mostly on the server side. POP downloads messages to the local machine and then deletes the record from the mail server, keeping storage demands to a minimum.</p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1307</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Buffer Overflows</title>
		<link>http://weblog.randomdog.net/?p=1304</link>
		<comments>http://weblog.randomdog.net/?p=1304#comments</comments>
		<pubDate>Wed, 25 Aug 2010 16:12:07 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[School]]></category>
		<category><![CDATA[allowing direct access]]></category>
		<category><![CDATA[application crashes]]></category>
		<category><![CDATA[buffer overflow vulnerability]]></category>
		<category><![CDATA[buffer overrun]]></category>
		<category><![CDATA[buffer overruns]]></category>
		<category><![CDATA[enough memory]]></category>
		<category><![CDATA[input buffer]]></category>
		<category><![CDATA[input string]]></category>
		<category><![CDATA[Nessus]]></category>
		<category><![CDATA[script kiddies]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1304</guid>
		<description><![CDATA[A Buffer Overflow vulnerability is one in which the programmer of an application does not properly allocate enough memory for a given input. In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer&#8217;s boundary and overwrites adjacent memory (Wikipedia.org, [...]]]></description>
			<content:encoded><![CDATA[
<p>A Buffer Overflow vulnerability is one in which the programmer of an application does not properly allocate enough memory for a given input. In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer&#8217;s boundary and overwrites adjacent memory (<a href="http://en.wikipedia.org/wiki/Buffer_overflow">Wikipedia.org, 2010</a>). This could lead to any number of problems… simple application instability, complete application crashes or in the worst case, a crash that returns a shell prompt allowing direct access to the box. In practice, a hacker could craft an input string that overflows the buffer and executes something like cmd.exe.</p>
<p>So how does one go about performing such deeds of electronic mischief? </p>
<p>1.	Start by recon’ing a site. We do this with NMAP or something like Nessus. We find a machine that is running a piece of software that has a known vulnerability for the version of the software it is running.</p>
<p>2.	Next we put together a payload. This is an input string that will exceed the input buffer. There is a bit of work that goes into this and, for the script kiddies out there… there are many websites and videos that step through putting together the attack. A real simple buffer overflow is demonstrated in this video on YouTube.</p>
<p><a href="http://www.youtube.com/watch?v=ZZ0LVAFIDrA">http://www.youtube.com/watch?v=ZZ0LVAFIDrA</a></p>
<p>Once the buffer overflow is successfully performed you should be returned to a shell prompt. The prompt will have the same privileges as that of the application that was compromised.</p>
<p>Resources:</p>
<p>Various, (2010), Buffer overflow, Retrieved on August 22nd, 2010 from <a href="http://en.wikipedia.org/wiki/Buffer_overflow">http://en.wikipedia.org/wiki/Buffer_overflow</a></p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1304</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>If you&#8217;re thinking about u-verse&#8230;</title>
		<link>http://weblog.randomdog.net/?p=1301</link>
		<comments>http://weblog.randomdog.net/?p=1301#comments</comments>
		<pubDate>Sun, 15 Aug 2010 21:49:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Current]]></category>
		<category><![CDATA[internet service]]></category>
		<category><![CDATA[static ips]]></category>
		<category><![CDATA[u verse]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1301</guid>
		<description><![CDATA[and you&#8217;re serious about your Internet service with Static IPs don&#8217;t do it!
