# SMTP Pentesting

## SMTP (Simple Mail Transfer Protocol) Pentesting <a href="#smtp-simple-mail-transfer-protocol-pentesting" id="smtp-simple-mail-transfer-protocol-pentesting"></a>

SMTP is used for sending e-mail; POP3 or IMAP are used for receiving it. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS).

### Enumeration <a href="#enumeration" id="enumeration"></a>

```shellscript
nmap --script smtp-brute -p 25,465,587 <target-ip>
nmap --script smtp-commands -p 25,465,587 <target-ip>
nmap --script smtp-enum-users -p 25,465,587 <target-ip>
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target-ip>
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 <target-ip>
nmap --script smtp-* -p 25,465,587 <target-ip>
```

#### MX Domains <a href="#mx-domains" id="mx-domains"></a>

```shellscript
dig mx example.com
```

#### Users <a href="#users" id="users"></a>

```shellscript
# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u <username> -t <target-ip>
smtp-user-enum -M VRFY -U usernames.txt -t <target-ip>

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u <username> -t <target-ip>
smtp-user-enum -M RCPT -U usernames.txt -t <target-ip>

# EXPN - expand a mailing list or alias into its member addresses
smtp-user-enum -M EXPN -u <username> -t <target-ip>
smtp-user-enum -M EXPN -D <hostname> -U usernames.txt -t <target-ip>
```

#### STARTTLS <a href="#starttls" id="starttls"></a>

```shellscript
# port 25
openssl s_client -starttls smtp -connect <target-ip>:25
# Port 465
openssl s_client -crlf -connect <target-ip>:465
# Port 587
openssl s_client -starttls smtp -crlf -connect <target-ip>:587
```

### Connect <a href="#connect" id="connect"></a>

```shellscript
nc <target-ip> 25
# or
telnet <target-ip> 25
```

### Commands <a href="#commands" id="commands"></a>

Commands are not case sensitive.

#### HELO - Identify SMTP Server <a href="#helo-identify-smtp-server" id="helo-identify-smtp-server"></a>

```shellscript
helo example.com
```

#### EHLO - List all supported enhanced functions <a href="#ehlo-list-all-supported-enhanced-functions" id="ehlo-list-all-supported-enhanced-functions"></a>

```shellscript
ehlo example.com
```

* **8BITMIME** - allows 8-bit message data to be sent
* **AUTH** - authentication for the SMTP connection
* **CHUNKING** - transfer the message in chunks (BDAT)
* **DSN (Delivery Status Notifications)** - notify the sender of delivery status
* **ENHANCEDSTATUSCODES** - allows more detailed status codes in replies
* **ETRN** - process remote queue
* **EXPN** - expand a mailing list
* **HELP** - help about commands
* **PIPELINING** - allows multiple commands to be sent without waiting for each reply
* **SIZE** - maximum message size the server accepts
* **SMTPUTF8** - allows UTF-8 in addresses and headers (internationalized e-mail)
* **STARTTLS** - upgrade the connection to TLS
* **SEND** - send message to terminal
* **TURN** - swap client and server roles
* **VRFY** - check whether a user exists on the SMTP server
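The keyword list above is what a server-side review usually starts from. The following Python example is added here and is not code from the original page: it parses a constructed EHLO reply (the hostname, addresses and SIZE value are made up) into its extensions and reports the findings a defender cares about, namely VRFY/EXPN being advertised and AUTH being offered on a session that cannot be upgraded with STARTTLS.

```python
import re

# Constructed sample EHLO reply (not captured from any real host).
SAMPLE_EHLO = (
    "250-mail.example.com Hello client.example.com [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-VRFY\r\n"
    "250-EXPN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 AUTH LOGIN PLAIN\r\n"
)

# Wording of the audit findings, kept as constants so callers can match on them.
F_VRFY = "VRFY advertised: account enumeration is possible without authentication"
F_EXPN = "EXPN advertised: mailing-list membership can be expanded"
F_NO_STARTTLS = "STARTTLS not offered: the session stays in cleartext"
F_AUTH_CLEARTEXT = "AUTH offered without STARTTLS: credentials would cross the wire in cleartext"

# '250-KEYWORD params' for continuation lines, '250 KEYWORD params' for the last one.
_EHLO_LINE = re.compile(r"^250([ -])(\S+)(?:[ ](.*))?$")


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [parameters...]}.

    The first line is the greeting ('250-hostname ...') and carries no extension;
    every further line names one extension, optionally followed by parameters.
    """
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    exts = {}
    for line in lines[1:]:
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        _sep, keyword, params = m.groups()
        exts[keyword.upper()] = params.split() if params else []
    return exts


def audit_ehlo(exts: dict, implicit_tls: bool = False) -> list:
    """Return the findings a reviewer would raise from the advertised extensions.

    implicit_tls=True describes port 465, where the whole session is already TLS,
    so a missing STARTTLS keyword is not a finding there.
    """
    findings = []
    if "VRFY" in exts:
        findings.append(F_VRFY)
    if "EXPN" in exts:
        findings.append(F_EXPN)
    if not implicit_tls and "STARTTLS" not in exts:
        findings.append(F_NO_STARTTLS)
        if "AUTH" in exts:
            findings.append(F_AUTH_CLEARTEXT)
    return findings


if __name__ == "__main__":
    parsed = parse_ehlo(SAMPLE_EHLO)
    for kw, params in parsed.items():
        print(f"{kw:<22} {' '.join(params)}")
    for finding in audit_ehlo(parsed):
        print("!", finding)
```

To audit a live server, paste the reply printed by the `ehlo` command above into `parse_ehlo`; pass `implicit_tls=True` when the reply came from port 465.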

#### Auth Login <a href="#auth-login" id="auth-login"></a>

The `AUTH LOGIN` command allows us to log in. We need to input the `username/password` in **Base64**.\
Here is the example:

```shellscript
AUTH LOGIN
334 VXNlcm5hbWU6 # Base64-encoded "Username:" (server challenge)
dGVzdA== # Base64-encoded "test" (client reply)
334 UGFzc3dvcmQ6 # Base64-encoded "Password:" (server challenge)
cGFzc3dvcmQ= # Base64-encoded "password" (client reply)
```
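Base64 is an encoding, not encryption, so the exchange above exposes the credentials to anyone on the path unless the session is already inside TLS. The following Python example is added here and is not code from the original page: it decodes the `334` challenges, produces the client replies, and then scans a constructed session transcript (the `C:`/`S:` prefixes, hostname and status lines are made up) to count `AUTH` commands issued before STARTTLS completed, which is the check a log reviewer or IDS rule would want.

```python
import base64


def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' server challenge into the prompt it carries."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {line!r}")
    return base64.b64decode(payload).decode("utf-8")


def auth_login_responses(username: str, password: str) -> list:
    """The two client lines sent in answer to the Username:/Password: challenges."""
    return [
        base64.b64encode(username.encode("utf-8")).decode("ascii"),
        base64.b64encode(password.encode("utf-8")).decode("ascii"),
    ]


# Constructed session transcript: "C:" lines are sent by the client, "S:" by the server.
SAMPLE_SESSION = [
    "S: 220 mail.example.com ESMTP",
    "C: EHLO client.example.com",
    "S: 250-mail.example.com",
    "S: 250-STARTTLS",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: dGVzdA==",
    "S: 334 UGFzc3dvcmQ6",
    "C: cGFzc3dvcmQ=",
    "S: 235 2.7.0 Authentication successful",
]


def cleartext_auth_attempts(transcript: list, implicit_tls: bool = False) -> int:
    """Count AUTH commands issued before the session was protected by TLS.

    A session on port 465 is TLS from the first byte (implicit_tls=True); on 25/587
    the client must issue STARTTLS and receive a 220 reply before AUTH is safe.
    """
    protected = implicit_tls
    awaiting_tls_reply = False
    attempts = 0
    for entry in transcript:
        side, _, text = entry.partition(" ")
        verb = text.split(" ", 1)[0].upper()
        if side == "C:" and verb == "STARTTLS":
            awaiting_tls_reply = True
        elif side == "S:" and awaiting_tls_reply:
            protected = text.startswith("220")  # anything else means TLS was refused
            awaiting_tls_reply = False
        elif side == "C:" and verb == "AUTH" and not protected:
            attempts += 1
    return attempts


if __name__ == "__main__":
    print(decode_challenge("334 VXNlcm5hbWU6"), decode_challenge("334 UGFzc3dvcmQ6"))
    print(auth_login_responses("test", "password"))
    print("cleartext AUTH attempts:", cleartext_auth_attempts(SAMPLE_SESSION))
```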

#### Messages <a href="#messages" id="messages"></a>

```shellscript
# 1. check if the user exists
vrfy <username>
vrfy root

# 2. set the address of the mail sender
mail from: <username>
mail from: root
mail from: sender@example.com

# 3. set the address of the mail recipient
rcpt to: <username>
rcpt to: root
rcpt to: recipient@example.com

# 4. send the message data (headers, a blank line, then the body; the message ends with a line containing only ".")
data
Subject: Test Mail

This is a test mail.
.
```
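Two details of the `DATA` step bite people who script it: lines must end in CRLF, and a body line that itself starts with `.` must be "dot-stuffed" (prefixed with another `.`) so the server does not take it for the end-of-data marker. The following Python example is added here and is not code from the original page: it builds the payload sent after the `354` reply and, for the server side, splits a raw stream at the terminator and undoes the stuffing. The addresses, subject and `example.com` Message-ID domain are constructed.

```python
from email.utils import formatdate, make_msgid

END_OF_DATA = b"\r\n.\r\n"


def build_data_payload(sender: str, recipient: str, subject: str, body: str) -> bytes:
    """Build the bytes sent after the server's 354 reply, terminator included.

    - Lines are separated by CRLF, as RFC 5321 requires.
    - Any line beginning with '.' gets one more '.' in front (dot-stuffing).
    - A blank line separates headers from body; a lone '.' line ends the message.
    """
    headers = [
        f"From: {sender}",
        f"To: {recipient}",
        f"Subject: {subject}",
        f"Date: {formatdate(localtime=True)}",
        f"Message-ID: {make_msgid(domain='example.com')}",  # constructed domain
    ]
    body_lines = body.replace("\r\n", "\n").split("\n")
    lines = headers + [""] + body_lines
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in lines]
    return ("\r\n".join(stuffed) + END_OF_DATA.decode()).encode("utf-8")


def read_data_payload(stream: bytes):
    """Server side: split a raw DATA stream at the terminator and undo dot-stuffing.

    Returns (message_bytes, remaining_bytes). Raises ValueError if the terminator
    never arrives, which is what a server sees when a client omits the final '.'.
    """
    if stream.startswith(b".\r\n"):          # empty message: terminator is the first line
        return b"", stream[3:]
    end = stream.find(END_OF_DATA)
    if end < 0:
        raise ValueError("end-of-data marker not found")
    raw, rest = stream[:end], stream[end + len(END_OF_DATA):]
    lines = raw.split(b"\r\n")
    unstuffed = [ln[1:] if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(unstuffed), rest


if __name__ == "__main__":
    payload = build_data_payload("sender@example.com", "recipient@example.com",
                                 "Test Mail", "Line one\n.\n..dots\nLast line")
    print(payload.decode())
    message, _ = read_data_payload(payload)
    print(message.decode())
```

`smtplib` performs the same stuffing internally (`smtplib.quotedata`), which is why a message sent through it survives a body line of `.` while a hand-typed one through `nc` does not.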

#### Others <a href="#others" id="others"></a>

```shellscript
# process remote queue
etrn example.com

# list the mailing list
expn example.com
```

### Send Mails from External <a href="#send-mails-from-external" id="send-mails-from-external"></a>

[**swaks**](https://github.com/jetmore/swaks) is a Swiss Army knife for SMTP.

```shellscript
swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello"

# --attach: Attach a file
swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello" --attach @evil.docx
```

### Start SMTP Server <a href="#start-smtp-server" id="start-smtp-server"></a>

```shellscript
# -n: No setuid
# -c: Classname
# Note: the smtpd module was deprecated in Python 3.6 and removed in Python 3.12;
# on newer interpreters use the aiosmtpd package instead.
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25
```
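Because `smtpd` is gone from recent Python releases, a stdlib-only stand-in is handy when you just need something that accepts mail and shows you the envelope. The following example is added here and is not code from the original page: a minimal debugging sink built on `asyncio` that stores each accepted message in an in-memory inbox, never relays anything, and answers `VRFY`/`EXPN` with `252` so it does not confirm whether accounts exist. The hostname `debug.example`, the default port 8025 and the reply texts are constructed; the protocol logic lives in a socket-free class so it can be exercised line by line.

```python
import asyncio

CRLF = b"\r\n"


class DebugSmtpSession:
    """One SMTP conversation, fed one line at a time; accepted messages land in `inbox`."""

    def __init__(self, inbox: list, hostname: str = "debug.example", on_message=None):
        self.inbox = inbox
        self.hostname = hostname.encode()
        self.on_message = on_message
        self.closed = False
        self.in_data = False
        self.body = []
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpt_to = []

    def greeting(self) -> bytes:
        return b"220 " + self.hostname + b" ESMTP debugging sink" + CRLF

    def feed(self, line: bytes) -> bytes:
        """Consume one CRLF-terminated line and return the reply (b'' while inside DATA)."""
        if self.in_data:
            if line == b"." + CRLF:                       # end-of-data marker
                self.in_data = False
                msg = {"from": self.mail_from, "to": list(self.rcpt_to), "data": b"".join(self.body)}
                self.inbox.append(msg)
                if self.on_message:
                    self.on_message(msg)
                self.body = []
                self._reset_envelope()
                return b"250 2.0.0 OK: stored in debug inbox, not delivered" + CRLF
            self.body.append(line[1:] if line.startswith(b".") else line)  # undo dot-stuffing
            return b""
        text = line.rstrip(b"\r\n")
        verb = text.split(b" ", 1)[0].upper()             # commands are case-insensitive
        arg = text[len(verb):].strip()
        if verb in (b"HELO", b"EHLO"):
            return b"250 " + self.hostname + CRLF          # advertises no extensions
        if verb == b"MAIL" and arg.upper().startswith(b"FROM:"):
            self.mail_from = arg[5:].strip().decode("utf-8", "replace")
            return b"250 2.1.0 OK" + CRLF
        if verb == b"RCPT" and arg.upper().startswith(b"TO:"):
            if self.mail_from is None:
                return b"503 5.5.1 MAIL first" + CRLF
            self.rcpt_to.append(arg[3:].strip().decode("utf-8", "replace"))
            return b"250 2.1.5 OK" + CRLF
        if verb == b"DATA":
            if not self.rcpt_to:
                return b"503 5.5.1 RCPT first" + CRLF
            self.in_data = True
            return b"354 End data with <CR><LF>.<CR><LF>" + CRLF
        if verb in (b"VRFY", b"EXPN"):
            return b"252 2.5.2 Cannot verify; send mail and see" + CRLF  # no enumeration
        if verb == b"RSET":
            self._reset_envelope()
            return b"250 2.0.0 OK" + CRLF
        if verb == b"NOOP":
            return b"250 2.0.0 OK" + CRLF
        if verb == b"QUIT":
            self.closed = True
            return b"221 2.0.0 Bye" + CRLF
        return b"500 5.5.1 Command not recognized" + CRLF


async def handle_client(reader, writer, inbox, on_message=None):
    session = DebugSmtpSession(inbox, on_message=on_message)
    writer.write(session.greeting())
    await writer.drain()
    while not session.closed:
        line = await reader.readline()
        if not line:                                      # client hung up
            break
        reply = session.feed(line)
        if reply:
            writer.write(reply)
            await writer.drain()
    writer.close()


async def serve(host: str = "127.0.0.1", port: int = 8025):
    """Listen and print every accepted envelope; port 25 needs root like the smtpd command."""
    inbox = []
    show = lambda m: print(f"from={m['from']} to={m['to']}\n{m['data'].decode('utf-8', 'replace')}")
    server = await asyncio.start_server(lambda r, w: handle_client(r, w, inbox, show), host, port)
    print(f"debug SMTP sink listening on {host}:{port}")
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Point a client at it with the `nc`/`telnet` session from the Commands section (or `swaks --server 127.0.0.1:8025`) and each accepted message is printed; nothing is forwarded anywhere.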
