Simple Mail Transfer Protocol (SMTP) – port 25

• Simple Mail Transfer Protocol (Wikipedia)
• RFC 5321 Simple Mail Transfer Protocol
• What SMTP Port Should I Use?
• Sender Policy Framework (Wikipedia)

💡 See Email Authentication.

Enumeration

• Nmap 
• smtp_users_enumeration.py

Ports

Port	Description
25	Standard SMTP port
465	Deprecated port for secure SMTP
587	Modern port for secure SMTP
2525	Alternative, non-standard SMTP port

Nmap Scripts

nmap -p 25,465,587 x.x.x.1-254 -oG smtp-sweep.txt

Enumerate users on a SMTP server by issuing the VRFY, EXPN or RCPT TO commands. See smtp-enum-users documentation.

Default username file: /usr/share/nmap/nselib/data/usernames.lst

nmap -p 25,465,587 --script=smtp-enum-users.nse $IP

nmap -p 25,465,587 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={EXPN,RCPT,VRFY},unpwdb.timelimit=0,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt $IP

iSMTP

Not impressed by results…

sudo apt install ismtp

ismtp -h

User enumeration with VRFY method

ismtp -e usernames.txt -l 1 -t 30 -f ips.txt

smtp-user-enum

Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY or RCPT TO.

Installation

sudo apt install smtp-user-enum

Help

smtp-user-enum -h

Enumerate usernames

IP=x.x.x.x
USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt

smtp-user-enum -M VRFY -u idontexist -t $IP

smtp-user-enum -M EXPN -u admin1 -t $IP

smtp-user-enum -M RCPT -U $USERS -t $IP

mtp-user-enum -M EXPN -D example.com -U $USERS -t $IP

Bruteforce credentials

See Hydra. CAN ALSO BRUTEFORCE USERNAMES!

Telnet

telnet $IP 25

Netcat

nc -C $IP 25

Verify an email address

VRFY root
VRFY idontexist

for IP in $(cat ips.txt); do echo $IP; echo "VRFY root" | nc -C -w 10 $IP 25; done

Membership of a mailing list

EXPN

Authentication

EHLO mailserver
AUTH LOGIN
334 VXNlcm5hbWU6   --- This means "Username:" in base 64
[username in base64]
334 UGFzc3dvcmQ6   --- This means "Password:" in base 64
[password in base 64]

235 Authentication succeeded

Return codes

Code 	Meaning
200 	(nonstandard success response, see rfc876)
211 	System status, or system help reply
214 	Help message
220 	<domain> Service ready
221 	<domain> Service closing transmission channel
250 	Requested mail action okay, completed
251 	User not local; will forward to <forward-path>
252 	Cannot VRFY user, but will accept message and attempt delivery
354 	Start mail input; end with <CRLF>.<CRLF>
421 	<domain> Service not available, closing transmission channel
450 	Requested mail action not taken: mailbox unavailable
451 	Requested action aborted: local error in processing
452 	Requested action not taken: insufficient system storage
500 	Syntax error, command unrecognised
501 	Syntax error in parameters or arguments
502 	Command not implemented
503 	Bad sequence of commands
504 	Command parameter not implemented
521 	<domain> does not accept mail (see rfc1846)
530 	Access denied (???a Sendmailism)
550 	Requested action not taken: mailbox unavailable
551 	User not local; please try <forward-path>
552 	Requested mail action aborted: exceeded storage allocation
553 	Requested action not taken: mailbox name not allowed
554 	Transaction failed

Send an email

• Establish a connection to the SMTP port of the mail server.
• Identify yourself to the mail server (use a domain name, not an email address)
• Specify a return address for the message
• Specify at least one recipient for the message
• Send the message data
• Terminate the connection

# The -C option instructs the OpenBSD variant # of netcat to send a carriage 
# return (CR) followed by a linefeed (LF) at the end of each line. As noted 
# above, the traditional variant of netcat lacks this option.
# Use HELO or EHLO (more recent)
nc -C $IP 25
   HELO domain.com
   MAIL FROM:alice@hacker.com
   RCPT TO:bob@secure.net
   DATA
   From: alice@hacker.com
   To: bob@secure.net
   Date: Mon, 12 Apr 2010 14:21:26 -0400
   Subject: Test Message

   This is a test email
   Alice
   .
   QUIT

Send an email – From file

nc -C $IP 25 < email.txt

email.txt

EHLO hostname
MAIL FROM: sender@example.com
RCPT TO:   recipient@example.com
DATA
From: A sender <sender@example.com>
To:   <recipient@example.com>
Date: date
Subject: A test message from hostname

Hi, this is a test email.
.
QUIT

Send an email – Script

#!/usr/bin/expect
set timeout 30
proc abort {} { exit 2 }
spawn nc -C mail.example.org 25
expect default abort "220 "
send "HELO example.com\r"
expect default abort "\n250 "
send "MAIL FROM:bar@example.org\r"
expect default abort "\n250 "
send "RCPT TO:foo@example.org\r"
expect default abort "\n250 "
send "DATA\r"
expect default abort "\n354 "
send "From: bar@example.org\r"
send "To: foo@example.com\r"
send "Subject: Test\r"
send "Date: Thu, 20 Dec 2012 12:00:00 +0000\r"
send "\r"
send "Testing\r"
send ".\r"
expect default abort "\n250 "
send "QUIT\r"