> See SMTP Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/SMTP (25,465,587)|SMTP (25,465,587)]]
> See POP3/IMAP Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/IMAP (143,993) & POP3 (110,995)|IMAP (143,993) & POP3 (110,995)]]

# Introduction

- A mail server handles and delivers email over a network
	- Can receive emails from a client device and send emails to other mail servers
	- Can also deliver emails to a client device
- A client device is usually a device that hosts an email client app where we read/compose emails
	- Upon sending an email within our email client, the email client establishes a connection to an SMTP server on the network
	- When we download emails to our email client, the email client establishes a connection to a POP3/IMAP server on the network

![[images/Pasted image 20251019195517.png]]

- By default, POP3 clients remove downloaded messages from the email server
	- This makes it difficult to sync an inbox across multiple devices
	- This behaviour can be changed in the client ("leave a copy on the server"); IMAP keeps messages on the server by default

| **Port**  | **Service**                                                                  |
| --------- | ---------------------------------------------------------------------------- |
| `TCP/25`  | SMTP Unencrypted (server-to-server relay; STARTTLS may be offered)          |
| `TCP/143` | IMAP4 Unencrypted (STARTTLS may be offered)                                  |
| `TCP/110` | POP3 Unencrypted (STARTTLS may be offered)                                   |
| `TCP/465` | SMTP Encrypted (implicit TLS)                                                |
| `TCP/587` | SMTP Submission, [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) (normally requires authentication) |
| `TCP/993` | IMAP4 Encrypted (implicit TLS)                                               |
| `TCP/995` | POP3 Encrypted (implicit TLS)                                                |

# Enumeration

- An MX record specifies the mail server responsible for accepting email messages on behalf of a domain name
- It is possible to configure several MX records, typically pointing to an array of mail servers for load balancing and redundancy
	- Each record carries a preference value; the lowest value is tried first, so that host is usually the primary target
- [MXToolbox](https://mxtoolbox.com/) can be used to query information about the MX records
- We can also manually query MX records with `dig` and `host`

```bash
host -t MX inlanefreight.htb
host -t A mail1.inlanefreight.htb
dig MX inlanefreight.htb @<dns_server_ip>
dig MX inlanefreight.htb | grep -i "mx" | grep -v ";"
```

- Once the mail hosts are known, scan the mail ports for service and version information

```bash
sudo nmap <target_ip> -Pn -sCV -p25,110,143,465,587,993,995
```

# User Enumeration

- Email services typically use authentication to allow users to send and receive emails
- A misconfiguration can happen when the SMTP service allows anonymous authentication or supports protocols that can be used to enumerate valid usernames
- SMTP has different commands that can be used to enumerate valid usernames: `VRFY`, `EXPN`, and `RCPT TO`
	- Many servers disable `VRFY`/`EXPN` or answer every query with `252` ("cannot verify, but will attempt delivery"); that response is inconclusive, not a confirmation
- If we successfully enumerate valid usernames, we can attempt password spraying, brute-forcing, or guessing a valid password

## SMTP `VRFY` Command

- The `VRFY` command instructs the SMTP server to check the validity of a particular email username
- A `250`/`251` reply confirms the user, a `550` (or `551`/`553`) reply rejects it, and `252` means the server refuses to say

```bash
telnet <target_ip> 25

VRFY root
--output--

VRFY www-data
--output--

VRFY new-user
--output--
```

## SMTP `EXPN` Command

- `EXPN` is similar to `VRFY`, except that when used with a distribution list, it will list all users on that list
- Can be a bigger problem than the `VRFY` command since sites often have an alias such as "all"

```bash
telnet <target_ip> 25

EXPN john
--output--

EXPN support-team
--output--
```

## SMTP `RCPT TO` Command

- The `RCPT TO` command identifies the recipient of the message
- This command can be repeated multiple times for a given message to deliver a single message to multiple recipients
- A `MAIL FROM` must be sent first; after that, each `RCPT TO` answers `250` for a known recipient and `550 5.1.1 ... User unknown` for an unknown one, which is what makes it usable for enumeration even when `VRFY`/`EXPN` are disabled

```bash
telnet <target_ip> 25

MAIL FROM:<sender_address>
250 2.1.0 <sender_address>... Sender ok

RCPT TO:julio
550 5.1.1 julio... User unknown

RCPT TO:kate
550 5.1.1 kate... User unknown

RCPT TO:john
```

## POP3 `USER` Command

- Leverage the POP3 protocol to enumerate users
- This only works when the server answers `USER` differently for valid and invalid names (e.g. `+OK` vs `-ERR`); servers that always answer `+OK` and only fail at `PASS` leak nothing here

```bash
telnet <target_ip> 110

USER julio
--output--

USER john
--output--
```

## Automating User Enumeration

```bash
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t <target_ip>

# -M flag selects the SMTP command to use (VRFY, EXPN, or RCPT)
# -U flag for the userlist to enumerate
# -D flag for the domain appended to each username
# -t flag for the target host <target_ip>
```

## Cloud Enumeration

- Cloud service providers use their own implementation for email services
- These services commonly have custom features that we can abuse for our operation, such as username enumeration
- Below we use Office 365 as an example and explore how we can enumerate usernames in this cloud platform

```bash
python3 o365spray.py --validate --domain msplaintext.xyz # validate that the target is using Office 365
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz # enumerate users
```

# Password Attacks

- We can use `hydra` to brute-force email services: SMTP, POP3, and IMAP
- Spray one password across the enumerated users rather than many passwords against one user, and respect the target's lockout policy (`o365spray` exposes this as `--count` attempts per `--lockout` window in hours)

```bash
hydra -L users.txt -p 'password123' -f <target_ip> pop3

python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
```

# Protocol Specific Attacks

## SMTP Open Relay

- An open relay is an SMTP server which is improperly configured and allows unauthenticated email relay
- Messaging servers that are accidentally or intentionally configured as open relays allow mail from any source to be transparently re-routed through the open relay server
- **This behavior masks the source of the messages and makes it look like the mail originated from the open relay server**
- The test is simple: connect without authenticating, give a `MAIL FROM` and `RCPT TO` that are both outside the server's own domains, and see whether the `RCPT TO` is accepted (`250`) instead of refused (`550 5.7.1 Relaying denied` or similar)

```bash
sudo nmap <target_ip> -p25 -Pn --script smtp-open-relay
```

- Once confirmed with the above nmap script, we can use any mail client to connect to the mail server and send our email

```bash
# swaks (Swiss Army Knife for SMTP) can be used to send emails from the command line
swaks --from <sender_address> --to <recipient_address> --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server <target_open_relay_ip>
```
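The `VRFY`/`RCPT TO` enumeration and the open-relay probe above are the same SMTP exchange with different verbs, so they are easiest to understand as one script. The block below is an added example, not part of these notes or of `smtp-user-enum`/nmap: it implements a small SMTP client that classifies reply codes (2xx confirmed, 5xx rejected, `252`/4xx inconclusive) and runs both checks against a constructed in-process fake Sendmail-style server, so it works offline. The fake server's domain, mailbox names and reply strings are assumptions made up for the demo; point the client functions at a real host and port to use them on an engagement.

```python
"""SMTP user enumeration (VRFY / RCPT TO) and open-relay probe.
Added example; the fake server below is constructed so the script runs offline."""
import socket
import socketserver
import threading

# Constructed test fixture: the fake server's domain and local mailboxes (assumptions).
LOCAL_DOMAIN = "inlanefreight.htb"
LOCAL_USERS = {"root", "www-data", "john"}


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal Sendmail-like responder; self.server.relay_allowed toggles open relay."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply(f"220 mail1.{LOCAL_DOMAIN} ESMTP Sendmail")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply(f"250 mail1.{LOCAL_DOMAIN} Hello")
            elif verb == "VRFY":
                user = arg.split("@")[0]
                if user in LOCAL_USERS:
                    self.reply(f"250 2.1.5 {user} <{user}@{LOCAL_DOMAIN}>")
                else:
                    self.reply(f"550 5.1.1 {arg}... User unknown")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[1].strip("<> ")
                user, _, domain = addr.partition("@")
                if domain in ("", LOCAL_DOMAIN):      # local delivery: leaks user validity
                    ok = user in LOCAL_USERS
                    self.reply(f"250 2.1.5 {addr}... Recipient ok" if ok
                               else f"550 5.1.1 {addr}... User unknown")
                elif self.server.relay_allowed:        # foreign domain: relay decision
                    self.reply(f"250 2.1.5 {addr}... Recipient ok")
                else:
                    self.reply("550 5.7.1 Relaying denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_fake_server(relay_allowed):
    """Start the fake server on a free loopback port; server_address gives (host, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.relay_allowed = relay_allowed
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class SMTPClient:
    """Line-oriented SMTP client that returns (reply_code, full_reply_text)."""

    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rwb")
        self.banner = self._read()

    def _read(self):
        lines = []
        while True:  # multi-line replies use "250-..." continuation lines, "250 " ends them
            line = self.f.readline().decode(errors="replace").rstrip("\r\n")
            if not line:
                raise ConnectionError("server closed connection")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), "\n".join(lines)

    def cmd(self, line):
        self.f.write((line + "\r\n").encode())
        self.f.flush()
        return self._read()

    def close(self):
        try:
            self.cmd("QUIT")
        finally:
            self.sock.close()


def classify(code):
    """2xx = valid, 5xx = invalid; 252 ('cannot verify') and 4xx prove nothing."""
    if code == 252 or 400 <= code < 500:
        return "unknown"
    return "valid" if 200 <= code < 300 else "invalid"


def enumerate_users(host, port, candidates, domain, method="RCPT"):
    """Map each candidate to valid/invalid/unknown using VRFY or RCPT TO on one session."""
    c = SMTPClient(host, port)
    c.cmd("EHLO attacker.local")                      # hypothetical client hostname
    if method == "RCPT":
        c.cmd("MAIL FROM:<probe@attacker.local>")     # one envelope, many RCPT TO probes
    results = {}
    for user in candidates:
        probe = f"VRFY {user}" if method == "VRFY" else f"RCPT TO:<{user}@{domain}>"
        code, _ = c.cmd(probe)
        results[user] = classify(code)
    c.close()
    return results


def is_open_relay(host, port):
    """Same logic as nmap's smtp-open-relay: external sender to external recipient accepted."""
    c = SMTPClient(host, port)
    c.cmd("EHLO attacker.local")
    c.cmd("MAIL FROM:<probe@attacker.local>")
    code, _ = c.cmd("RCPT TO:<victim@external.example>")
    c.close()
    return 200 <= code < 300


if __name__ == "__main__":
    srv = start_fake_server(relay_allowed=True)
    host, port = srv.server_address
    print(enumerate_users(host, port, ["root", "julio", "kate", "john"], LOCAL_DOMAIN))
    print("open relay:", is_open_relay(host, port))
    srv.shutdown()
    srv.server_close()
```

The `classify` step is the part worth keeping: `smtp-user-enum` reports a hit on any 2xx, so a server that answers `252` to every `VRFY` will look like it has every user in the wordlist unless the inconclusive code is separated out. The same valid/invalid split applies to POP3 `USER`, with `+OK`/`-ERR` in place of the numeric codes.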