> For the complete documentation index, see [llms.txt](https://docs.wehost.co.in/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.wehost.co.in/cybersecurity/smtp/smtp-attacks.md). # SMTP Attacks ### Default Configuration ```shell-session cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d" ``` ```shell-session smtpd_banner = ESMTP Server biff = no append_dot_mydomain = no readme_directory = no compatibility_level = 2 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache myhostname = mail1.inlanefreight.htb alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases smtp_generic_maps = hash:/etc/postfix/generic mydestination = $myhostname, localhost masquerade_domains = $myhostname mynetworks = 127.0.0.0/8 10.129.0.0/16 mailbox_size_limit = 0 recipient_delimiter = + smtp_bind_address = 0.0.0.0 inet_protocols = ipv4 smtpd_helo_restrictions = reject_invalid_hostname home_mailbox = /home/postfix ``` | **Command** | **Description** | | ------------ | ------------------------------------------------------------------------------------------------ | | `AUTH PLAIN` | AUTH is a service extension used to authenticate the client. | | `HELO` | The client logs in with its computer name and thus starts the session. | | `MAIL FROM` | The client names the email sender. | | `RCPT TO` | The client names the email recipient. | | `DATA` | The client initiates the transmission of the email. | | `RSET` | The client aborts the initiated transmission but keeps the connection between client and server. | | `VRFY` | The client checks if a mailbox is available for message transfer. | | `EXPN` | The client also checks if a mailbox is available for messaging with this command. | | `NOOP` | The client requests a response from the server to prevent disconnection due to time-out. | | `QUIT` | The client terminates the session. | #### Telnet - HELO/EHLO ```shell-session telnet 10.129.14.128 25 ``` ```shell-session Trying 10.129.14.128... Connected to 10.129.14.128. Escape character is '^]'. 220 ESMTP Server HELO mail1.inlanefreight.htb 250 mail1.inlanefreight.htb EHLO mail1 250-mail1.inlanefreight.htb 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING ``` * The command `VRFY` can be used to enumerate existing users on the system. * However, this does not always work. Depending on how the SMTP server is configured, the SMTP server may issue `code 252` * and confirm the existence of a user that does not exist on the system. * A list of all SMTP response codes can be found [here](https://serversmtp.com/smtp-error/). #### Telnet - VRFY ```shell-session telnet 10.129.14.128 25 ``` ```shell-session Trying 10.129.14.128... Connected to 10.129.14.128. Escape character is '^]'. 220 ESMTP Server VRFY root 252 2.0.0 root VRFY cry0l1t3 252 2.0.0 cry0l1t3 VRFY testuser 252 2.0.0 testuser VRFY aaaaaaaaaaaaaaaaaaaaaaaaaaaa 252 2.0.0 aaaaaaaaaaaaaaaaaaaaaaaaaaaa ``` * Sometimes we may have to work through a web proxy. We can also make this web proxy connect to the SMTP server. The command that we would send would then look something like this: `CONNECT 10.129.14.128:25 HTTP/1.0` ### Send an Emails * All the commands we enter in the command line to send an email we know from every email client program like Thunderbird, Gmail, Outlook, and many others. * We specify the `subject`, to whom the email should go, CC, BCC, and the information we want to share with others. Of course, the same works from the command line. ```shell-session telnet 10.129.14.128 25 ``` ```shell-session Trying 10.129.14.128... Connected to 10.129.14.128. Escape character is '^]'. 220 ESMTP Server EHLO inlanefreight.htb 250-mail1.inlanefreight.htb 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING MAIL FROM: 250 2.1.0 Ok RCPT TO: NOTIFY=success,failure 250 2.1.5 Ok DATA 354 End data with . From: To: Subject: DB Date: Tue, 28 Sept 2021 16:32:51 +0200 Hey man, I am trying to access our XY-DB but the creds don't work. Did you make any changes there? . 250 2.0.0 Ok: queued as 6E1CF1681AB QUIT 221 2.0.0 Bye Connection closed by foreign host. ``` #### Key Points About Email Headers * **Information Carrier:** Contains valuable details about an email. * **Included Information:** * Sender (mandatory) * Recipient (mandatory) * Sending time (mandatory) * Arrival time (optional) * Email route (optional) * Content and format (optional) * Email Header Structure * ### Dangerous Settings #### Relay Servers and Spam Filtering: * **Circumventing Spam Filters:** Some senders use trusted relay servers to bypass recipient spam filters. * **Trusted Relay Servers:** These servers are known and verified by other email servers. * **Authentication Requirement:** The sender typically needs to authenticate with the relay server. #### Open Relay Configuration ```shell-session mynetworks = 0.0.0.0/0 ``` * With this setting, this SMTP server can send fake emails and thus initialize communication between multiple parties. * Another attack possibility would be to spoof the email and read it. ### Footprinting the Service ```shell-session sudo nmap 10.129.14.128 -sC -sV -p25 ``` ```shell-session Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 17:56 CEST Nmap scan report for 10.129.14.128 Host is up (0.00025s latency). PORT STATE SERVICE VERSION 25/tcp open smtp Postfix smtpd |_smtp-commands: mail1.inlanefreight.htb, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, MAC Address: 00:00:00:00:00:00 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds ``` * using the [smtp-open-relay](https://nmap.org/nsedoc/scripts/smtp-open-relay.html) NSE script to identify the target SMTP server as an open relay using 16 different tests ```shell-session sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v ``` ```shell-session Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-30 02:29 CEST NSE: Loaded 1 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 02:29 Completed NSE at 02:29, 0.00s elapsed Initiating ARP Ping Scan at 02:29 Scanning 10.129.14.128 [1 port] Completed ARP Ping Scan at 02:29, 0.06s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 02:29 Completed Parallel DNS resolution of 1 host. at 02:29, 0.03s elapsed Initiating SYN Stealth Scan at 02:29 Scanning 10.129.14.128 [1 port] Discovered open port 25/tcp on 10.129.14.128 Completed SYN Stealth Scan at 02:29, 0.06s elapsed (1 total ports) NSE: Script scanning 10.129.14.128. Initiating NSE at 02:29 Completed NSE at 02:29, 0.07s elapsed Nmap scan report for 10.129.14.128 Host is up (0.00020s latency). PORT STATE SERVICE 25/tcp open smtp | smtp-open-relay: Server is an open relay (16/16 tests) | MAIL FROM:<> -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO:<"relaytest@nmap.scanme.org"> | MAIL FROM: -> RCPT TO:<"relaytest%nmap.scanme.org"> | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO:<"relaytest@nmap.scanme.org"@[10.129.14.128]> | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO:<@[10.129.14.128]:relaytest@nmap.scanme.org> | MAIL FROM: -> RCPT TO:<@ESMTP:relaytest@nmap.scanme.org> | MAIL FROM: -> RCPT TO: | MAIL FROM: -> RCPT TO: |_ MAIL FROM: -> RCPT TO: MAC Address: 00:00:00:00:00:00 (VMware) NSE: Script Post-scanning. Initiating NSE at 02:29 Completed NSE at 02:29, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds Raw packets sent: 2 (72B) | Rcvd: 2 (72B) ``` #### Enumerate users on SMTP * DID not work need another tool ``` smtp-user-enum -M VRFY -U footprinting.txt -t 10.129.38.126 -v ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.wehost.co.in/cybersecurity/smtp/smtp-attacks.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.