Day 47 comes with an introduction for SMTP Injections!
Couple weeks ago while looking for more resources to learn, I came across a “SMTP Injection”, while looking for more resources and options to learn, I found diverse resources, but nothing better than this write up. Therefore, for the sake of learning I’ll be explaining SMTP injection. Thanks to Zohar Shachar for making an undersandable write up.
Back to some terms
The SMTP injection was found in Gsuite which is a poweful account administration tool which allows to control anything related to users and the organization. Ok, we know what Gsuite is, but what the hell is SMTP? Simply, SMTP is a simple, text based protocol that does not enforce authentication which allows to send emails. Depending on the SMTP server, it has some parameters that allow to send emails such as:
SMTP FROM: firstname.lastname@example.org SMTP TO: Victim@gmail.com DATA: bcc: email@example.com Send me all your money!!
That’s an example on how people would send emails with SMTP. It’s not just that simple tho! The server might try to verify if you actually own the domain where you actually are trying to send the emails. Therefore it depends purely in the service.