Attacking SMTP

SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission. The vulnerabilities in SMTP protocols can allow malicious attackers to spoof the origin of the messages, perform phishing attacks, and even execute code remotely in the system.

Connect

Connect Using Telnet

We can use Telnet to connect to the remote server. Here is a command using Telnet:

telnet example.com 25

Enumeration

Identifying a SMTP Server

You can use Nmap to check if there's an Telnet server on a target host like this:

nmap -p25,465,587 -sV -Pn target.com

Enumerate Users

Nmap has a script for SMTP user enumeration

nmap -p25 --script smtp-enum-users.nse target.com

DNS Mail Exchange (MX) Record Enumeration

We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.

dig +short mx example.com

Information Disclosure with NTLM Auth

Some SMTP servers with NTLM Authentication enabled can disclose sensitive information, like Windows Server version and internal IP, if Anonymous Logon is allowed.

nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.

Here is a simple example of how to test for open relay:

telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay
Test message
.
QUIT

SMTPTester Tool

which use to test 3 bugs → open relay, user enumerate, spoofing

git clone <https://github.com/xFreed0m/SMTPTester.git>
pip install -r requirements.txt
pip install -r requirements.txt

Post-Exploitation

Common SMTP Commands

Command

Description

Usage

HELO

Identifies the client to the server.

HELO example.com

EHLO

Extended HELLO.

EHLO example.com

MAIL FROM:

Specifies the sender's email address.

MAIL FROM: <sender@example.com>

RCPT TO:

Specifies the recipient's email address.

RCPT TO: <recipient@example.com>

DATA

Indicates the start of the message body.

DATA

RSET

Resets the session.

RSET

NOOP

No operation; used for testing.

NOOP

QUIT

Terminates the session.

QUIT

PreviousLab NextAttacking Common Applications

Last updated 10 months ago

hashtagConnect

hashtagConnect Using Telnet

hashtagEnumeration

hashtagIdentifying a SMTP Server

hashtagEnumerate Users

hashtagDNS Mail Exchange (MX) Record Enumeration

hashtagInformation Disclosure with NTLM Auth

hashtagAttack Vectors

hashtagOpen Relay Exploit

hashtagSMTPTester Tool

hashtagPost-Exploitation

hashtagCommon SMTP Commands