]]></description>
			<content:encoded><![CDATA[
<p>and you&#8217;re serious about your Internet service with Static IPs don&#8217;t do it!</p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1301</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>JailBreaking aka Software Vulnerabilities</title>
		<link>http://weblog.randomdog.net/?p=1295</link>
		<comments>http://weblog.randomdog.net/?p=1295#comments</comments>
		<pubDate>Sun, 15 Aug 2010 15:03:12 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[Current]]></category>
		<category><![CDATA[buffer overflow attacks]]></category>
		<category><![CDATA[cat and mouse game]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iphones]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[itunes music store]]></category>
		<category><![CDATA[monolithic applications]]></category>
		<category><![CDATA[security holes]]></category>
		<category><![CDATA[software vulnerabilities]]></category>
		<category><![CDATA[unsigned code]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1295</guid>
		<description><![CDATA[Software applications are complicated things. Developers need to think about what the application is supposed to do… then write code to make it happen. They need to anticipate how the end-user is going to use the application and how the application could be misused. Trying to understand all possible scenarios is nearly impossible and added to [...]]]></description>
			<content:encoded><![CDATA[
<p>Software applications are complicated things. Developers need to think about what the application is supposed to do… then write code to make it happen. They need to anticipate how the end-user is going to use the application and how the application could be misused. Trying to understand all possible scenarios is nearly impossible and, added to that, large monolithic applications may have many different coders working on them at any given time. This leads to situations where defects (or bugs) creep into applications. It is these bugs that hackers look to exploit! Very often it is a buffer overflow attack that leads to the compromising of an application and, depending on the crash… to root access to the box.</p>
<p>I have always said that with the iPhone’s popularity exploits will come… and they have! Apple has tried very hard to lock down the iPhone so that it can’t be used on other carriers’ networks and so applications can only be loaded via the iTunes Music Store. Apple has in many ways crippled its own phone. Apple said that the original iPhone 2G couldn’t capture video… It can! It said that it couldn’t be used to tether a laptop to the Internet… It can! Why? Because AT&#038;T wanted to prevent their network from collapsing under the load of this Smartphone. Additionally, it didn’t want to lose the revenue stream by cannibalizing its mobile broadband market. Many people saw this as an unfair business practice and sought to find ways of breaking these locks to allow unrestricted access to the phone.</p>
<p>Jailbreaking is a process that allows iPad, iPhone and iPod Touch users to run third-party unsigned code on their devices by unlocking the operating system and allowing the user root access (<a href="http://en.wikipedia.org/wiki/IOS_jailbreaking">Wikipedia.org, 2010</a>). Jailbreaking the phone takes advantage of unpatched security holes within iOS. The jailbreaking of iPhones has been a cat and mouse game between hackers and Apple. Apple patches the phone and the hackers set off looking for new vulnerabilities to exploit. Apple recently released iOS 4, which set the ball in motion once again to find a new exploit to unlock the phones. The jailbreak that worked against iOS 4 was particularly problematic in that it exploited a vulnerability in the displaying of PDFs on the devices. These specially crafted PDFs could be sitting out on the Internet, and when the Safari browser tries to display the PDF… a buffer overflow condition happens and the phone is then “rooted.”</p>
<p>The vulnerability is caused by a flaw in the FreeType font engine… which is called upon when displaying a PDF with embedded fonts. A full description of the bug can be found by searching for CVE-2010-1797. Apple’s information regarding the flaw can be found in its update info at <a href="http://support.apple.com/kb/HT4291">http://support.apple.com/kb/HT4291</a></p>
<p>CVE-ID:  CVE-2010-1797<br />
FreeType</p>
<p>Available for:  iOS 2.0 through 4.0.1 for iPhone 3G and later,<br />
iOS 2.1 through 4.0 for iPod touch (2nd generation) and later</p>
<p>Impact:  Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution</p>
<p>Description:  A stack buffer overflow exists in FreeType&#8217;s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.</p>
