Pentesting SMTP

SMTP Port 25
SMTP (Simple Mail Transfer Protocol) is a communication protocol used for sending emails between servers. It plays a crucial role in email transmission but lacks built-in encryption, making it a common target for spoofing, relay abuse, and credential harvesting. For penetration testers, SMTP can be exploited to enumerate users, test for open relays, and analyze email security misconfigurations, helping identify vulnerabilities in an organization's mail infrastructure.
Navigation
  • Testing for Open Relay Vulnerabilities
  • Banner Grabbing and Fingerprinting
  • User Enumeration Techniques
  • Exploiting SMTP Misconfigurations
  • Post-Exploitation Strategies

Discovery and Enumeration

The first step in testing an SMTP service is to discover where it runs and how it behaves. The network scanning techniques detailed below identify hosts to test for SMTP vulnerabilities.

Scanning for SMTP Services

You can use the Nmap tool to detect SMTP services across a network or specific target.

nmap -p 25,465,587 10.1.1.1          #Scan a single IP for SMTP ports
nmap -p 25,465,587 10.1.1.0/24       #Scan a subnet for SMTP ports
nmap -p 25,465,587 -iL targets.txt   #Scan a file of targets for open SMTP servers
nmap -p 25,465,587 -sV 10.1.1.1      #Identify the SMTP software and version

You can use dig to identify Mail Exchange (MX) records. This tool can help target the correct mail server for further testing.

dig +short mx <target-domain>        #Find the mail servers responsible for a domain

Once you have identified SMTP servers and ports, identifying the SMTP server version and configuration can reveal potential vulnerabilities for exploitation.

Using Telnet

telnet 10.1.1.1 25                               #Connect to the SMTP service on port 25

#Example response:
220 mail.example.com ESMTP Postfix (Ubuntu)

The server hostname is mail.example.com
The mail server software is Postfix
The OS is Ubuntu

Using Netcat

nc -vn 10.1.1.1 25                               #Perform banner grabbing using Netcat

Using Nmap for Fingerprinting

nmap -p 25 --script smtp-strangeport 10.1.1.1    #Flag SMTP services listening on a non-standard port
nmap -p 25 --script smtp-ntlm-info 10.1.1.1      #Extract NTLM information

Using Metasploit

Metasploit has an auxiliary scanner to discover SMTP versions.

use auxiliary/scanner/smtp/smtp_version          #SMTP version enumeration
set RHOSTS 10.1.1.1
run

Once the mail server type is known, you can search for public vulnerabilities related to it. All SMTP-related exploits found in the Exploit Database can be listed using the following: https://www.exploit-db.com/search?q=SMTP

User Enumeration Techniques

SMTP can allow the enumeration of valid usernames. Internally, a list of valid usernames supports brute-force attacks against other services such as Active Directory; externally, it supports phishing attacks.

VRFY Command (User Verification)

Once you have connected to an SMTP server with a tool like Telnet, you can use the command below to test whether a user exists on the mail server.

VRFY admin       #Check if "admin" exists on the mail server

#If the user exists:
250 User exists

#If the user does not exist:
550 No such user

EXPN Command (Expand Mailing List)

If the following command is successful, it can list all users in a group.

EXPN it-team     #Check for members of a mailing list

Automating Enumeration with Nmap

nmap -p 25 --script smtp-enum-users 10.1.1.1     #Try to enumerate valid users

Automating with Metasploit

Metasploit has an SMTP enumeration auxiliary scanner.

use auxiliary/scanner/smtp/smtp_enum        #SMTP user enumeration
set RHOSTS 10.1.1.1
set USER_FILE usernames.txt
run

If VRFY and EXPN are disabled, an alternative method is to brute-force email addresses using the RCPT TO command. The server expects HELO/EHLO and MAIL FROM before RCPT TO (otherwise it replies 503 Bad sequence of commands), so send those first in the same session.

RCPT TO:<[email protected]>      #Check if an email exists

#If the email exists:
250 OK

#If the email does not exist:
550 User unknown
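The VRFY, EXPN and RCPT TO probes above all leave a trace in the mail server's log, which is where a defender sees them. The following is an added example (not code from the page or from Postfix) that parses Postfix-style "NOQUEUE: reject:" lines and flags a client that is rejected for many distinct unknown recipients in a short window, as well as VRFY/EXPN use and relay attempts that were denied. The log lines, hostnames and IP addresses are constructed samples; the threshold and window are assumptions to tune per site.

```python
"""Flag SMTP user-enumeration and relay probing in Postfix smtpd logs.

Added example for this page; it is not Postfix's or the page's own code.
The log lines are constructed samples in the shape Postfix writes for
"NOQUEUE: reject:" events; IPs are RFC 5737 documentation addresses and
the hostnames are fictitious.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2210]: connect from unknown[203.0.113.9]
Mar  3 10:15:02 mail postfix/smtpd[2210]: NOQUEUE: reject: VRFY from unknown[203.0.113.9]: 502 5.5.1 VRFY command is disabled; to=<admin> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:15:03 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <alice@example.test>: Recipient address rejected: User unknown in local recipient table; from=<x@attacker.test> to=<alice@example.test> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:15:04 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown in local recipient table; from=<x@attacker.test> to=<bob@example.test> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:15:05 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <carol@example.test>: Recipient address rejected: User unknown in local recipient table; from=<x@attacker.test> to=<carol@example.test> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:15:06 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <dave@example.test>: Recipient address rejected: User unknown in local recipient table; from=<x@attacker.test> to=<dave@example.test> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:15:07 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <erin@example.test>: Recipient address rejected: User unknown in local recipient table; from=<x@attacker.test> to=<erin@example.test> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:15:09 mail postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <victim@external.test>: Relay access denied; from=<x@attacker.test> to=<victim@external.test> proto=SMTP helo=<probe.attacker.test>
Mar  3 10:20:01 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from partner.example.net[198.51.100.4]: 550 5.1.1 <bobb@example.test>: Recipient address rejected: User unknown in local recipient table; from=<carol@example.net> to=<bobb@example.test> proto=ESMTP helo=<partner.example.net>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>VRFY|EXPN|RCPT) from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<rest>.*)$"
)
TO_RE = re.compile(r"to=<([^>]*)>")


def parse_rejects(log_text):
    """Yield (timestamp, ip, kind, recipient) for each reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for time deltas within one day
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        to = TO_RE.search(m.group("rest"))
        rcpt = to.group(1) if to else ""
        if m.group("cmd") in ("VRFY", "EXPN"):
            kind = "vrfy_expn"
        elif m.group("code") == "550" and "User unknown" in m.group("rest"):
            kind = "unknown_user"
        elif "Relay access denied" in m.group("rest"):
            kind = "relay_denied"
        else:
            continue
        yield ts, m.group("ip"), kind, rcpt


def detect(log_text, unknown_threshold=5, window_s=60):
    """Return {ip: [finding, ...]}.

    A client is flagged for enumeration when it is rejected for at least
    unknown_threshold distinct unknown recipients inside any window_s-second
    window; VRFY/EXPN use and relay-denied events are reported as well.
    A single typo from a legitimate partner stays below the threshold.
    """
    events = defaultdict(list)
    for ts, ip, kind, rcpt in parse_rejects(log_text):
        events[ip].append((ts, kind, rcpt))
    findings = {}
    for ip, evs in events.items():
        out = []
        evs.sort()
        unknown = [(ts, r) for ts, k, r in evs if k == "unknown_user"]
        for i, (start, _) in enumerate(unknown):
            seen = {r for ts, r in unknown[i:] if ts - start <= timedelta(seconds=window_s)}
            if len(seen) >= unknown_threshold:
                out.append("user enumeration via RCPT TO: %d unknown recipients in %ds" % (len(seen), window_s))
                break
        n_vrfy = sum(1 for _, k, _ in evs if k == "vrfy_expn")
        if n_vrfy:
            out.append("VRFY/EXPN probing: %d attempts" % n_vrfy)
        n_relay = sum(1 for _, k, _ in evs if k == "relay_denied")
        if n_relay:
            out.append("open-relay probing: %d relay attempts denied" % n_relay)
        if out:
            findings[ip] = out
    return findings


if __name__ == "__main__":
    for ip, notes in detect(SAMPLE_LOG).items():
        print(ip)
        for n in notes:
            print("  -", n)
```

Run against the sample, the probing client 203.0.113.9 is reported for all three behaviours while the partner host with one mistyped recipient is not. The same logic ports to a SIEM query: group rejects by client address, count distinct unknown recipients per minute, and alert on the VRFY/EXPN and "Relay access denied" reasons regardless of count.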

Testing for Open Relay Vulnerabilities

An open relay allows unauthorized users to send emails through the server, leading to spam and phishing attacks.

Manual Open Relay Testing

telnet 10.1.1.1 25                    #Connect to the SMTP server
HELO mail.attacker.com                #Identify yourself as a mail client
MAIL FROM:<[email protected]>        #Spoof the sender
RCPT TO:<[email protected]>            #Send mail to an external domain
DATA
Subject: Test Open Relay
This is a test email.
.
QUIT

#If the email is accepted, the server is an open relay.
#If the server rejects the email, it is likely secured.

Automated Open Relay Testing with Nmap

nmap --script smtp-open-relay -p 25 10.1.1.1     #Check for open relays

Automated Open Relay Testing with Metasploit

Metasploit has an SMTP relay auxiliary scanner to test for SMTP open relays.

use auxiliary/scanner/smtp/smtp_relay       #Test for open relay vulnerabilities
set RHOSTS 10.1.1.1
run
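To make clear what the manual relay test above actually exercises, here is an added example (not part of the page and not real mail server code): a small SMTP policy state machine that replays the same HELO / MAIL FROM / RCPT TO / DATA / QUIT transcript once against an open-relay policy and once against the usual restricted policy, which relays only for local recipients or authenticated senders. It also enforces command ordering (RCPT TO before MAIL FROM gets a 503) and answers VRFY with the non-committal 252 that a hardened server returns. The reply texts follow the Postfix style quoted on this page; hostnames and addresses are constructed.

```python
"""Minimal SMTP policy simulator (added example, not a real mail server).

It models only the command sequencing and the relay decision that the manual
open-relay test exercises, so one transcript can be replayed against an open
relay and against a correctly restricted server. Domain names, hostnames and
addresses are constructed samples.
"""
import re

ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?$")


class SmtpPolicy:
    """State machine for one SMTP session.

    local_domains: domains this server accepts mail for.
    open_relay:    True reproduces the misconfiguration; False enforces
                   "relay only for local recipients or authenticated senders".
    allow_vrfy:    True reproduces a server that confirms mailboxes on VRFY.
    """

    def __init__(self, local_domains, open_relay=False, allow_vrfy=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.allow_vrfy = allow_vrfy
        self.helo = None
        self.sender = None
        self.rcpts = []
        self.authenticated = False

    def _is_local(self, domain):
        return domain.lower() in self.local_domains

    def handle(self, line):
        """Return the server's reply to one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return "250 mail.example.test"  # constructed hostname
        if verb == "VRFY":
            # A hardened server neither confirms nor denies the mailbox
            # (Postfix: disable_vrfy_command = yes).
            if self.allow_vrfy:
                return "250 User exists"
            return "252 2.0.0 Cannot VRFY user, but will accept message and attempt delivery"
        if verb == "MAIL":
            if self.helo is None:
                return "503 5.5.1 Error: send HELO/EHLO first"
            addr = arg.split(":", 1)[-1].strip()
            if addr == "<>":  # null sender used by bounce messages
                self.sender = ""
                return "250 2.1.0 Ok"
            m = ADDR_RE.search(addr)
            if not m:
                return "501 5.1.7 Bad sender address syntax"
            self.sender = m.group(1)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            m = ADDR_RE.search(arg.split(":", 1)[-1].strip())
            if not m:
                return "501 5.1.3 Bad recipient address syntax"
            rcpt, domain = m.group(1), m.group(2)
            # The relay decision: local destination, authenticated client,
            # or (the misconfiguration) anything at all.
            if self._is_local(domain) or self.authenticated or self.open_relay:
                self.rcpts.append(rcpt)
                return "250 2.1.5 Ok"
            return "554 5.7.1 <%s>: Relay access denied" % rcpt
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def replay(policy, commands):
    """Feed command lines in order and return the three-digit reply codes."""
    return [policy.handle(c)[:3] for c in commands]


# The manual relay test from the page, with constructed sample addresses.
RELAY_PROBE = [
    "HELO mail.attacker.test",
    "MAIL FROM:<attacker@attacker.test>",
    "RCPT TO:<victim@external.test>",
    "DATA",
    "QUIT",
]


def is_open_relay(policy_factory):
    """True when RCPT TO for a foreign domain gets a 2xx reply without auth."""
    return replay(policy_factory(), RELAY_PROBE)[2].startswith("2")


if __name__ == "__main__":
    for label, factory in (
        ("open relay", lambda: SmtpPolicy(["example.test"], open_relay=True)),
        ("restricted", lambda: SmtpPolicy(["example.test"])),
    ):
        verdict = "open relay" if is_open_relay(factory) else "secured"
        print(label, replay(factory(), RELAY_PROBE), "->", verdict)
```

The decisive reply is the one to RCPT TO: 250 for a foreign domain from an unauthenticated client is the open-relay signature, 554 Relay access denied is the expected answer. Because the restricted session never accepts a recipient, the following DATA is refused with 503 as well, which is why the manual test's outcome is visible before any message body is sent.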

Exploiting SMTP Misconfigurations

NTLM Information Disclosure

Some SMTP servers use Windows NTLM authentication, which can leak NTLM challenge-response hashes. You can use Nmap to test for NTLM hash leaks; this can reveal internal Windows usernames and domain names used by the organisation. You can also crack the hashes offline using john or hashcat.

nmap -p 25 --script smtp-ntlm-info 10.1.1.1      #Extract NTLM hash information
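What the smtp-ntlm-info script reads is the NTLM CHALLENGE_MESSAGE (Type 2) that the server returns in its "334 <base64>" reply during AUTH NTLM. The following added example (not the page's or Nmap's code) decodes that message so an administrator can see exactly which names and version a server discloses before any credentials are involved. The challenge is built in code from made-up names and a fictitious build number so the example runs offline; the field offsets follow the MS-NLMP layout of the Type 2 message.

```python
"""Decode what an SMTP server discloses in its NTLM challenge (Type 2).

Added example, not the page's or Nmap's code. The Type 2 message is the one
a server returns in a "334 <base64>" line during AUTH NTLM; nmap's
smtp-ntlm-info extracts the same fields. The sample challenge is constructed
in code (names and build number are fictitious) so this runs offline.
"""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
AV_NAMES = {  # MS-NLMP AV_PAIR ids that carry names
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
}


def parse_type2(blob):
    """Return target name, server challenge, AV pairs and OS version."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]               # NegotiateFlags
    challenge = blob[24:32]                                     # ServerChallenge
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    info = {
        "target_name": blob[tn_off:tn_off + tn_len].decode(enc),
        "server_challenge": challenge.hex(),
        "flags": flags,
        "target_info": {},
        "version": None,
    }
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", blob, 48)  # Version field
        info["version"] = "%d.%d build %d" % (major, minor, build)
    if flags & NEGOTIATE_TARGET_INFO:
        pos = ti_off
        while pos + 4 <= ti_off + ti_len:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:  # MsvAvEOL terminates the list
                break
            value = blob[pos:pos + av_len]
            pos += av_len
            if av_id in AV_NAMES:  # name values are always UTF-16LE
                info["target_info"][AV_NAMES[av_id]] = value.decode("utf-16-le")
    return info


def parse_smtp_334(line):
    """Decode the base64 payload of a '334 ...' AUTH continuation reply."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("expected a 334 continuation reply")
    return parse_type2(base64.b64decode(payload))


def build_sample_type2():
    """Constructed challenge for testing; every value is fictitious."""
    target = "CORP".encode("utf-16-le")
    pairs = b""
    for av_id, text in ((2, "CORP"), (1, "MAIL01"),
                        (4, "corp.example.test"), (3, "mail01.corp.example.test")):
        enc = text.encode("utf-16-le")
        pairs += struct.pack("<HH", av_id, len(enc)) + enc
    pairs += struct.pack("<HH", 0, 0)  # MsvAvEOL
    flags = NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION
    header_len = 56  # fixed header size when the Version field is present
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), header_len)
    msg += struct.pack("<I", flags)
    msg += bytes(range(8))   # server challenge (fixed here, random in practice)
    msg += b"\x00" * 8       # reserved
    msg += struct.pack("<HHI", len(pairs), len(pairs), header_len + len(target))
    msg += struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00" + b"\x0f"  # version
    return msg + target + pairs


def sample_334_line():
    """The constructed challenge as a server would send it during AUTH NTLM."""
    return "334 " + base64.b64encode(build_sample_type2()).decode("ascii")


if __name__ == "__main__":
    info = parse_smtp_334(sample_334_line())
    print("target:", info["target_name"], "version:", info["version"])
    for name, value in info["target_info"].items():
        print("  %-22s %s" % (name, value))
```

The NetBIOS and DNS names plus the OS version are what the challenge reveals to anyone who can reach the port; the server challenge itself is random per session. Disabling AUTH NTLM on Internet-facing submission ports, or restricting it to authenticated internal networks, removes the disclosure.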

Post-Exploitation Strategies

Once SMTP access is obtained, as a penetration tester you can leverage it for post-exploitation.

Extracting Emails from the Server

If you have compromised credentials, use swaks to retrieve messages. You can get swaks here.

swaks --to [email protected] --server <smtp-server> --auth LOGIN --auth-user [email protected] --auth-password password