SMTP Attacks

Default Configuration

cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d"
smtpd_banner = ESMTP Server 
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail1.inlanefreight.htb
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
mydestination = $myhostname, localhost 
masquerade_domains = $myhostname
mynetworks = 127.0.0.0/8 10.129.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
smtp_bind_address = 0.0.0.0
inet_protocols = ipv4
smtpd_helo_restrictions = reject_invalid_hostname
home_mailbox = /home/postfix

Command      Description

AUTH PLAIN   AUTH is a service extension used to authenticate the client.
HELO         The client logs in with its computer name and thus starts the session.
MAIL FROM    The client names the email sender.
RCPT TO      The client names the email recipient.
DATA         The client initiates the transmission of the email.
RSET         The client aborts the initiated transmission but keeps the connection between client and server.
VRFY         The client checks if a mailbox is available for message transfer.
EXPN         Like VRFY, the client checks with this command if a mailbox is available for messaging.
NOOP         The client requests a response from the server to prevent disconnection due to time-out.
QUIT         The client terminates the session.

Telnet - HELO/EHLO

  • The command VRFY can be used to enumerate existing users on the system.

    • However, this does not always work. Depending on how the SMTP server is configured, it may issue code 252 and confirm the existence of a user that does not exist on the system.

    • A list of all SMTP response codes can be found here.

Telnet - VRFY

  • Sometimes we may have to work through a web proxy. We can also make this web proxy connect to the SMTP server; the request we would send to the proxy would then look something like this: CONNECT 10.129.14.128:25 HTTP/1.0

Send an Email

  • All the commands we enter on the command line to send an email are familiar from every email client program, such as Thunderbird, Gmail, Outlook, and many others.

    • There we specify the subject, the recipient, CC, BCC, and the information we want to share with others. Of course, the same works from the command line.

Key Points About Email Headers

  • Information Carrier: Contains valuable details about an email.

  • Included Information:

    • Sender (mandatory)

    • Recipient (mandatory)

    • Sending time (mandatory)

    • Arrival time (optional)

    • Email route (optional)

    • Content and format (optional)

  • Email Header Structure

    • https://datatracker.ietf.org/doc/html/rfc5322
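As an added example (not part of the original notes), the following Python script parses a constructed message and reconstructs its route from the Received headers, the "email route" item above. It assumes nothing beyond the standard library; the host names other than mail1.inlanefreight.htb are placeholders.

```python
"""Reconstruct an email's delivery route from its Received headers.

Every relay prepends its own Received: line, so the topmost line is the
last hop and the bottom one is the first; reading them bottom-up gives
the route in order. A hop timestamped earlier than the one before it is
worth a second look (clock skew, or a Received line forged by the sender).
"""
import email
import email.policy
import email.utils
import re

# Constructed sample (not a real capture). mail1.inlanefreight.htb is the
# Postfix host from the configuration above; the other names are placeholders.
RAW_MESSAGE = """\
Received: from mail1.inlanefreight.htb (mail1.inlanefreight.htb [10.129.14.128])
    by mx.example.net with ESMTP id abc123;
    Mon, 1 Jan 2024 10:02:00 +0000
Received: from client.example.org ([10.129.0.5])
    by mail1.inlanefreight.htb with ESMTP id xyz789;
    Mon, 1 Jan 2024 10:01:30 +0000
From: sender@inlanefreight.htb
To: recipient@example.net
Date: Mon, 1 Jan 2024 10:01:00 +0000

Hello
"""

# "from <host> ... by <host>" is the common shape of a Received clause.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")

def delivery_route(raw):
    """Return hops as dicts {from, by, time}, first hop first."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation lines
        match = HOP_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({"from": match.group(1) if match else None,
                     "by": match.group(2) if match else None,
                     "time": email.utils.parsedate_to_datetime(stamp) if stamp else None})
    return hops

def out_of_order_hops(hops):
    """Indexes of hops whose timestamp precedes the hop before them."""
    return [i for i in range(1, len(hops))
            if hops[i]["time"] and hops[i - 1]["time"]
            and hops[i]["time"] < hops[i - 1]["time"]]
```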

Dangerous Settings

Relay Servers and Spam Filtering:

  • Circumventing Spam Filters: Some senders use trusted relay servers to bypass recipient spam filters.

  • Trusted Relay Servers: These servers are known and verified by other email servers.

  • Authentication Requirement: The sender typically needs to authenticate with the relay server.

Open Relay Configuration

  • With this setting, anyone can use this SMTP server to send fake emails and thus initialize communication between multiple parties.

    • Another attack possibility would be to spoof the email and read it.

Footprinting the Service

  • Use the smtp-open-relay NSE script to identify whether the target SMTP server is an open relay; the script runs 16 different tests.

Enumerate users on SMTP

  • Did not work, need another tool.
