设置中继邮件服务器
我将设置一个邮件服务器,该服务器稍后将用作 SMTP 中继服务器。首先,在 Digital Ocean 中创建了一个新的 Ubuntu Droplet:
Postfix MTA 安装在droplet上,并带有:
apt-get install postfix
在postfix安装期间,我设置为邮件名称。安装后,可以在此处检查/更改:nodspot.com
root@ubuntu-s-1vcpu-1gb-sfo2-01:~# cat /etc/mailname
nodspot.com
DNS 记录
nodspot.com 的 DNS 记录必须按如下方式更新:
测试邮件服务器
安装postfix并配置DNS记录后,我们可以通过以下方式测试邮件服务器是否正在运行:
telnet mail.nodspot.com 25
如果成功,您应该看到如下内容:
我们可以通过尝试发送实际的电子邮件来进一步测试邮件服务器是否正常工作,如下所示:
root@ubuntu-s-1vcpu-1gb-sfo2-01:~# sendmail mantvydo@gmail.com
yolo
,
.
很快,这封电子邮件就来到了我的 gmail:
...使用以下标头 - 全部按预期进行。请注意,此时标头中看到的原始 IP 是我的快速 IP 206.189.221.162:
Delivered-To: mantvydo@gmail.com
Received: by 2002:a81:1157:0:0:0:0:0 with SMTP id 84-v6csp5026946ywr;
Tue, 2 Oct 2018 12:22:38 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62oH69fwYnfV1zg+o+jbTpjQIzIzASmjoIsXbbfvdevE0LlkY32jflNS/acOtNBXiwzxYxP
X-Received: by 2002:a62:6547:: with SMTP id z68-v6mr17716388pfb.20.1538508158395;
Tue, 02 Oct 2018 12:22:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538508158; cv=none;
d=google.com; s=arc-20160816;
b=FpEgLAICLn66cI+DDvpIsStUrReQ8fArcreT7FyS8SYcFQXFiK44HDcxwVHXCA8Xxb
fUl+3HcerQEznHZMttZ4pZIMbN18pJS08wzuZdOlhGKAA2JSTkxGd+1PhJwDe1SFTYZc
NoARSHL9opemJKg5YqZNjSTDSTfk/QqaCbq7mQL9LAwCKzanGSNR/R/28WymYrdRACOR
GSmDCVvPaUaoemIP8+GwXkfU5Gkk49+F7t9Jbg23HKKq/YOhwF3ryeOEVfn74bhtZIkM
QcUzWn5WSL0lIm0nbd2t7677/wcabOg0TCoZj1IHg+I7yLXE7+QZOYX1TguKu16oZeqt
mTIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:date:message-id;
bh=VSFU9fKoMQMmtQzPFdmefDuA+phTpwZXd9k5xGRzwRs=;
b=VZ2vHjhPUSs17PXAUDyjYzm0w5sdQYqFx7h9iirh/BF1krrl3MQg4QAgfeo0py9qZH
Xf8/9HmNe1pIgxnZiiZJeVijXeSHCIB4XkG4HYFJY2m/gQ9oZ4JSMfX/Kiw/CXEmbt71
YP5S7yQKQNkHw24XnP3WUeDDQ7XvENEfPIS+LlCVtQOPT8fM9TAWQReKz06idynolfhR
7P73wH8igwPea7586wdhSOtDYCURSMKTNVb8yP2eEPNBlP2u2jUrFImG2D2/lke4O6Iu
7zu96tCYEY9FVG11dPFheKlMjvMoL4rqPSAQ3zty4Cbi4Vy2Is6f/VF8AYZ34i0FJooj
eEkw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Return-Path: <root@nodspot.com>
Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
by mx.google.com with ESMTP id 38-v6si3160283pgr.237.2018.10.02.12.22.38
for <mantvydo@gmail.com>;
Tue, 02 Oct 2018 12:22:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) client-ip=206.189.221.162;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Received: by ubuntu-s-1vcpu-1gb-sfo2-01 (Postfix, from userid 0) id DC6DD3F156; Tue,
2 Oct 2018 19:22:37 +0000 (UTC)
Message-Id: <20181002192237.DC6DD3F156@ubuntu-s-1vcpu-1gb-sfo2-01>
Date: Tue,
2 Oct 2018 19:22:31 +0000 (UTC)
From: root <root@nodspot.com>
yolo
,
设置始发邮件服务器
我们需要设置原始邮件服务器,该服务器将使用我们之前设置的服务器作为中继服务器。为了实现这一点,在我的攻击机器上,我安装了postfix邮件服务器。
