Skip to main content

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25



 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS) 

 Connect


We can use Telnet to connect to the remote server. Here is a command using Telnet:




telnet example.com 25

Enumeration

Identifying a SMTP Server


You can use Nmap to check if there's an Telnet server on a target host like this:




nmap -p25,465,587 -sV -Pn target.com


Additional Nmap commands for enumeration

nmap --script smtp-brute -p 25,465,587 "target-ip"
nmap --script smtp-commands -p 25,465,587 "target-ip"
nmap --script smtp-enum-users -p 25,465,587 "target-ip"
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip"
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip"
nmap --script smtp-* -p 25,465,587 "target-ip"


Enumerate Users

Nmap has a script for SMTP user enumeration



nmap -p25 --script smtp-enum-users.nse target.com


DNS Mail Exchange (MX) Record Enumeration


We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.




dig +short mx example.com

Information Disclosure with NTLM Auth


Some SMTP servers with NTLM Authentication enabled can disclose sensitive information, like Windows Server version and internal IP, if Anonymous Logon is allowed.


nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.


Here is a simple example of how to test for open relay:


telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay
Test message
.
QUIT

SMTP User Enum- Default kali tools



# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u "username" -t "target-ip"
smtp-user-enum -M VRFY -U usernames.txt -t "target-ip"

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u "username" -t "target-ip"
smtp-user-enum -M RCPT -U usernames.txt -t "target-ip"

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u "username" -t "target-ip"
smtp-user-enum -M EXPN -D "hostname" -U usernames.txt -t "target-ip"






STARTTLS
# port 25
openssl s_client -starttls smtp -connect "target-ip":25
# Port 465
openssl s_client -crlf -connect "target-ip":465
# Port 587
openssl s_client -starttls smtp -crlf -connect "target-ip":587


Others

# process remote queue
etrn example.com

# list the mailing list
expn example.com

Send Mails from External
swaks is a swiss army knife for SMTP.

swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello"

# --attach: Attach a file
swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" --attach @evil.docx


Start SMTP Server

# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25


Labels:

Comments

Post a Comment

Popular posts from this blog

Thread Modelling Cheatsheet: Know Your Weaknesses Before Attackers Do!

Threat Modelling Part - 1 What is Threat Modelling?      Threat modelling is the process of identifying, assessing, and mitigating potential security threats before they happen. It helps teams anticipate how systems can be attacked and build defences proactively , not reactively. Key Concepts Threat: Something (like a hacker or malware) that could exploit a weakness. Vulnerability: A flaw in your system that can be exploited. Risk: The chance that a threat will exploit a vulnerability to cause damage. Analogy : Threat = Burglar Vulnerability = Unlocked door Risk = Getting robbed because the door is open in a bad neighborhood  Threat Modelling Process (High-Level) Define the Scope – What systems/apps are you evaluating? Identify Assets – What needs protection? (e.g. data, services) Identify Threats – Think like an attacker. What could go wrong? Analyze Vulnerabilities – What weaknesses exist? Prioritize Ri...
Post a Comment
Read more

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...
Post a Comment
Read more