Skip to main content

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25



 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS) 

 Connect


We can use Telnet to connect to the remote server. Here is a command using Telnet:




telnet example.com 25



Enumeration

Identifying a SMTP Server


You can use Nmap to check if there's an Telnet server on a target host like this:




nmap -p25,465,587 -sV -Pn target.com


Additional Nmap commands for enumeration

nmap --script smtp-brute -p 25,465,587 "target-ip"
nmap --script smtp-commands -p 25,465,587 "target-ip"
nmap --script smtp-enum-users -p 25,465,587 "target-ip"
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip"
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip"
nmap --script smtp-* -p 25,465,587 "target-ip"




Enumerate Users

Nmap has a script for SMTP user enumeration



nmap -p25 --script smtp-enum-users.nse target.com



DNS Mail Exchange (MX) Record Enumeration


We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.




dig +short mx example.com



Information Disclosure with NTLM Auth


Some SMTP servers with NTLM Authentication enabled can disclose sensitive information, like Windows Server version and internal IP, if Anonymous Logon is allowed.


nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.


Here is a simple example of how to test for open relay:


telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay
Test message
.
QUIT


SMTP User Enum- Default kali tools



# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u "username" -t "target-ip"
smtp-user-enum -M VRFY -U usernames.txt -t "target-ip"

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u "username" -t "target-ip"
smtp-user-enum -M RCPT -U usernames.txt -t "target-ip"

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u "username" -t "target-ip"
smtp-user-enum -M EXPN -D "hostname" -U usernames.txt -t "target-ip"




STARTTLS

# port 25 openssl s_client -starttls smtp -connect "target-ip":25 # Port 465 openssl s_client -crlf -connect "target-ip":465 # Port 587 openssl s_client -starttls smtp -crlf -connect "target-ip":587

Others

# process remote queue etrn example.com # list the mailing list expn example.com Send Mails from External swaks is a swiss army knife for SMTP. swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" # --attach: Attach a file swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" --attach @evil.docx

Start SMTP Server


# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25


Comments

Popular posts from this blog

Powershell Automation Basics - Part 1

Pentest Notes: PowerShell Automation - Basics Pentest Notes: PowerShell Automation - Basics These notes cover PowerShell automation for penetration testing, focusing on practical applications and techniques. What is PowerShell? A powerful scripting language and command-line shell built on the .NET framework, heavily integrated with Windows. Ideal for system administration and automation, making it a valuable tool for pentesters. Why PowerShell for Pentesting? Native to Windows: Pre-installed on most Windows systems. Object-oriented: Allows for complex data manipulation and interaction with APIs. Access to .NET Framework: Enables interaction with a vast library of classes and functions. Remoting capabilities: Execute commands on remote systems. Bypass security restrictions: Can be used to circumvent some security measures if not properly configured. Basic Syntax Cmdlets: Commands in PowerShell (e.g., Get-Process , Get-Service , Get-ChildItem ). P...

Pivoting Commands

Pivoting for Red Teamers Pivoting in Red Team Operations: A Complete Guide Introduction In a real-world red team operation , gaining initial access is just the beginning. The real challenge is pivoting —the ability to move laterally, escalate privileges, and compromise additional systems within the network. What is Pivoting? Pivoting is a technique used to route traffic through a compromised host to access internal networks that are not directly reachable. Types of Pivoting Network Pivoting : Routes network traffic through a compromised host (e.g., SSH Tunneling, Metasploit, ProxyChains). Port Forwarding : Exposes specific ports from an internal machine to the attacker (e.g., SSH Local Port Forwarding). Step 1: Pivoting Using Metasploit Setting Up a Pivot via Meterpreter meterpreter> backgroun...

SQLDB Pentest

Pivoting for Red Teamers SQL Database & SQL Injection Pentesting Cheat Sheet SQL databases store crucial application data, and misconfigurations can make them vulnerable to SQL Injection (SQLi) attacks. This guide covers database enumeration, privilege escalation, and SQL injection techniques. Step 1: Identifying SQL Database Type Check the database type by sending payloads in the input fields or URL: ' OR 1=1 -- (MySQL, PostgreSQL, MSSQL) ' UNION SELECT 1,2,3 -- (Check column count) ' AND 1=CONVERT(int,@@version) -- (MSSQL Test) Observe the error messages for database identification. Step 2: Enumerating Database Tables & Columns Use SQL queries to extract database structure. For MySQL: SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE(); SELECT column_name FROM information_schema.columns WHERE table_name='user...