How Shodan Helped Me Find an SMTP Misconfiguration


Hello hackers, it’s Milad; you may know me as TheSafdari. This is my first write-up, about how Shodan helped me find an SMTP misconfiguration on a BBP program.

The program was a CRM platform where companies can bring all their incoming messages into one place. In other words, it was an all-in-one messaging CRM (Customer Relationship Management).

I’m a person who does vertical recon (narrow recon), which means that when I take a target, I focus on the main app and very rarely run subfinder or similar tools. That is my style: my main job is to understand the app, not to rush. I believe that if you work with a program for a few weeks like a normal user, abuse cases start coming to you and something in your mind says: what happens if I do that? It happens to me all the time. It really works.
For me, when only Company.com is in scope, it means that all assets Company.com owns are in scope too, as long as they can damage Company.

Now, without any further information, let’s get to the main part.

The program had only the main app in scope. I did a lot of testing and found a lot of bugs on it, but a few days ago I read a write-up about Shodan. I just opened my Shodan account and used this dork, which I don’t normally do!

ssl:company.com

There wasn’t much interesting data, but one thing caught my attention: there was an IP with port 25 open. The subdomain of this IP no longer resolved to it; it was old data, I think. As I researched port 25, I found that it is the SMTP port. I just connected to it and ran some SMTP commands. The thing was, you could only send email from and to addresses under the company domain (employee emails). How did I find this? Just by trying :)

Important part

If I had reported this to the triage team, they might have closed my report as N/A. I needed a working proof of concept that shows it works.
Did I have an email under company.com? No!
As I knew the program’s functions, there was a function to create a channel that forwards email from your email provider to the app. The flow was like below:

Create an email under company.com.
It gives you an address like somthing@in.company.com.
I had to set this address in my email provider to forward my incoming email to it.

Now when I send an email to milad@mycompany.com, my email provider forwards it to somthing@in.company.com and I can see what I receive in the app.

I used the somthing@in.company.com address to send myself an email from admin using the SMTP misconfiguration. The final command sequence was this:

EHLO X
MAIL FROM:<admin_bugbounty@company.com>
RCPT TO:<somthing@in.company.com>
DATA
Subject: Test Email
From: admin_bugbounty@company.com
To: somthing@in.company.com

This is a test email for PROOF OF CONCEPT .
.
QUIT

And I got the email in my dashboard.
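As an added example (not part of the original write-up), here is a small Python model of the envelope-policy gap behind this finding: it replays the PoC’s envelope commands under the permissive rule the server appeared to follow (any in-domain sender may reach any in-domain recipient) and under a hardened rule that requires SMTP AUTH before accepting an organisation-domain sender, which is what a defender would enforce (in Postfix, reject_sender_login_mismatch). The domain list and the reply texts are assumptions.

```python
import re
# Placeholder domains from the write-up; a real check would use the MTA's own list.
ORG_DOMAINS = {"company.com", "in.company.com"}

def _addr_domain(arg: str) -> str:
    """Domain part of an envelope address such as '<user@host>'."""
    m = re.search(r"<([^>]*)>", arg)
    addr = m.group(1) if m else arg.strip()
    return addr.rsplit("@", 1)[-1].lower()

def weak_policy(cmd: str, arg: str, state: dict) -> tuple:
    """Observed behaviour: any in-domain sender reaches any in-domain
    recipient, no authentication required."""
    if cmd == "MAIL":
        return (250, "OK") if _addr_domain(arg) in ORG_DOMAINS else (550, "sender not local")
    if cmd == "RCPT":
        return (250, "OK") if _addr_domain(arg) in ORG_DOMAINS else (554, "relay access denied")
    return (250, "OK")

def hardened_policy(cmd: str, arg: str, state: dict) -> tuple:
    """Fix: an organisation-domain envelope sender needs SMTP AUTH first
    (compare Postfix's reject_sender_login_mismatch)."""
    if cmd == "MAIL" and not state["authed"] and _addr_domain(arg) in ORG_DOMAINS:
        return (553, "5.7.1 sender address requires authentication")
    return weak_policy(cmd, arg, state)

def replay(session: str, policy, authed: bool = False) -> list:
    """Run the envelope commands through `policy`; return (command, code) pairs.
    Stops at the first permanent error, as a compliant client would, so the
    spoofed message is never handed over."""
    state = {"authed": authed}
    transcript = []
    for line in session.strip().splitlines():
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "MAIL" and arg.upper().startswith("FROM:"):
            arg = arg[5:]
        elif cmd == "RCPT" and arg.upper().startswith("TO:"):
            arg = arg[3:]
        code, _ = policy(cmd, arg, state)
        transcript.append((cmd, code))
        if code >= 500:
            break
    return transcript

# Envelope part of the write-up's PoC, used here as constructed test input.
POC_ENVELOPE = """EHLO X
MAIL FROM:<admin_bugbounty@company.com>
RCPT TO:<somthing@in.company.com>"""
```

Under the weak policy the whole envelope is accepted; under the hardened one the same session is refused at MAIL FROM unless the client has authenticated.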

Yes, that’s it. I reported it to the program.

If you enjoyed my write-up and want to see more of this hacking style, please support me by following and sharing it.
You can clap up to 50 times!