<p>It is so easy to exploit this vulnerability, in fact, that individuals have taken to jailbreaking iPhones in many Apple stores. They merely visit the website JailbreakMe.com and leave a trail of jailbroken iPhones in their wake! In an effort to thwart the jailbreaking of phones in their stores, Apple had to set up a DNS forward for the site until they had a patch for the vulnerability. Apple released a fix for the FreeType 2 CFF font stack corruption vulnerability on August 11th (one of the fastest turnaround times for an iOS patch).</p>
<p>Jailbreaking one’s iPhone will void Apple&#8217;s product warranty though it is a simple task to restore the phone to a factory “new” default. </p>
<p>NOTE: You need to remember to restore a jailbroken phone before bringing it to an Apple store for repair. </p>
<p>The Library of Congress is required to revise Digital Millennium Copyright Act (DMCA) rules every 3 years. On July 26th, 2010, it issued its update to the DMCA and made it legal for iPhone owners to jailbreak their phones. <a href="http://www.eff.org/deeplinks/2010/08/breaking-down-dmca-exemptions-pt-2-free-your-phone">Corynne McSherry</a>, a senior staff attorney for the <a href="http://www.eff.org/">Electronic Frontier Foundation</a> (a San Francisco-based privacy-rights group), had this to say about the ruling.</p>
<p>“Now people can go ahead and fix their phones and jailbreak them so they can run all sorts of different applications. They can make full use of the phone they bought without some kind of legal liability hanging over their head.” (<a href="http://www.bloomberg.com/news/2010-07-26/apple-iphone-users-have-u-s-blessing-to-jailbreak-add-own-applications.html">Bloomberg.com, 2010</a>)</p>
<p>It should be noted that the Electronic Frontier Foundation is the advocacy group that petitioned the Library of Congress for this ruling.</p>
<p>Resources:</p>
<p>Shields, T. &#038; Satariano, A., (2010, Jul 26th), &#8216;Jailbreaking&#8217; of IPhones to Add Apps Backed by U.S. Retrieved on August 13th, 2010 from <a href="http://www.bloomberg.com/news/2010-07-26/apple-iphone-users-have-u-s-blessing-to-jailbreak-add-own-applications.html">http://www.bloomberg.com/news/2010-07-26/apple-iphone-users-have-u-s-blessing-to-jailbreak-add-own-applications.html</a></p>
<p>Various, (2010, August 13th), iOS Jailbreaking, Retrieved on August 13th, 2010 from <a href="http://en.wikipedia.org/wiki/IOS_jailbreaking">http://en.wikipedia.org/wiki/IOS_jailbreaking</a></p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1295</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Netstat &#8211; Active Internet connections</title>
		<link>http://weblog.randomdog.net/?p=1274</link>
		<comments>http://weblog.randomdog.net/?p=1274#comments</comments>
		<pubDate>Sat, 14 Aug 2010 21:34:57 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[System Administration]]></category>
		<category><![CDATA[address state]]></category>
		<category><![CDATA[address type]]></category>
		<category><![CDATA[conair]]></category>
		<category><![CDATA[creative root]]></category>
		<category><![CDATA[localhost]]></category>
		<category><![CDATA[right off the bat]]></category>
		<category><![CDATA[socket connections]]></category>
		<category><![CDATA[typical output]]></category>
		<category><![CDATA[unix domain socket]]></category>
		<category><![CDATA[unix domain sockets]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1274</guid>
		<description><![CDATA[Netstat is one of those applications that users take for granted… It’s there, we use it for some basic things and then we move on. It provides some very useful information about the state of network connections on a host. Right off the bat, most people know about netstat -a. It provides a pretty comprehensive [...]]]></description>
			<content:encoded><![CDATA[
<p>Netstat is one of those applications that users take for granted… It’s there, we use it for some basic things and then we move on. It provides some very useful information about the state of network connections on a host. Right off the bat, most people know about netstat -a. It provides a pretty comprehensive look at network connections as well as UNIX domain socket connections and the processes that are using those sockets. Typical output looks similar to this:</p>
<p><code><br />
creative:~ root# netstat -a<br />
Active Internet connections (including servers)<br />
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)<br />
tcp4       0      0  localhost.ldap         localhost.62313        ESTABLISHED<br />
tcp4       0      0  localhost.62313        localhost.ldap         ESTABLISHED<br />
tcp4       0      0  creative.conair..ssh   192.168.25.215.52345   ESTABLISHED<br />
tcp4       0      0  creative.conair..ldap  stdm908.conair.l.55313 ESTABLISHED<br />
tcp4       0      0  *.ldap                 *.*                    LISTEN<br />
