Explore this comprehensive guide on SMTP penetration testing, a crucial technique for assessing the security of your email servers.

SMTP, the Simple Mail Transfer Protocol, is a set of rules that govern how electronic mail is transmitted and received over the Internet.

It’s the standard protocol used for sending, relaying, and forwarding emails between servers. This ensures that emails can be sent and received reliably across different email systems.

SMTP Introduction

The process of sending an email involves multiple components, including mail servers, domain names, and internet service providers. One of the critical components is the use of specific ports to facilitate communication between servers.

These ports help in directing the emails to their appropriate destinations.

SMTP typically operates over port 25, which is the default port used for transmitting email traffic. However, for secure email transmissions, other ports like 465 and 587 are used, which support encrypted communication via SSL/TLS.

This adds a layer of security to the email-sending process by encrypting the data transmitted between servers.

ProtocolPortDescription
SMTP25
SSL/TLS465
StartTLS587

In addition to the ports, SMTP also involves various commands and responses that are exchanged between the email client and server.

These commands help in establishing the connection, sending the email data, and ensuring that the email has been successfully delivered. The responses, on the other hand, provide status codes and messages that indicate the success or failure of an email transaction.

Overall, SMTP plays a crucial role in ensuring that electronic mail can be seamlessly transmitted across the internet, making it an indispensable part of modern communication.

MUA → MSA → MTA → internet → MTA → MDA → MUA
Outlook → Exchange → firewall → internet → SMTP-Server of the receiving side → mail-server of the receiving side → Outlook of receiver

SMTP Commands

CommandDescriptionRFC
HELOIdentifies the sending SMTP serverRFC 5321
EHLOExtended HELO, provides more informationRFC 5321
MAIL FROMSpecifies the sender’s email addressRFC 5321
RCPT TOSpecifies the recipient’s email addressRFC 5321
DATAInitiates the message data transmissionRFC 5321
RSETResets the session to initial stateRFC 5321
VRFYRequests verification of an email addressRFC 5321
EXPNRequests the expansion of a mailing listRFC 5321
NOOPNo operation, used for testing or keep-aliveRFC 5321
QUITCloses the SMTP sessionRFC 5321
AUTHInitiates authentication processRFC 4954
STARTTLSInitiates a secure TLS sessionRFC 3207
HELPRequests help information from the serverRFC 5321

RFC 821 – Simple Mail Transfer Protocol

Protocol definition for SMTP. This document covers the model, operating procedure, and protocol details for SMTP.

RFC 1869 – SMTP Service Extensions

Definition of the ESMTP extensions for SMTP. This describes a framework for extending SMTP with new commands, supporting dynamic discovery of the commands provided by the server, and defines a few additional commands.

SMTP Penetration Testing

  1. SMTP Tools
  2. Footprinting SMTP Service
  3. Enumerate SMTP Service
  4. SMTP Vulnerabilities
  5. SMTP Attacks

SMTP – Pentest Tools

ToolDescriptionDownload
swaksSwiss Army Knife for SMTP
smtp-user-enum
nmapNetwork Scanner
msfconsole
THC Hydra

SMTP Reconnaissance

Nmap SMTP NSE Scripts

nmap --script smtp-brute,smtp-commands,smtp-enum-users,smtp-vuln-cve2011-1764 -p 25,465,587 <target-ip>
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 <target-ip>

SMTP Metasploit Modules

auxiliary/scanner/smtp/smtp_enum
auxiliary/scanner/smtp/smtp_relay
auxiliary/scanner/smtp/smtp_version

Footprinting SMTP Service

sudo nmap 10.129.172.83 -sC -sV -p25,465,587

SMTP Enumeration

SMTP Enumeration is a crucial aspect of the cybersecurity landscape that offers detailed insights into a system’s mail server.

This process is particularly significant for network administrators, IT professionals, and ethical hackers who are continuously working to identify and rectify system vulnerabilities.

In this article, we will delve into the world of SMTP Enumeration, its functions, merits, demerits, and the critical role it plays in network security.

