The Pentesting Guide
TwitterBlog
  • The Pentesting Guide
  • ℹ️0 - Pre-Engagement
  • 🔍1 - Information Gathering
  • Passive (OSINT)
  • Active
    • 🕵️HUMINT
    • WIFI
    • IP & Port Scanning
    • Services
      • 21 - FTP
      • 22 - SSH
      • 25 - SMTP
      • 53 - DNS
      • 80,443 - WEB
      • 88 - Kerberos
      • 110 - POP3
      • 111 - rpcbind
      • 161 - SNMP
      • 389 - LDAP
      • 139,445 - SMB
      • Active Directory
  • 💣2 - Exploitation
  • Brute Forcing
  • WEB
    • Apache Tomcat
    • Authentication
    • Broken Access Control
    • Cache poisoning
    • Clickjacking
    • CORS
    • CSRF
    • File Inclusion
    • Host Header Injection
    • HTTP Request Smuggling
    • Information disclosure
    • JWT
    • OS command injection
    • PHP deserialisation
    • SQLi
    • SSRF
    • SSTI
    • Shellshock
    • Unrestricted File Upload
    • XSS
    • XXE
  • Web (OWASP Test cases)
    • 4.1 Information Gathering
    • 4.2 Configuration and Deployment Management Testing
    • 4.3 Identity Management Testing
    • 4.4 Authentication Testing
    • 4.5 Authorization Testing
    • 4.6 Session Management Testing
    • 4.7 Input Validation Testing
    • 4.8 Testing for Error Handling
    • 4.9 Testing for Weak Cryptography
    • 4.10 Business Logic Testing
    • 4.11 Client-side Testing
    • 4.12 API Testing
  • WIFI
  • HUMINT
    • 🎣Gophish (Phishing)
    • Malicious Phishing Files
    • Phishing Evaluation
  • BoF - Windows(x86)
  • Active Directory
    • Kerberos
    • GPOs
    • Certificates
    • LAPS
    • Domain Trusts
  • 👿3 - Post Exploitation
  • File transfer
  • Shells
  • Situational Awareness
    • Containers and VMs
    • Linux
    • Windows
      • Dumping Credentials
      • Countermeasure Evasion
    • Active Directory
      • BloodHound & SharpHound
  • General
    • Linux
    • Windows
  • Local Privilege Escalation
    • Linux
    • Windows
  • Persistance
    • Windows
  • Cracking
  • Pivoting
    • Tunnelling & Port Forwarding
  • Lateral Movement
  • WIFI
  • 📓4 - Report
  • 🧹5 - House cleaning
Powered by GitBook
On this page
  • Introduction
  • Enumeration
  • User enumeration
  • Writing emails
  • References
  1. Active
  2. Services

25 - SMTP

Introduction

Port: 25 (TCP)

The Simple Mail Transfer Protocol (SMTP) is a standard protocol is a network protocol used for the exchange of e-mail messages between computers. However, SNMP stands between POP3 and IMAP protocols because it is the only protocol capable of sending emails.

Enumeration

As a starting point, you can use the SMTP scripts in order to gather further information like:

  • Basic user enumeration

  • Supported SMTP commands (You can also use the HELP command)

  • NetBios, DNS and OS version.

  • Checks for some vulnerabilities

sudo nmap -p25 --script="smtp* and not brute" <TARGET>

Alternatively, you can use Metasploit to gather the SMTP version with the following payload.

use auxiliary/scanner/smtp/smtp_version

User enumeration

There are at least three commands that can be used for user enumeration:

  • VRFY: Used to verify if a certain user is known to the SMTP-server

  • EXPN: Used to reveal the actual email address(es) of an alias

  • RCPT TO: A needed command to specify to whom the email should be sent

The main difference between VRFY and EXPN, and "RCPT TO" is that with the formers, you enter the command alongside the account, name, alias or email address you want to check, obtaining a 25X response if the account exists else a 550. In contrast, the latter requires you to write a whole email to work.

[nc -nC <TARGET> <PORT>] | [telnet <TARGET> <PORT>] | [openssl s_client -starttls smtp -connect <TARGET>:587]
EHLO localhost
VRFY root
252 2.0.0 root
VRFY idontexist
550 5.1.1 <idontexist>: Recipient address rejected: User unknown in local recipient table

Finally, as an alternative, you can use the SMTP Metasploit module to enumerate users.

auxiliary/scanner/smtp/smtp_enum

Writing emails

If you have access to a company's SMTP email server, you can try to send emails to its employees in order to perform phishing or spoofing attacks.

mail from: <username@company.com>
rcpt to: <victim1@company.com>, <victim2@company.com>
data
Subject: Not a phishing email

Hello,

Please access this website with your work credentials...

The IT department

.

If you want to avoid writing all those lines, you can write a simple command, thanks to the SWAKS tool.

swaks --to <EMAIL_1>,<EMAIL_2> --from <EMAIL_3> --server <SMTP_IP> [--auth LOGIN --auth-user "<USER>" --auth-password "<PASSWORD>"] [--add-header "MIME-Version: 1.0" --add-header "Content-Type: text/html"] --header "Subject: <Subject>" --body "<a href='https://evil.com'>Microsoft</a>" [ --attach <FILE_PATH>]

sendemail -t <EMAIL_1> -f <EMAIL_2> -s <SMTP_IP>  -u "<subject>" -m "<Message>" [-a <FILE_PATH>]

References

Last updated 17 days ago

Pentest - Everything SMTP
Sending test mails with Swaks