tcp6       0      0  *.ldap                 *.*                    LISTEN<br />
tcp4       0      0  *.ssh                  *.*                    LISTEN<br />
tcp4       0      0  creative.conair..ldap  stsm022.conair.l.56412 SYN_SENT<br />
tcp4       0      0  localhost.62308        localhost.ldap         TIME_WAIT<br />
Active LOCAL (UNIX) domain sockets<br />
Address          Type   Recv-Q Send-Q            Inode             Conn             Refs          Nextref Addr<br />
ffffff80353eecc0 stream      0      0 ffffff80368898b8                0                0                0 /var/run/ldapi<br />
ffffff8036176f80 stream      0      0 ffffff8036838f80                0                0                0 /var/run/passwordserver<br />
ffffff80353ef740 stream      0      0                0 ffffff80353ef800                0                0 /var/run/mDNSResponder<br />
ffffff80353f0b80 stream      0      0 ffffff80356df8b8                0                0                0 /var/run/vpncontrol.sock<br />
ffffff80353f0d00 stream      0      0 ffffff80356dfaa8                0                0                0 /var/run/portmap.socket<br />
ffffff80353f0a00 dgram       0      0 ffffff80356df6c8                0                0                0 /var/run/syslog<br />
</code></p>
<p>So let’s take a look at the output for all active Internet connections… Fairly typical! We can see our active Internet connections and our active UNIX domain sockets. I’m going to concentrate on the network connections for now. We can gather some basic information, but let’s take a more detailed look at the output.</p>
<p>The first column is labeled Proto and it represents which protocol is being used for that particular connection. You can find a listing of possible results by looking through the /etc/protocols file. In our output we can see that most of the connections are using TCPv4… though if you look closely this machine is also running IPv6 (line 6).</p>
<p>The next two columns represent the number of bytes that were not accepted by either the local machine or the remote host. The man page for netstat explains Recv-Q and Send-Q as follows:</p>
<p><code><br />
Recv-Q: The  count  of  bytes  not copied by the user program connected to this socket.<br />
Send-Q: The count of bytes not acknowledged by the remote host.<br />
</code></p>
<p>A non-zero value in either column indicates a problem with the transfer of data between the two machines listed under Local Address and Foreign Address. </p>
<p>NOTE: If it&#8217;s not obvious&#8230; in the output of netstat each line represents a connection between two machines. </p>
<p>Next up are the columns labeled Local Address and Foreign Address. The data present here is more than simple hostnames or IP addresses. It also provides the port numbers (both <a href="http://en.wikipedia.org/wiki/Ephemeral_ports">ephemeral ports</a> and well-known ports) being used for that connection. It is represented as follows:</p>
<p><code>IP Address.port# or hostname.port#</code></p>
<p>Looking over the above output, we can gather a lot of information&#8230; </p>
<p>1. We can see that this host is serving up LDAP information and is querying itself for LDAP lookups (lines 1 and 2).</p>
<p>2. We can see that it is running sshd and that the remote host (92.168.25.215) does not have a reverse DNS record set up and is using the ephemeral port 52345 for setting up the connection (line 3).</p>
<p>3. Line 4 is telling us that the machine stdm908.conair.lan has an established connection (see below for information on the State column) that is actively passing data between the two machines.</p>
<p>4. Line 4 is also telling us that stdm908.conair.lan has connected to creative.conair.lan through the specific IP address associated with that hostname. Why? Because netstat will do a reverse lookup and present the hostname wherever possible. Performing an nslookup shows that creative.conair.lan is associated with the IP address 192.168.171.5. If we turned off hostname lookups in netstat, the output for that connection would read 192.168.171.5.ldap.</p>
<p>5. Lines 5, 6 and 7 indicate that services are listening on all interfaces configured on this machine, meaning that if creative.conair.lan had multiple Ethernet interfaces up, it would accept connections to those services on any of them.</p>
<p>The last column represents the state of the connection. This column really only becomes important for TCP connections. Remember that UDP is a connectionless protocol, while TCP is connection based: it requires building up the connection using the three-way handshake and later tearing that same connection down. The state represents whether the two machines are communicating or whether the service is just waiting for a connection. It can also represent where in the process of building up or tearing down the connection the machines are. Possible states include:</p>