Furthermore, we’ll explore different tools used in SMTP enumeration and discuss common strategies for preventing potential exploitation.

nmap -p25 --script smtp-commands 172.180.22.16
auxiliary/scanner/smtp/smtp_enum

SMTP Banner Grabbing is a technique used to gather information about an SMTP server. This involves connecting to the server and reading the initial greeting message, or “banner,” which often contains valuable information such as the server’s software version and other system details.

This information can be useful for identifying potential vulnerabilities or for understanding the network setup.

nc -vn 172.180.22.16 25

SMTP User Enumeration

SMTP User Enumeration is a technique used to discover valid email addresses on a mail server. Attackers can exploit this by sending specific commands or malformed email addresses to the mail server and analyzing the server’s responses.

This can reveal whether a particular email address exists, which can then be used for further attacks such as phishing or spamming.

nmap –script smtp-enum-users.nse 172.180.22.16
smtp-user-enum -M VRFY -U list.txt -t 10.129.172.83

Open Relay

An SMTP open relay is a mail server configured to allow anyone on the internet to send email through it. This can be problematic as spammers may exploit it to send unsolicited emails or malware.

To prevent misuse, it’s crucial to configure your SMTP server to relay emails only for authenticated users or specified IP addresses.

sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
nmap -p25 --script smtp-open-relay 172.180.22.16 -v

SMTP Vulnerabilities

SMTP, while essential for email communication, has various vulnerabilities that attackers can exploit:

  • Open Relay: Misconfigured servers can relay emails from any sender, allowing spammers to distribute unsolicited emails.
  • Man-in-the-Middle Attacks: Without encryption, SMTP traffic can be intercepted, leading to data breaches.
  • Spoofing: Attackers can forge sender addresses, making malicious emails appear as if they originated from a trusted source.
  • Relay Interception: Unauthorized interception of emails due to improper configuration, enabling third parties to read or alter messages.
  • Buffer Overflows: Exploiting software vulnerabilities by sending oversized payloads, potentially leading to server crashes or unauthorized access.

SMTP Injection

Directory harvest attack (DHA)

SMTP Post Exploitation

SWAKS

swaks --to remote-user@example.com --from local-user@<local-ip> --server mail.example.com --body "hello"
sendEmail -t dept@victim.com -f support@rfs.com -s 192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-UpgradeInstructions.pdf
sudo python -m smtpd -n -c DebuggingServer :25

SMTP Attacks

Attack TypeDescription
Email SpoofingForging the sender’s email address to appear as if it’s from a different source.
Email PhishingSending deceptive emails to trick recipients into revealing sensitive information.
Man-in-the-Middle (MITM)Intercepting and possibly altering communication between the email client and server.
Brute-Force AttacksRepeatedly attempting different username and password combinations to gain unauthorized access.
Email BombingFlooding an email inbox with an overwhelming number of emails, causing denial of service.
Email Relay AttacksExploiting open email relays to send spam or malicious emails through a compromised server.
SMTP User EnumerationDetermining valid email addresses by exploiting SMTP server responses.
SMTP Command InjectionManipulating SMTP commands to execute arbitrary code on the SMTP server.
SMTP Header InjectionInjecting malicious content into email headers to trick email clients into unintended actions.
Denial of Service (DoS)Overwhelming SMTP servers with excessive traffic, causing email service disruption.
Email HarvestingUsing automated tools to gather email addresses for spam campaigns or other malicious purposes.
Email EavesdroppingIntercepting unencrypted emails during transmission to access sensitive information.
Email Attachment ExploitsExploiting vulnerabilities in email attachments to execute malware on the recipient’s system.
Malicious Email AttachmentsSending attachments or links to infected files or websites to trick recipients into downloading malware or revealing sensitive information.
List of SMTP Attacks

SMTP Hacking Labs – Join us

SMTP Penetration Testing
HTB_RedTeamLabs

SSH Penetration Testing

FTP penetration testing

RDP Penetration Testing

SMB Penetration Testing

PostgreSQL Penetration Testing

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection

Categorized in:

Network Penetration Testing,