🔬SMTP Enum

Previous🔬MYSQL Enum NextVulnerability Assessment

Last updated 2 years ago

Was this helpful?

🔬SMTP Enum

SMTP (Simple Mail Transfer Protocol) - a communication protocol used for the transmission of email.

Default SMTP TCP port is 25.

sudo nmap -p25 -sV -sC -O <TARGET_IP>

Lab 1

🔬
Target IP: 192.63.243.3
Enumeration of server

ip -br -c a
	eth1@if130369 UP 192.63.243.2/24

Target IP is 192.8.3.3

nmap -sV -script banner 192.63.243.3

25/tcp open  smtp    Postfix smtpd
|_banner: 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
MAC Address: 02:42:C0:3F:F3:03 (Unknown)
Service Info: Host:  openmailbox.xyz

📌 SMTP server name and banner are:
Server: Postfix
Banner: openmailbox.xyz ESMTP Postfix: Welcome to our mail server.

Fetch the hostname using nc(netcat)

nc 192.63.243.3 25

220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.

📌 SMTP server hostname is openmailbox.xyz

Check if admin and commander user exists

nc 192.63.243.3 25

VRFY admin@openmailbox.xyz
	252 2.0.0 admin@openmailbox.xyz
# Yes "admin" exists

VRFY commander@openmailbox.xyz
	550 5.1.1 <commander@openmailbox.xyz>: Recipient address rejected: User unknown in local recipient table
# No "commander" doesn't exist

Check supported commands/capabilities using telnet

telnet 192.63.243.3 25

HELO attacker.xyz
	250 openmailbox.xyz
EHLO attacker.xyz
    250-openmailbox.xyz
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8

📌 Supported commands/capabilities are

smtp-user-enum - tool for enumerating OS-level user account via the SMTP service

Use smtp-user-enum to find common usernames from specified wordlist

smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t 192.63.243.3

📌 There are 8 users present on the server, from the above wordlist:
admin
administrator
mail
postmaster
root
sales
support
www-data

Use msfconsole to find common usernames from specified wordlist

service postgresql start && msfconsole -q

search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_enum
options
set RHOSTS 192.63.243.3
exploit

[+] 192.63.243.3:25 - 192.63.243.3:25 Users found: , admin, administrator, backup, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, postmaster, proxy, sync, sys, uucp, www-data

📌 There are 20 users present on the server, from the /usr/share/metasploit-framework/data/wordlists/unix_users.txt wordlist.

Connect to SMTP service using telnet and send a fake mail to root user.

telnet 192.63.243.3 25

HELO attacker.xyz
mail from: admin@attacker.xyz
rcpt to: root@openmailbox.xyz
data
Subject: Hello Root
Hello,
This is a fake mail sent using telnet command.
From admin
.

Send a fake mail to root user using sendemail command

sendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s 192.63.243.3 -u Fakemail -m "Hi root, a fake mail from admin" -o tls=no

Previous🔬MYSQL Enum NextVulnerability Assessment

Last updated 2 years ago

Was this helpful?

SMTP (Simple Mail Transfer Protocol) - a communication protocol used for the transmission of email.

Default SMTP TCP port is 25.

sudo nmap -p25 -sV -sC -O <TARGET_IP>

Lab 1

🔬
Target IP: 192.63.243.3
Enumeration of server

ip -br -c a
	eth1@if130369 UP 192.63.243.2/24

Target IP is 192.8.3.3

nmap -sV -script banner 192.63.243.3

25/tcp open  smtp    Postfix smtpd
|_banner: 220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.
MAC Address: 02:42:C0:3F:F3:03 (Unknown)
Service Info: Host:  openmailbox.xyz

📌 SMTP server name and banner are:
Server: Postfix
Banner: openmailbox.xyz ESMTP Postfix: Welcome to our mail server.

Fetch the hostname using nc(netcat)

nc 192.63.243.3 25

220 openmailbox.xyz ESMTP Postfix: Welcome to our mail server.

📌 SMTP server hostname is openmailbox.xyz

Check if admin and commander user exists

nc 192.63.243.3 25

VRFY admin@openmailbox.xyz
	252 2.0.0 admin@openmailbox.xyz
# Yes "admin" exists

VRFY commander@openmailbox.xyz
	550 5.1.1 <commander@openmailbox.xyz>: Recipient address rejected: User unknown in local recipient table
# No "commander" doesn't exist

Check supported commands/capabilities using telnet

telnet 192.63.243.3 25

HELO attacker.xyz
	250 openmailbox.xyz
EHLO attacker.xyz
    250-openmailbox.xyz
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8

📌 Supported commands/capabilities are

smtp-user-enum - tool for enumerating OS-level user account via the SMTP service

Use smtp-user-enum to find common usernames from specified wordlist

smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t 192.63.243.3

📌 There are 8 users present on the server, from the above wordlist:
admin
administrator
mail
postmaster
root
sales
support
www-data

Use msfconsole to find common usernames from specified wordlist

service postgresql start && msfconsole -q

search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_enum
options
set RHOSTS 192.63.243.3
exploit

[+] 192.63.243.3:25 - 192.63.243.3:25 Users found: , admin, administrator, backup, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, postmaster, proxy, sync, sys, uucp, www-data

📌 There are 20 users present on the server, from the /usr/share/metasploit-framework/data/wordlists/unix_users.txt wordlist.

Connect to SMTP service using telnet and send a fake mail to root user.

telnet 192.63.243.3 25

HELO attacker.xyz
mail from: admin@attacker.xyz
rcpt to: root@openmailbox.xyz
data
Subject: Hello Root
Hello,
This is a fake mail sent using telnet command.
From admin
.

Send a fake mail to root user using sendemail command

sendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s 192.63.243.3 -u Fakemail -m "Hi root, a fake mail from admin" -o tls=no