SMTP Pentesting

SMTP (Simple Mail Transfer Protocol) Pentesting

It is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS).

Enumeration

nmap --script smtp-brute -p 25,465,587 <target-ip>
nmap --script smtp-commands -p 25,465,587 <target-ip>
nmap --script smtp-enum-users -p 25,465,587 <target-ip>
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target-ip>
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 <target-ip>
nmap --script smtp-* -p 25,465,587 <target-ip>

MX Domains

dig mx example.com

Users

# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u <username> -t <target-ip>
smtp-user-enum -M VRFY -U usernames.txt -t <target-ip>

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u <username> -t <target-ip>
smtp-user-enum -M RCPT -U usernames.txt -t <target-ip>

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u <username> -t <target-ip>
smtp-user-enum -M EXPN -D <hostname> -U usernames.txt -t <target-ip>

STARTTLS

# port 25
openssl s_client -starttls smtp -connect <target-ip>:25
# Port 465
openssl s_client -crlf -connect <target-ip>:465
# Port 587
openssl s_client -starttls smtp -crlf -connect <target-ip>:587

Connect

nc <target-ip> 25
# or
telnet <target-ip> 25

Commands

Commands are not case sensitive.

HELO - Identify SMTP Server

helo example.com

EHLO - List all supported enhanced functions

ehlo example.com

8BITMIME - allow to send 8-bit data
AUTH - authentication for the SMTP connection
CHUNKING - transfer chunks of data
DSN (Delivery Status Notifications) - notify delivery status
ENHANCEDSTATUSCODES - allow to show more details of the status
ETRN - process remote queue
EXPN - expand mailing list
HELP - help about commands
PIPELINING - allow the multiple commands
SIZE - maximum message size that can be received
SMTPUTF8 -
STARTTLS - communicate with TLS
SEND - send message to terminal
TURN - swap client and server
VRFY - check if the user exists in the SMTP server

The AUTH LOGIN command allows us to login. We need to input username/password in Base64. Here is the example:

AUTH LOGIN
334 VXNlcm5hbWU6 # Base64-encoded "username:"
dGVzdA== # Base64-encoded "test"
334 UGFzc3dvcmQ6 # Base64-encoded "password:"
cGFzc3dvcmQ= # Base64-encoded "password"

Messages

# 1. check if the user exists
vrfy <username>
vrfy root

# 2. set the address of the mail sender
mail from: <username>
mail from: root
mail from: sender@example.com

# 3. set the address of the mail recipient
rcpt to: <username>
rcpt to: root
rcpt to: recipient@example.com

# 4. send data of message (the message end with ".")
data
subject: Test Mail
This is a test mail.
.

Others

# process remote queue
etrn example.com

# list the mailing list
expn example.com

Send Mails from External

swaks is a swiss army knife for SMTP.

swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello"

# --attach: Attach a file
swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello" --attach @evil.docx

Start SMTP Server

# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25

PreviousReceive Email as Another Address NextCouchDB Pentesting

Last updated 1 month ago

hashtagSMTP (Simple Mail Transfer Protocol) Pentesting

hashtagEnumeration

hashtagMX Domains

hashtagUsers

hashtagSTARTTLS

hashtagConnect

hashtagCommands

hashtagHELO - Identify SMTP Server

hashtagEHLO - List all supported enhanced functions

hashtagAuth Login

hashtagMessages

hashtagOthers

hashtagSend Mails from External

hashtagStart SMTP Server