Hi fellas,
Let me introduce you my last tool, ORFinder
ORFinder claims to be able to find any smtp services, exposed over the internet, vulnerable to open relay attack.
Such attack relies on the fact that the sender / receiver addresses are not checked by the underlying mail server, allowing to perform phishing attacks or any kind of fraud. Which could be valuable for any OPSEC.
DISCLAIMER: I’m not responsible for misuse or for any damage that you may cause! You agree that you use this software at your own risk.
Note: The usage of a VPN could disrupt the tool behaviors. Stay tuned for updates
How it works
Here is, in a few lines, the tool workflow:
Get IP ranges according to the given country code
For each IP
Check if the smtp service is running
if True
Check if the service is vulnerable to open relay attack
Pretty straightforward, isn’t it ?
Usage
Build
To build the container, just use this command:
docker build -t orfinder .
Docker will download the Debian image and then execute the installation steps.
Be patient, the process can be quite long the first time.
Run
Once the build process is over, get and enjoy your new open relay scanner !
docker run -it --rm orfinder -c COUNTRY_CODE
Don’t forget to regularly pull this repository for updates.
FAQ
Here is a few questions that you guys asked me on IRC.
How did you get the IP ranges of a given country ?
I advise you to check the Loader I don’t want to disclose the source here to avoid Google indexing.
How did you detect open services ?
The detection is performed through a simple TCP SYN scan.
How did you detect if a given service is vulnerable ?
Once the TCP connection established with the target, I send the following commands and check the return value.
HELO domain.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
If each of those commands return 250, it means that the service is potentially vulnerable to open relay attacks. I said potentially cause, some mail servers implement security measures that cannot be detected without being, prior, root .
Consequently, a manual check should be done once the vulnerable service has been detected.
Is it safe to use ?
TCP SYN scan is, probably, the stealthiest way to perform port scanning. Moreover, our requests should be drowned by the bots scanning the internet constantly.
Upstream, the vulnerability check, instantiate a TCP connection with the target. For privacy reasons, I chose to proxify each request made through TOR not to disclose the end user identity.
Last words
Contributions are welcome if you have ideas to enhance this tool
I hope you enjoyed your reading.
Best,
Nitrax