Skip to main content

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25



 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS) 

 Connect


We can use Telnet to connect to the remote server. Here is a command using Telnet:




telnet example.com 25



Enumeration

Identifying a SMTP Server


You can use Nmap to check if there's an Telnet server on a target host like this:




nmap -p25,465,587 -sV -Pn target.com


Additional Nmap commands for enumeration

nmap --script smtp-brute -p 25,465,587 "target-ip"
nmap --script smtp-commands -p 25,465,587 "target-ip"
nmap --script smtp-enum-users -p 25,465,587 "target-ip"
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip"
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip"
nmap --script smtp-* -p 25,465,587 "target-ip"




Enumerate Users

Nmap has a script for SMTP user enumeration



nmap -p25 --script smtp-enum-users.nse target.com



DNS Mail Exchange (MX) Record Enumeration


We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.




dig +short mx example.com



Information Disclosure with NTLM Auth


Some SMTP servers with NTLM Authentication enabled can disclose sensitive information, like Windows Server version and internal IP, if Anonymous Logon is allowed.


nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.


Here is a simple example of how to test for open relay:


telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay
Test message
.
QUIT


SMTP User Enum- Default kali tools



# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u "username" -t "target-ip"
smtp-user-enum -M VRFY -U usernames.txt -t "target-ip"

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u "username" -t "target-ip"
smtp-user-enum -M RCPT -U usernames.txt -t "target-ip"

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u "username" -t "target-ip"
smtp-user-enum -M EXPN -D "hostname" -U usernames.txt -t "target-ip"




STARTTLS

# port 25 openssl s_client -starttls smtp -connect "target-ip":25 # Port 465 openssl s_client -crlf -connect "target-ip":465 # Port 587 openssl s_client -starttls smtp -crlf -connect "target-ip":587

Others

# process remote queue etrn example.com # list the mailing list expn example.com Send Mails from External swaks is a swiss army knife for SMTP. swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" # --attach: Attach a file swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" --attach @evil.docx

Start SMTP Server


# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25


Comments

Popular posts from this blog

Powershell Automation Basics - Part 1

Pentest Notes: PowerShell Automation - Basics Pentest Notes: PowerShell Automation - Basics These notes cover PowerShell automation for penetration testing, focusing on practical applications and techniques. What is PowerShell? A powerful scripting language and command-line shell built on the .NET framework, heavily integrated with Windows. Ideal for system administration and automation, making it a valuable tool for pentesters. Why PowerShell for Pentesting? Native to Windows: Pre-installed on most Windows systems. Object-oriented: Allows for complex data manipulation and interaction with APIs. Access to .NET Framework: Enables interaction with a vast library of classes and functions. Remoting capabilities: Execute commands on remote systems. Bypass security restrictions: Can be used to circumvent some security measures if not properly configured. Basic Syntax Cmdlets: Commands in PowerShell (e.g., Get-Process , Get-Service , Get-ChildItem ). P...

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...

Pivoting Commands

Pivoting for Red Teamers Pivoting in Red Team Operations: A Complete Guide Introduction In a real-world red team operation , gaining initial access is just the beginning. The real challenge is pivoting —the ability to move laterally, escalate privileges, and compromise additional systems within the network. What is Pivoting? Pivoting is a technique used to route traffic through a compromised host to access internal networks that are not directly reachable. Types of Pivoting Network Pivoting : Routes network traffic through a compromised host (e.g., SSH Tunneling, Metasploit, ProxyChains). Port Forwarding : Exposes specific ports from an internal machine to the attacker (e.g., SSH Local Port Forwarding). Step 1: Pivoting Using Metasploit Setting Up a Pivot via Meterpreter meterpreter> backgroun...