icon

SMTP (Simple Mail Transfer Protocol) Pentesting

Last modified: 2024-09-14

It is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS).

Enumeration

nmap --script smtp-brute -p 25,465,587 <target-ip>
nmap --script smtp-commands -p 25,465,587 <target-ip>
nmap --script smtp-enum-users -p 25,465,587 <target-ip>
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target-ip>
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 <target-ip>
nmap --script smtp-* -p 25,465,587 <target-ip>

MX Domains

dig mx example.com

Users

# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u <username> -t <target-ip>
smtp-user-enum -M VRFY -U usernames.txt -t <target-ip>

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u <username> -t <target-ip>
smtp-user-enum -M RCPT -U usernames.txt -t <target-ip>

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u <username> -t <target-ip>
smtp-user-enum -M EXPN -D <hostname> -U usernames.txt -t <target-ip>

STARTTLS

# port 25
openssl s_client -starttls smtp -connect <target-ip>:25
# Port 465
openssl s_client -crlf -connect <target-ip>:465
# Port 587
openssl s_client -starttls smtp -crlf -connect <target-ip>:587

Connect

nc <target-ip> 25
# or
telnet <target-ip> 25

Commands

Commands are not case sensitive.

HELO - Identify SMTP Server

helo example.com

EHLO - List all supported enhanced functions

ehlo example.com
  • 8BITMIME - allow to send 8-bit data
  • AUTH - authentication for the SMTP connection
  • CHUNKING - transfer chunks of data
  • DSN (Delivery Status Notifications) - notify delivery status
  • ENHANCEDSTATUSCODES - allow to show more details of the status
  • ETRN - process remote queue
  • EXPN - expand mailing list
  • HELP - help about commands
  • PIPELINING - allow the multiple commands
  • SIZE - maximum message size that can be received
  • SMTPUTF8 -
  • STARTTLS - communicate with TLS
  • SEND - send message to terminal
  • TURN - swap client and server
  • VRFY - check if the user exists in the SMTP server

Auth Login

The AUTH LOGIN command allows us to login. We need to input username/password in Base64.
Here is the example:

AUTH LOGIN
334 VXNlcm5hbWU6 # Base64-encoded "username:"
dGVzdA== # Base64-encoded "test"
334 UGFzc3dvcmQ6 # Base64-encoded "password:"
cGFzc3dvcmQ= # Base64-encoded "password"

Messages

# 1. check if the user exists
vrfy <username>
vrfy root

# 2. set the address of the mail sender
mail from: <username>
mail from: root
mail from: sender@example.com

# 3. set the address of the mail recipient
rcpt to: <username>
rcpt to: root
rcpt to: recipient@example.com

# 4. send data of message (the message end with ".")
data
subject: Test Mail
This is a test mail.
.

Others

# process remote queue
etrn example.com

# list the mailing list
expn example.com

Send Mails from External

swaks is a swiss army knife for SMTP.

swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello"

# --attach: Attach a file
swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello" --attach @evil.docx

Start SMTP Server

# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25