PRIMARY CATEGORY → PROTOCOLS AND SERVICES
SMTP → Simple Mail Transfer Protocol
Ports
25
MTA → MTA
This port is used to send and receive email between Mail Transfer Agents (MTAs).
It is designed mainly for email relay between SMTP servers, not for establishing a connection and submitting email messages from a Mail User Agent (MUA) to an MTA.
It is not recommended that MUAs use port 25 to send email, although this port does support encryption via STARTTLS.
465
MUA → MTA
This port allows email submission from a MUA to an SMTP server using SSL/TLS to encrypt the connection.
It encrypts the communication between both parties automatically; encryption is not optional, which makes it less flexible than STARTTLS.
It is not currently the standard, although most SMTP servers keep it for compatibility.
587
MUA → MTA
It is used to send email from MUAs to SMTP servers and always requires authentication.
It is currently the standard; it allows starting a connection without encryption and then negotiating it (STARTTLS).
Note that, as mentioned above, it is more flexible than port 465, as it supports both encrypted and unencrypted connections.
SMTP Commands
| Command | Description |
|---|---|
| AUTH PLAIN | Service extension to authenticate the client |
| HELO/EHLO | Client self-introduction to the server |
| MAIL FROM | Email sender |
| RCPT TO | Email recipient |
| DATA | The client initiates the data transfer |
| RSET | The client aborts the initiated transmission but keeps the connection |
| VRFY | Check if a mailbox is available for message transfer |
| EXPN | "Same" as VRFY |
| QUIT | The client terminates the session |
Enumeration
SMTP Clients
```
telnet <TARGET> <PORT>
nc <TARGET> <PORT>
```
Banner Grabbing
SMTP - 25
```
nc -nv <TARGET> 25
```
SMTPS - 465, 587
```
openssl s_client -connect <TARGET>:465 -crlf
openssl s_client -connect <TARGET>:587 -starttls smtp -crlf
```
SMTP Available Commands/Extensions
EHLO
```
telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> EHLO
250-mail1
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
```
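The multi-line 250 reply above follows the RFC 5321 reply format: every line starts with the three-digit code, a hyphen marks a continuation line and a space marks the final line. The following added example (not code from the original note) parses such a reply into a capability map and then reviews it from the server operator's side: whether STARTTLS is offered and whether VRFY/EXPN are advertised, since an advertised VRFY is exactly what the user-enumeration checks later in this note rely on. The reply text is constructed from the exchange shown above; the hostname "mail1" and the SIZE value are simply what that placeholder server returned, and the 50 MiB size threshold is an assumed local policy.

```python
"""Parse a multi-line SMTP EHLO reply and review the advertised extensions.

Added example, not code from the original note. EHLO_REPLY is constructed
from the exchange shown in the note; the size threshold is an assumed policy.
"""
import re

# Constructed sample: the server's 250 reply to EHLO, as the note shows it.
EHLO_REPLY = """\
250-mail1
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
"""

# RFC 5321 reply line: three-digit code, then "-" on continuation lines
# and a single space on the final line of the reply.
_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(reply: str) -> dict:
    """Return {"host": <first-line host>, "extensions": {KEYWORD: [params]}}.

    Raises ValueError when the text is not one well-formed 250 reply
    (a non-250 code, or no terminating "250 " line).
    """
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    host, extensions, terminated = "", {}, False
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        _code, sep, text = m.groups()
        words = text.split()
        if i == 0:
            host = words[0] if words else ""          # first line: server hostname
        elif words:
            extensions[words[0].upper()] = words[1:]  # keyword followed by parameters
        if sep == " ":
            terminated = True
            if i != len(lines) - 1:
                raise ValueError("text after the final reply line")
    if not terminated:
        raise ValueError("reply not terminated (no '250 ' line)")
    return {"host": host, "extensions": extensions}


def is_well_formed(reply: str) -> bool:
    """True if parse_ehlo_reply accepts the text, False otherwise."""
    try:
        parse_ehlo_reply(reply)
        return True
    except ValueError:
        return False


def review_extensions(extensions: dict) -> list:
    """Hardening findings for an advertised extension set (operator's view)."""
    findings = []
    if "STARTTLS" not in extensions:
        findings.append("STARTTLS not offered: sessions on this port cannot upgrade to TLS")
    if "VRFY" in extensions:
        findings.append("VRFY advertised: remote user enumeration is possible; "
                        "disable it (Postfix: disable_vrfy_command = yes)")
    if "EXPN" in extensions:
        findings.append("EXPN advertised: mailing-list expansion leaks addresses; disable it")
    size = extensions.get("SIZE", [])
    if size and size[0].isdigit() and int(size[0]) > 50 * 1024 * 1024:  # assumed policy limit
        findings.append("SIZE above 50 MiB: consider a lower message size limit")
    return findings


if __name__ == "__main__":
    parsed = parse_ehlo_reply(EHLO_REPLY)
    print("host:", parsed["host"])
    print("extensions:", sorted(parsed["extensions"]))
    for finding in review_extensions(parsed["extensions"]):
        print("finding:", finding)
```

Run against the reply above, the parser yields ten extensions and the review reports only the advertised VRFY, because STARTTLS is present and the 10,240,000-byte SIZE limit is below the assumed threshold. The parser rejects a reply whose last line still carries the hyphen, which is the case a naive line-by-line reader silently accepts when a connection is cut mid-reply.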
Nmap
NSE Script → smtp-commands.nse
```
nmap -p25,465,587 -sC -sV -vvv -n -Pn --disable-arp-ping <TARGET>
```
User Enumeration
Manual Enumeration
VRFY
```
telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> HELO x
250 mail1
> VRFY root
252 2.0.0 root
> VRFY anyrandomuser
550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table
```
RCPT TO
```
telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> HELO x
250 mail1
> MAIL FROM:fake@domain.com
250 2.1.0 Ok
> RCPT TO:root
250 2.1.5 Ok
> RCPT TO:anyrandomuser
550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table
```
EXPN
```
telnet <TARGET> <PORT>
220 InFreight ESMTP v2.11
> HELO x
250 mail1
> EXPN root
252 2.0.0 root
> EXPN anyrandomuser
550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table
```
smtp-user-enum
- Perl Script
It comes with Security Distros such as Kali or Parrot OS
```
smtp-user-enum -M <MODE> -u <USER> -t <TARGET> -p <PORT>
```
- Python3 Script
```
python3 smtp-user-enum --mode <MODE> --user <USER> <TARGET> <PORT>
```
Bruteforce Enumeration
smtp-user-enum
- Perl
Use the -U option to indicate a file with a list of users.
```
smtp-user-enum -M <MODE> -U <WORDLIST> -t <TARGET> -p <PORT>
```
- Python3
Use the --file option to indicate a file with a list of users.
```
python3 smtp-user-enum --mode <MODE> --file <WORDLIST> <TARGET> <PORT>
```
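The manual VRFY / RCPT TO / EXPN probes and the wordlist-driven runs above leave the same trace on the server side: a burst of "Recipient address rejected: User unknown" rejections from one client, each for a different mailbox. The following added example (not code from the original note) is the detection counterpart: it parses Postfix-style smtpd rejection lines, groups them by client IP and raises an alert when a client produces a threshold number of unknown-recipient rejections within a short window, so that a single mistyped address does not fire while a probing run does. The log lines are constructed to resemble Postfix's reject messages; the client addresses come from the 203.0.113.0/24 documentation range, the hostname and domain are placeholders, and the threshold and window are assumed tuning values.

```python
"""Detect SMTP user-enumeration (VRFY / EXPN / RCPT TO probing) in Postfix-style
smtpd logs by counting unknown-recipient rejections per client in a time window.

Added example, not code from the original note. SAMPLE_LOG is constructed;
addresses are documentation-range IPs and host/domain names are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one probing client (203.0.113.5) cycling through
# VRFY and RCPT TO, plus one client (203.0.113.9) with a single typo.
SAMPLE_LOG = """\
Oct 10 12:00:01 mail1 postfix/smtpd[1234]: connect from unknown[203.0.113.5]
Oct 10 12:00:02 mail1 postfix/smtpd[1234]: NOQUEUE: reject: VRFY from unknown[203.0.113.5]: 550 5.1.1 <anyrandomuser>: Recipient address rejected: User unknown in local recipient table; to=<anyrandomuser> proto=SMTP helo=<x>
Oct 10 12:00:04 mail1 postfix/smtpd[1234]: NOQUEUE: reject: VRFY from unknown[203.0.113.5]: 550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table; to=<test> proto=SMTP helo=<x>
Oct 10 12:00:06 mail1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <admin@example.test>: Recipient address rejected: User unknown in local recipient table; from=<fake@domain.com> to=<admin@example.test> proto=SMTP helo=<x>
Oct 10 12:00:08 mail1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <guest@example.test>: Recipient address rejected: User unknown in local recipient table; from=<fake@domain.com> to=<guest@example.test> proto=SMTP helo=<x>
Oct 10 12:00:10 mail1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <backup@example.test>: Recipient address rejected: User unknown in local recipient table; from=<fake@domain.com> to=<backup@example.test> proto=SMTP helo=<x>
Oct 10 12:00:12 mail1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <oracle@example.test>: Recipient address rejected: User unknown in local recipient table; from=<fake@domain.com> to=<oracle@example.test> proto=SMTP helo=<x>
Oct 10 12:05:30 mail1 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mx.partner.test[203.0.113.9]: 550 5.1.1 <jonh@example.test>: Recipient address rejected: User unknown in local recipient table; from=<alice@partner.test> to=<jonh@example.test> proto=ESMTP helo=<mx.partner.test>
Oct 10 12:05:31 mail1 postfix/smtpd[1240]: 1A2B3C: client=mx.partner.test[203.0.113.9]
"""

# Matches Postfix's "NOQUEUE: reject:" line for an unknown local recipient,
# whether it came from a VRFY command or from RCPT TO.
_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>VRFY|RCPT) from \S*\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def parse_rejects(lines):
    """Return (timestamp, client_ip, command, recipient) for each matching line."""
    events = []
    for line in lines:
        m = _REJECT.search(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["cmd"], m["rcpt"]))
    return events


def detect_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on clients with >= threshold unknown-recipient rejects inside `window`.

    Returns {client_ip: {"count", "commands", "sample_recipients"}}.
    threshold/window are assumed tuning values, not Postfix settings.
    """
    by_ip = defaultdict(list)
    for ts, ip, cmd, rcpt in parse_rejects(lines):
        by_ip[ip].append((ts, cmd, rcpt))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # sliding window over the sorted events: any `threshold` consecutive
        # rejects whose first and last are at most `window` apart trigger an alert
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1][0] - evs[i][0] <= window:
                alerts[ip] = {
                    "count": len(evs),
                    "commands": sorted({e[1] for e in evs}),
                    "sample_recipients": [e[2] for e in evs[:3]],
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {info['count']} unknown-recipient rejects via "
              f"{'/'.join(info['commands'])}, e.g. {info['sample_recipients']}")
```

On the sample the only alert is for 203.0.113.5 (six rejections in ten seconds, over both VRFY and RCPT), while the single misaddressed message from 203.0.113.9 stays below the threshold. The same per-client counting maps directly onto a SIEM rule; pairing it with the server-side fixes named elsewhere in this note (disabling VRFY, restricting relay) removes the signal at its source.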
Open Relay
Some SMTP Servers allows connections from any IP Address
This is done via the mynetworks
parameter in the /etc/postfix/main.cf
configuration file
mynetworks = 0.0.0.0/0
To identify the target SMTP server as an open relay, proceed as follows →
Nmap
NSE Script → smtp-open-relay
```
nmap -p<PORT> --script smtp-open-relay -vvv -n -Pn --disable-arp-ping <TARGET>
```