SMTP Penetration Testing: A Comprehensive Guide
Essential Guide to Testing SMTP Security
Explore this comprehensive guide on SMTP penetration testing, a crucial technique for assessing the security of your email servers.
In this article, Kali is used as a client, and a Windows Server 2012 as an SMTP Server.
SMTP Introduction
Protocol    Port   Description
SMTP        25     Plaintext SMTP, mainly server-to-server relay; STARTTLS may be offered on top
SSL/TLS     465    Implicit TLS from the first byte (SMTPS)
StartTLS    587    Mail submission from clients; the plaintext session is upgraded with STARTTLS
MUA → MSA → MTA → internet → MTA → MDA → MUA
Outlook → Exchange → firewall → internet → SMTP-Server of the receiving side → mail-server of the receiving side → Outlook of receiver
SMTP Commands
Command     Description                                      RFC
HELO        Identifies the sending SMTP server               RFC 5321
EHLO        Extended HELO, provides more information         RFC 5321
MAIL FROM   Specifies the sender’s email address             RFC 5321
RCPT TO     Specifies the recipient’s email address          RFC 5321
DATA        Initiates the message data transmission          RFC 5321
RSET        Resets the session to initial state              RFC 5321
VRFY        Requests verification of an email address        RFC 5321
EXPN        Requests the expansion of a mailing list         RFC 5321
NOOP        No operation, used for testing or keep-alive     RFC 5321
QUIT        Closes the SMTP session                          RFC 5321
AUTH        Initiates authentication process                 RFC 4954
STARTTLS    Initiates a secure TLS session                   RFC 3207
HELP        Requests help information from the server        RFC 5321
RFC 821 – Simple Mail Transfer Protocol
Original protocol definition for SMTP. This document covers the model, operating procedure, and protocol details for SMTP.
RFC 1869 – SMTP Service Extensions
Definition of the ESMTP extensions for SMTP. This describes a framework for extending SMTP with new commands (EHLO), supporting dynamic discovery of the commands provided by the server, and defines a few additional commands.
Both documents have since been consolidated into RFC 5321, which is the reference the command table above cites for the core commands.
SMTP Penetration Testing
SMTP Tools
Footprinting SMTP Service
Enumerate SMTP Service
SMTP Vulnerabilities
SMTP Attacks
SMTP – Pentest Tools
Tool             Description
swaks            Swiss Army Knife for SMTP: scripted test transactions against a server
smtp-user-enum   Username enumeration through VRFY, EXPN or RCPT TO responses
nmap             Network scanner with SMTP NSE scripts
msfconsole       Metasploit Framework console (auxiliary/scanner/smtp modules)
THC Hydra        Network login brute-forcer with an SMTP AUTH module
SMTP Reconnaissance
Nmap SMTP NSE Scripts
nmap --script smtp-brute,smtp-commands,smtp-enum-users,smtp-vuln-cve2011-1764 -p 25,465,587 <target>
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target>
SMTP Metasploit Modules
auxiliary/scanner/smtp/smtp_enum
auxiliary/scanner/smtp/smtp_relay
auxiliary/scanner/smtp/smtp_version
Footprinting SMTP Service
sudo nmap 10.129.172.83 -sC -sV -p25,465,587
SMTP Enumeration
SMTP enumeration probes a mail server for what it gives away: the banner and software version, the commands and extensions it supports, whether VRFY, EXPN or RCPT TO confirm which users exist, and whether it relays mail for third parties.
The same checks serve network administrators and IT staff hardening a server and ethical hackers assessing it, since every answer the server volunteers is one an attacker can collect as well.
This section walks through the tools used for SMTP enumeration; the vulnerability and attack sections that follow cover what the findings can lead to.
nmap -p25 --script smtp-commands 172.180.22.16
auxiliary/scanner/smtp/smtp_enum
Banner Grabbing
nc -vn 172.180.22.16 25
SMTP User Enumeration
nmap --script smtp-enum-users.nse 172.180.22.16
smtp-user-enum -M VRFY -U list.txt -t 10.129.172.83
Open Relay
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
nmap -p25 --script smtp-open-relay 172.180.22.16 -v
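The user-enumeration and open-relay checks above probe two decisions a server makes in the envelope phase. This added Python state machine (example code, not from the article) answers the commands from the table earlier in the article the way a hardened server should: VRFY and EXPN give the same reply for every name, and RCPT TO is refused for domains the server is not responsible for. The hostname mail.example.com and the LOCAL_DOMAINS set are assumptions.

```python
import re
LOCAL_DOMAINS = {"example.com"}   # assumed: the domains this server accepts mail for
ADDR_RE = re.compile(r"^<?([^<>@\s]+@[^<>@\s]+)>?$")
# Argument-independent replies; VRFY/EXPN answer every name alike, so they are no enumeration oracle.
STATIC = {"NOOP": "250 2.0.0 OK", "QUIT": "221 2.0.0 Bye", "HELP": "214 2.0.0 See RFC 5321",
          "VRFY": "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery",
          "EXPN": "502 5.5.1 EXPN not supported"}

class SmtpSession:
    def __init__(self):
        self.in_data = False
        self.reset()
    def reset(self):                   # RSET and end-of-DATA both clear the envelope
        self.sender, self.rcpts = None, []
    def handle(self, line):            # one client line (without CRLF) -> server reply
        if self.in_data:               # inside DATA only the terminating "." is answered
            if line != ".":
                return ""
            self.in_data, n = False, len(self.rcpts)
            self.reset()
            return f"250 2.0.0 Queued for {n} recipient(s)"
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in STATIC:
            return STATIC[verb]
        if verb in ("HELO", "EHLO"):   # EHLO advertises extensions, one per continuation line
            return "250 mail.example.com" if verb == "HELO" else "250-mail.example.com\r\n250 STARTTLS"
        if verb == "RSET":
            self.reset()
            return "250 2.0.0 OK"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            m = ADDR_RE.match(arg[5:].strip())
            if not m and arg[5:].strip() != "<>":    # "<>" is the null sender used for bounces
                return "501 5.1.7 Bad sender address syntax"
            self.sender, self.rcpts = (m.group(1) if m else ""), []
            return "250 2.1.0 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            m = ADDR_RE.match(arg[3:].strip())
            if self.sender is None or not m:
                return "503 5.5.1 MAIL first" if self.sender is None else "501 5.1.3 Bad recipient syntax"
            if m.group(1).rsplit("@", 1)[1].lower() not in LOCAL_DOMAINS:
                return "554 5.7.1 Relay access denied"   # refuse to act as an open relay
            self.rcpts.append(m.group(1))
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Command not recognized"
```

Feeding the same VRFY probes that smtp-user-enum sends into handle() yields identical 252 replies, and a RCPT TO for a foreign domain gets the 554 that nmap's smtp-open-relay script treats as a closed relay.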
SMTP Vulnerabilities
SMTP Injection
Directory harvest attack (DHA)
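A directory harvest attack leaves a trail on the server side: many RCPT TO rejections for unknown users from one source in a short time. The following detection, an added Python example that is not part of the article, flags such sources in Postfix-style smtpd reject lines using a sliding time window. The sample log lines, the 5-minute window and the threshold of 5 distinct unknown recipients are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd reject line for an unknown local recipient (constructed samples below).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: .*User unknown")

# Constructed sample: one source walks an alphabetical list of names in six minutes,
# another host merely mistypes one real colleague's address.
SAMPLE_LOG = [
    f"Mar 10 09:1{i}:00 mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    f"550 5.1.1 <{name}@example.com>: Recipient address rejected: User unknown in local "
    f"recipient table; from=<news@sender.test> to=<{name}@example.com> proto=ESMTP helo=<m.sender.test>"
    for i, name in enumerate(["aaron", "abby", "adam", "alan", "alex", "amy"])
] + [
    "Mar 10 09:12:30 mx1 postfix/smtpd[4243]: NOQUEUE: reject: RCPT from mail.partner.test[198.51.100.7]: "
    "550 5.1.1 <jon.smith@example.com>: Recipient address rejected: User unknown in local "
    "recipient table; from=<hr@partner.test> to=<jon.smith@example.com> proto=ESMTP helo=<mail.partner.test>"
]

def detect_dha(lines, threshold=5, window_minutes=5, year=2024):
    """Map source IP -> peak number of distinct unknown recipients it tried inside any
    window of window_minutes, for sources that reached threshold (syslog lines carry no year)."""
    events = defaultdict(list)
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["rcpt"].lower()))
    window, flagged = timedelta(minutes=window_minutes), {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:     # slide the window's left edge forward
                start += 1
            distinct = len({rcpt for _, rcpt in evs[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```

Counting distinct recipients rather than raw rejections keeps a legitimate sender retrying one mistyped address from tripping the rule.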
SMTP Post Exploitation
SWAKS
swaks --to remote-user@example.com --from local-user@ --server mail.example.com --body "hello"
sendEmail -t dept@victim.com -f support@rfs.com -s 192.168.8.131 -u "Important Upgrade Instructions" -a /tmp/BestComputers-UpgradeInstructions.pdf
sudo python -m smtpd -n -c DebuggingServer :25
(The smtpd module was removed from the standard library in Python 3.12; on newer interpreters the aiosmtpd package provides the equivalent debugging server.)
SMTP Attacks
Attack Type                   Description
Email Spoofing                Forging the sender’s email address to appear as if it’s from a different source.
Email Phishing                Sending deceptive emails to trick recipients into revealing sensitive information.
Man-in-the-Middle (MITM)      Intercepting and possibly altering communication between the email client and server.
Brute-Force Attacks           Repeatedly attempting different username and password combinations to gain unauthorized access.
Email Bombing                 Flooding an email inbox with an overwhelming number of emails, causing denial of service.
Email Relay Attacks           Exploiting open email relays to send spam or malicious emails through a compromised server.
SMTP User Enumeration         Determining valid email addresses by exploiting SMTP server responses.
SMTP Command Injection        Manipulating SMTP commands to execute arbitrary code on the SMTP server.
SMTP Header Injection         Injecting malicious content into email headers to trick email clients into unintended actions.
Denial of Service (DoS)       Overwhelming SMTP servers with excessive traffic, causing email service disruption.
Email Harvesting              Using automated tools to gather email addresses for spam campaigns or other malicious purposes.
Email Eavesdropping           Intercepting unencrypted emails during transmission to access sensitive information.
Email Attachment Exploits     Exploiting vulnerabilities in email attachments to execute malware on the recipient’s system.
Malicious Email Attachments   Sending attachments or links to infected files or websites to trick recipients into downloading malware or revealing sensitive information.