SMTP Attacks

Default Configuration

cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d"
smtpd_banner = ESMTP Server 
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail1.inlanefreight.htb
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
mydestination = $myhostname, localhost 
masquerade_domains = $myhostname
mynetworks = 127.0.0.0/8 10.129.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
smtp_bind_address = 0.0.0.0
inet_protocols = ipv4
smtpd_helo_restrictions = reject_invalid_hostname
home_mailbox = /home/postfix

Command      Description
AUTH PLAIN   AUTH is a service extension used to authenticate the client.
HELO         The client logs in with its computer name and thus starts the session.
MAIL FROM    The client names the email sender.
RCPT TO      The client names the email recipient.
DATA         The client initiates the transmission of the email.
RSET         The client aborts the initiated transmission but keeps the connection between client and server.
VRFY         The client checks if a mailbox is available for message transfer.
EXPN         Like VRFY, the client checks whether a mailbox (here a mailing list) is available for messaging.
NOOP         The client requests a response from the server to prevent disconnection due to a time-out.
QUIT         The client terminates the session.

Telnet - HELO/EHLO

telnet 10.129.14.128 25
Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server 


HELO mail1.inlanefreight.htb

250 mail1.inlanefreight.htb


EHLO mail1

250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
  • The command VRFY can be used to enumerate existing users on the system.

    • However, this does not always work. Depending on how the SMTP server is configured, it may answer with code 252 and thereby "confirm" a user that does not exist on the system.

    • A list of all SMTP response codes can be found here.

Telnet - VRFY

telnet 10.129.14.128 25
Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server 

VRFY root

252 2.0.0 root


VRFY cry0l1t3

252 2.0.0 cry0l1t3


VRFY testuser

252 2.0.0 testuser


VRFY aaaaaaaaaaaaaaaaaaaaaaaaaaaa

252 2.0.0 aaaaaaaaaaaaaaaaaaaaaaaaaaaa
  • Sometimes we may have to work through a web proxy. We can also make this web proxy connect to the SMTP server. The command that we would send would then look something like this: CONNECT 10.129.14.128:25 HTTP/1.0
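To make the code 252 caveat concrete, here is an added Python example (not part of the original notes) that parses SMTP replies the way RFC 5321 defines them, lists the extensions advertised in the EHLO reply above, and classifies VRFY answers so that a blanket 252 is reported as "unverified" rather than as a confirmed user. The reply strings are constructed from the sessions above, not captured live.

```python
import re

# Constructed from the telnet sessions above (not a live capture): the EHLO
# reply of mail1.inlanefreight.htb as one raw CRLF-terminated string.
EHLO_REPLY = "\r\n".join([
    "250-mail1.inlanefreight.htb", "250-PIPELINING", "250-SIZE 10240000",
    "250-ETRN", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250-DSN",
    "250-SMTPUTF8", "250 CHUNKING"]) + "\r\n"
_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(raw):
    """Split one (possibly multi-line) SMTP reply into (code, [text lines]).
    Per RFC 5321 continuation lines use 'NNN-' and the final line 'NNN '.
    Raises ValueError on malformed or truncated replies."""
    code, lines = None, []
    for line in raw.splitlines():
        m = _LINE.match(line)
        if not m or (code is not None and int(m.group(1)) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(m.group(1))
        lines.append(m.group(3))
        if m.group(2) == " ":            # 'NNN ' marks the last line
            return code, lines
    raise ValueError("reply truncated: no terminating 'NNN ' line")

def ehlo_extensions(raw):
    """Keywords the server advertises; the first line is just its hostname."""
    _, lines = parse_reply(raw)
    return {l.split()[0].upper() for l in lines[1:]}

def classify_vrfy(raw):
    """Interpret a VRFY reply. 252 means 'cannot verify, will try to deliver';
    the server above answers 252 for any name, so it confirms nothing."""
    code, _ = parse_reply(raw)
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "unverified"
    if code in (550, 551, 553):
        return "unknown"
    if code == 502:                      # e.g. disable_vrfy_command = yes
        return "vrfy-disabled"
    return f"other:{code}"

def vrfy_informative(replies):
    """True only if some probe got a definite answer, not a blanket 252."""
    return any(classify_vrfy(r) in ("exists", "unknown") for r in replies)
```

Feeding the four VRFY replies from the session above to vrfy_informative returns False, which is the signal to stop trusting VRFY output on that host.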

Send an Email

  • The commands we enter on the command line to send an email are the same ones every email client program, such as Thunderbird, Gmail, or Outlook, issues for us behind the scenes.

    • There we specify the subject, the recipient, CC, BCC, and the information we want to share with others. The same works from the command line.

telnet 10.129.14.128 25
Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server


EHLO inlanefreight.htb

250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING


MAIL FROM: <[email protected]>

250 2.1.0 Ok


RCPT TO: <[email protected]> NOTIFY=success,failure

250 2.1.5 Ok


DATA

354 End data with <CR><LF>.<CR><LF>

From: <[email protected]>
To: <[email protected]>
Subject: DB
Date: Tue, 28 Sept 2021 16:32:51 +0200
Hey man, I am trying to access our XY-DB but the creds don't work. 
Did you make any changes there?
.

250 2.0.0 Ok: queued as 6E1CF1681AB


QUIT

221 2.0.0 Bye
Connection closed by foreign host.

Key Points About Email Headers

  • Information Carrier: Contains valuable details about an email.

  • Included Information:

    • Sender (mandatory)

    • Recipient (mandatory)

    • Sending time (mandatory)

    • Arrival time (optional)

    • Email route (optional)

    • Content and format (optional)

  • Email Header Structure

    • https://datatracker.ietf.org/doc/html/rfc5322
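As an added example that is not part of the original notes, the Python below parses an RFC 5322 header block with the standard library, extracts the fields the notes call mandatory, and reconstructs the route from the Received: headers. The sample message is constructed: the hosts mx.example.invalid and 10.129.14.200, the timestamps, and the sender and recipient addresses are made up, not captured.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (hosts, times and addresses are made up, not captured):
# the message from the session above as it might arrive after two hops. Each
# MTA prepends its own Received: line, so the top one is the most recent hop.
# Months are written 'Sep' as RFC 5322 requires ('Sept' is not a valid token).
RAW_MESSAGE = """\
Received: from mail1.inlanefreight.htb (mail1.inlanefreight.htb [10.129.14.128])
    by mx.example.invalid with ESMTP; Tue, 28 Sep 2021 14:33:10 +0000
Received: from [10.129.14.200] (unknown [10.129.14.200])
    by mail1.inlanefreight.htb with SMTP id 6E1CF1681AB;
    Tue, 28 Sep 2021 16:32:55 +0200
From: <sender@inlanefreight.htb>
To: <recipient@inlanefreight.htb>
Subject: DB
Date: Tue, 28 Sep 2021 16:32:51 +0200

Hey man, I am trying to access our XY-DB but the creds don't work.
"""

def parse_message(raw):
    return message_from_string(raw)

def mandatory_fields(msg):
    """Sender, recipient and sending time, the fields the notes call mandatory."""
    return {"from": parseaddr(msg["From"])[1],
            "to": parseaddr(msg["To"])[1],
            "date": parsedate_to_datetime(msg["Date"])}

def route(msg):
    """Hops in delivery order as (from_host, by_host, timestamp). Only lines
    stamped by servers you control are trustworthy; anything below them can
    have been written by the sender."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())          # unfold the header
        m = re.match(r"from (\S+).*?\bby (\S+).*?;\s*(.+)$", flat)
        if m:
            hops.append((m.group(1), m.group(2), parsedate_to_datetime(m.group(3))))
    return hops

def transit_seconds(msg):
    """Arrival time (last hop) minus the sending time in the Date header."""
    hops = route(msg)
    if not hops:
        return None
    return (hops[-1][2] - mandatory_fields(msg)["date"]).total_seconds()
```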

Dangerous Settings

Relay Servers and Spam Filtering:

  • Circumventing Spam Filters: Some senders use trusted relay servers to bypass recipient spam filters.

  • Trusted Relay Servers: These servers are known and verified by other email servers.

  • Authentication Requirement: The sender typically needs to authenticate with the relay server.

Open Relay Configuration

mynetworks = 0.0.0.0/0
  • With this setting the server trusts every client, so it accepts mail from any source and relays it anywhere. Such an SMTP server can be used to send fake emails and thus initiate communication between multiple parties.

    • Another attack possibility would be to spoof the email and read it.
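An added audit check (example code, not from the original notes) for the Default Configuration and Dangerous Settings sections above: it parses a Postfix main.cf and flags mynetworks = 0.0.0.0/0, an explicit smtpd_relay_restrictions that never refuses relaying to foreign domains, and VRFY left enabled. The sample main.cf is constructed from the one shown above with the open-relay value substituted; disable_vrfy_command and smtpd_relay_restrictions are real Postfix parameters.

```python
import ipaddress
import re

# Constructed sample: the main.cf shown under Default Configuration, with the
# mynetworks value from this section substituted (not copied from a live host).
MAIN_CF = """\
smtpd_banner = ESMTP Server
myhostname = mail1.inlanefreight.htb
mydestination = $myhostname, localhost
mynetworks = 0.0.0.0/0
smtpd_helo_restrictions = reject_invalid_hostname
inet_protocols = ipv4
"""

def parse_main_cf(text):
    """main.cf syntax: 'name = value', '#' comments, and continuation lines
    that start with whitespace and extend the previous value."""
    conf, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            conf[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        conf[last] = value.strip()
    return conf

def audit(conf):
    """Return (setting, problem, recommended value) for each weak setting."""
    findings = []
    for net in re.split(r"[,\s]+", conf.get("mynetworks", "").strip()):
        try:
            if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(("mynetworks", f"{net} trusts every client (open relay)",
                                 "only your own subnets, e.g. 127.0.0.0/8"))
        except ValueError:
            pass                      # table lookups such as hash:/path are skipped
    relay = conf.get("smtpd_relay_restrictions")
    # If unset, Postfix's own default already ends in defer_unauth_destination.
    if relay is not None and "unauth_destination" not in relay:
        findings.append(("smtpd_relay_restrictions", "relaying to foreign domains is not refused",
                         "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"))
    if conf.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append(("disable_vrfy_command", "VRFY answers user-existence probes", "yes"))
    return findings
```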

Footprinting the Service

sudo nmap 10.129.14.128 -sC -sV -p25
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 17:56 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00025s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: mail1.inlanefreight.htb, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
MAC Address: 00:00:00:00:00:00 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds
  • Using the smtp-open-relay NSE script, we can check whether the target SMTP server is an open relay; the script runs 16 different relay tests.

sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-30 02:29 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:29
Completed NSE at 02:29, 0.00s elapsed
Initiating ARP Ping Scan at 02:29
Scanning 10.129.14.128 [1 port]
Completed ARP Ping Scan at 02:29, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:29
Completed Parallel DNS resolution of 1 host. at 02:29, 0.03s elapsed
Initiating SYN Stealth Scan at 02:29
Scanning 10.129.14.128 [1 port]
Discovered open port 25/tcp on 10.129.14.128
Completed SYN Stealth Scan at 02:29, 0.06s elapsed (1 total ports)
NSE: Script scanning 10.129.14.128.
Initiating NSE at 02:29
Completed NSE at 02:29, 0.07s elapsed
Nmap scan report for 10.129.14.128
Host is up (0.00020s latency).

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-open-relay: Server is an open relay (16/16 tests)
|  MAIL FROM:<> -> RCPT TO:<[email protected]>
|  MAIL FROM:<[email protected]> -> RCPT TO:<[email protected]>
|  MAIL FROM:<antispam@ESMTP> -> RCPT TO:<[email protected]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<[email protected]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest%nmap.scanme.org@[10.129.14.128]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<relaytest%nmap.scanme.org@ESMTP>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<"[email protected]">
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<"relaytest%nmap.scanme.org">
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<[email protected]@[10.129.14.128]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<"[email protected]"@[10.129.14.128]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<[email protected]@ESMTP>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<@[10.129.14.128]:[email protected]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<@ESMTP:[email protected]>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<nmap.scanme.org!relaytest>
|  MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<nmap.scanme.org!relaytest@[10.129.14.128]>
|_ MAIL FROM:<antispam@[10.129.14.128]> -> RCPT TO:<nmap.scanme.org!relaytest@ESMTP>
MAC Address: 00:00:00:00:00:00 (VMware)

NSE: Script Post-scanning.
Initiating NSE at 02:29
Completed NSE at 02:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Enumerate users on SMTP

  • Did not work; need another tool.

smtp-user-enum -M VRFY -U footprinting.txt -t 10.129.38.126 -v
