When I talk with customers, some are pleasantly surprised by the amount of control and customization they have with Impact. With all the modules being developed in Python, Impact offers the ability to both customize existing modules and create new functionality from scratch. While we strive to provide all the functionality our customers need, there are times when a customer needs to "tweak" the product for their environment. Recently a customer asked about our capability to test for SMTP open relays. We didn’t have that capability, so he decided to write one himself. I got to chat with him about that process.
Q Could you introduce yourself and give us a little bit of your background?
My name is Kenny Herold, I am employed as a penetration tester; prior to that I worked as level 2 support personnel in the communications technology area for 4 years. Specifically I was involved in managing the e-mail, anti-spam and anti-malware initiatives, maintenance, solutions, etc. This is where my curiosity and interest in security was born.
Q What type of testing do you do with Impact?
I have done some wireless network analysis with Core Impact, but primarily infrastructure and/or web application type engagements. It is something I use in every engagement I have where applicable.
Q What was the problem you were trying to solve?
Given my background in the e-mail security space I knew that one of the biggest problems can originate from having open mail relays that are internal or external (DMZ public internet exposure) to your environment. I wanted to find some way to identify to what extent the open mail relays may present real risk. If you have an open mail relay internally that allows emails to be sent from external recipients to external recipients and the downstream SMTP server trusts that other mail server, you end up with a situation where you can spoof outside parties (for this particular example). This can have devastating effects from a brand and/or financial perspective depending on the motives of the malicious user.
Q Can you give us a high level of what your module does, and the effort it took to create?
The module, when directed at a server with port 25 open accepting SMTP connections, will attempt to send every combination of internal and external "from" and "to" to determine if the server is an open relay accepting connections from an internal address that has not been “blessed” in some way in the configuration to communicate with it via SMTP. To identify each e-mail that is sent out externally there is information included in the body of the message that is a one-way hash that can be compared to what is output from the module to determine in which situations an e-mail was successfully sent out. This is to protect the information of the internal IP addresses. The amount of effort was negligible; I built into the existing code structure.
Q Had you done a lot of coding in Python prior to this?
Python is something a lot of people (IT security) have talked about prior to my writing this module. I would say that I’ve done enough scripting in Perl and also as a result of my background education know enough to analyze code, see what needs modifications, and make adjustments within the Core Impact framework that has been established for modules. I myself could not have written the module from scratch without more time.
Q People always ask us what sites they should be visiting etc. to stay current on security, what are your favorites?
And of course various feeds of security experts.
The file can be retrieved from here and should be copied to the %appdata%\UserModules folder on your Impact machine. Once copied there, either issue the ‘Reload’ command from the Modules dropdown menu or restart the Impact service. The new module ‘SMTP Open Relay Checker’ will be in the ‘Information gathering’ folder and available to be run against any SMTP server in the workspace to determine if any type of relaying is possible.
Is this module useful? Would you suggest any tweaks? Do you have a module of your own you would like to highlight? Drop me a line and let me know.
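The test matrix and hashed body marker described in the interview, as an added Python sketch that is not the customer's module or Core Impact code: it builds the four internal/external sender and recipient cases, tags each with a token, and matches tokens found in delivered mail back to the case that relayed. The domains, marker format and function names are assumptions, and a keyed HMAC-SHA-256 stands in for the "one-way hash" because a plain hash of an IPv4 address can be recovered by enumeration.

```python
import hashlib
import hmac
import itertools
import re

# Constructed sample domains (assumptions, not from the original post).
INTERNAL_DOMAIN = "corp.example"
EXTERNAL_DOMAIN = "outside.example"
# Hypothetical marker line carried in the message body.
TOKEN_RE = re.compile(r"relay-test-token: ([0-9a-f]{64})")


def build_cases(server_ip, secret):
    """Return {token: case} for every internal/external from/to combination."""
    addrs = {"internal": f"relaytest@{INTERNAL_DOMAIN}",
             "external": f"relaytest@{EXTERNAL_DOMAIN}"}
    cases = {}
    for src, dst in itertools.product(addrs, repeat=2):
        material = f"{server_ip}|{addrs[src]}|{addrs[dst]}".encode()
        # Keyed hash: the token identifies the case to the tester only,
        # and the server's internal IP never appears in the mail itself.
        token = hmac.new(secret, material, hashlib.sha256).hexdigest()
        cases[token] = {"server": server_ip, "from": addrs[src],
                        "to": addrs[dst], "kind": f"{src}->{dst}"}
    return cases


def message_body(token):
    """Body text for one test message; carries the token, not the server IP."""
    return f"Authorized relay test.\nrelay-test-token: {token}\n"


def correlate(cases, received_bodies):
    """Map tokens seen in mail that actually arrived back to their test cases."""
    delivered = []
    for body in received_bodies:
        for token in TOKEN_RE.findall(body):
            case = cases.get(token)
            if case is not None and case not in delivered:
                delivered.append(case)
    return delivered


if __name__ == "__main__":
    cases = build_cases("10.0.0.25", b"per-engagement-secret")  # constructed
    tok = next(t for t, c in cases.items() if c["kind"] == "external->external")
    inbox = [message_body(tok), "unrelated mail\n"]  # constructed inbox
    for hit in correlate(cases, inbox):
        print(hit["server"], "relayed", hit["kind"])
```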