25, 465 - SMTP

Theory

Simple Mail Transfer Protocol (SMTP) is used to send e-mails, and it uses TCP port 25. SMTP can also be used over SSL on port 465.

Methodology

  • Check whether the server supports the VRFY command so we can enumerate users.

  • Check if there is a public exploit for the target server.


Practical

Nmap Basic Enumeration

nmap -sV -O -sC -p25 -T5 <IP>

Nmap Advanced Enumeration

nmap -sV -O -p25 --script="smtp*" -T5 <IP>

Enumerate Users

Netcat

Use netcat to connect to the server and look for two users:

  • User gus, which doesn't exist

  • User root, which exists on the server

nc <IP> 25

VRFY gus

VRFY root
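
How to read the replies from the netcat check above, as an added example that is not part of the original page: it pairs each VRFY with the server's reply code and reports whether a missing name (gus) and an existing name (root) are answered differently. The C:/S: transcript format, both sample sessions and the function names are assumptions made for this example.

```python
import re

# What each RFC 5321 reply code to VRFY tells the client.
VRFY_MEANING = {
    250: "confirmed", 251: "confirmed",        # mailbox exists / will forward
    252: "not-verified",                       # cannot verify, will try delivery
    550: "rejected", 551: "rejected", 553: "rejected",
    500: "unsupported", 502: "unsupported",    # command unknown or disabled
}

# Constructed transcripts: "C:" is what was typed into netcat, "S:" is the
# server reply. Hostname and reply text are made up for this example.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP
C: VRFY gus
S: 550 5.1.1 <gus>: User unknown
C: VRFY root
S: 252 2.0.0 root
"""
HARDENED_SESSION = """\
S: 220 mail.example.test ESMTP
C: VRFY gus
S: 502 5.5.1 VRFY command is disabled
C: VRFY root
S: 502 5.5.1 VRFY command is disabled
"""


def parse_vrfy(transcript):
    """Return {name: reply_code} for every VRFY command in the transcript."""
    results, pending = {}, None
    for line in transcript.splitlines():
        cmd = re.match(r"C:\s*VRFY\s+(\S+)", line, re.IGNORECASE)
        if cmd:
            pending = cmd.group(1)
            continue
        reply = re.match(r"S:\s*(\d{3})([ -]|$)", line)
        # "-" after the code marks a continuation line; wait for the final one.
        if reply and pending and reply.group(2) != "-":
            results[pending] = int(reply.group(1))
            pending = None
    return results


def leaks_user_existence(results, missing, existing):
    """True if a known-missing and a known-existing name get different codes.
    Even 252 ("cannot verify") leaks when unknown names get 550 instead."""
    return results[missing] != results[existing]
```
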

Metasploit

msfconsole -q

use auxiliary/scanner/smtp/smtp_enum

set RHOSTS <IP>

run

python3 smtp-enum.py <IP>

