7. SMTP

I. Email Basics

Function: Handles and delivers email. Protocols:

SMTP (Simple Mail Transfer Protocol): Sending emails.
POP3 (Post Office Protocol 3): Receiving emails (typically removes from server).
IMAP4 (Internet Message Access Protocol 4): Receiving emails (keeps on server).

Ports:

SMTP: TCP/25 (unencrypted), TCP/465 (encrypted), TCP/587 (encrypted/STARTTLS)
POP3: TCP/110 (unencrypted), TCP/995 (encrypted)
IMAP4: TCP/143 (unencrypted), TCP/993 (encrypted)

Attack Vectors:

Misconfigurations (anonymous access, weak protocols).
User enumeration.
Password attacks (spraying, brute-forcing).
Exploiting vulnerabilities (e.g., open relay, CVE-2020-7247).
Credential reuse attacks.
Email spoofing/phishing.

II. Enumeration

MX Records (Mail Exchanger):

host -t MX <domain>
dig mx <domain>

MXToolbox website
DNSdumpster for passive recon

A Records (IP Address):

host -t A <mail_server>
dig A <mail_server>

SPF, DKIM, and DMARC Records:

dig txt <domain>

Nmap (for custom mail servers):

nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <target_IP>

III. Misconfigurations

SMTP User Enumeration:

telnet <target_IP> 25
VRFY <username>
EXPN <mailing_list>
RCPT TO <username>

smtp-user-enum tool:

smtp-user-enum -M VRFY -U <user_list> -D <domain> -t <target_IP>

POP3 User Enumeration:

telnet <target_IP> 110
USER <username>
PASS <password>

IV. Cloud Enumeration

Office 365:

python3 o365spray.py --validate --domain <domain>
python3 o365spray.py --enum -U <user_list> --domain <domain>

Google Workspace Enumeration:

python3 enum_google.py --domain <domain>

V. Password Attacks

Hydra:

hydra -L <user_list> -P <password_list> <target_IP> <service>

Cloud Services (Office 365):

python3 o365spray.py --spray -U <user_list> -p <password> --count 1 --lockout 1 --domain <domain>

MailSniper (Office 365):

Invoke-Spray -Usernames <user_list> -Password <password> -OutFile results.txt

VI. Protocol-Specific Attacks

Open Relay:

nmap -p25 -Pn --script smtp-open-relay <target_IP>
swaks --from <sender> --to <recipient> --header 'Subject: <subject>' --body <body> --server <target_IP>

SMTP Spoofing (Manual Test):

telnet <target_IP> 25
HELO example.com
MAIL FROM:<spoofed@domain.com>
RCPT TO:<victim@domain.com>
DATA
Subject: Test
This is a spoofing test.
.
QUIT

VII. Latest Email Service Vulnerabilities

CVE-2020-7247 (OpenSMTPD):
- RCE vulnerability (exploitable since 2018).
- Affects OpenSMTPD up to version 6.6.2.
- No authentication required.
- Shodan.io for finding potentially vulnerable servers.
CVE-2021-27211 (Exim):
- Improper validation of recipient address.
- Can lead to RCE.

VIII. Additional Tools

Amass for passive DNS enumeration.
Shodan for discovering exposed mail servers.
TheHarvester for gathering email addresses.
Censys for advanced reconnaissance.

Previous6. DNS NextAttacking Common Applications

Last updated 19 days ago

hashtagI. Email Basics

hashtagII. Enumeration

hashtagIII. Misconfigurations

hashtagIV. Cloud Enumeration

hashtagV. Password Attacks

hashtagVI. Protocol-Specific Attacks

hashtagVII. Latest Email Service Vulnerabilities

hashtagVIII. Additional Tools