# SMTP (25, 465) [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) ## Nmap ``` nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.203.12 ``` [OpenSMTPD](https://www.opensmtpd.org/) up to version 6.6.2: {% embed url="" %} ## Evolution usage {% content-ref url="/pages/mzhufSWULgmjmLkooMmO" %} [IMAP POP3 (110, 143, 993, 995)](/0xss0rz/pentest/protocols/imap-pop3-110-143-993-995.md) {% endcontent-ref %} ## Telnet ### HELO/EHLO ```shell-session 0xss0rz@htb[/htb]$ telnet 10.129.14.128 25 Trying 10.129.14.128... Connected to 10.129.14.128. Escape character is '^]'. 220 ESMTP Server HELO mail1.inlanefreight.htb 250 mail1.inlanefreight.htb EHLO mail1 250-mail1.inlanefreight.htb 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING ``` ### **VRFY** The command `VRFY` can be used to enumerate existing users on the system. ```shell-session 0xss0rz@htb[/htb]$ telnet 10.129.14.128 25 Trying 10.129.14.128... Connected to 10.129.14.128. Escape character is '^]'. 220 ESMTP Server VRFY root 252 2.0.0 root VRFY cry0l1t3 252 2.0.0 cry0l1t3 VRFY testuser 252 2.0.0 testuser VRFY aaaaaaaaaaaaaaaaaaaaaaaaaaaa 252 2.0.0 aaaaaaaaaaaaaaaaaaaaaaaaaaaa ``` ### EXPN `EXPN` is similar to `VRFY`, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the `VRFY` command since sites often have an alias such as "all." ```shell-session $ telnet 10.10.110.20 25 Trying 10.10.110.20... Connected to 10.10.110.20. Escape character is '^]'. 220 parrot ESMTP Postfix (Debian/GNU) EXPN john 250 2.1.0 john@inlanefreight.htb EXPN support-team 250 2.0.0 carol@inlanefreight.htb 250 2.1.5 elisa@inlanefreight.htb ``` ### RCPT ```shell-session $ telnet 10.10.110.20 25 Trying 10.10.110.20... Connected to 10.10.110.20. Escape character is '^]'. 220 parrot ESMTP Postfix (Debian/GNU) MAIL FROM:test@htb.com it is 250 2.1.0 test@htb.com... Sender ok RCPT TO:julio 550 5.1.1 julio... User unknown RCPT TO:kate 550 5.1.1 kate... User unknown RCPT TO:john 250 2.1.5 john... Recipient ok ``` ## **User enumeration** ### **Nmap** ``` nmap –script smtp-enum-users.nse 172.16.212.133 ``` ### **Metasploit** ``` auxiliary/scanner/smtp/smtp_enum msf > use auxiliary/scanner/smtp/smtp_version ``` ### **smtp-user-enum** ``` smtp-user-enum -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt 10.129.252.135 25 ``` ``` smtp-user-enum -M VRFY -u users.txt -t 192.168.1.25 ``` We can specify the enumeration mode with the argument `-M` followed by `VRFY`, `EXPN`, or `RCPT`, and the argument `-U` with a file containing the list of users we want to enumerate. Depending on the server implementation and enumeration mode, we need to add the domain for the email address with the argument `-D`. Finally, we specify the target with the argument `-t`. ```shell-session smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7 ``` With exegol ``` [Apr 27, 2024 - 04:22:00 (EDT)] exegol-CPTS /workspace # smtp-user-enum -U username.list 10.129.203.12 25 --domain inlanefreight.htb -m RCPT ``` `smtp-user-enum -U users.list inlanefreight.htb 25 -m RCPT -d 'inlanefreight.htb'` ``` smtp-user-enum -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt [IP] 25 -m RCPT -d 'domain.com' | grep SUCC ``` ### References {% embed url="" %} ## Brute force login {% content-ref url="/pages/MVyqmv3sDs2l9lDPgHil" %} [SMTP Bruteforce](/0xss0rz/pentest/brute-force/smtp-bruteforce.md) {% endcontent-ref %} ``` hydra -l marlin@inlanefreight.htb -P passwords.list -f 10.129.203.12 smtp ``` ## **Send an Email** ### Telnet ```shell-session 0xss0rz@htb[/htb]$ telnet 10.129.14.128 25 Trying 10.129.14.128... Connected to 10.129.14.128. Escape character is '^]'. 220 ESMTP Server EHLO inlanefreight.htb 250-mail1.inlanefreight.htb 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING MAIL FROM: 250 2.1.0 Ok RCPT TO: NOTIFY=success,failure 250 2.1.5 Ok DATA 354 End data with . From: To: Subject: DB Date: Tue, 28 Sept 2021 16:32:51 +0200 Hey man, I am trying to access our XY-DB but the creds don't work. Did you make any changes there? . 