How Hackers Capture SMTP Authentication Password
In my previous article, we saw how an attacker can compromise a network printer and use its configured SMTP server to relay spam emails.
If your organization uses an open SMTP relay without authentication, it is easy for the attacker to send spam through it.
If your organization uses an SMTP server that requires authentication to relay email, it will be harder for the attacker to exploit it. Harder but not impossible.
In this article, I will show how a hacker could capture the password required for SMTP authentication.
The Steps
Let’s take the case of a multifunction printer that sends a scanned document to the user’s email box. In the printer’s configuration panel, the administrator will fill in the required information for the SMTP server, including the credentials.
A hacker who has access to the printer’s configuration web interface replaces the SMTP server’s IP address with the IP address of a machine on which he has set up his own mail server.
When the printer next sends a document to a user’s mailbox, it first tries to authenticate to the SMTP server by sending the username and password. But instead of sending the credentials to the legitimate SMTP server, it sends them to the hacker’s mail server.
How To Implement This Attack
First, we must set up a mail server on a Kali Linux machine.
Good news: Kali Linux comes with the Exim4 mail server installed. If not, you can install it with "sudo apt-get install exim4".
The first step is to run the Exim configuration wizard: "sudo dpkg-reconfigure exim4-config"
Enter the System mail name (e.g., acme.com). Choose any name; it doesn’t matter, as you will not use this email server for sending emails.
Enter the IP addresses on which you want the server to listen for incoming SMTP connections.
Keep the field blank and hit Enter to continue.
Keep the field blank and hit Enter to continue.
Select “No” and press “Enter”.
Select “mbox format in /var/mail/”
Select <No>
Once the Exim4 server is configured, we need to edit “/etc/exim4/exim4.conf.template” so that the server advertises and accepts password authentication on a connection that is not protected by TLS. This is what makes the printer send the password in clear text.
Add the following line at the beginning of the file:
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = true
To enable plaintext authentication, uncomment (remove the leading “#” from) the following lines. Note the “.ifndef” block at the end: by default it sets “server_advertise_condition” so that PLAIN is only advertised once a TLS cipher is in place; because the macro above is now defined, that block is skipped and PLAIN is advertised on every connection.
# plain_server:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
# server_set_id = $auth2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
Next, you need to restart the exim4 service to reflect the changes:
sudo /etc/init.d/exim4 restart
Your Exim4 server is now ready to receive connections.
One more step: run Wireshark, or TShark if you run a non-graphical version of Kali, to capture the communication between the printer and the Exim4 server.
Run the following commands (the output directory must already exist):
sudo -i
sudo tshark -i eth0 -f "tcp port smtp" -w /home/capture/smtp.pcap
In some multifunction printers, you can send a test email to check if the SMTP configuration works. If so, do that test to allow TShark to capture the packets.
If the printer doesn’t have such a test option, you must wait till someone scans and sends a document to its email address. In this case, the user will never receive the scanned document and will call the IT service for support.
If the IT team discovers the configuration change by checking the multifunction printer, they will investigate the case and may discover your maneuver.
If you’re doing a penetration test, you must be careful with this technique not to disrupt the organization’s services.
Open the pcap file in Wireshark and follow the TCP stream of the SMTP session.
The username and password in the AUTH exchange are displayed in Base64 format; they are encoded, not encrypted.
To decode the password, you can use any Base64 decoder.
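The following script is an added example, not code from the original article. It takes the kind of text Wireshark’s “Follow TCP Stream” shows for an SMTP session (constructed sample transcripts are embedded below; they are not real captures), tracks whether STARTTLS has completed, and reports two things a defender wants to know from such a capture: a server that advertises AUTH PLAIN/LOGIN before TLS (what the Exim macro above produces) and a client that actually sent AUTH PLAIN or AUTH LOGIN in clear text. It decodes the Base64 payloads per RFC 4616 to recover the username, so the affected account can be identified and rotated, but reports only the length of the password rather than the secret itself. The host and account names are placeholders.

```python
"""Audit an SMTP session transcript for credentials exchanged outside TLS.

Input lines look like Wireshark's "Follow TCP Stream" output, prefixed with
"S: " (server) or "C: " (client). Added example; hostnames and accounts are
constructed placeholders.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str              # "auth-advertised-without-tls" | "auth-plain-cleartext" | "auth-login-cleartext"
    username: str = ""     # decoded authentication identity, when one was sent
    password_len: int = 0  # length of the exposed secret; the secret itself is not kept


def decode_auth_plain(token: str) -> tuple:
    """RFC 4616 AUTH PLAIN: base64( authzid NUL authcid NUL password )."""
    parts = base64.b64decode(token, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return tuple(p.decode("utf-8", "replace") for p in parts)


def audit_session(transcript: str) -> list:
    """Walk the S:/C: lines and report any authentication done before STARTTLS."""
    findings = []
    tls_active = False     # True once the server answers STARTTLS with 220
    starttls_sent = False
    pending = None         # "plain" | "login-user" | "login-pass": what the next client line carries
    login_user = ""

    for line in transcript.splitlines():
        side, sep, text = line.partition(": ")
        if not sep or side not in ("S", "C"):
            continue
        text = text.strip()

        if side == "S":
            if starttls_sent and text.startswith("220"):
                tls_active = True  # everything after this point is ciphertext
            elif not tls_active and re.match(r"250[- ]AUTH\b", text, re.I):
                mechs = [m.upper() for m in text.split()[1:]]
                if "PLAIN" in mechs or "LOGIN" in mechs:
                    findings.append(Finding("auth-advertised-without-tls"))
            continue

        if tls_active:        # client data is encrypted now; nothing to inspect
            continue
        upper = text.upper()
        if upper == "STARTTLS":
            starttls_sent = True
        elif upper.startswith("AUTH PLAIN"):
            rest = text[len("AUTH PLAIN"):].strip()
            if rest:          # initial response carried on the AUTH line itself
                _, user, pw = decode_auth_plain(rest)
                findings.append(Finding("auth-plain-cleartext", user, len(pw)))
            else:             # token follows the server's 334 prompt
                pending = "plain"
        elif upper.startswith("AUTH LOGIN"):
            rest = text[len("AUTH LOGIN"):].strip()
            if rest:
                login_user = base64.b64decode(rest).decode("utf-8", "replace")
                pending = "login-pass"
            else:
                pending = "login-user"
        elif pending == "plain":
            _, user, pw = decode_auth_plain(text)
            findings.append(Finding("auth-plain-cleartext", user, len(pw)))
            pending = None
        elif pending == "login-user":
            login_user = base64.b64decode(text).decode("utf-8", "replace")
            pending = "login-pass"
        elif pending == "login-pass":
            pw = base64.b64decode(text).decode("utf-8", "replace")
            findings.append(Finding("auth-login-cleartext", login_user, len(pw)))
            pending = None
    return findings


# Constructed transcripts (not real captures). The credential tokens are built
# here so the sample is readable; a real capture shows only the Base64 strings.
_PLAIN_TOKEN = base64.b64encode(b"\x00scanner@example.test\x00S3cr3tP!ssw0rd").decode()
_LOGIN_USER = base64.b64encode(b"scanner@example.test").decode()
_LOGIN_PASS = base64.b64encode(b"S3cr3tP!ssw0rd").decode()

BAD_PLAIN_SESSION = f"""\
S: 220 mail.example.test ESMTP Exim
C: EHLO printer-01.example.test
S: 250-mail.example.test Hello printer-01.example.test [192.0.2.10]
S: 250-AUTH PLAIN LOGIN
S: 250 HELP
C: AUTH PLAIN {_PLAIN_TOKEN}
S: 235 Authentication succeeded
"""

BAD_LOGIN_SESSION = f"""\
S: 220 mail.example.test ESMTP Exim
C: EHLO printer-01.example.test
S: 250-AUTH PLAIN LOGIN
S: 250 HELP
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {_LOGIN_USER}
S: 334 UGFzc3dvcmQ6
C: {_LOGIN_PASS}
S: 235 Authentication succeeded
"""

GOOD_SESSION = """\
S: 220 mail.example.test ESMTP Exim
C: EHLO printer-01.example.test
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 TLS go ahead
"""

if __name__ == "__main__":
    for name, session in (("plain", BAD_PLAIN_SESSION), ("login", BAD_LOGIN_SESSION), ("good", GOOD_SESSION)):
        print(name, audit_session(session) or "no clear-text authentication")
```

Running the script on the three samples flags the two clear-text sessions (server advertisement plus the client's AUTH) and reports nothing for the session that negotiated STARTTLS first, since the credentials there never appear in the capture. The same routine can be pointed at a transcript exported from a real capture to confirm which account a printer leaked and therefore which password to change.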