
SMTP Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 25 (default), TCP 587 (submission), TCP 465 (SMTPS)

  • Protocol Type: Application layer, client-server protocol

  • Purpose: Email transmission between servers and clients

  • Security: The base protocol is cleartext; it can be wrapped in TLS from the start (SMTPS) or upgraded to TLS mid-session (STARTTLS)

Protocol Components

  1. Mail Transfer Components

    • MUA (Mail User Agent): Email client

    • MTA (Mail Transfer Agent): Server handling email routing

    • MSA (Mail Submission Agent): Initial mail acceptance

    • MDA (Mail Delivery Agent): Final delivery handler

  2. Connection Types

    • Plain SMTP (Port 25)

    • SMTP with STARTTLS (Port 587)

    • SMTPS (Port 465)

Initial Enumeration

Port Scanning

# Basic scan
nmap -p25,465,587 -sV <target>

# Aggressive scan with scripts (-A already implies -sV and -sC)
nmap -p25,465,587 -sV -sC -A <target>

# All SMTP scripts (quote the wildcard so the shell does not expand it)
nmap -p25,465,587 --script "smtp-*" <target>

Banner Grabbing

# Using netcat
nc -vn <target> 25

# Using telnet
telnet <target> 25

# Using openssl for secure ports
openssl s_client -connect <target>:465
openssl s_client -starttls smtp -connect <target>:587

Authentication Testing

Testing Anonymous Access

# Basic SMTP connection: no AUTH is issued, so the question is whether the server
# accepts a sender and recipient from an unauthenticated client (watch the reply codes)
telnet <target> 25
HELO test.com
MAIL FROM:<test@test.com>
RCPT TO:<admin@target.com>
QUIT

Testing Open Relay

# Manual testing (a 250 on the RCPT TO for a foreign domain, and a 250 after the final ".", means relaying was accepted)
telnet <target> 25
HELO test.com
MAIL FROM:<attacker@evil.com>
RCPT TO:<victim@target.com>
DATA
Subject: Test

Testing open relay
.
QUIT

# Using Nmap
nmap -p25 --script smtp-open-relay <target>

User Enumeration

VRFY Command

# Using netcat
nc -nv <target> 25
VRFY root
VRFY admin

# Using a script (-w 2 makes netcat give up after two idle seconds instead of hanging on each user)
for user in $(cat users.txt); do echo "VRFY $user" | nc -w 2 <target> 25; done

EXPN Command

nc -nv <target> 25
EXPN support-staff
EXPN all-users

RCPT TO Method

# After HELO, issue one RCPT TO per candidate address: a 250 versus a 550 reply reveals whether the mailbox exists
MAIL FROM:<test@test.com>
RCPT TO:<user@domain.com>

Common NSE Scripts

# Run all SMTP scripts (wildcards are quoted so the shell passes them to nmap unchanged)
nmap --script "smtp-*" -p 25,465,587 <target>

# Important individual scripts
nmap -p25 --script smtp-commands <target>     # List supported commands
nmap -p25 --script smtp-enum-users <target>   # Enumerate users
nmap -p25 --script smtp-open-relay <target>   # Test for open relay
nmap -p25 --script "smtp-vuln*" <target>      # Check vulnerabilities

Brute Force Attacks

Using Hydra

# Basic authentication
hydra -l user -P passwords.txt smtp://<target>

# Using known username list
hydra -L users.txt -P passwords.txt smtp://<target>

# Specific port
hydra -l user -P passwords.txt -s 587 <target> smtp

Using Metasploit

use auxiliary/scanner/smtp/smtp_enum
use auxiliary/scanner/smtp/smtp_version
use auxiliary/scanner/smtp/smtp_relay

SMTP Commands Reference

Command    | Description         | Example
-----------|---------------------|-------------------------
HELO/EHLO  | Initiate session    | HELO domain.com
AUTH PLAIN | Authentication      | AUTH PLAIN base64(creds)
MAIL FROM  | Set sender          | MAIL FROM:<user@dom.com>
RCPT TO    | Set recipient       | RCPT TO:<recv@dom.com>
DATA       | Start email content | DATA
RSET       | Reset session       | RSET
VRFY       | Verify user         | VRFY username
EXPN       | Expand mailing list | EXPN listname
QUIT       | End session         | QUIT

Configuration Files

Server Configuration

  • Postfix: /etc/postfix/main.cf

  • Sendmail: /etc/mail/sendmail.cf

  • Exim: /etc/exim4/exim4.conf

Security Files

  • TLS Configuration: Often in main config

  • Access Controls: /etc/postfix/access

  • Relay Permissions: Defined in main configuration

Common Vulnerabilities

  1. Misconfiguration:

    • Open relay

    • Weak authentication

    • Unencrypted transmission

    • User enumeration enabled

  2. Version-specific:

    • Known CVEs

    • Default credentials

    • Buffer overflows

    • Command injection

  3. Authentication Issues:

    • Clear-text authentication

    • Weak credentials

    • User enumeration

    • Missing rate limiting
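The Postfix main.cf settings behind the open relay, user enumeration, cleartext and rate-limiting findings listed above, beside a hardened form. This is an added example, not from these notes or any particular deployment; the certificate paths are placeholders and the error and rate limits are illustrative values.

```text
# Weak (constructed example of what produces the findings above; do not deploy)
# smtpd_relay_restrictions = permit            # every client may relay to any domain
# disable_vrfy_command = no                    # VRFY confirms or denies each mailbox
# smtpd_tls_security_level = none              # STARTTLS is never offered
# smtpd_sasl_auth_enable = yes                 # ...so AUTH PLAIN credentials cross in cleartext

# Hardened (Postfix 2.10 and later, where smtpd_relay_restrictions exists)
# Relay only for local networks and authenticated users; everyone else gets "554 Relay access denied"
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# VRFY is answered with 502 for every name, so it no longer separates real users from bogus ones
disable_vrfy_command = yes
# Offer STARTTLS, and do not advertise AUTH until the session is encrypted
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/PLACEHOLDER-mail.pem
smtpd_tls_key_file = /etc/ssl/private/PLACEHOLDER-mail.key
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
# Slow down password guessing and RCPT TO probing: pause after each error, then drop the client
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 10
# Per-client connection rate limit, enforced by the anvil service
smtpd_client_connection_rate_limit = 30
```

`postconf -n` shows the values actually in effect and `postfix reload` applies a change.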

Post Exploitation

Information Gathering

  • Enumerate valid users

  • Map internal network

  • Gather email addresses

  • Identify mail servers

  • Check for sensitive data

Privilege Escalation

  • Check for writable directories

  • Test for command injection

  • Look for misconfigured permissions

  • Search for credentials in configs

Response Codes

Code | Meaning
-----|---------------------------
220  | Service ready
250  | Requested action completed
354  | Start mail input
421  | Service not available
450  | Mailbox busy
500  | Syntax error
550  | Action not taken
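How the reply codes in this table are read in practice during the VRFY and open-relay checks from the User Enumeration and Testing Open Relay sections: a parser for (possibly multi-line) SMTP replies, applied to two constructed transcripts. Added example, not code from these notes; the host names, users and reply texts are made up, and assess() assumes the transcript contains the EHLO, two VRFY and one RCPT TO exchanges shown.

```python
import re

# Constructed server replies (not captured from any real host) for the checks above:
# EHLO capabilities, VRFY on a real and a bogus user, and an unauthenticated RCPT TO
# for a foreign domain. Each entry is (command sent, raw reply as the server sent it).
HARDENED = [
    ("EHLO audit.example", "250-mail.example\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"),
    ("VRFY root", "252 2.5.2 Cannot VRFY user, but will take message\r\n"),
    ("VRFY nosuchuser", "252 2.5.2 Cannot VRFY user, but will take message\r\n"),
    ("RCPT TO:<someone@other.example>", "554 5.7.1 Relay access denied\r\n"),
]
LEAKY = [
    ("EHLO audit.example", "250 mail.example\r\n"),
    ("VRFY root", "250 2.1.5 root <root@mail.example>\r\n"),
    ("VRFY nosuchuser", "550 5.1.1 nosuchuser... User unknown\r\n"),
    ("RCPT TO:<someone@other.example>", "250 2.1.5 Ok\r\n"),
]

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(raw):
    """Parse one SMTP reply per RFC 5321 section 4.2.1: 'NNN-text' lines continue
    the reply and 'NNN text' ends it. Returns (code, [text of each line])."""
    code, texts = None, []
    for line in raw.rstrip("\r\n").split("\r\n"):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":      # final line of this reply
            break
    return int(code), texts

def assess(transcript):
    """Turn a transcript into the three findings a defender wants from these checks."""
    replies = {cmd: parse_reply(raw) for cmd, raw in transcript}
    vrfy_codes = {replies[c][0] for c in replies if c.startswith("VRFY ")}
    relay_code = next(replies[c][0] for c in replies if c.startswith("RCPT TO:"))
    return {
        # different codes for a real vs a bogus account = VRFY leaks account existence
        "vrfy_leaks": len(vrfy_codes) > 1,
        # any 2xx on an unauthenticated RCPT TO for another domain = open relay
        "open_relay": 200 <= relay_code < 300,
        # STARTTLS absent from the EHLO capability list = cleartext only
        "starttls": "STARTTLS" in replies["EHLO audit.example"][1],
    }
```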

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SMTP service version

    • Test for open relay

    • Check for user enumeration

    • Banner grab for information

  2. Deep Enumeration:

    • Run vulnerability scans

    • Test authentication methods

    • Check relay configurations

    • Test for user enumeration

    • Verify TLS/SSL setup

  3. Documentation:

    • Record all findings

    • Note server configuration

    • Document vulnerabilities

    • Save evidence for reporting

  4. Risk Assessment:

    • Evaluate impact of findings

    • Consider data sensitivity

    • Assess exploitation potential

    • Recommend mitigations

Additional Tools

  1. Swaks:

    swaks --to user@domain.com --server <target>
  2. smtp-user-enum:

    smtp-user-enum -M VRFY -U users.txt -t <target>
    smtp-user-enum -M EXPN -U users.txt -t <target>
  3. Sendemail:

    sendemail -f from@test.com -t to@test.com -s <target>
  4. Metasploit Modules:

    • smtp_version

    • smtp_enum

    • smtp_relay
