🔬SMTP Enum

SMTP (Simple Mail Transfer Protocol) - a communication protocol used for the transmission of email.

Default SMTP TCP port is 25.

sudo nmap -p25 -sV -sC -O <TARGET_IP>

Lab 1

🔬 SMTP - Postfix Recon: Basics

  • Target IP: 192.63.243.3

  • Enumeration of Postfix server

ip -br -c a
	eth1@if130369 UP 192.63.243.2/24
  • Target IP is 192.8.3.3

nmap -sV --script banner 192.63.243.3
25/tcp open  smtp    Postfix smtpd
|_banner: 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
MAC Address: 02:42:C0:3F:F3:03 (Unknown)
Service Info: Host:  openmailbox.xyz

📌 SMTP server name and banner are:

Server: Postfix

Banner: openmailbox.xyz ESMTP Postfix: Welcome to our mail server.

  • Fetch the hostname using nc(netcat)

📌 SMTP server hostname is openmailbox.xyz

  • Check if the admin and commander users exist

  • Check supported commands/capabilities using telnet

📌 Supported commands/capabilities are

smtp-user-enum - tool for enumerating OS-level user accounts via the SMTP service

  • Use smtp-user-enum to find common usernames from the specified wordlist

smtp-user-enum

📌 There are 8 users present on the server, from the above wordlist:

admin

administrator

mail

postmaster

root

sales

support

www-data

  • Use msfconsole to find common usernames from the specified wordlist

📌 There are 20 users present on the server, from the /usr/share/metasploit-framework/data/wordlists/unix_users.txt wordlist.

Metasploit - auxiliary/scanner/smtp/smtp_enum
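
How the username enumeration above looks from the mail server's side, as an added example that is not part of the original lab notes: it parses Postfix per-session `disconnect` summary lines and flags clients with many VRFY/EXPN probes or rejected RCPT commands. It assumes the Postfix 3.x `name=accepted/total` log format; the sample log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed Postfix 3.x "disconnect" summary
# style (name=accepted or name=accepted/total). Not taken from the lab.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[1201]: disconnect from unknown[192.0.2.10] ehlo=1 vrfy=8/20 quit=1 commands=10/22
Jan 10 10:00:07 mx postfix/smtpd[1202]: disconnect from mail.example.org[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 10 10:01:30 mx postfix/smtpd[1203]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=3/40 rset=1 quit=1 commands=6/43
Jan 10 10:02:00 mx postfix/smtpd[1204]: disconnect from unknown[203.0.113.5] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=2/3
"""

DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S*\[([^\]]+)\]\s+(.*)$")
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_line(line):
    """Return (client_ip, {command: (accepted, total)}) or None for other lines."""
    m = DISCONNECT.search(line)
    if not m:
        return None
    stats = {}
    for name, ok, total in COUNTER.findall(m.group(2)):
        stats[name] = (int(ok), int(total) if total else int(ok))
    return m.group(1), stats


def find_enumeration(log_text, vrfy_limit=5, rcpt_reject_limit=10):
    """Flag clients whose summed VRFY/EXPN probes or rejected RCPTs exceed the limits."""
    probes = defaultdict(int)    # VRFY + EXPN attempts per client
    rejected = defaultdict(int)  # RCPT commands the server refused, per client
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, stats = parsed
        for cmd in ("vrfy", "expn"):
            probes[ip] += stats.get(cmd, (0, 0))[1]
        ok, total = stats.get("rcpt", (0, 0))
        rejected[ip] += total - ok
    alerts = {}
    for ip in set(probes) | set(rejected):
        if probes[ip] > vrfy_limit or rejected[ip] > rcpt_reject_limit:
            alerts[ip] = {"vrfy_expn": probes[ip], "rcpt_rejected": rejected[ip]}
    return alerts
```

On Postfix, setting `disable_vrfy_command = yes` in main.cf turns off VRFY; RCPT-based probing still appears as rejected `rcpt` counts, which is why the check tracks both.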

  • Connect to the SMTP service using telnet and send a fake mail to the root user.

telnet 192.63.243.3 25

  • Send a fake mail to the root user using the sendemail command

sendemail
