diff --git a/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/__init__.py b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/boefje.json b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/boefje.json
new file mode 100644
index 00000000000..8b69d6b0b2e
--- /dev/null
+++ b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/boefje.json
@@ -0,0 +1,13 @@
+{
+ "id": "microsoft-spoofing-open-relay",
+ "name": "Microsoft Open Relay Spoofing Vulnerability",
+ "description": "This boefje checks the provided hostname is vulnerable to Microsoft Open Relay Spoofing Vulnerability.",
+ "consumes": [
+ "Hostname"
+ ],
+ "environment_keys": [
+ "MICROSOFT_MAILSERVER_IP",
+ "RECIPIENT_EMAIL"
+ ],
+ "scan_level": 2
+}
diff --git a/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/main.py b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/main.py
new file mode 100644
index 00000000000..f6bd74cf4c3
--- /dev/null
+++ b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/main.py
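Review bot: The `description` in the boefje.json hunk reads `checks the provided hostname is vulnerable`, which is ungrammatical and also overstates what the plugin establishes — it consumes a `Hostname` and relays one test message with a spoofed `@hostname` sender to RECIPIENT_EMAIL via the configured Microsoft server; suggest `"description": "Sends a test e-mail with a spoofed sender @<hostname> through the configured Microsoft mail server to RECIPIENT_EMAIL, to check whether the hostname is exposed to the Microsoft open-relay spoofing issue."`. The hunk sets `"scan_level": 2`; since every run actively sends forged mail to a third party through Microsoft's infrastructure, please confirm that level matches this project's scheme for intrusive, externally visible actions — I cannot tell from the diff. The `id` `microsoft-spoofing-open-relay` also orders the words differently from the directory name `kat_microsoft_open_relay_spoofing_vulnerability`; harmless if intentional, but worth aligning.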
@@ -0,0 +1,53 @@
+import json
+import logging
+from ipaddress import ip_address
+from os import getenv
+
+import telnetlib
+
+from boefjes.job_models import BoefjeMeta
+
+SMTP_PORT = 25
+TIMEOUT = 5
+
+
+def run(boefje_meta: BoefjeMeta) -> list[tuple[set, bytes | str]]:
+ mailserver_ip = getenv("MICROSOFT_MAILSERVER_IP")
+ recipient_email = getenv("RECIPIENT_EMAIL")
+ hostname = boefje_meta.arguments["input"]["name"]
+
+ telnet = telnetlib.Telnet(mailserver_ip, SMTP_PORT)
+
+ telnet.read_until(b"220", timeout=TIMEOUT)
+ telnet.write(b"HELO example.com\r\n")
+ telnet.read_until(b"250", timeout=TIMEOUT)
+
+ mail_from = f"MAIL FROM:spoofed@{hostname}\r\n"
+ telnet.write(mail_from.encode())
+ telnet.read_until(b"250", timeout=TIMEOUT)
+
+ rcpt_to = f"RCPT TO:{recipient_email}\r\n"
+ telnet.write(rcpt_to.encode())
+ telnet.read_until(b"250", timeout=TIMEOUT)
+
+ telnet.write(b"DATA\r\n")
+ telnet.read_until(b"354", timeout=TIMEOUT) # 354 indicates that the server is ready to receive data
+
+ data = (
+ f"From:Spoofed Email \r\n"
+ f"To:My Name <{recipient_email}>\r\n"
+ f"Subject:Example Spoofing Mail\r\n"
+ "\r\n"
+ "Are you reading this mail? Then you are vulnerable to spoofing.\r\n"
+ "\r\n"
+ ".\r\n"
+ )
+ telnet.write(data.encode())
+
+ response = telnet.read_until(b"250", timeout=TIMEOUT)
+ results = response.decode()
+
+ telnet.write(b"quit\r\n")
+ telnet.close()
+
+ return [(set(), json.dumps(results))]
diff --git a/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/schema.json b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/schema.json
new file mode 100644
index 00000000000..072b3e26536
--- /dev/null
+++ b/boefjes/boefjes/plugins/kat_microsoft_open_relay_spoofing_vulnerability/schema.json
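Review bot: The SMTP reply codes in `run()` are never checked — `telnet.read_until(b"250", timeout=TIMEOUT)` also returns whatever arrived when the timeout expires, so a rejected `MAIL FROM` or `RCPT TO` (a 5xx from the server) is silently ignored, the boefje goes on to `DATA`, and the reported `results` is just the raw bytes of the last read rather than a verdict. The `Telnet` object is only closed on the happy path, so any exception leaks the socket, and `ip_address` and `logging` are imported but unused, meaning `MICROSOFT_MAILSERVER_IP` is used as a connection target without ever being validated as an IP. `telnetlib` is deprecated (PEP 594) and removed in Python 3.13, while the `bytes | str` annotation already requires 3.10+; `smtplib` returns `(code, message)` per command, brackets the envelope addresses per RFC 5321, and closes the connection via `with`, which addresses all three points. The `From:` header in the `data` block carries no address as rendered here — if that is not a rendering artifact, the header sender will not match the envelope sender `spoofed@{hostname}`, so please confirm. If a normaliser consumes the returned string, keep the shape it expects; the sketch below keeps a plain string.
```python
def run(boefje_meta: BoefjeMeta) -> list[tuple[set, bytes | str]]:
    # … unchanged: getenv() lookups and hostname …
    ip_address(mailserver_ip)  # reject anything that is not an IP literal before connecting

    # smtplib (import it in place of telnetlib) returns (code, message) for every command
    with smtplib.SMTP(mailserver_ip, SMTP_PORT, timeout=TIMEOUT) as smtp:
        code, message = smtp.helo("example.com")
        if code == 250:
            code, message = smtp.mail(f"spoofed@{hostname}")
        if code == 250:
            code, message = smtp.rcpt(recipient_email)
        if code == 250:
            # … unchanged: message headers and body, minus the trailing ".\r\n" — data() terminates the message itself …
            code, message = smtp.data(data.encode())

    results = f"{code} {message.decode(errors='replace')}"
    return [(set(), json.dumps(results))]
```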
@@ -0,0 +1,22 @@
+{
+ "title": "Arguments",
+ "type": "object",
+ "properties": {
+ "MICROSOFT_MAILSERVER_IP": {
+ "title": "Microsoft Mailserver IP",
+ "maxLength": 128,
+ "type": "string",
+ "description": "An IP address of the Microsoft mailserver to check for open relay spoofing vulnerability. Use hostname:mail.messaging.microsoft.com country:\"NL\" in Shodan to find a suitable IP address."
+ },
+ "RECIPIENT_EMAIL": {
+ "title": "Recipient Email",
+ "maxLength": 128,
+ "type": "string",
+ "description": "An email address to send a test email to check for open relay spoofing vulnerability."
+ }
+ },
+ "required": [
+ "MICROSOFT_MAILSERVER_IP",
+ "RECIPIENT_EMAIL"
+ ]
+}
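Review bot: Neither property constrains its format — `MICROSOFT_MAILSERVER_IP` and `RECIPIENT_EMAIL` only carry `"maxLength": 128` and `"type": "string"`, so a hostname, URL or arbitrary text is accepted for values that main.py uses directly as the connection target and as the `RCPT TO` address. Add `"format": "ipv4"` to the first (or a pattern that also admits IPv6, if that is intended) and `"format": "email"` to the second; whether the schema validator enforces `format` is not visible in this diff, so main.py should validate as well. The `MICROSOFT_MAILSERVER_IP` description tells operators to pick any Microsoft server from Shodan, i.e. a third party's infrastructure will be used to relay forged mail; the description should state that the operator must be authorised to send to RECIPIENT_EMAIL, and `to check for open relay spoofing vulnerability` reads better as `to check whether the scanned hostname is exposed to the open-relay spoofing issue`.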