SMTP
Simple Mail Transfer Protocol (SMTP) is the protocol a mail client (Mail User Agent, MUA) uses to hand emails to a Mail Submission Agent (MSA), which passes them to a server called the Mail Transfer Agent (MTA). This server transfers emails to another server that handles the delivery.
The Mail Transfer Agent sends the mail to a Mail Delivery Agent (MDA), which is the server the client queries to access his/her emails. It's common for an MTA to also be an MDA.
Ports
- 25 (TCP)
- 587 (TCP) - with or without SSL/TLS
- 2525 (TCP) - unofficial
π₯ SMTP communications are not encrypted.
π There is a secure version called SMTPS (port 465, over SSL/TLS). Modern web servers use port 587 with SSL/TLS as smtps was revoked.
You could use the analogy of a MSA being the postman that takes mail from your inbox (MUA) and deliver them to the post center (MTA).
$ telnet IP 25
helo hostname
mail from: <helo@example.com>
rcpt to: <helo@example.com> NOTIFY=success,failure
data
subject: xxx
xxx
.
SMTP also has the commands VRFY, to check if a user exists, and EXPN, to see the emails/mailing lists/... for a user.
SMTP vulnerabilities
Enumeration
- Metasploit
msf6> use auxiliary/scanner/smtp/smtp_version # version
- Dig info using nmap
$ nmap IP -p 25,465 --script "*smtp*"
$ nmap IP -p 25,465 --script smtp-open-relay
Foothold
- We can use Metasploit, which is quite reliable
msf6> use auxiliary/scanner/smtp/smtp_enum # users...
- We can use smtp-user-enum, which supports 3 methods: VRFY (not always working, code 252, doc), RCPT (along with -D) and EXPN
$ sudo apt install smtp-user-enum
$ smtp-user-enum -M VRFY -u root -t IP
$ smtp-user-enum -M VRFY -U users.lst -t IP
$ smtp-user-enum -M RCPT -U users.lst -D example.com -t IP
- The password may be weak and vulnerable to brute force.
$ hydra -l username@example.com -P passwords.lst smtp://IP -v
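From the defender's side, the VRFY/EXPN probing, RCPT user guessing and password brute force described above leave a recognisable trace in the mail server's log. The following Python script is an added example (not from the original page): it tallies those events per client IP over a few constructed, simplified Postfix-style log lines and flags clients that cross a threshold; the log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified Postfix-style format (not captured from a real server).
SAMPLE_LOG = """\
Mar 10 10:00:02 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <alice@example.com>: User unknown in local recipient table
Mar 10 10:00:02 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bob@example.com>: User unknown in local recipient table
Mar 10 10:00:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <carol@example.com>: User unknown in local recipient table
Mar 10 10:00:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <dave@example.com>: User unknown in local recipient table
Mar 10 10:00:05 mx postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[198.51.100.7]: 502 5.5.1 VRFY command is disabled
Mar 10 10:00:10 mx postfix/smtpd[1203]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar 10 10:00:11 mx postfix/smtpd[1203]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar 10 10:00:12 mx postfix/smtpd[1203]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar 10 10:00:20 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.5]: 550 5.1.1 <typo@example.com>: User unknown in local recipient table
"""
# Client IP is the dotted quad in square brackets (the smtpd[PID] bracket has no dots, so it never matches).
CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PROBE_RE = re.compile(r"reject: (VRFY|EXPN) from")
# Alert thresholds, assumed for this example; tune them to the server's normal traffic.
THRESHOLDS = {"rcpt_enum": 4, "vrfy_expn_probe": 1, "auth_bruteforce": 3}

def classify(line):
    """Map one log line to (client_ip, event), or None when the line is not of interest."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    if PROBE_RE.search(line):                               # VRFY/EXPN user probing
        return m.group(1), "vrfy_expn_probe"
    if "reject: RCPT" in line and "User unknown" in line:   # RCPT TO guessing of local users
        return m.group(1), "rcpt_enum"
    if "authentication failed" in line:                     # SMTP AUTH password guessing
        return m.group(1), "auth_bruteforce"
    return None

def tally(log_text):
    """Count events of interest per client IP: {ip: {event: n}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ip, event in filter(None, map(classify, log_text.splitlines())):
        counts[ip][event] += 1
    return counts

def flag(counts, thresholds=THRESHOLDS):
    """Return {ip: [events]} for clients whose counts reach a threshold; a lone typo stays below it."""
    return {ip: [e for e, n in thresholds.items() if ev.get(e, 0) >= n]
            for ip, ev in counts.items()
            if any(ev.get(e, 0) >= n for e, n in thresholds.items())}

if __name__ == "__main__":
    for ip, events in flag(tally(SAMPLE_LOG)).items():
        print(ip, ", ".join(events))
```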
Well-known CVEs
- OpenSMTPD 6.6.2: unauthenticated RCE. CVE-2020-7247.
Additional Notes
- o365spray can be used to brute force usernames and passwords of Microsoft Office 365 accounts.
$ git clone https://github.com/0xZDH/o365spray
$ cd o365spray
$ python3 o365spray.py --validate --domain xxx.yyy # valid?
$ python3 o365spray.py --enum -U users.txt --domain xxx.yyy
To-do
Stuff that I found, but never read/used yet.
- SMTP protocol extension ESMTP with SMTP-Auth
- MSA is also called Relay server
- Open Relay (IPs allowed to use the SMTP Server, 0.0.0.0/0 = any) - Mail Server Configuration