SMTP (Simple Mail Transfer Protocol) - a communication protocol used for the transmission of email.
Default SMTP TCP port is 25.
sudo nmap -p25 -sV -sC -O <TARGET_IP>
🔬 SMTP - Postfix Recon: Basics
- Target IP: 192.63.243.3
- Enumeration of Postfix server
ip -br -c a
eth1@if130369 UP 192.63.243.2/24
- Target IP is 192.8.3.3
nmap -sV -script banner 192.63.243.3
25/tcp open smtp Postfix smtpd
|_banner: 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
MAC Address: 02:42:C0:3F:F3:03 (Unknown)
Service Info: Host: openmailbox.xyz
📌 SMTP server name and banner are:
Server: Postfix
Banner: openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
- Fetch the hostname using nc (netcat)
nc 192.63.243.3 25
220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
📌 SMTP server hostname is openmailbox.xyz
- Check if the admin and commander users exist
nc 192.63.243.3 25
VRFY [email protected]
252 2.0.0 [email protected]
# Yes "admin" exists
VRFY [email protected]
550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table
# No "commander" doesn't exist
- Check supported commands/capabilities using telnet
telnet 192.63.243.3 25
HELO attacker.xyz
250 openmailbox.xyz
EHLO attacker.xyz
250-openmailbox.xyz
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
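📌 Supported commands/capabilities are the keywords in the EHLO response above: PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8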
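The VRFY check and the EHLO capability listing above, seen from the server owner's side: an added example (not part of the original notes) that parses the captured replies and reports what they disclose. The function names and the example.test addresses are assumptions made for this sketch.

```python
import re

# EHLO reply copied from the session above. The VRFY replies keep the page's
# codes and wording, but the addresses in them are constructed placeholders.
EHLO_REPLY = """250-openmailbox.xyz
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8"""
VRFY_KNOWN = "252 2.0.0 user@example.test"
VRFY_UNKNOWN = "550 5.1.1 <x@example.test>: Recipient address rejected: User unknown in local recipient table"
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(raw):
    """Parse one SMTP reply (single- or multi-line) into (code, text_lines)."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line.rstrip("\r"))
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code, sep, text = m.groups()
        texts.append(text)
        if sep == " ":  # "NNN " ends the reply, "NNN-" continues it
            return int(code), texts
    raise ValueError("reply has no final 'NNN ' line")

def ehlo_capabilities(raw):
    """Map each EHLO keyword to its parameters; line 1 is the server name."""
    code, texts = parse_reply(raw)
    if code != 250:
        raise ValueError(f"EHLO was refused with code {code}")
    return {t.split()[0].upper(): t.split()[1:] for t in texts[1:] if t.strip()}

def audit(ehlo_raw, vrfy_known, vrfy_unknown):
    """Return hardening findings for the captured EHLO and VRFY replies."""
    caps, findings = ehlo_capabilities(ehlo_raw), []
    if "VRFY" in caps:
        findings.append("VRFY is advertised")
    if "STARTTLS" not in caps:
        findings.append("STARTTLS is not offered")
    known, unknown = parse_reply(vrfy_known)[0], parse_reply(vrfy_unknown)[0]
    if known != unknown:
        findings.append(f"VRFY codes differ for known/unknown users ({known} vs {unknown})")
    return findings
```

Calling `audit(EHLO_REPLY, VRFY_KNOWN, VRFY_UNKNOWN)` returns the findings for this server; on Postfix, `disable_vrfy_command = yes` in main.cf is the setting that turns VRFY off.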
smtp-user-enum - tool for enumerating OS-level user accounts via the SMTP service
- Use smtp-user-enum to find common usernames from the specified wordlist
smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t 192.63.243.3
📌 There are 8 users present on the server, from the above wordlist:
admin
administrator
postmaster
root
sales
support
www-data
- Use msfconsole to find common usernames from the specified wordlist
service postgresql start && msfconsole -q
search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_enum
options
set RHOSTS 192.63.243.3
exploit
[+] 192.63.243.3:25 - 192.63.243.3:25 Users found: , admin, administrator, backup, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, postmaster, proxy, sync, sys, uucp, www-data
📌 There are 20 users present on the server, from the /usr/share/metasploit-framework/data/wordlists/unix_users.txt wordlist.
- Connect to SMTP service using telnet and send a fake mail to root user.
telnet 192.63.243.3 25
HELO attacker.xyz
mail from: [email protected]
rcpt to: [email protected]
data
Subject: Hello Root
Hello,
This is a fake mail sent using telnet command.
From admin
.
- Send a fake mail to root user using the sendemail command
sendemail -f [email protected] -t [email protected] -s 192.63.243.3 -u Fakemail -m "Hi root, a fake mail from admin" -o tls=no