SMTP Pentesting Notes

Protocol Overview

Basic Information

  • Port: TCP 25 (default), TCP 587 (submission), TCP 465 (SMTPS)

  • Protocol Type: Application layer, client-server protocol

  • Purpose: Email transmission between servers and clients

  • Security: Cleartext by default; can be protected with STARTTLS (ports 25/587) or implicit TLS (port 465)

Protocol Components

  1. Mail Transfer Components

    • MUA (Mail User Agent): Email client

    • MTA (Mail Transfer Agent): Server handling email routing

    • MSA (Mail Submission Agent): Initial mail acceptance

    • MDA (Mail Delivery Agent): Final delivery handler

  2. Connection Types

    • Plain SMTP (Port 25)

    • SMTP with STARTTLS (Port 587)

    • SMTPS (Port 465)

Initial Enumeration

Port Scanning

# Basic scan
nmap -p25,465,587 -sV <target>

# Aggressive scan with scripts
nmap -p25,465,587 -sV -sC -A <target>

# All SMTP scripts
nmap -p25,465,587 --script smtp-* <target>

Banner Grabbing

# Using netcat
nc -vn <target> 25

# Using telnet
telnet <target> 25

# Using openssl for secure ports
openssl s_client -connect <target>:465
openssl s_client -starttls smtp -connect <target>:587

Authentication Testing

Testing Anonymous Access

# Basic SMTP connection
telnet <target> 25
HELO test.com
MAIL FROM: [email protected]
RCPT TO: [email protected]

Testing Open Relay

# Manual testing
telnet <target> 25
HELO test.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
# 554 "Relay access denied" is the expected reply for a foreign recipient; 250 means the server will relay
DATA
Subject: Test
# (an empty line ends the headers; a line containing only "." ends the message)

Testing open relay
.
QUIT

# Using Nmap
nmap -p25 --script smtp-open-relay <target>
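The same EHLO/MAIL/RCPT exchange as a self-check you can run against your own MTA, added here as an example (not code from the original notes). The client side sends the sequence from the manual test and classifies the RCPT TO reply; an in-process fake MTA, constructed for this example, plays the server side in two modes so the script runs offline on 127.0.0.1 and shows what a correctly configured server answers (554 relay denied) next to what an open relay answers (250). The reply reader also handles multi-line replies ("250-..." continues, "250 ..." ends), which is the format behind the response codes listed later in these notes. LOCAL_DOMAIN, the host names and the addresses are assumptions.

```python
"""Open-relay self-check for your own MTA: the EHLO/MAIL/RCPT exchange from the
notes, with an in-process fake MTA (constructed for this example) playing the
server side so everything runs offline on 127.0.0.1."""
import socket
import threading

LOCAL_DOMAIN = "example.com"   # assumption: the domain the fake MTA delivers for


def read_response(rfile):
    """Read one SMTP reply, multi-line form included ("250-..." continues,
    "250 ..." ends). Returns (numeric code, list of reply lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def fake_mta(server_sock, allow_relay):
    """Server side. With allow_relay=False it answers like a correctly
    configured MTA: 554 for any recipient outside LOCAL_DOMAIN."""
    conn, _ = server_sock.accept()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b"220 mx.example.com ESMTP ready\r\n")
        for raw in rf:
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd[:4].upper()
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250-mx.example.com\r\n250-STARTTLS\r\n250 SIZE 10240000\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                rcpt = cmd.partition(":")[2].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                if allow_relay or domain == LOCAL_DOMAIN:
                    conn.sendall(b"250 2.1.5 Ok\r\n")
                else:
                    conn.sendall(b"554 5.7.1 <" + rcpt.encode() + b">: Relay access denied\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def relay_check(host, port, sender, recipient):
    """Client side. Returns (relay_accepted, last RCPT reply line). A 2xx reply
    for a recipient the server is not responsible for means it will relay."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rf:
        def send(line):
            s.sendall(line.encode("ascii") + b"\r\n")
            return read_response(rf)

        code, _ = read_response(rf)                    # 220 banner
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code}")
        send("EHLO relaycheck.invalid")
        send(f"MAIL FROM:<{sender}>")
        code, lines = send(f"RCPT TO:<{recipient}>")   # the decisive reply
        send("QUIT")
        return 200 <= code < 300, lines[-1]


def run_demo(allow_relay):
    """Start the fake MTA on a loopback port and run the check against it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    worker = threading.Thread(target=fake_mta, args=(srv, allow_relay), daemon=True)
    worker.start()
    try:
        return relay_check("127.0.0.1", srv.getsockname()[1],
                           "probe@sender.invalid", "victim@other-domain.invalid")
    finally:
        worker.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    for mode in (False, True):
        accepted, reply = run_demo(mode)
        verdict = "OPEN RELAY" if accepted else "relay denied"
        print(f"fake MTA allow_relay={mode}: {verdict} ({reply})")
```

Point relay_check at a real host and port to test a server you operate; the verdict rests only on the RCPT TO reply code, so no message body is ever sent.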

User Enumeration

VRFY Command

# Using netcat
nc -nv <target> 25
VRFY root
VRFY admin

# Using script
while read -r user; do printf 'VRFY %s\r\nQUIT\r\n' "$user" | nc -w 3 <target> 25; done < users.txt

EXPN Command

nc -nv <target> 25
EXPN support-staff
EXPN all-users

RCPT TO Method

telnet <target> 25
HELO test.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
# 250 = mailbox accepted, 550 "User unknown" = mailbox does not exist

Common NSE Scripts

# Run all SMTP scripts
nmap --script smtp-* -p 25,465,587 <target>

# Important individual scripts
nmap -p25 --script smtp-commands <target>     # List supported commands
nmap -p25 --script smtp-enum-users <target>   # Enumerate users
nmap -p25 --script smtp-open-relay <target>   # Test for open relay
nmap -p25 --script smtp-vuln* <target>        # Check vulnerabilities

Brute Force Attacks

Using Hydra

# Basic authentication
hydra -l user -P passwords.txt smtp://<target>

# Using known username list
hydra -L users.txt -P passwords.txt smtp://<target>

# Specific port
hydra -l user -P passwords.txt -s 587 <target> smtp

Using Metasploit

use auxiliary/scanner/smtp/smtp_enum
use auxiliary/scanner/smtp/smtp_version
use auxiliary/scanner/smtp/smtp_relay
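The detection side of the two preceding sections (VRFY/RCPT TO user enumeration and SMTP AUTH brute forcing), added here as an example that is not part of the original notes: a small analyser run over mail-server log lines. The log lines are constructed for this example in Postfix syslog style (unknown-recipient rejects and SASL authentication failures); the thresholds are assumptions to tune per site.

```python
"""Detect address probing (RCPT TO / VRFY enumeration) and SMTP AUTH brute
forcing in mail-server logs. Log lines are constructed for this example in
Postfix syslog style; thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.10 walks a user list (one address twice),
# 198.51.100.7 hammers AUTH, 192.0.2.5 is a legitimate peer with one typo.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2201]: connect from unknown[203.0.113.10]
Mar  3 10:00:02 mx postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[203.0.113.10]: 550 5.1.1 <root@example.com>: Recipient address rejected: User unknown in local recipient table; to=<root@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:02 mx postfix/smtpd[2201]: NOQUEUE: reject: VRFY from unknown[203.0.113.10]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; to=<admin@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:03 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <test@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<test@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:03 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <backup@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<backup@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:04 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <www-data@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<www-data@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:04 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <postmaster@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<postmaster@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:05 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <ROOT@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<ROOT@example.com> proto=SMTP helo=<test.com>
Mar  3 10:00:06 mx postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:07 mx postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:08 mx postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Mar  3 10:00:09 mx postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Mar  3 10:00:15 mx postfix/smtpd[2205]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.5]: 550 5.1.1 <jon.smth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<jane@partner.example> to=<jon.smth@example.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:00:16 mx postfix/smtpd[2201]: disconnect from unknown[203.0.113.10]
"""

# Unknown-recipient rejects, whether triggered by RCPT TO or by VRFY.
PROBE = re.compile(
    r"NOQUEUE: reject: (?P<cmd>RCPT|VRFY) from \S+?\[(?P<ip>[^\]]+)\]: 550 [\d.]+ "
    r"<(?P<addr>[^>]+)>: Recipient address rejected: User unknown")
# SASL failures of any mechanism (LOGIN, PLAIN, ...).
AUTH_FAIL = re.compile(r"warning: \S+?\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")


def analyse(log_text, enum_threshold=5, auth_threshold=3):
    """Return one alert per source IP that probed >= enum_threshold distinct
    unknown addresses or failed AUTH >= auth_threshold times."""
    probed = defaultdict(set)      # ip -> set of distinct addresses probed
    auth_fails = defaultdict(int)  # ip -> number of failed AUTH attempts
    for line in log_text.splitlines():
        m = PROBE.search(line)
        if m:
            probed[m["ip"]].add(m["addr"].lower())   # case-fold so ROOT == root
            continue
        m = AUTH_FAIL.search(line)
        if m:
            auth_fails[m["ip"]] += 1
    alerts = []
    for ip, addrs in sorted(probed.items()):
        if len(addrs) >= enum_threshold:
            alerts.append({"ip": ip, "type": "user_enumeration", "count": len(addrs)})
    for ip, n in sorted(auth_fails.items()):
        if n >= auth_threshold:
            alerts.append({"ip": ip, "type": "auth_bruteforce", "count": n})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a['type']:18} {a['ip']:15} count={a['count']}")
```

Counting distinct addresses rather than raw reject lines keeps a legitimate peer that retries one mistyped address below the threshold, while a wordlist walk crosses it quickly; feed the function a sliding time window of real log lines to use it as an alert rule.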

SMTP Commands Reference

Command      Description            Example
HELO/EHLO    Initiate session       HELO domain.com
AUTH PLAIN   Authentication         AUTH PLAIN base64(creds)
MAIL FROM    Set sender             MAIL FROM:<user@domain.com>
RCPT TO      Set recipient          RCPT TO:<user@domain.com>
DATA         Start email content    DATA
RSET         Reset session          RSET
VRFY         Verify user            VRFY username
EXPN         Expand mailing list    EXPN listname
QUIT         End session            QUIT

Configuration Files

Server Configuration

  • Postfix: /etc/postfix/main.cf

  • Sendmail: /etc/mail/sendmail.cf

  • Exim: /etc/exim4/exim4.conf

Security Files

  • TLS Configuration: Often in main config

  • Access Controls: /etc/postfix/access

  • Relay Permissions: Defined in main configuration

Common Vulnerabilities

  1. Misconfiguration:

    • Open relay

    • Weak authentication

    • Unencrypted transmission

    • User enumeration enabled

  2. Version-specific:

    • Known CVEs

    • Default credentials

    • Buffer overflows

    • Command injection

  3. Authentication Issues:

    • Clear-text authentication

    • Weak credentials

    • User enumeration

    • Missing rate limiting
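A configuration audit tying the Configuration Files section to the misconfiguration list above, added as an example that is not part of the original notes: a weak Postfix main.cf beside a hardened one, and a checker that reads the file format (including continuation lines) and reports open relay, VRFY enumeration, cleartext transport and authentication, and missing rate limiting. Both configs are constructed for this example; the parameter names and values are Postfix's own.

```python
"""Audit a Postfix main.cf for the misconfigurations these notes list: open
relay, VRFY enumeration, cleartext transport and authentication, no rate
limiting. Both configs are constructed for this example; parameter names and
values are Postfix's own."""
import re

WEAK_MAIN_CF = """\
# constructed: every weak setting at once
myhostname = mx.example.com
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit
disable_vrfy_command = no
smtpd_tls_security_level = none
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
"""

HARDENED_MAIN_CF = """\
# constructed: the same server with the findings fixed
myhostname = mx.example.com
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
disable_vrfy_command = yes
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_client_connection_rate_limit = 30
"""


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comments, and continuation
    lines that begin with whitespace (Postfix's own syntax)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def _words(value):
    """Split a comma/whitespace separated Postfix list value."""
    return [w for w in re.split(r"[,\s]+", value) if w]


def audit(params):
    """Return a list of findings; an empty list means none of the listed issues."""
    findings = []
    # Postfix's built-in default already contains defer_unauth_destination, so an
    # unset parameter is treated as safe (assumption matching current defaults).
    relay = _words(params.get("smtpd_relay_restrictions", "defer_unauth_destination"))
    if not ({"reject_unauth_destination", "defer_unauth_destination"} & set(relay)):
        findings.append("open relay: smtpd_relay_restrictions never rejects unauthorised destinations")
    if {"0.0.0.0/0", "::/0"} & set(_words(params.get("mynetworks", ""))):
        findings.append("open relay: mynetworks trusts every client address")
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("user enumeration: VRFY answered (disable_vrfy_command != yes)")
    if params.get("smtpd_tls_security_level", "none").lower() in ("", "none"):
        findings.append("cleartext transport: STARTTLS not offered (smtpd_tls_security_level)")
    if (params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
            and params.get("smtpd_tls_auth_only", "no").lower() != "yes"):
        findings.append("cleartext auth: AUTH accepted before STARTTLS (smtpd_tls_auth_only != yes)")
    if params.get("smtpd_client_connection_rate_limit", "0") == "0":
        findings.append("no rate limiting: smtpd_client_connection_rate_limit unset or 0")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        findings = audit(parse_main_cf(cfg))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The checks mirror the first list above one for one: relay restrictions and mynetworks for open relay, disable_vrfy_command for user enumeration, the TLS parameters for unencrypted transmission and cleartext authentication, and the connection rate limit for missing rate limiting.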

Post Exploitation

Information Gathering

  • Enumerate valid users

  • Map internal network

  • Gather email addresses

  • Identify mail servers

  • Check for sensitive data

Privilege Escalation

    • Check for writable directories

  • Test for command injection

  • Look for misconfigured permissions

  • Search for credentials in configs

Response Codes

Code   Meaning
220    Service ready
250    Requested action completed
354    Start mail input
421    Service not available
450    Mailbox busy
500    Syntax error
550    Action not taken

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SMTP service version

    • Test for open relay

    • Check for user enumeration

    • Banner grab for information

  2. Deep Enumeration:

    • Run vulnerability scans

    • Test authentication methods

    • Check relay configurations

    • Test for user enumeration

    • Verify TLS/SSL setup

  3. Documentation:

    • Record all findings

    • Note server configuration

    • Document vulnerabilities

    • Save evidence for reporting

  4. Risk Assessment:

    • Evaluate impact of findings

    • Consider data sensitivity

    • Assess exploitation potential

    • Recommend mitigations

Additional Tools

  1. Swaks:

    swaks --to [email protected] --server <target>

  2. smtp-user-enum:

    smtp-user-enum -M VRFY -U users.txt -t <target>
    smtp-user-enum -M EXPN -U users.txt -t <target>

  3. sendEmail:

    sendemail -f [email protected] -t [email protected] -s <target>

  4. Metasploit Modules:

    • smtp_version

    • smtp_enum

    • smtp_relay