Attacking SMTP

SMTP (Simple Mail Transfer Protocol) is the protocol used to transmit electronic mail. Weaknesses in SMTP deployments can let attackers spoof the origin of messages, carry out phishing attacks, and in some cases execute code remotely on the mail server.

Connect

Connect Using Telnet

We can use Telnet to connect to the remote server. Here is a command using Telnet:

telnet example.com 25

Enumeration

Identifying an SMTP Server

You can use Nmap to check whether an SMTP server is listening on a target host (port 25, and the submission/SMTPS ports 587 and 465) like this:

nmap -p25,465,587 -sV -Pn target.com

Enumerate Users

Nmap has a script for SMTP user enumeration (it tries the VRFY, EXPN and RCPT TO methods):

nmap -p25 --script smtp-enum-users.nse target.com

DNS Mail Exchange (MX) Record Enumeration

We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.

dig +short mx example.com
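The output of dig +short mx is a list of "preference host." lines. The following parser, added here as an example (it is not part of the original page), turns that output into the order a sending MTA would actually try the hosts: lowest preference first, equal preferences grouped together, and the RFC 7505 null MX ("0 .") recognised as "this domain accepts no mail". The sample output is constructed, not a real query result.

```python
"""Parse `dig +short mx` output into the order a sending MTA would try hosts."""


def parse_dig_short_mx(output):
    """Return a sorted, de-duplicated list of (preference, host) pairs."""
    records = set()
    for line in output.splitlines():
        parts = line.split()
        # Each MX line is "<preference> <host.>"; anything else (blank lines,
        # the CNAME target that dig +short prints first for an alias) is ignored.
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.add((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def is_null_mx(output):
    """RFC 7505 null MX: a single record '0 .' means the domain accepts no mail."""
    return parse_dig_short_mx(output) == [(0, "")]


def mx_delivery_order(output):
    """Group hosts by preference, lowest first. Hosts that share a preference
    are equal candidates; RFC 5321 tells the sender to pick among them at random."""
    if is_null_mx(output):
        return []
    groups = {}
    for pref, host in parse_dig_short_mx(output):
        groups.setdefault(pref, []).append(host)
    return [(pref, groups[pref]) for pref in sorted(groups)]


# Constructed sample output, not the result of a real query.
SAMPLE_OUTPUT = """\
20 alt2.mail.example.com.
10 mail.example.com.
20 alt1.mail.example.com.
30 backup.mail.example.com.
"""

if __name__ == "__main__":
    for pref, hosts in mx_delivery_order(SAMPLE_OUTPUT):
        print(pref, ", ".join(hosts))
```

Note that "no MX record" and "null MX" are different answers: with no MX at all a sender falls back to the domain's A/AAAA record, while a null MX is an explicit statement that the domain does not receive mail.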

Information Disclosure with NTLM Auth

Some SMTP servers with NTLM authentication enabled disclose sensitive information, such as the Windows Server version and internal IP address, if Anonymous Logon is allowed. The information is carried in the NTLM challenge the server returns after AUTH NTLM, before any credential is checked.

nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com
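What the nmap script reads out of that challenge is laid out in the NTLM CHALLENGE_MESSAGE (Type 2) structure from MS-NLMP: the Target_Name, the AV_PAIR list of NetBIOS and DNS names, and the Version field with the OS build. The decoder below is an added example, not part of the original page or of nmap's script, and is useful for checking what your own server hands to an unauthenticated client. The build_challenge() helper exists only to construct sample input; the names CORP, MAIL01, corp.example and the build number 10.0.17763 are constructed values.

```python
"""Decode the names and OS version an NTLM CHALLENGE_MESSAGE (Type 2) discloses."""
import base64
import struct

# NegotiateFlags bits from MS-NLMP that the sample challenge sets.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids (MsvAvNbComputerName ... MsvAvDnsTreeName) and the labels used here.
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
HEADER_LEN = 56  # fixed part of CHALLENGE_MESSAGE, including the Version field


def build_challenge(target_name, av_pairs, version):
    """Assemble a CHALLENGE_MESSAGE. Used here only to produce sample input."""
    def u16(s):
        return s.encode("utf-16-le")
    name = u16(target_name)
    info = b"".join(struct.pack("<HH", av_id, len(u16(v))) + u16(v) for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_NTLM
             | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION)
    major, minor, build = version
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                            # Signature, MessageType
    msg += struct.pack("<HHI", len(name), len(name), HEADER_LEN)            # TargetNameFields
    msg += struct.pack("<I", flags)                                         # NegotiateFlags
    msg += bytes(range(8))                                                  # ServerChallenge (constructed)
    msg += b"\x00" * 8                                                      # Reserved
    msg += struct.pack("<HHI", len(info), len(info), HEADER_LEN + len(name))  # TargetInfoFields
    msg += struct.pack("<BBH", major, minor, build) + b"\x00\x00\x00\x0f"   # Version
    return msg + name + info


def parse_challenge(msg):
    """Return the names and OS version a Type 2 message discloses."""
    if (len(msg) < HEADER_LEN or msg[:8] != b"NTLMSSP\x00"
            or struct.unpack_from("<I", msg, 8)[0] != 2):
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("truncated message")  # offsets must stay inside the buffer
    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        if av_id in AV_NAMES and pos + av_len <= end:
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def parse_smtp_ntlm_reply(line):
    """Decode the '334 <base64>' reply an SMTP server sends after AUTH NTLM."""
    code, _, blob = line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"unexpected reply: {line!r}")
    return parse_challenge(base64.b64decode(blob))


# Constructed sample, not captured from any real server.
SAMPLE_CHALLENGE = build_challenge(
    "CORP",
    [(2, "CORP"), (1, "MAIL01"), (4, "corp.example"),
     (3, "mail01.corp.example"), (5, "corp.example")],
    (10, 0, 17763),
)
SAMPLE_REPLY = "334 " + base64.b64encode(SAMPLE_CHALLENGE).decode("ascii")

if __name__ == "__main__":
    for key, value in parse_smtp_ntlm_reply(SAMPLE_REPLY).items():
        print(f"{key}: {value}")
```

Everything the decoder prints was sent before any password was checked, which is why the mitigation is to disable NTLM (or at least anonymous NTLM negotiation) on Internet-facing SMTP listeners rather than to rely on the authentication failing.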

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.

Here is a simple example of how to test for open relay:

telnet target.com 25
EHLO test.example.com
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay

Test message
.
QUIT

If the server answers the RCPT TO line with a 250 reply even though neither address belongs to it, it is an open relay; a correctly configured server answers with a 5xx reply such as "554 Relay access denied".
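The decision the server makes at RCPT TO is the whole of relay control. The following added example (not part of the original page and not taken from any mail server's code) models that decision as a minimal SMTP command handler and replays the transcript above against it in-process, without any network. The hostname mail.target.com, the local domain target.com and both transcripts are constructed; the trust_sender_domain flag models a common weak configuration.

```python
"""Minimal SMTP session handler that enforces a relay policy at RCPT TO."""
import re

# Crude address-in-brackets matcher; enough for the demo, not a full RFC 5321 parser.
ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


class RelayPolicySession:
    """One SMTP session; handle() returns the reply line for each client line."""

    def __init__(self, local_domains, hostname="mail.target.com", trust_sender_domain=False):
        self.local_domains = {d.lower() for d in local_domains}  # constructed values
        self.hostname = hostname
        # Weak policy: treat a local-looking MAIL FROM as permission to relay.
        # MAIL FROM is unauthenticated, so this is an open relay in disguise.
        self.trust_sender_domain = trust_sender_domain
        self.authenticated = False  # would be set by a successful AUTH exchange
        self.greeted = False
        self.in_data = False
        self._clear_envelope()

    def _clear_envelope(self):
        self.mail_from = None
        self.rcpt_to = []

    def _is_local(self, addr):
        m = ADDR_RE.fullmatch(addr.strip())
        return bool(m) and m.group(2).lower() in self.local_domains

    def _may_relay_to(self, rcpt):
        # Sound policy: local recipient, or a client that has authenticated.
        if self.authenticated or self._is_local(rcpt):
            return True
        return self.trust_sender_domain and self._is_local(self.mail_from)

    def handle(self, line):
        if self.in_data:
            if line != ".":
                return None  # message body lines get no reply
            self.in_data = False
            queued = len(self.rcpt_to)
            self._clear_envelope()
            return f"250 OK: queued for {queued} recipient(s)"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {self.hostname}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            if not self.greeted:
                return "503 Error: send HELO/EHLO first"
            self.mail_from = arg[5:].strip()
            self.rcpt_to = []
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.mail_from is None:
                return "503 Error: need MAIL command"
            rcpt = arg[3:].strip()
            if not self._may_relay_to(rcpt):
                return "554 5.7.1 Relay access denied"
            self.rcpt_to.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._clear_envelope()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Error: command not recognized"


def replies_for(lines, local_domains, trust_sender_domain=False):
    """Run a scripted client session and return the server reply for each line."""
    session = RelayPolicySession(local_domains, trust_sender_domain=trust_sender_domain)
    return [session.handle(line) for line in lines]


# Constructed transcripts. RELAY_PROBE is the test from the section above;
# LOCAL_SENDER_PROBE claims a local sender but names a foreign recipient.
RELAY_PROBE = ["EHLO probe.example.com", "MAIL FROM:<test@example.com>",
               "RCPT TO:<test2@anotherexample.com>", "QUIT"]
LOCAL_SENDER_PROBE = ["EHLO probe.example.com", "MAIL FROM:<alice@target.com>",
                      "RCPT TO:<test2@anotherexample.com>", "QUIT"]


def relays(lines, local_domains, **kw):
    """True if the RCPT TO on the third line was accepted with a 250 reply."""
    return replies_for(lines, local_domains, **kw)[2].startswith("250")


if __name__ == "__main__":
    for name, probe in (("foreign sender", RELAY_PROBE), ("local sender", LOCAL_SENDER_PROBE)):
        for trust in (False, True):
            verdict = "relays" if relays(probe, ["target.com"], trust_sender_domain=trust) else "denied"
            print(f"{name:14} trust_sender_domain={trust!s:5} -> {verdict}")
```

Both configurations reject the transcript from the page, so a test with a foreign sender and foreign recipient alone will not catch the trust_sender_domain misconfiguration; a second probe that claims an address in the server's own domain does. Real MTAs relay only for local recipients, authenticated clients, or explicitly listed trusted networks (Postfix's mynetworks, for example), never on the strength of MAIL FROM.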

SMTPTester Tool

SMTPTester is used to test for three issues: open relay, user enumeration and spoofing.

git clone https://github.com/xFreed0m/SMTPTester.git
cd SMTPTester
pip install -r requirements.txt

Post-Exploitation

Common SMTP Commands

Command      Description                                                   Usage
HELO         Identifies the client to the server.                          HELO client.example.com
EHLO         Extended HELLO; the server replies with the extensions        EHLO client.example.com
             it supports.
MAIL FROM:   Specifies the sender's email address.                         MAIL FROM: <sender@example.com>
RCPT TO:     Specifies the recipient's email address.                      RCPT TO: <recipient@example.com>
DATA         Indicates the start of the message body.                      DATA
RSET         Resets the session.                                           RSET
NOOP         No operation; used for testing.                               NOOP
QUIT         Terminates the session.                                       QUIT
