SMTP Enumeration (Port 25)

Quick Intro

  • Used to send, receive, and relay outgoing emails

  • Uses port 25

  • Main attacks are user enumeration and using an open relay to send spam

NSE

nmap 192.168.1.101 --script="smtp*" -p 25

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip

User Enumeration

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

# For multiple servers
for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server; done

Connection

telnet $ip 25

Command to check if a user exists

VRFY root

Command to ask the server if a user belongs to a mailing list

EXPN root

Brute Force

hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V

Python script for SMTP VRFY (checks one username per run):

#!/usr/bin/env python3
# Send a single VRFY command to an SMTP server and print the reply.

import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <username> <target_ip>")
    sys.exit(1)

# Create a socket (with a timeout so a silent server does not hang the script)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)

# Connect to the server
ip = sys.argv[2]
s.connect((ip, 25))

# Receive the banner
banner = s.recv(1024)

print(banner.decode(errors="replace").strip())

# VRFY a user
user = sys.argv[1].encode()
s.sendall(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)

print(result.decode(errors="replace").strip())

# Close the socket
s.close()
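
Added example (not part of the original page): a defender-side check that interprets the VRFY replies the script above prints, using the reply codes from RFC 5321, to decide whether a server answers differently for a real mailbox and a fake one. The function names and the sample replies are constructed for illustration.

```python
import re

# VRFY/EXPN reply codes defined in RFC 5321 and what they disclose.
MEANING = {
    "250": "confirms", "251": "confirms",               # mailbox recognised
    "550": "denies", "551": "denies", "553": "denies",  # mailbox rejected
    "252": "neutral",                       # cannot verify, will attempt delivery
    "500": "disabled", "502": "disabled",   # command unrecognised / not implemented
}


def reply_code(raw):
    """Return the 3-digit code from the last line of an SMTP reply."""
    text = raw.decode("ascii", "replace") if isinstance(raw, bytes) else raw
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return None
    # Multi-line replies continue with "250-" and end with "250 ".
    match = re.match(r"(\d{3})(?: |-|$)", lines[-1].strip())
    return match.group(1) if match else None


def classify(raw):
    """Map a raw reply to confirms / denies / neutral / disabled / unknown."""
    return MEANING.get(reply_code(raw), "unknown")


def audit_vrfy(reply_for_real_user, reply_for_fake_user):
    """Compare replies for a known-real and a known-fake mailbox.

    Any difference in reply code lets a client tell the two apart,
    which is the condition user enumeration relies on.
    """
    real, fake = classify(reply_for_real_user), classify(reply_for_fake_user)
    leaks = reply_code(reply_for_real_user) != reply_code(reply_for_fake_user)
    return {"real": real, "fake": fake, "leaks": leaks}


# Constructed sample replies (not captured from a real server).
LEAKY = (b"250 2.1.5 root <root@mail.example.test>\r\n",
         b"550 5.1.1 <nosuchuser>: Recipient address rejected\r\n")
HARDENED = (b"252 2.0.0 root\r\n", b"252 2.0.0 nosuchuser\r\n")
DISABLED = (b"502 5.5.1 VRFY command is disabled\r\n",) * 2

if __name__ == "__main__":
    for name, pair in (("leaky", LEAKY), ("hardened", HARDENED), ("disabled", DISABLED)):
        print(name, audit_vrfy(*pair))
```

A server passes this check when both replies carry the same code, for example 252 for every name or 502 because VRFY is turned off.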

Send email using netcat

http://www.microhowto.info/howto/send_an_email_using_netcat.html
