7. SMTP

I. Email Basics

Function: Handles and delivers email. Protocols:

  • SMTP (Simple Mail Transfer Protocol): Sending emails.

  • POP3 (Post Office Protocol 3): Receiving emails (typically removes from server).

  • IMAP4 (Internet Message Access Protocol 4): Receiving emails (keeps on server).

Ports:

  • SMTP: TCP/25 (unencrypted, server-to-server), TCP/465 (implicit TLS, SMTPS), TCP/587 (submission, upgraded with STARTTLS)

  • POP3: TCP/110 (unencrypted), TCP/995 (encrypted)

  • IMAP4: TCP/143 (unencrypted), TCP/993 (encrypted)

Attack Vectors:

  • Misconfigurations (anonymous access, weak protocols).

  • User enumeration.

  • Password attacks (spraying, brute-forcing).

  • Exploiting vulnerabilities (e.g., open relay, CVE-2020-7247).

  • Credential reuse attacks.

  • Email spoofing/phishing.

II. Enumeration

MX Records (Mail Exchanger):

host -t MX <domain>
dig mx <domain>

  • MXToolbox website

  • DNSdumpster for passive recon

A Records (IP Address):

host -t A <mail_server>
dig A <mail_server>

SPF, DKIM, and DMARC Records:

dig txt <domain>
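The TXT records above are what decides whether a receiving server will accept mail claiming to be from the domain. The following added example (written for this page, not part of the original notes) parses the SPF and DMARC strings that `dig txt` returns, evaluates a sending IP against the SPF ip4/ip6 mechanisms, and flags the two settings that leave a domain spoofable: an SPF record ending in `+all` and a DMARC policy of `p=none`. The records in `SAMPLE_TXT` are constructed; `include:` and `redirect=` terms need DNS lookups and are treated as non-matching here, which is an assumption of the offline example.

```python
import ipaddress
import re

# Constructed TXT records for this example (not real DNS data); these are the
# strings `dig txt <domain>` and `dig txt _dmarc.<domain>` would return.
SAMPLE_TXT = {
    "example.test": [
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 include:_spf.mailhost.invalid -all",
    ],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
    ],
    "weak.test": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf(records):
    """Return the domain's single SPF record, or None (RFC 7208: two or more is a permerror)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_check(record, client_ip):
    """Evaluate client_ip against the ip4/ip6 mechanisms and the trailing 'all'.
    include/redirect/a/mx would need DNS lookups; offline they are treated as
    non-matching (assumption), so such senders fall through to the 'all' result."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        matched = False
        if mechanism in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def dmarc_policy(records):
    """Return the DMARC 'p' tag (none/quarantine/reject), or None if no record exists."""
    rec = next((r for r in records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    return tags.get("p", "none").strip().lower()


def assess_domain(domain, txt=SAMPLE_TXT):
    """List weaknesses that let the domain be spoofed; an empty list means both policies are strict."""
    findings = []
    spf = find_spf(txt.get(domain, []))
    if spf is None:
        findings.append("no usable SPF record")
    elif re.search(r"\s\+?all\s*$", spf, re.I):
        findings.append("SPF ends in +all: any host may send as this domain")
    elif spf.lower().rstrip().endswith("?all"):
        findings.append("SPF ends in ?all: receivers get no guidance")
    policy = dmarc_policy(txt.get("_dmarc." + domain, []))
    if policy is None:
        findings.append("no DMARC record")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, not blocked")
    return findings


if __name__ == "__main__":
    for name in ("example.test", "weak.test"):
        print(name, assess_domain(name) or "OK")
```

With the constructed records, `example.test` comes back clean, while `weak.test` is reported for both `+all` and `p=none`; a real assessment would feed in the strings from `dig txt` and resolve the `include:` chain as well.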

Nmap (for custom mail servers):

nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <target_IP>

III. Misconfigurations

SMTP User Enumeration:

telnet <target_IP> 25
VRFY <username>
EXPN <mailing_list>
MAIL FROM:<test@example.com>
RCPT TO:<username>

smtp-user-enum tool:

smtp-user-enum -M VRFY -U <user_list> -D <domain> -t <target_IP>

POP3 User Enumeration:

telnet <target_IP> 110
USER <username>
PASS <password>
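From the server side, the VRFY/EXPN/RCPT TO probing in this section has a distinctive shape in the logs: one client issuing many VRFY or EXPN commands, or many RCPT TO commands that come back 550 (unknown user). The following added example (not part of the original notes) runs that detection over constructed SMTP log lines using a sliding time window; the one-event-per-line log format is invented for the example, so `LINE_RE` would need adapting to a real MTA's log output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMTP server log lines (the one-event-per-line format is invented
# for this example; adapt LINE_RE to your MTA's actual log format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=203.0.113.9 cmd=VRFY arg=alice resp=252
2024-05-01T10:00:02Z client=203.0.113.9 cmd=VRFY arg=bob resp=252
2024-05-01T10:00:02Z client=203.0.113.9 cmd=EXPN arg=staff resp=502
2024-05-01T10:00:03Z client=203.0.113.9 cmd=VRFY arg=carol resp=252
2024-05-01T10:00:10Z client=198.51.100.7 cmd=MAIL arg=news@partner.test resp=250
2024-05-01T10:00:11Z client=198.51.100.7 cmd=RCPT arg=dave@example.test resp=250
2024-05-01T10:05:00Z client=192.0.2.44 cmd=MAIL arg=probe@x.test resp=250
2024-05-01T10:05:01Z client=192.0.2.44 cmd=RCPT arg=aaron@example.test resp=550
2024-05-01T10:05:01Z client=192.0.2.44 cmd=RCPT arg=abby@example.test resp=550
2024-05-01T10:05:02Z client=192.0.2.44 cmd=RCPT arg=adam@example.test resp=550
2024-05-01T10:05:02Z client=192.0.2.44 cmd=RCPT arg=admin@example.test resp=250
2024-05-01T10:05:03Z client=192.0.2.44 cmd=RCPT arg=alan@example.test resp=550
2024-05-01T10:05:03Z client=192.0.2.44 cmd=RCPT arg=alex@example.test resp=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) cmd=(?P<cmd>\w+) arg=(?P<arg>\S+) resp=(?P<code>\d{3})$"
)


def parse_events(log):
    """Yield one dict per well-formed line, with the timestamp parsed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield event


def detect_enumeration(log, window=timedelta(minutes=5), probe_threshold=3, unknown_threshold=5):
    """Return {client_ip: reason} for clients whose traffic looks like address enumeration:
    repeated VRFY/EXPN, or many RCPT TO attempts rejected with 550 (unknown user)."""
    by_client = defaultdict(list)
    for event in parse_events(log):
        by_client[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is at most `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            recent = events[start:end + 1]
            probes = sum(e["cmd"] in ("VRFY", "EXPN") for e in recent)
            unknown = sum(e["cmd"] == "RCPT" and e["code"] == "550" for e in recent)
            if probes >= probe_threshold:
                alerts[ip] = f"{probes} VRFY/EXPN probes within {window}"
                break
            if unknown >= unknown_threshold:
                alerts[ip] = f"{unknown} RCPT TO rejections (550) within {window}"
                break
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_enumeration(SAMPLE_LOG).items():
        print(ip, reason)
```

On the constructed log, the VRFY client and the RCPT TO client are both reported and the ordinary sender is not. The thresholds are starting points; tune them against real traffic. On Postfix the VRFY vector itself can be removed with `disable_vrfy_command = yes`, which makes the server answer every VRFY with a non-committal 252.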

IV. Cloud Enumeration

Office 365:

python3 o365spray.py --validate --domain <domain>
python3 o365spray.py --enum -U <user_list> --domain <domain>

Google Workspace Enumeration:

python3 enum_google.py --domain <domain>

V. Password Attacks

Hydra:

hydra -L <user_list> -P <password_list> <target_IP> <service>

Cloud Services (Office 365):

python3 o365spray.py --spray -U <user_list> -p <password> --count 1 --lockout 1 --domain <domain>

MailSniper (Office 365):

Invoke-Spray -Usernames <user_list> -Password <password> -OutFile results.txt
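The defensive counterpart to this section is telling a spray apart from a brute-force in the authentication logs: a spray touches many accounts with one or two attempts each, while a brute-force hammers one account. The following added example (not part of the original notes) classifies sources from constructed SMTP AUTH log lines and reports which accounts each source eventually authenticated as, which is the list a responder needs first; the log format is invented for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed SMTP AUTH log lines for this example (format invented here).
SAMPLE_AUTH_LOG = """\
2024-05-02T08:00:01Z client=203.0.113.50 user=alice@example.test result=fail
2024-05-02T08:00:02Z client=203.0.113.50 user=bob@example.test result=fail
2024-05-02T08:00:03Z client=203.0.113.50 user=carol@example.test result=fail
2024-05-02T08:00:04Z client=203.0.113.50 user=dave@example.test result=fail
2024-05-02T08:00:05Z client=203.0.113.50 user=erin@example.test result=success
2024-05-02T08:00:06Z client=203.0.113.50 user=frank@example.test result=fail
2024-05-02T08:10:00Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:01Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:02Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:03Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:04Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:05Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:06Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:10:07Z client=198.51.100.8 user=grace@example.test result=fail
2024-05-02T08:20:00Z client=192.0.2.10 user=heidi@example.test result=fail
2024-05-02T08:20:30Z client=192.0.2.10 user=heidi@example.test result=success
"""

AUTH_RE = re.compile(
    r"^\S+ client=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_auth(log):
    """Yield (client_ip, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user").lower(), m.group("result")


def classify_sources(log, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=8):
    """Return {client_ip: (verdict, [users that authenticated successfully])}.
    'spray'      : many distinct users, at most spray_max_per_user attempts each
    'bruteforce' : one user tried at least brute_min_attempts times
    Sources matching neither pattern (e.g. a user mistyping once) are omitted."""
    attempts = defaultdict(Counter)
    successes = defaultdict(set)
    for ip, user, result in parse_auth(log):
        attempts[ip][user] += 1
        if result == "success":
            successes[ip].add(user)

    verdicts = {}
    for ip, per_user in attempts.items():
        heaviest = max(per_user.values())
        if len(per_user) >= spray_min_users and heaviest <= spray_max_per_user:
            verdicts[ip] = ("spray", sorted(successes[ip]))
        elif heaviest >= brute_min_attempts:
            verdicts[ip] = ("bruteforce", sorted(successes[ip]))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, users) in classify_sources(SAMPLE_AUTH_LOG).items():
        print(ip, verdict, "compromised:", users or "none")
```

Per-account lockout thresholds (the `--lockout` value the o365spray command above is careful to stay under) do nothing against the spray pattern, which is why the detection keys on the number of distinct users per source rather than on failures per account.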

VI. Protocol-Specific Attacks

Open Relay:

nmap -p25 -Pn --script smtp-open-relay <target_IP>
swaks --from <sender> --to <recipient> --header 'Subject: <subject>' --body <body> --server <target_IP>
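What the nmap script and the swaks command above test is one decision: does the server accept a RCPT TO for a domain it does not host from a client that is neither authenticated nor on an internal network? The following added example (not part of the original notes) models that decision as a policy function, shows an open-relay policy next to a correct one, and drives both with the same four test cases a relay probe would send. The local domains and trusted network are constructed values.

```python
import ipaddress

# Constructed deployment facts for this example.
LOCAL_DOMAINS = {"example.test"}                          # domains this server delivers for
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # internal clients allowed to relay

OK = (250, "2.1.5 Ok")
RELAY_DENIED = (554, "5.7.1 Relay access denied")


def permissive_policy(mail_from, rcpt_to, client_ip, authenticated):
    """An open relay: every RCPT TO is accepted, whoever sends it and wherever it goes."""
    return OK


def restrictive_policy(mail_from, rcpt_to, client_ip, authenticated,
                       local_domains=LOCAL_DOMAINS, trusted=TRUSTED_NETWORKS):
    """Accept inbound mail for hosted domains; relay outbound mail only for
    authenticated users or trusted internal clients; reject everything else."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if rcpt_domain in local_domains:
        return OK                                   # inbound: we are the final destination
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in trusted):
        return OK                                   # outbound from our own users
    return RELAY_DENIED                             # third party asking us to relay


# (mail_from, rcpt_to, client_ip, authenticated) for the classic relay test cases.
PROBE_CASES = {
    "inbound to local domain": ("someone@outside.test", "alice@example.test", "203.0.113.9", False),
    "authenticated user to outside": ("alice@example.test", "friend@outside.test", "203.0.113.9", True),
    "internal client to outside": ("alice@example.test", "friend@outside.test", "10.1.2.3", False),
    "unauthenticated outside to outside": ("spoof@outside.test", "victim@other.test", "203.0.113.9", False),
}
MUST_REJECT = {"unauthenticated outside to outside"}


def relay_probe(policy):
    """Return the names of cases the policy accepts even though it must reject them."""
    wrongly_accepted = []
    for name, args in PROBE_CASES.items():
        code, _ = policy(*args)
        if name in MUST_REJECT and code == 250:
            wrongly_accepted.append(name)
    return wrongly_accepted


def is_open_relay(policy):
    return bool(relay_probe(policy))


if __name__ == "__main__":
    for policy in (permissive_policy, restrictive_policy):
        print(policy.__name__, "open relay:", is_open_relay(policy))
```

The three legitimate cases pass under both policies; only the fourth separates them. In Postfix terms the restrictive policy is `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`, with `mynetworks` playing the role of `TRUSTED_NETWORKS`.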

SMTP Spoofing (Manual Test):

telnet <target_IP> 25
HELO example.com
MAIL FROM:<spoofed@domain.com>
RCPT TO:<victim@domain.com>
DATA
Subject: Test

This is a spoofing test.
.
QUIT

VII. Latest Email Service Vulnerabilities

  • CVE-2020-7247 (OpenSMTPD):

    • RCE vulnerability (exploitable since 2018).

    • Affects OpenSMTPD up to version 6.6.2.

    • No authentication required.

    • Shodan.io for finding potentially vulnerable servers.

  • CVE-2021-27211 (Exim):

    • Improper validation of recipient address.

    • Can lead to RCE.

VIII. Additional Tools

  • Amass for passive DNS enumeration.

  • Shodan for discovering exposed mail servers.

  • TheHarvester for gathering email addresses.

  • Censys for advanced reconnaissance.
