SMTP Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 25 (default), TCP 587 (submission), TCP 465 (SMTPS)

  • Protocol Type: Application layer, client-server protocol

  • Purpose: Email transmission between servers and clients

  • Security: The base protocol is cleartext; it can be encrypted with TLS (STARTTLS upgrade or implicit TLS/SMTPS)

Protocol Components

  1. Mail Transfer Components

    • MUA (Mail User Agent): Email client

    • MTA (Mail Transfer Agent): Server handling email routing

    • MSA (Mail Submission Agent): Initial mail acceptance

    • MDA (Mail Delivery Agent): Final delivery handler

  2. Connection Types

    • Plain SMTP (Port 25)

    • SMTP with STARTTLS (Port 587)

    • SMTPS (Port 465)

Initial Enumeration

Port Scanning

Authentication Testing

Testing Anonymous Access

Testing Open Relay

User Enumeration

VRFY Command

EXPN Command

RCPT TO Method

Common NSE Scripts

Brute Force Attacks

Using Hydra

Using Metasploit

SMTP Commands Reference

  • HELO/EHLO: Initiate session. Example: HELO domain.com

  • AUTH PLAIN: Authentication. Example: AUTH PLAIN base64(creds)

  • MAIL FROM: Set sender

  • RCPT TO: Set recipient

  • DATA: Start email content. Example: DATA

  • RSET: Reset session. Example: RSET

  • VRFY: Verify user. Example: VRFY username

  • EXPN: Expand mailing list. Example: EXPN listname

  • QUIT: End session. Example: QUIT
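To show how the commands in the reference above combine into a session, and why the "open relay", "VRFY/EXPN" and "RCPT TO" checks from the enumeration sections succeed or fail, here is a small Python model of an SMTP server's command handling. It is an added example, not code from these notes or from any real MTA: the domain, mailboxes, list membership and AUTH PLAIN credentials are constructed, and the Policy, Session and relay_and_vrfy_check names are my own. The Postfix parameter names mentioned in the comments (smtpd_relay_restrictions, reject_unauth_destination, disable_vrfy_command) are real, but the model only imitates their effect.

```python
"""Teaching model of an SMTP server's command handling: an added example, not
code from the original notes or from any real MTA. It shows how the commands
and reply codes in the reference table form a session, and how two policy
switches make a server an open relay or a username oracle (VRFY/EXPN/RCPT TO).
Domain, mailboxes, list membership and AUTH credentials are constructed."""

import base64
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                                 # constructed
LOCAL_USERS = {"alice", "bob", "postmaster"}                 # constructed
LISTS = {"staff": ["alice@example.com", "bob@example.com"]}  # constructed
# AUTH PLAIN carries base64("\0user\0password"); credentials are constructed.
AUTH_TOKEN = "PLAIN " + base64.b64encode(b"\0test\0secret").decode()


@dataclass
class Policy:
    # allow_unauth_relay=True is the open relay (Postfix: smtpd_relay_restrictions
    # without reject_unauth_destination); vrfy_enabled=True is disable_vrfy_command = no.
    allow_unauth_relay: bool = False
    vrfy_enabled: bool = False


@dataclass
class Session:
    policy: Policy
    authenticated: bool = False
    sender: str = ""
    recipients: list = field(default_factory=list)
    in_data: bool = False

    def send(self, line: str) -> str:
        """Feed one client line and return the server's reply line."""
        line = line.rstrip("\r\n")
        if self.in_data:                    # after 354: body lines until "."
            if line != ".":
                return ""                   # no reply inside the message body
            self.in_data, self.sender, self.recipients = False, "", []
            return "250 2.0.0 Ok: queued"
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            return f"250 mail.{LOCAL_DOMAIN}"
        if verb == "AUTH":
            self.authenticated = arg == AUTH_TOKEN
            return ("235 2.7.0 Authentication successful" if self.authenticated
                    else "535 5.7.8 Authentication credentials invalid")
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip("<> ")   # FROM:<a@b>
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            return self._rcpt(arg.partition(":")[2].strip("<> "))  # TO:<a@b>
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.sender, self.recipients = "", []
            return "250 2.0.0 Ok"
        if verb == "VRFY":
            if not self.policy.vrfy_enabled:
                return "252 2.5.2 Cannot VRFY user"     # RFC 5321 non-answer
            return (f"250 2.1.5 {arg}" if arg.split("@")[0] in LOCAL_USERS
                    else "550 5.1.1 User unknown")
        if verb == "EXPN":
            if not self.policy.vrfy_enabled:
                return "502 5.5.1 EXPN command is disabled"
            return (f"250 {', '.join(LISTS[arg])}" if arg in LISTS
                    else "550 5.1.1 Mailing list not found")
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"

    def _rcpt(self, addr: str) -> str:
        if not self.sender:
            return "503 5.5.1 Error: need MAIL command"
        user, _, domain = addr.partition("@")
        if domain.lower() == LOCAL_DOMAIN:
            # A 550 here is what makes RCPT TO enumeration work with VRFY off;
            # accepting everything would cause backscatter, so rate-limit instead.
            if user not in LOCAL_USERS:
                return "550 5.1.1 User unknown in local recipient table"
        elif not (self.authenticated or self.policy.allow_unauth_relay):
            return "554 5.7.1 Relay access denied"      # Postfix default text
        self.recipients.append(addr)
        return "250 2.1.5 Ok"


def relay_and_vrfy_check(policy: Policy) -> dict:
    """Return the reply codes a VRFY, an outside relay and an unknown local RCPT get."""
    s = Session(policy)
    s.send("EHLO scanner.test")
    vrfy = s.send("VRFY alice")
    s.send("MAIL FROM:<outsider@outside.test>")
    relay = s.send("RCPT TO:<victim@elsewhere.test>")
    unknown = s.send("RCPT TO:<nobody@example.com>")
    return {"vrfy": vrfy[:3], "relay": relay[:3], "unknown_local": unknown[:3]}
```

With the default Policy() the three checks come back 252, 554 and 550; with Policy(allow_unauth_relay=True, vrfy_enabled=True) they come back 250, 250 and 550. The third value is the same in both cases, which is the point of the RCPT TO method: disabling VRFY does not stop enumeration on its own, so the defensive answer is rate limiting and monitoring of 550 rejects per client rather than only turning VRFY off.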

Configuration Files

Server Configuration

  • Postfix: /etc/postfix/main.cf

  • Sendmail: /etc/mail/sendmail.cf

  • Exim: /etc/exim4/exim4.conf

Security Files

  • TLS Configuration: Often in main config

  • Access Controls: /etc/postfix/access

  • Relay Permissions: Defined in main configuration

Common Vulnerabilities

  1. Misconfiguration:

    • Open relay

    • Weak authentication

    • Unencrypted transmission

    • User enumeration enabled

  2. Version-specific:

    • Known CVEs

    • Default credentials

    • Buffer overflows

    • Command injection

  3. Authentication Issues:

    • Clear-text authentication

    • Weak credentials

    • User enumeration

    • Missing rate limiting
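The two misconfiguration probes that leave the clearest trace in server logs are RCPT TO user enumeration and open-relay testing, and "missing rate limiting" is what lets the first one run unchecked. The following Python script, added here and not taken from these notes or any tool, scans Postfix-style smtpd reject lines for both patterns. The log lines are constructed samples in Postfix's "NOQUEUE: reject:" format, the parse_rejects and find_probes names are my own, and the enumeration threshold of four distinct unknown recipients per client is an assumption to tune per environment.

```python
"""Detection example, added to these notes (not code from the original page):
scans Postfix-style smtpd reject lines for recipient enumeration via RCPT TO
and for open-relay probing. The log lines are constructed samples in Postfix's
"NOQUEUE: reject:" format; the enumeration threshold is an assumption."""

import re
from collections import defaultdict

# Constructed sample log: one client walking a name list (203.0.113.7), one
# testing whether we relay (198.51.100.9), one ordinary sender with a typo.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.test> to=<adam@example.com> proto=ESMTP helo=<probe>
Mar  3 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.test> to=<admin@example.com> proto=ESMTP helo=<probe>
Mar  3 10:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.test> to=<alex@example.com> proto=ESMTP helo=<probe>
Mar  3 10:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <amy@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@probe.test> to=<amy@example.com> proto=ESMTP helo=<probe>
Mar  3 10:05:10 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <someone@elsewhere.test>: Relay access denied; from=<a@probe.test> to=<someone@elsewhere.test> proto=ESMTP helo=<probe>
Mar  3 10:05:11 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <other@elsewhere.test>: Relay access denied; from=<a@probe.test> to=<other@elsewhere.test> proto=ESMTP helo=<probe>
Mar  3 10:07:42 mx postfix/smtpd[2203]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.4]: 550 5.1.1 <bobb@example.com>: Recipient address rejected: User unknown in local recipient table; from=<carol@partner.test> to=<bobb@example.com> proto=ESMTP helo=<mail.partner.test>
"""

# Captures client host/ip, the 3-digit reply code, the rejected recipient and
# the reason text up to the first ';' (the from=/to= fields follow it).
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)


def parse_rejects(log_text: str) -> list:
    """Return one dict (host, ip, code, rcpt, reason) per RCPT reject line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_probes(events: list, enum_threshold: int = 4) -> dict:
    """Map client IP -> list of behaviours that look like SMTP probing.

    rcpt_enumeration: at least enum_threshold *distinct* unknown recipients
                      from one client (a single typo never reaches it)
    relay_probe:      any 'Relay access denied' reject, i.e. the client asked
                      us to deliver for a domain we do not host
    """
    unknown = defaultdict(set)
    relay_hits = defaultdict(int)
    for e in events:
        if e["code"] == "550" and "User unknown" in e["reason"]:
            unknown[e["ip"]].add(e["rcpt"].lower())
        elif "Relay access denied" in e["reason"]:
            relay_hits[e["ip"]] += 1
    findings = defaultdict(list)
    for ip, rcpts in unknown.items():
        if len(rcpts) >= enum_threshold:
            findings[ip].append(f"rcpt_enumeration({len(rcpts)} names)")
    for ip in relay_hits:
        findings[ip].append("relay_probe")
    return dict(findings)


if __name__ == "__main__":
    for ip, tags in find_probes(parse_rejects(SAMPLE_LOG)).items():
        print(ip, tags)
```

On the sample, 203.0.113.7 is flagged for enumeration and 198.51.100.9 for relay probing, while the partner server's single typo produces no finding. Counting distinct recipients rather than raw rejects is deliberate: a legitimate sender retrying one bad address should not trip the rule.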

Post Exploitation

Information Gathering

  • Enumerate valid users

  • Map internal network

  • Gather email addresses

  • Identify mail servers

  • Check for sensitive data

Privilege Escalation

  • Check for writeable directories

  • Test for command injection

  • Look for misconfigured permissions

  • Search for credentials in configs

Response Codes

  • 220: Service ready

  • 250: Requested action completed

  • 354: Start mail input

  • 421: Service not available

  • 450: Mailbox busy

  • 500: Syntax error

  • 550: Action not taken

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SMTP service version

    • Test for open relay

    • Check for user enumeration

    • Banner grab for information

  2. Deep Enumeration:

    • Run vulnerability scans

    • Test authentication methods

    • Check relay configurations

    • Test for user enumeration

    • Verify TLS/SSL setup

  3. Documentation:

    • Record all findings

    • Note server configuration

    • Document vulnerabilities

    • Save evidence for reporting

  4. Risk Assessment:

    • Evaluate impact of findings

    • Consider data sensitivity

    • Assess exploitation potential

    • Recommend mitigations

Additional Tools

  1. Swaks:

  2. smtp-user-enum:

  3. Sendemail:

  4. Metasploit Modules:

    • smtp_version

    • smtp_enum

    • smtp_relay