SMTP 25

smtp-user-enum

https://github.com/cytopia/smtp-user-enum
pip install smtp-user-enum
smtp-user-enum -U top-usernames-shortlist.txt 192.168.86.42 25

  • -U takes the username wordlist; host and port are positional arguments. -m VRFY|EXPN|RCPT selects the probe method (default VRFY)

NMAP

ls /usr/share/nmap/scripts/ | grep -i smtp

SMTP NMAP

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
nc -nvv INSERTIPADDRESS 25
telnet INSERTIPADDRESS 25

Thunderbird

If you find users and a way to log in to the mail server with their passwords, e.g. 10.10.10.51 (HTB's SolidState machine), you can download their emails.

Start Thunderbird

thunderbird

add mail clients

  • example: you have discovered the user mindy on 10.10.10.51 and have her password; add an account with the username mindy@10.10.10.51, enter her password and accept the security exception Thunderbird raises for the server

  • use the "Get Messages" button to download her emails and read them for information

sendEmail

  • use this to send email with malicious attachments to discovered user addresses

  • -f is the sender address (it can be spoofed, but a known domain name is more likely to be accepted)

  • -t discovered user email address

  • -u Subject title

  • -m body of message

  • -a attachment

  • -s Mail server IP

Sending an attachment

sendEmail -f test@contoso.com -t nico@contoso.com -u RTF -m "Please convert this file" -a test2.rtf -s 10.130.10.77

sendEmail with SMTP authentication

  • this is normally used once you have credentials for a user's mailbox

  • sends an attachment (e.g. a malicious PDF) to a user, authenticating to the SMTP server first

  • "-t" is the target, "-f" is the sender (you), "-xu" is the username to authenticate with, "-xp" is the password, "-s" is the server (port defaults to 25; use server:port to override), "-u" is the subject, "-m" is the body, "-a" is the attachment

sendEmail -t jane@contoso.local -f billy@contoso.local -xu billy@contoso.local -xp P@ssWORD1234 -s 10.131.1.29 -u report -m "my project" -a report.pdf
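The two sendEmail invocations above, done with Python's standard library, as an added example (not the page's or sendEmail's own code). The addresses, host and credential are the placeholders from the commands above and the PDF bytes are a constructed sample; nothing here is a real system. It separates what the flags actually control: the message headers (-f/-t/-u/-m/-a) from the SMTP envelope and session (-s, -xu/-xp), which is where a spoofed sender and a permissive relay come in.

```python
"""Build a message with an attachment and relay it over SMTP, with optional AUTH."""
import mimetypes
import smtplib
from email.message import EmailMessage


def build_message(sender, recipient, subject, body, filename, payload: bytes) -> EmailMessage:
    """Assemble a multipart message: text body plus one file attachment."""
    msg = EmailMessage()
    msg["From"] = sender       # header the recipient sees (sendEmail -f)
    msg["To"] = recipient      # sendEmail -t
    msg["Subject"] = subject   # sendEmail -u
    msg.set_content(body)      # sendEmail -m
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)  # sendEmail -a, base64-encoded by the library
    return msg


def deliver(msg, server, port=25, username=None, password=None,
            envelope_from=None, use_starttls=False):
    """Relay msg through server (sendEmail -s); log in first if credentials are given (-xu/-xp).

    Returns the dict of refused recipients that smtplib reports (empty on success).
    """
    with smtplib.SMTP(server, port, timeout=15) as smtp:
        smtp.ehlo()
        if use_starttls:
            smtp.starttls()  # many servers only advertise AUTH after STARTTLS
            smtp.ehlo()
        if username:
            smtp.login(username, password)  # AUTH PLAIN/LOGIN against the relay
        # The envelope sender (MAIL FROM) is independent of the From header; an
        # open or badly scoped relay is what lets 'sendEmail -f' be faked.
        return smtp.send_message(msg, from_addr=envelope_from or msg["From"])


if __name__ == "__main__":
    report = build_message("billy@contoso.local", "jane@contoso.local", "report",
                           "my project", "report.pdf", b"%PDF-1.4\n% constructed sample\n")
    print(report.as_string())
    # deliver(report, "10.131.1.29", username="billy@contoso.local", password="P@ssWORD1234")
```

Run it as-is to see the MIME structure sendEmail would produce; uncomment the deliver() call (or pass use_starttls=True for a server that requires it) to actually relay it.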

Telnet SMTP

  • Send the commands manually; sometimes needed when the tools time out but you have verified that the server accepts connections. After the 220 banner send a HELO/EHLO first, as some servers refuse MAIL FROM without it

Check if usernames exist on Sendmail servers

telnet tophat.acme.local 25

EXPN root

this shows whether root exists and, if mail for that user is routed elsewhere, the address it expands to, e.g. root@redhat.contoso.com

RCPT method (Sendmail servers)

MAIL FROM:<test@contoso.local>
RCPT TO:<bob@redhat.contoso.local>

this replies 250 OK if the recipient exists and 550 User unknown if it does not. Many servers disable VRFY and EXPN (Sendmail PrivacyOptions novrfy/noexpn) and answer 252 or 502 instead; RCPT TO is the fallback, but a 550 "relaying denied" there means the domain is not local, not that the user is absent
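The exchange above scripted end to end, covering what smtp-user-enum and nmap's smtp-enum-users do under the hood, as an added example (not the page's code nor either tool's). It speaks raw SMTP so the VRFY, EXPN and RCPT TO probes and the reply codes that decide each verdict are visible, and it carries a constructed in-memory Sendmail stand-in (hostname, users and reply text are made up for the demo) so it runs offline; to use it against a real host, pass socket.create_connection((host, port)) as the sock argument.

```python
"""SMTP user enumeration over VRFY, EXPN and RCPT TO, with an offline fake server."""
import socket  # needed only when running against a real host

# Reply code of a probe -> verdict. 250/251: accepted (251 = not local, forwarded);
# 252: server refuses to verify but would attempt delivery (ambiguous); 550/551/553:
# unknown user / not local; 500/502: verb disabled (Sendmail PrivacyOptions novrfy/noexpn).
VERDICT = {250: "exists", 251: "exists", 252: "unverified", 550: "absent",
           551: "absent", 553: "absent", 500: "unsupported", 502: "unsupported"}


def classify(code: int) -> str:
    return VERDICT.get(code, f"unknown({code})")


class SMTPSession:
    """Line-oriented SMTP client over anything that has sendall() and recv()."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def _readline(self) -> str:
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("ascii", errors="replace")

    def reply(self) -> tuple[int, str]:
        """Read one reply; '250-text' lines continue it, '250 text' ends it."""
        lines = []
        while True:
            line = self._readline()
            lines.append(line[4:])
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), "\n".join(lines)

    def cmd(self, line: str) -> tuple[int, str]:
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        return self.reply()


def enumerate_users(sock, users, mode="VRFY", domain=None,
                    mail_from="test@contoso.local", helo="contoso.local"):
    """Probe each username with the chosen verb; returns {user: verdict}."""
    s = SMTPSession(sock)
    code, greeting = s.reply()
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {code} {greeting}")
    if s.cmd(f"EHLO {helo}")[0] != 250:
        s.cmd(f"HELO {helo}")  # pre-ESMTP server
    results = {}
    for user in users:
        if mode in ("VRFY", "EXPN"):
            code, _ = s.cmd(f"{mode} {user}")
        elif mode == "RCPT":
            s.cmd(f"MAIL FROM:<{mail_from}>")
            code, _ = s.cmd(f"RCPT TO:<{user}@{domain}>" if domain else f"RCPT TO:<{user}>")
            s.cmd("RSET")  # drop the envelope so the next probe starts clean
        else:
            raise ValueError(f"unknown mode {mode}")
        results[user] = classify(code)
        if results[user] == "unsupported":
            break  # verb is disabled server-wide: switch mode instead of looping
    s.cmd("QUIT")
    return results


class FakeSendmail:
    """Constructed in-memory Sendmail look-alike for the demo; not a real host."""
    LOCAL_USERS = {"root", "bob", "mindy"}

    def __init__(self, verify_enabled=True):
        self.verify_enabled, self.pending = verify_enabled, b""
        self.out = b"220 tophat.acme.local ESMTP Sendmail 8.15.2; ready\r\n"

    def sendall(self, data: bytes):
        self.pending += data
        while b"\r\n" in self.pending:
            line, self.pending = self.pending.split(b"\r\n", 1)
            self.out += self._handle(line.decode("ascii"))

    def recv(self, n: int) -> bytes:
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk

    def _handle(self, line: str) -> bytes:
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "EHLO":
            return b"250-tophat.acme.local Hello\r\n250 ENHANCEDSTATUSCODES\r\n"
        if verb == "QUIT":
            return b"221 2.0.0 tophat.acme.local closing connection\r\n"
        if verb in ("VRFY", "EXPN") and not self.verify_enabled:  # novrfy / noexpn
            return (b"252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n"
                    if verb == "VRFY" else b"502 5.7.0 Sorry, we do not allow this operation\r\n")
        if verb in ("VRFY", "EXPN"):
            local = arg
        elif verb == "RCPT":
            local = arg.split(":", 1)[1].strip("<> ").split("@")[0]
        else:
            return b"250 2.0.0 OK\r\n"  # HELO, MAIL, RSET
        if local in self.LOCAL_USERS:
            return f"250 2.1.5 <{local}@redhat.contoso.local>\r\n".encode()
        return f"550 5.1.1 {local}... User unknown\r\n".encode()
```

enumerate_users(FakeSendmail(), ["root", "alice", "bob"]) gives the VRFY run; with verify_enabled=False the same call returns "unverified" for every user, which is the cue to rerun with mode="RCPT" and domain set to the server's local domain. The loop stops at the first 500/502 because that reply means the verb is off for everyone, not just that user.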