<p><code>ESTABLISHED: The socket has an established connection.</code></p>
<p><code>SYN_SENT: The socket is actively attempting to establish a connection.</code></p>
<p><code>SYN_RECV: A connection request has been received from the network.</code></p>
<p><code>FIN_WAIT1: The socket is closed, and the connection is shutting down.</code></p>
<p><code>FIN_WAIT2: Connection is closed, and the socket is waiting for a shutdown from the remote end.</code></p>
<p><code>TIME_WAIT: The socket is waiting after close to handle packets still in the network.</code></p>
<p><code>CLOSE: The socket is not being used.</code></p>
<p><code>CLOSE_WAIT: The remote end has shut down, waiting for the socket to close.</code></p>
<p><code>LAST_ACK: The remote end has shut down, and the socket is closed. Waiting for acknowledgement.</code></p>
<p><code>LISTEN: The socket is listening for incoming connections.</code></p>
<p><code>CLOSING: Both sockets are shut down but we still don’t have all our data sent.</code></p>
<p><code>UNKNOWN: The state of the socket is unknown.</code></p>
<p>The above was taken from the man page for netstat dated 12/2/2007 as installed on Ubuntu 9.10.</p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1274</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The OSI model oversimplified!</title>
		<link>http://weblog.randomdog.net/?p=1269</link>
		<comments>http://weblog.randomdog.net/?p=1269#comments</comments>
		<pubDate>Sat, 14 Aug 2010 01:28:25 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[System Administration]]></category>
		<category><![CDATA[application layers]]></category>
		<category><![CDATA[hardware layers]]></category>
		<category><![CDATA[level protocol]]></category>
		<category><![CDATA[network stack]]></category>
		<category><![CDATA[networking framework]]></category>
		<category><![CDATA[networking stack]]></category>
		<category><![CDATA[ones and zeros]]></category>
		<category><![CDATA[osi model]]></category>
		<category><![CDATA[protocol ftp]]></category>
		<category><![CDATA[session layers]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1269</guid>
		<description><![CDATA[Tweet
Anyone who has made a serious living at administering computers has heard of the OSI model (or the 7 layer model). It is a networking framework that allows for data to be passed between networks note in such an efficient manner. At the bottom of the model are the hardware layers&#8230; It is these layers that [...]]]></description>
			<content:encoded><![CDATA[<div class="tw_button" style=""><a href="http://twitter.com/share?url=http%3A%2F%2Fweblog.randomdog.net%2F%3Fp%3D1269&amp;via=billheese&amp;text=The+OSI+model+oversimplified%21&amp;lang=en&amp;count=none" style="" class="twitter-share-button">Tweet</a></div>
<p>Anyone who has made a serious living at administering computers has heard of the OSI model (or the 7 layer model). It is a networking framework that allows for data to be passed between networks note in such an efficient manner. At the bottom of the model are the hardware layers&#8230; It is these layers that actually do the heavy lifting. It is these layers (the data link and physical) that allow for the ones and zeros to be passed between computers. Further up the model are the network, transport and session layers that are &#8216;logically&#8217; involved with moving the data back and forth. Lastly, at the top of the model are the presentation and application layers. These are more protocol-specific (FTP, HTTP, SSH, etc.). Yes, I know I&#8217;m oversimplifying this!</p>
<p>The OSI model was formulated so that different vendors could concentrate on their areas of expertise and still allow for compatibility. For example, if a vendor is building a network switch it would only really need to deal with layers 1 and 2 (and sometimes 3). Layers 4 and 5 can be considered the network stack. This is usually the job of the OS manufacturer. Vendors that are creating software (such as an FTP client) would only have to deal with the upper layers, 6 and 7. Yes, again I&#8217;m oversimplifying this! A really good explanation of what is happening at which layer can be found at http://en.wikipedia.org/wiki/OSI_model.</p>