接下来要做的是修改并设置,这将使来自攻击系统的传出电子邮件首先传输到 nodspot.com 邮件服务器(我们上面设置的服务器):/etc/postfix/main.cfrelayhost=nodspot.com
一旦进行了更改并重新启动了postfix服务器,我们可以尝试从攻击服务器发送测试电子邮件:
如果您没有收到电子邮件,请确保中继服务器没有拒绝攻击计算机的访问。如果您看到您的电子邮件被推迟(在您的攻击机器上)并显示以下消息,这正是正在发生的事情:
一旦继电器问题得到解决,我们可以重复测试并看到一个成功的继电器:
这一次,标头如下所示:
请注意,这次我们是如何观察原始主机的详细信息的,例如主机名和 IP 地址 - 这是不需要的,我们希望编辑该信息。
删除 Postfix 中的敏感标头
我们需要在中继服务器中进行一些配置更改,以便编辑传出电子邮件的标头。
首先,让我们在服务器上创建一个包含正则表达式的文件,这些正则表达式将搜寻要删除的标头
/^Received:.*/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^Mime-Version:/ IGNORE
接下来,我们需要修改以包含以下行:/etc/postfix/master.cf-o header_checks=regexp:/etc/postfix/header_checks
这将告诉 postfix 服务器从与我们上面创建的文件中找到的正则表达式匹配的传出电子邮件中删除标题。
保存更改并重新加载后缀服务器:
postmap /etc/postfix/header_checks
postfix reload
现在再次从攻击计算机发送测试电子邮件,并检查该电子邮件的标头:
请注意,如何删除暴露原始(攻击)机器的标头,这正是我们想要实现的:Received
Delivered-To: mantvydo@gmail.com
Received: by 2002:a81:1157:0:0:0:0:0 with SMTP id 84-v6csp5668508ywr;
Wed, 3 Oct 2018 03:47:35 -0700 (PDT)
X-Google-Smtp-Source: ACcGV614wuffoVOsvFkTPPxCiRj0hgFwTIH7y3B4ziIaXfogLFjsoiFyYOdNVChhr+oRcL1axO+a
X-Received: by 2002:a17:902:a9cc:: with SMTP id b12-v6mr988630plr.198.1538563655360;
Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538563655; cv=none;
d=google.com; s=arc-20160816;
b=qhbzI+R3vHbkqwp2ALOEQ0ItUXU/fA1kEmYln1dBe0CmLELuIfourst4gZVYiU0tAf
sRx20Z5Vcqvv9w6s6f2gVp6crlOuoX2cSKJCn/HyRYKiDB5aVKpEYTDjQtGEBRLoL9xm
/T8+3PgV6CHy/KowoPeLugKg3t5mIh9pq+Ig8gG+VVKZcFyvUBJa9YEgBgVKcMwew8H6
x8WzIB2zyavpZLnbIi6SrtheYZAeSTMTwXRutqxZl0n4O/iZS4Y+ZVdRlYeXFXFNdtMK
JFaS1XVLR4hYXOzlQT1IC2yeQlqf+Q3FJukmkDlDTgw91ImfZa0HtQYQoo3LwKotp92Q
1HiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:date:message-id;
bh=hZH42YPrA1C1YyKkQ/LM0S6pyh9p5LGmoqE/s4CGGts=;
b=Squ71HtAuuwYHfX+4z63WcgBMoiKbcX5KAQLKwfvlnXuF5QEJNHjfX0GwekViXJIZ5
D2v03648ni6W3/b6uXVoecrtX0MZ9Z/Ck+LxcJRi16toE4QfjR6fhX5l9OSKFjgqkst3
Exk9yB1iiX8IAoIvnSaT0pQ5UzOov5Yneti3HO8QbzeCnT1/HieLwIhB/d+znryw1mTQ
jj/VBlNEGFEJhpXjS7cbQFHQEz3yGl1YTSNB3Kxp9T5a7+ncsW3pOAlfKqNYpVywSlBe
s6OUSTZ/bEwVYP3dv9aHmbpOIV6rC8uPgUlm+SKYtlj9xiR9uXTtj21IbA0F1esFx+Up
jAQw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Return-Path: <root@nodspot.com>
Received: from ubuntu-s-1vcpu-1gb-sfo2-01 ([206.189.221.162])
by mx.google.com with ESMTP id y11-v6si1190446plg.237.2018.10.03.03.47.35
for <mantvydo@gmail.com>;
Wed, 03 Oct 2018 03:47:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) client-ip=206.189.221.162;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of root@nodspot.com designates 206.189.221.162 as permitted sender) smtp.mailfrom=root@nodspot.com
Message-Id: <20181003104734.1871F42006E@kali>
Date: Wed, 3 Oct 2018 11:47:28 +0100 (BST)
From: root <root@nodspot.com>
removing traces like a sir