250 2.0.0 Ok: queued as 6E1CF1681AB QUIT 221 2.0.0 Bye Connection closed by foreign host. ``` ### Swaks #### Phishing ``` swaks --to sales@domain.com --from it@domain.com --header "Subject: Credentials / Errors" --body "citrix http://[ATTACKER_IP]/" --server domain.com ``` ``` nc -nlvp Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from IP. Ncat: Connection from IP:PORT. POST /remote/auth/login.aspx?LoginType=Explicit&user=username&password=passwd&domain=DOMAIN.LOCAL HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Host: 10.10.14.193 Content-Length: 76 Expect: 100-continue Connection: Keep-Alive ``` ## Open Relay ### **Nmap** ```shell-session 0xss0rz@htb[/htb]$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-30 02:29 CEST NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 02:29 Completed NSE at 02:29, 0.00s elapsed Initiating ARP Ping Scan at 02:29 Scanning 10.129.14.128 [1 port] Completed ARP Ping Scan at 02:29, 0.06s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 02:29 Completed Parallel DNS resolution of 1 host. at 02:29, 0.03s elapsed Initiating SYN Stealth Scan at 02:29 Scanning 10.129.14.128 [1 port] Discovered open port 25/tcp on 10.129.14.128 Completed SYN Stealth Scan at 02:29, 0.06s elapsed (1 total ports) NSE: Script scanning 10.129.14.128. Initiating NSE at 02:29 Completed NSE at 02:29, 0.07s elapsed Nmap scan report for 10.129.14.128 Host is up (0.00020s latency). PORT STATE SERVICE 25/tcp open smtp | smtp-open-relay: Server is an open relay (16/16 tests) | MAIL FROM:<> -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO:<"relaytest@nmap.scanme.org"> | MAIL FROM: -> RCPT TO:<"relaytest%nmap.scanme.org"> | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO:<"relaytest@nmap.scanme.org"@[10.129.14.128]> | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO:<@[10.129.14.128]:relaytest@nmap.scanme.org> | MAIL FROM: -> RCPT TO:<@ESMTP:relaytest@nmap.scanme.org> | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: |_ MAIL FROM: -> RCPT TO: MAC Address: 00:00:00:00:00:00 (VMware) NSE: Script Post-scanning. Initiating NSE at 02:29 Completed NSE at 02:29, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds Raw packets sent: 2 (72B) | Rcvd: 2 (72B) ``` ### Swaks ```shell-session swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213 === Trying 10.10.11.213:25... === Connected to 10.10.11.213. <- 220 mail.localdomain SMTP Mailer ready -> EHLO parrot <- 250-mail.localdomain <- 250-SIZE 33554432 <- 250-8BITMIME <- 250-STARTTLS <- 250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1 <- 250 HELP -> MAIL FROM: <- 250 OK -> RCPT TO: <- 250 OK -> DATA <- 354 End data with . -> Date: Thu, 29 Oct 2020 01:36:06 -0400 -> To: employees@inlanefreight.com -> From: notifications@inlanefreight.com -> Subject: Company Notification -> Message-Id: <20201029013606.775675@parrot> -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/ -> -> Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/ -> -> -> . <- 250 OK -> QUIT <- 221 Bye === Connection closed with remote host. ``` ## Resources {% embed url="" %} {% embed url="" %} ## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp) [**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)
## Interesting Books {% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %} [Interesting Books](/0xss0rz/interesting-books.md) {% endcontent-ref %} {% hint style="info" %} **Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you. {% endhint %} * [**Nmap Network Scanning**](https://www.amazon.fr/dp/0979958717?tag=0xss0rz-21)\ The official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. * [**The Art of Network Penetration Testing**](https://www.amazon.fr/dp/1617296821)\ A guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network. * [**Network Basics for Hackers**](https://www.amazon.fr/dp/B0BS3GZ1R9)\ The book offers one of the most complete and in-depth analyses of Wi-Fi and Bluetooth networks, then progresses through the various protocols such as DNS, ARP, SMTP, and others. ## Support this Gitbook I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it. [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) [![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/smtp-25-465.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.