🔬SMTP Enum

SMTP (Simple Mail Transfer Protocol) - a communication protocol used for the transmission of email.

Default SMTP TCP port is 25.

sudo nmap -p25 -sV -sC -O <TARGET_IP>

Lab 1

🔬 SMTP - Postfix Recon: Basics

• Target IP: 192.63.243.3

• Enumeration of Postfix server

ip -br -c a
	eth1@if130369 UP 192.63.243.2/24

• Target IP is 192.8.3.3

nmap -sV -script banner 192.63.243.3

25/tcp open  smtp    Postfix smtpd
|_banner: 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
MAC Address: 02:42:C0:3F:F3:03 (Unknown)
Service Info: Host:  openmailbox.xyz

📌 SMTP server name and banner are:

Server: Postfix

Banner: openmailbox.xyz ESMTP Postfix: Welcome to our mail server.

• Fetch the hostname using nc(netcat)

📌 SMTP server hostname is openmailbox.xyz

• Check if admin and commander user exists

• Check supported commands/capabilities using telnet

📌 Supported commands/capabilities are

smtp-user-enum

smtp-user-enum - tool for enumerating OS-level user account via the SMTP service

• Use smtp-user-enum to find common usernames from specified wordlist

📌 There are 8 users present on the server, from the above wordlist:

admin

administrator

mail

postmaster

root

sales

support

www-data

• Use msfconsole to find common usernames from specified wordlist

📌 There are 20 users present on the server, from the /usr/share/metasploit-framework/data/wordlists/unix_users.txt wordlist.

• Connect to SMTP service using telnet and send a fake mail to root user.

sendmail

• Send a fake mail to root user using sendemail command