25 - SMTP
Introduction
Port: 25 (TCP)
The Simple Mail Transfer Protocol (SMTP) is a standard protocol is a network protocol used for the exchange of e-mail messages between computers. However, SNMP stands between POP3 and IMAP protocols because it is the only protocol capable of sending emails.
Enumeration
As a starting point, you can use the SMTP scripts in order to gather further information like:
Basic user enumeration
Supported SMTP commands (You can also use the
HELPcommand)NetBios, DNS and OS version.
Checks for some vulnerabilities
Alternatively, you can use Metasploit to gather the SMTP version with the following payload.
User enumeration
There are at least three commands that can be used for user enumeration:
VRFY: Used to verify if a certain user is known to the SMTP-server
EXPN: Used to reveal the actual email address(es) of an alias
RCPT TO: A needed command to specify to whom the email should be sent
The main difference between VRFY and EXPN, and "RCPT TO" is that with the formers, you enter the command alongside the account, name, alias or email address you want to check, obtaining a 25X response if the account exists else a 550. In contrast, the latter requires you to write a whole email to work.
Finally, as an alternative, you can use the SMTP Metasploit module to enumerate users.
Writing emails
If you have access to a company's SMTP email server, you can try to send emails to its employees in order to perform phishing or spoofing attacks.
If you want to avoid writing all those lines, you can write a simple command, thanks to the SWAKS tool.
References
Last updated