Skip to main content

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25



 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS) 

 Connect


We can use Telnet to connect to the remote server. Here is a command using Telnet:




telnet example.com 25

Enumeration

Identifying a SMTP Server


You can use Nmap to check if there's an Telnet server on a target host like this:




nmap -p25,465,587 -sV -Pn target.com


Additional Nmap commands for enumeration

nmap --script smtp-brute -p 25,465,587 "target-ip"
nmap --script smtp-commands -p 25,465,587 "target-ip"
nmap --script smtp-enum-users -p 25,465,587 "target-ip"
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip"
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip"
nmap --script smtp-* -p 25,465,587 "target-ip"


Enumerate Users

Nmap has a script for SMTP user enumeration



nmap -p25 --script smtp-enum-users.nse target.com


DNS Mail Exchange (MX) Record Enumeration


We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.




dig +short mx example.com

Information Disclosure with NTLM Auth


Some SMTP servers with NTLM Authentication enabled can disclose sensitive information, like Windows Server version and internal IP, if Anonymous Logon is allowed.


nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.


Here is a simple example of how to test for open relay:


telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay
Test message
.
QUIT

SMTP User Enum- Default kali tools



# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u "username" -t "target-ip"
smtp-user-enum -M VRFY -U usernames.txt -t "target-ip"

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u "username" -t "target-ip"
smtp-user-enum -M RCPT -U usernames.txt -t "target-ip"

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u "username" -t "target-ip"
smtp-user-enum -M EXPN -D "hostname" -U usernames.txt -t "target-ip"






STARTTLS
# port 25
openssl s_client -starttls smtp -connect "target-ip":25
# Port 465
openssl s_client -crlf -connect "target-ip":465
# Port 587
openssl s_client -starttls smtp -crlf -connect "target-ip":587


Others

# process remote queue
etrn example.com

# list the mailing list
expn example.com

Send Mails from External
swaks is a swiss army knife for SMTP.

swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello"

# --attach: Attach a file
swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" --attach @evil.docx


Start SMTP Server

# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25


Labels:

Comments

Post a Comment

Popular posts from this blog

Powershell Automation Basics - Part 1

Pentest Notes: PowerShell Automation - Basics Pentest Notes: PowerShell Automation - Basics These notes cover PowerShell automation for penetration testing, focusing on practical applications and techniques. What is PowerShell? A powerful scripting language and command-line shell built on the .NET framework, heavily integrated with Windows. Ideal for system administration and automation, making it a valuable tool for pentesters. Why PowerShell for Pentesting? Native to Windows: Pre-installed on most Windows systems. Object-oriented: Allows for complex data manipulation and interaction with APIs. Access to .NET Framework: Enables interaction with a vast library of classes and functions. Remoting capabilities: Execute commands on remote systems. Bypass security restrictions: Can be used to circumvent some security measures if not properly configured. Basic Syntax Cmdlets: Commands in PowerShell (e.g., Get-Process , Get-Service , Get-ChildItem ). P...
Post a Comment
Read more

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...
Post a Comment
Read more

SQLDB Pentest

Pivoting for Red Teamers SQL Database & SQL Injection Pentesting Cheat Sheet SQL databases store crucial application data, and misconfigurations can make them vulnerable to SQL Injection (SQLi) attacks. This guide covers database enumeration, privilege escalation, and SQL injection techniques. Step 1: Identifying SQL Database Type Check the database type by sending payloads in the input fields or URL: ' OR 1=1 -- (MySQL, PostgreSQL, MSSQL) ' UNION SELECT 1,2,3 -- (Check column count) ' AND 1=CONVERT(int,@@version) -- (MSSQL Test) Observe the error messages for database identification. Step 2: Enumerating Database Tables & Columns Use SQL queries to extract database structure. For MySQL: SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE(); SELECT column_name FROM information_schema.columns WHERE table_name='user...
Post a Comment
Read more