SMTP


Simple Mail Transfer Protocol (SMTP) is the protocol a mail client (Mail User Agent, MUA) uses to submit emails, through a Mail Submission Agent (MSA), to a server called a Mail Transfer Agent (MTA). This server then transfers the emails to another server that handles the delivery.

The Mail Transfer Agent sends the mail to a Mail Delivery Agent (MDA), which is the server the client queries to access their emails. It's common for an MTA to also be an MDA.

🐊️ Ports

  • 25 (TCP)
  • 587 (TCP) - with or without SSL/TLS
  • 2525 (TCP) - unofficial

🔥 SMTP communications are not encrypted.

🔒 There is a secure version called SMTPS (port 465, over SSL/TLS). Modern servers use port 587 with SSL/TLS, as SMTPS was revoked.

You could use the analogy of an MSA being the postman that takes mail from your outbox (MUA) and delivers it to the post center (MTA).

$ telnet IP 25
helo hostname
mail from: <helo@example.com>
rcpt to: <helo@example.com> NOTIFY=success,failure
data
subject: xxx
xxx
.

SMTP also has the commands VRFY, to check whether a user exists, and EXPN, to list the addresses behind a mailing list or alias.
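As an added example (not code from the original notes), the following parses the multi-line reply an ESMTP server sends to EHLO and flags the capabilities discussed on this page: VRFY and EXPN being advertised, and a missing STARTTLS (with AUTH then running in cleartext). The server name and reply text are constructed; `classify_vrfy_code` interprets the VRFY reply codes, including the 252 case mentioned below.

```python
from dataclasses import dataclass, field

# Constructed sample: EHLO reply of a hypothetical server. Per RFC 5321,
# "250-" marks a continuation line and "250 " (space) marks the last line.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-VRFY\r\n"
    "250-EXPN\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)

@dataclass
class EhloReport:
    greeting: str
    extensions: dict          # keyword -> parameter string (may be "")
    findings: list = field(default_factory=list)

def parse_ehlo_reply(reply: str) -> EhloReport:
    """Parse a complete EHLO reply and flag settings worth reviewing."""
    lines = reply.splitlines()
    if not lines or lines[0][:3] != "250":
        raise ValueError(f"EHLO rejected or malformed reply: {lines[:1]}")
    if lines[-1][3:4] != " ":
        raise ValueError("truncated reply: last line still uses the '-' continuation")
    report = EhloReport(greeting=lines[0][4:], extensions={})
    for line in lines[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        keyword, _, params = line[4:].partition(" ")
        report.extensions[keyword.upper()] = params
    ext = report.extensions
    if "VRFY" in ext:
        report.findings.append("VRFY advertised: user existence can be confirmed")
    if "EXPN" in ext:
        report.findings.append("EXPN advertised: mailing-list members can be listed")
    if "STARTTLS" not in ext:
        report.findings.append("no STARTTLS: the session stays in cleartext")
        if "AUTH" in ext:
            report.findings.append("AUTH offered without TLS: credentials sent in the clear")
    return report

def classify_vrfy_code(code: int) -> str:
    """Interpret the reply code to VRFY; 252 is the 'not always working' case."""
    if code in (250, 251):
        return "exists"
    if code == 252:   # server accepts mail for the address but will not confirm it
        return "unconfirmed"
    return "unknown" if code in (550, 551, 553) else "other"
```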


SMTP vulnerabilities ☠️

Enumeration

  • Metasploit
msf6> use auxiliary/scanner/smtp/smtp_version # version
  • Dig info using nmap
$ nmap IP -p 25,465 --script "*smtp*"
$ nmap IP -p 25,465 --script smtp-open-relay

Foothold


msf6> use auxiliary/scanner/smtp/smtp_enum # users...
  • We can use smtp-user-enum, which supports 3 methods: VRFY (not always working; a 252 reply means the server will not confirm the user), RCPT (along with -D to give the domain) and EXPN
$ sudo apt install smtp-user-enum
$ smtp-user-enum -M VRFY -u root -t IP
$ smtp-user-enum -M VRFY -U users.lst -t IP
$ smtp-user-enum -M RCPT -U users.lst -D example.com -t IP
  • The password may be weak and vulnerable to brute force.
$ hydra -l username@example.com -P passwords.lst smtp://IP -v

Well-known CVEs

Additional Notes


  • o365spray can be used to brute-force usernames and passwords of Microsoft Office 365 accounts.
$ git clone https://github.com/0xZDH/o365spray
$ cd o365spray
$ python3 o365spray.py --validate --domain xxx.yyy # valid?
$ python3 o365spray.py --enum -U users.txt --domain xxx.yyy

👻 To-do 👻

Stuff that I found but never read or used yet.

  • SMTP protocol extension ESMTP with SMTP-Auth
  • MSA is also called Relay server
  • Open Relay (IPs allowed to use the SMTP server; 0.0.0.0/0 = any)
  • Mail Server Configuration