SMTP 25,465,587

SMTP Scanning and Enumeration - Ports 25, 465, 587

SMTP (Simple Mail Transfer Protocol) is the standard protocol for sending emails across the Internet. Below are the methods for scanning and enumerating SMTP services across different ports.

SMTP Overview:

  • Default Ports:

    • Port 25: Used for unencrypted email transmission between mail servers (deprecated for client email submission).

    • Port 465: Used for SMTP over SSL (deprecated).

    • Port 587: Used for SMTP with STARTTLS, the recommended port for email submission.

  • Protocol: SMTP is used for the transfer of email messages between servers. It does not handle the retrieval of emails but only the sending part.

Enumeration Techniques:

  1. Banner Grabbing:

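    • Use nc or nmap to grab the SMTP banner and get the version information. Port 465 expects a TLS handshake before any SMTP traffic, so plain nc shows no banner there; wrap that connection with openssl s_client.

    • Example:

      nc -vn <IP> 25
      openssl s_client -quiet -connect <IP>:465   # implicit TLS: banner appears after the handshake
      nc -vn <IP> 587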
  2. Unauthenticated Enumeration with Nmap:

    • Use nmap to detect SMTP service version and perform general enumeration.

      sudo nmap -sV -p25,465,587 -sC -A <IP>
  3. SMTP Commands for Enumeration:

    • Use basic SMTP commands to communicate with the server and retrieve information. Example:

      telnet <IP> 25
      EHLO <domain>  # Get supported features
      HELP  # List supported SMTP commands
  4. Check for Open Relay:

    • Test if the SMTP server is configured as an open relay, which could allow anyone to send emails through the server. Example:

      telnet <IP> 25
      HELO <domain>
      MAIL FROM:<sender@domain.com>
      RCPT TO:<recipient@domain.com>
      DATA
      Subject: Test

      This is a test email.
      .
      QUIT
  5. SMTP Brute Force with Hydra:

    • Use Hydra to brute-force SMTP login attempts with a wordlist. Example:

      hydra -t 1 -l <username> -P <password_list> -vV <IP> smtp
  6. Automated Checks with Nmap Scripts:

    • Use nmap scripts to check for known vulnerabilities and misconfigurations in SMTP services. Example:

      nmap --script="smtp-*" -p 25,465,587 <IP>   # quoted so the shell does not expand the wildcard
  7. SMTP with STARTTLS (Port 587):

    • Use openssl or nmap to check for the presence of STARTTLS support. Example:

      openssl s_client -connect <IP>:587 -starttls smtp
      nmap -p 587 --script=smtp-commands <IP>   # STARTTLS is listed among the EHLO extensions if supported
  8. SSL/TLS Version Enumeration (Port 465):

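    • Use openssl to test SSL/TLS versions for SMTP over SSL on port 465. The output shows the protocol version and cipher that were negotiated; add a protocol flag such as -tls1_2 to test one version at a time. Example: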

      openssl s_client -connect <IP>:465
  9. SMTP Authentication Check:

    • Check if SMTP authentication is enabled and test for weak credentials. Example:

      telnet <IP> 25
      EHLO <domain>
      AUTH LOGIN  # If supported, the server prompts for base64-encoded credentials
  10. Check for SMTP Server Version:

    • Enumerate SMTP version to check for known vulnerabilities in the server version. Example:

      telnet <IP> 25
      EHLO <domain>
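
The EHLO replies collected in steps 3, 7 and 9 can be reviewed offline for hardening gaps. The Python below is an added example, not part of the original page: it parses a multi-line EHLO reply and flags a missing STARTTLS, AUTH offered on a cleartext session, and advertised VRFY/EXPN. The sample reply, host names and function names are constructed for illustration.

```python
import re

# Constructed EHLO reply from a cleartext session (not captured from a real host).
SAMPLE_EHLO = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-VRFY\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(raw):
    """Map each advertised extension keyword to its parameter list."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    extensions = {}
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        # "250-" means more lines follow; "250 " must be the final line.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("truncated reply or misplaced continuation marker")
        words = m.group(3).split()
        if i == 0 or not words:
            continue  # first line is the greeting, not an extension
        # Some servers also send the legacy form "AUTH=LOGIN PLAIN".
        keyword, _, first = words[0].partition("=")
        extensions[keyword.upper()] = ([first] if first else []) + words[1:]
    return extensions

def audit(extensions, tls_active=False):
    """Return hardening findings for one parsed EHLO reply."""
    findings = []
    if not tls_active and "STARTTLS" not in extensions:
        findings.append("STARTTLS not offered: session cannot be upgraded to TLS")
    if not tls_active and "AUTH" in extensions:
        mechs = " ".join(extensions["AUTH"])
        findings.append(f"AUTH offered before TLS ({mechs}): require STARTTLS first")
    for cmd in ("VRFY", "EXPN"):
        if cmd in extensions:
            findings.append(f"{cmd} advertised: disable to limit user enumeration")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ehlo(SAMPLE_EHLO)):
        print("[!]", finding)
```

Pass tls_active=True when the reply was captured after STARTTLS or on port 465, where AUTH is expected to be advertised.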

Useful Tools for Scanning:

  • Nmap: For version detection, script scanning, and vulnerability checks.

  • Hydra: For brute-forcing SMTP credentials.

  • Telnet: For basic manual enumeration of the SMTP server.

  • openssl: For checking SSL/TLS support on SMTP servers.

  • smtp-user-enum: For enumerating valid email addresses or usernames.
