search

SMTP 25

hashtag
smtp-user-enum

https://github.com/cytopia/smtp-user-enum
pip install smtp-user-enum
smtp-user-enum -U top-usernames-shortlist.txt -U 192.168.86.42 25

hashtag
NMAP

ls /usr/share/nmap/scripts/ | grep SMTP

hashtag
SMTP NMAP

nmap –script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
nc -nvv INSERTIPADDRESS 25
telnet INSERTIPADDRESS 25

hashtag
Thunderbird

if you find users and a way to login with their passwords into an email server ie;10.10.10.51(HTB’s solidstate machine), then you can download their emails.

hashtag
Start Thunderbird

thunderbird

hashtag
add mail clients

  • example you have user mindy discovered on 10.10.10.51 and have her password then add the user with username mindy@10.10.10.51 and enter her password and bypass the exception

  • use “get messages” button to download their emails and read for information

hashtag
sendEmail

  • use this to send emailwith malicious attachments to discovered user addresses

  • -f is your email(can be faked but best use known domain name)

  • -t discovered user email address

  • -u Subject title

  • -m body of message

  • -a attachment

  • -s Mail server IP

Sending an attachement

hashtag
sendEmail

  • this tool is normally used once i have credentials to a users email

  • Sending attachment with malicious pdf to user using authentication via smtp

  • “-t” is target, “-f” is from aka me, “-xu” is username ot authenticate, “-xp” is password to use, “-s” is server/port default 25, “-u” is subject, “-m” is boxy, “-a” is attachment

hashtag
Telnet SMTP

  • Send commands manually sometimes needed when the tools time out but you verified the server will connect

Check if usernames exist for Sendmail Servers

this displays if Root exists and will show an email ie; root@redhat.contoso.com if the mail for tha user is routed thereEXPN root

RCPT method(sendmail servers)

PreviousSNMP 161NextVNC - 5800

Last updated