<p>Data encapsulation is the process of enclosing higher-level protocol information in lower-level protocol information. So in really basic terms, think of it this way&#8230; I have a file that I need to get to my professor at school. Using an FTP client I&#8217;m taking advantage of Layers 6 &#038; 7. The FTP client then encapsulates the information (the file) and passes it to the operating system, which determines how and where the file should go. So for example, since we are transferring a file, we&#8217;re going to use TCP to ensure that our file gets to the destination intact. The networking stack of the OS encapsulates the source and destination information and passes the &#8220;packet&#8221; to the hardware layers. The hardware layer works to pass the ones and zeros that make up my file to the destination host. Once the packets are received on the other side&#8230; the layers are stripped off so that ultimately the person on the other side is left with the original file I sent. Which is all I&#8217;m really concerned about&#8230; getting that file to my professor and him having the ability to read it.</p>
<p>This all being said&#8230; the big advantage of data encapsulation is that it allows vendors to concentrate on their areas of expertise&#8230; software development&#8230; hardware development&#8230; knowing that vendors specializing in the layers above and below will concentrate on their areas of expertise. The big disadvantage is that it adds overhead! Additionally, not all vendors are equally capable. This could lead to problems in the way information gets from point A to point B.</p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1269</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finding Trojan Horses…</title>
		<link>http://weblog.randomdog.net/?p=1271</link>
		<comments>http://weblog.randomdog.net/?p=1271#comments</comments>
		<pubDate>Tue, 10 Aug 2010 02:07:49 +0000</pubDate>
		<dc:creator>billheese</dc:creator>
				<category><![CDATA[System Administration]]></category>
		<category><![CDATA[bandwidth utilization]]></category>
		<category><![CDATA[busy times]]></category>
		<category><![CDATA[initial baseline]]></category>
		<category><![CDATA[md5 hashes]]></category>
		<category><![CDATA[network statistics]]></category>
		<category><![CDATA[port ps]]></category>
		<category><![CDATA[tcp ports]]></category>
		<category><![CDATA[trojan horses]]></category>
		<category><![CDATA[unix binaries]]></category>
		<category><![CDATA[unix command]]></category>

		<guid isPermaLink="false">http://weblog.randomdog.net/?p=1271</guid>
		<description><![CDATA[Tweet
There are many ways to deal with this…
MD5 hashes… After installing and configuring a clean OS one could go about creating an MD5 hash of the install. At a later date one could create a new hash of the OS and compare the two. If there are differences between the 2 hashes then a change has [...]]]></description>
			<content:encoded><![CDATA[<div class="tw_button" style=""><a href="http://twitter.com/share?url=http%3A%2F%2Fweblog.randomdog.net%2F%3Fp%3D1271&amp;via=billheese&amp;text=Finding+Trojan+Horses%E2%80%A6&amp;lang=en&amp;count=none" style="" class="twitter-share-button">Tweet</a></div>
<p>There are many ways to deal with this…</p>
<p>MD5 hashes… After installing and configuring a clean OS one could go about creating an MD5 hash of the install. At a later date one could create a new hash of the OS and compare the two. If there are differences between the 2 hashes then a change has been made and one needs to investigate what has changed. The problem with this method is that many files on a file system can change in a very short period of time. Tracking down those changes could be very time consuming.</p>
<p>Bandwidth Utilization… This method once again requires an initial baseline. Understanding what is normal on a network can be time consuming to begin with. One needs to record and document the changes that happen throughout the course of a business day. First thing in the morning (users logging in) or last thing in the day (saving files to a server) could be busy times on a network. An SAP print job that only runs on Thursday afternoons will often slow a network. One needs to be aware of these things and consider them normal for your network. If one starts to see abnormal utilization it could be the result of multiple machines having been compromised.</p>
<p>Lastly, two UNIX binaries can be used to track down Trojan horses! netstat, short for Network Statistics, can show the admin which TCP ports are currently being used. netstat will return which ports are active and which are LISTENING for connections. It will detail the state of the port and which processes are actually using the port. ps is another UNIX command that lists which processes are currently running. Again, one must have a firm understanding of which processes should normally be running on a machine. Often an attacker will replace well-known processes with compromised versions that contain hidden executables. These executables are the Trojans! If you’re seeing multiple instances of a common binary one needs to question why!</p>
<p>Hope this gives some insight into tracking down Trojan horses!</p>
]]></content:encoded>
			<wfw:commentRss>http://weblog.randomdog.net/?feed=rss2&amp;p=1271</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
