25, 465, 587

PRIMARY CATEGORY → PROTOCOLS AND SERVICES

SMTP → Simple Mail Transfer Protocol

Ports

25

MTA → MTA

This is port is used to send and receive emails between Mail Transfer Agents (MTA)

It is mainly designed for email sending between SMTP Servers and not for stablishing a connection and sending email messages from a Mail User Agent (MUA) to an MTA

It is not recommended that the MTUs use the 25 Port to send emails. Although, this port supports encryption via STARTTLS

465

MUA → MTA

This port allows the email sending from a MUA to an SMTP Server using SSL/TLS to cipher the connection

It automatically encrypts the communication between both parties, It is not optional. This makes it less flexible than STARTTLS

It is not currently the standard, although most SMTP Servers maintain it for compatibility

587

MUA → MTA

It is used to send emails from MUAs to SMTP Servers always requiring authentication

It is currently the standard and it allows to start a connection without encryption and then negotiate it

Note that, as mentioned above, is more flexible than Port 465, as it supports both encrypted and unencrypted connections

SMTP Commands

Command	Description
`AUTH PLAIN`	Service Extension to authenticate the client
`HELO/EHLO`	Client self introduction to the server
`MAIL FROM`	Email Sender
`RCPT TO`	Email Recipient
`DATA`	The client initiates the data transfer
`RSET`	The client aborts the initiated transmission but keeps the connection
`VRFY`	Check if a mailbox is available for message transfer
`EXPN`	”Same” as `VRFY`
`QUIT`	The client terminates the session

Remote Connection

Telnet

telnet <TARGET> <PORT>

Netcat

nc <TARGET> <PORT>

Enumeration

SMTP - 25

nc -nv <TARGET> 25

SMTPS - 465, 587

openssl s_client -connect <TARGET>:465 -crlf

openssl s_client -connect <TARGET>:587 -starttls smtp -crlf

Listing SMTP Avaliable Commands/Extensions

EHLO

telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> EHLO
250-mail1
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

Nmap

NSE Script → smtp-commands.nse

nmap -p25,465,587 -sC -sV -vvv -n -Pn --disable-arp-ping <TARGET>

User Enumeration

VRFY

telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> HELO x
250 mail1
> VRFY root
252 2.0.0 root
> VRFY anyrandomuser
550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table

RCPT TO

telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> HELO x
250 mail1
> MAIL FROM:fake@domain.com
250 2.1.0 Ok
> RCPT TO:root
250 2.1.5 Ok
> RCPT TO:anyrandomuser
550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table

EXPN

telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> HELO x
250 mail1
> EXPN root
252 2.0.0 root
> EXPN anyrandomuser
550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table

smtp-user-enum

Perl Script

smtp-user-enum

It comes with Security Distros such as Kali or Parrot OS

smtp-user-enum -M <MODE> -u <USER> -t <TARGET> -p <PORT>

Custom Userlist

smtp-user-enum -M <MODE> -U <WORDLIST> -t <TARGET> -p <PORT>

Python3 Script

smtp-user-enum

python3 smtp-user-enum --mode <MODE> --domain <DOMAIN> --user <USER> <TARGET> <PORT>

Custom Userlist

python3 smtp-user-enum --mode <MODE> --domain <DOMAIN> --file <WORDLIST> <TARGET> <PORT>

Cloud Enumeration

O365 Spray

O365 Spray

Office365’s MX Validation (Microsoft)

python3 o365spray.py --validate --domain <DOMAIN>

User Enumeration

python3 o365spray.py --enum -U <USERLIST> --domain <DOMAIN>

Bruteforcing || Password Spraying

Hydra

THC-Hydra

Important
The format for the users on the list should be as follows →
<USER>@<DOMAIN>.<TLD>

Bruteforcing

One User ↔ Passwordlist

hydra -v -T <THREADS> -l <USERNAME> -P <PASSWDLIST> <TARGET> smtp

Userlist → Passwordlist

hydra -v -T <THREADS> -L <USERLIST> -P <PASSWORDLIST> <TARGET> smtp

Password Spraying

hydra -v -T <THREADS> -L <USERLIST> -p <PASSWORD> <TARGET> smtp

O365 Spray

Exclusive to Microsoft’s MX

Password Spraying

python3 o365spray.py --spray -U <USERLIST> -p '<PASSWORD>' --count 1 --lockout 1 --domain <DOMAIN>

Open Relay

Some SMTP Servers allows connections from any IP Address

This is done via the mynetworks parameter in the /etc/postfix/main.cf configuration file

mynetworks = 0.0.0.0/0

To identify the target SMTP as an open relay, proceed as follows →

Nmap

NSE Script → smtp-open-relay

nmap -p<PORT> --script smtp-open-relay -vvv -n -Pn --disable-arp-ping <TARGET>

💥Cyb3rBook

Explorer

25, 465, 587 - SMTP

PRIMARY CATEGORY → PROTOCOLS AND SERVICES

Ports

25

465

587

SMTP Commands

Remote Connection

Telnet

Netcat

Enumeration

Banner Grabbing

SMTP - 25

SMTPS - 465, 587

Listing SMTP Avaliable Commands/Extensions

EHLO

Nmap

User Enumeration

VRFY

RCPT TO

EXPN

smtp-user-enum

Perl Script

Python3 Script

Cloud Enumeration

O365 Spray

Office365’s MX Validation (Microsoft)

User Enumeration

Bruteforcing || Password Spraying

Hydra

Bruteforcing

Password Spraying

O365 Spray

Password Spraying

Open Relay

Nmap

Graph View

Table of Contents

Backlinks