SMTP Penetration Testing: A Comprehensive Guide

SMTP Penetration Testing: A Comprehensive Guide

Explore this comprehensive guide on SMTP penetration testing, a crucial technique for assessing the security of your email servers.

In this article, Kali is used as a client, and a Windows Server 2012 as an SMTP Server.

Table of Contents

SMTP Introduction

Protocol

Port

Description

SMTP

25

SSL/TLS

465

StartTLS

587

MUA → MSA → MTA → internet → MTA → MDA → MUA

Outlook → Exchange → firewall → internet → SMTP-Server of the receiving side → mail-server of the receiving side → Outlook of receiver

SMTP Commands

Command

Description

RFC

HELO

Identifies the sending SMTP server

RFC 5321

EHLO

Extended HELO, provides more information

RFC 5321

MAIL FROM

Specifies the sender’s email address

RFC 5321

RCPT TO

Specifies the recipient’s email address

RFC 5321

DATA

Initiates the message data transmission

RFC 5321

RSET

Resets the session to initial state

RFC 5321

VRFY

Requests verification of an email address

RFC 5321

EXPN

Requests the expansion of a mailing list

RFC 5321

NOOP

No operation, used for testing or keep-alive

RFC 5321

QUIT

Closes the SMTP session

RFC 5321

AUTH

Initiates authentication process

RFC 4954

STARTTLS

Initiates a secure TLS session

RFC 3207

HELP

Requests help information from the server

RFC 5321

RFC 821 – Simple Mail Transfer Protocol

Protocol definition for SMTP. This document covers the model, operating procedure, and protocol details for SMTP.

RFC 1869 – SMTP Service Extensions

Definition of the ESMTP extensions for SMTP. This describes a framework for extending SMTP with new commands, supporting dynamic discovery of the commands provided by the server, and defines a few additional commands.

SMTP Penetration Testing

  1. SMTP Tools
  2. Footprinting SMTP Service
  3. Enumerate SMTP Service
  4. SMTP Vulnerabilities
  5. SMTP Attacks

SMTP – Pentest Tools

Tool

Description

Download

swaks

Swiss Army Knife for SMTP

smtp-user-enum

nmap

Network Scanner

msfconsole

THC Hydra

SMTP Reconnaissance

Nmap SMTP NSE Scripts

nmap --script smtp-brute,smtp-commands,smtp-enum-users,smtp-vuln-cve2011-1764 -p 25,465,587

nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587

SMTP Metasploit Modules

auxiliary/scanner/smtp/smtp_enum auxiliary/scanner/smtp/smtp_relay auxiliary/scanner/smtp/smtp_version

Footprinting SMTP Service

sudo nmap 10.129.172.83 -sC -sV -p25,465,587

SMTP Enumeration

SMTP Enumeration is a crucial aspect of the cybersecurity landscape that offers detailed insights into a system’s mail server.

This process is particularly significant for network administrators, IT professionals, and ethical hackers who are continuously working to identify and rectify system vulnerabilities.

In this article, we will delve into the world of SMTP Enumeration, its functions, merits, demerits, and the critical role it plays in network security.

Furthermore, we’ll explore different tools used in SMTP enumeration and discuss common strategies for preventing potential exploitation.

nmap -p25 --script smtp-commands 172.180.22.16

auxiliary/scanner/smtp/smtp_enum

Banner Grabbing

nc -vn 172.180.22.16 25

SMTP User Enumeration

nmap –script smtp-enum-users.nse 172.180.22.16

smtp-user-enum -M VRFY -U list.txt -t 10.129.172.83

Open Relay

sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

nmap -p25 --script smtp-open-relay 172.180.22.16 -v

SMTP Vulnerabilities

SMTP Injection

Directory harvest attack (DHA)

SMTP Post Exploitation

SWAKS

swaks --to --from local-user@ --server mail.example.com --body "hello"

sendEmail -t -f -s 192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-UpgradeInstructions.pdf

sudo python -m smtpd -n -c DebuggingServer :25

SMTP Attacks

Attack Type

Description

Email Spoofing

Forging the sender’s email address to appear as if it’s from a different source.

Email Phishing

Sending deceptive emails to trick recipients into revealing sensitive information.

Man-in-the-Middle (MITM)

Intercepting and possibly altering communication between the email client and server.

Brute-Force Attacks

Repeatedly attempting different username and password combinations to gain unauthorized access.

Email Bombing

Flooding an email inbox with an overwhelming number of emails, causing denial of service.

Email Relay Attacks

Exploiting open email relays to send spam or malicious emails through a compromised server.

SMTP User Enumeration

Determining valid email addresses by exploiting SMTP server responses.

SMTP Command Injection

Manipulating SMTP commands to execute arbitrary code on the SMTP server.

SMTP Header Injection

Injecting malicious content into email headers to trick email clients into unintended actions.

Denial of Service (DoS)

Overwhelming SMTP servers with excessive traffic, causing email service disruption.

Email Harvesting

Using automated tools to gather email addresses for spam campaigns or other malicious purposes.

Email Eavesdropping

Intercepting unencrypted emails during transmission to access sensitive information.

Email Attachment Exploits

Exploiting vulnerabilities in email attachments to execute malware on the recipient’s system.

Malicious Email Attachments

Sending attachments or links to infected files or websites to trick recipients into downloading malware or revealing sensitive information.

List of SMTP Attacks

SMTP Hacking Labs – Join us

SMTP Penetration TestingHTB_RedTeamLabs

SSH Penetration Testing

FTP penetration testing

RDP Penetration Testing

SMB Penetration Testing

PostgreSQL Penetration Testing

https://cpts-certification.certs-study.com/

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection

Network Penetration Testing, Penetration Testing

Tagged in:

Commercial Pen Testing, Cybersecurity Assessment, Email Security Solutions, Email Server Vulnerabilities, Penetration Testing Services, SMTP Security

Show Comments

Did you find this article valuable?

Support PopLabSec by becoming a sponsor. Any amount is appreciated!