|
| 1 | +--- |
| 2 | +title: SMTP |
| 3 | +description: Simple Mail Transfer Protocol |
| 4 | +categories: [Services] |
| 5 | +tags: [Services, SMTP, Email] |
| 6 | +--- |
| 7 | + |
| 8 | +## Service Info |
| 9 | +- Name: Simple Mail Transfer Protocol (SMTP) |
| 10 | +- Purpose: Sending emails over an IP network. |
| 11 | +- Listening port: **TCP port 25**, **TCP port 587** (Encrypted Transport) |
| 12 | +- OS: Unix-Like, Windows |
| 13 | + |
| 14 | +SMTP faciliates the transfer of mail between a client and a mail server, or between two mail servers. Originally, SMTP did not include user authencation nor transport encryption. Both features are implemented in **Extended Simple Mail Transfer Protocol (ESMTP)**, which faciliates most mail services today. |
| 15 | + |
| 16 | +The process of sending an email using SMTP is as follows: |
| 17 | +1. The SMTP client (**Mail User Agent**) converts email into a header and a body and uploads both to the SMTP Server (**Mail Transfer Agent**) |
| 18 | +2. MTA checks email for size and spam then stores it. |
| 19 | +3. MTA sends email to the destination SMTP Server (**Mail Delivery Agent**), where the data packets will be reassembled into a complete email. |
| 20 | +4. Mail Delivery Agent transfers it to the recipient's mailbox |
| 21 | + |
| 22 | +### SMTP Commands |
| 23 | +SMTP communications are facilitated with commands. Common SMTP commands include: |
| 24 | +- `AUTH PLAIN`: AUTH is a service extension used to authenticate the client. |
| 25 | +- `HELO`: The client logs in with its computer name and thus starts the session. |
| 26 | +- `EHLO`: Extended version of the `HELO` command. The server would respond with a list of its capabilities |
| 27 | +- `MAIL FROM`: The client names the email sender. |
| 28 | +- `RCPT TO`: The client names the email recipient. |
| 29 | +- `DATA`: The client initiates the transmission of the email. |
| 30 | +- `RSET`: The client aborts the initiated transmission but keeps the connection between client and server. |
| 31 | +- `VRFY`: The client checks if a mailbox is available for message transfer. |
| 32 | +- `EXPN`: The client also checks if a mailbox is available for messaging with this command. |
| 33 | +- `NOOP`: The client requests a response from the server to prevent disconnection due to time-out. |
| 34 | +- `QUIT`: The client terminates the session. |
| 35 | + |
| 36 | + |
| 37 | +## Service Enumeration |
| 38 | + |
| 39 | +The default script scan (`-sC`) runs `smtp-command`, which uses the `EHLO` command to list out the available commands on the server. |
| 40 | +```shell-session |
| 41 | +╭─brian@rx-93-nu ~ |
| 42 | +╰─$ sudo nmap 10.10.0.25 -sC -sV -p25 |
| 43 | +
|
| 44 | +Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-27 17:56 CEST |
| 45 | +Nmap scan report for 10.10.0.25 |
| 46 | +Host is up (0.00025s latency). |
| 47 | +
|
| 48 | +PORT STATE SERVICE VERSION |
| 49 | +25/tcp open smtp Postfix smtpd |
| 50 | +|_smtp-commands: mail01.gundam.local, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, |
| 51 | +MAC Address: 00:00:00:00:00:00 (VMware) |
| 52 | +
|
| 53 | +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . |
| 54 | +Nmap done: 1 IP address (1 host up) scanned in 14.09 seconds |
| 55 | +``` |
| 56 | + |
| 57 | +## Service Interaction |
| 58 | +Interaction with an SMTP server can be done using the `telnet` utility |
| 59 | +```bash |
| 60 | +telnet <host> 25 |
| 61 | +``` |
| 62 | +After connecting to the SMTP server, we may use the `EHLO` command to greet the server and get a list of available features. |
| 63 | +```shell-session |
| 64 | +╭─brian@rx-93-nu ~ |
| 65 | +╰─$ telnet 10.10.0.25 25 |
| 66 | +
|
| 67 | +Trying 10.10.0.25... |
| 68 | +Connected to 10.10.0.25. |
| 69 | +Escape character is '^]'. |
| 70 | +220 ESMTP Server |
| 71 | +
|
| 72 | +
|
| 73 | +HELO mail01.gundam.local |
| 74 | +
|
| 75 | +250 mail01.gundam.local |
| 76 | +
|
| 77 | +
|
| 78 | +EHLO mail1 |
| 79 | +
|
| 80 | +250-mail01.gundam.local |
| 81 | +250-PIPELINING |
| 82 | +250-SIZE 10240000 |
| 83 | +250-ETRN |
| 84 | +250-ENHANCEDSTATUSCODES |
| 85 | +250-8BITMIME |
| 86 | +250-DSN |
| 87 | +250-SMTPUTF8 |
| 88 | +250 CHUNKING |
| 89 | +``` |
| 90 | + |
| 91 | +### User Enumeration |
| 92 | +Commands such as `VRFY`, `EXPN`, and `RCPT TO` may be used to enumerate users on the system. |
| 93 | + |
| 94 | +VRFY: |
| 95 | +```shell-session |
| 96 | +VRFY root |
| 97 | +
|
| 98 | +252 2.0.0 root |
| 99 | +
|
| 100 | +
|
| 101 | +VRFY www-data |
| 102 | +
|
| 103 | +252 2.0.0 www-data |
| 104 | +
|
| 105 | +
|
| 106 | +VRFY new-user |
| 107 | +
|
| 108 | +550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table |
| 109 | +``` |
| 110 | + |
| 111 | +`EXPN` is similiar to `VRFY`, but when used with a distribution list, it will list all users on that list. |
| 112 | +- A quick way to get all users on the system is to try `EXPN all` |
| 113 | + |
| 114 | +```shell-session |
| 115 | +EXPN john |
| 116 | +
|
| 117 | +250 2.1.0 john@gundam.local |
| 118 | +
|
| 119 | +
|
| 120 | +EXPN support-team |
| 121 | +
|
| 122 | +250 2.0.0 carol@gundam.local |
| 123 | +250 2.1.5 elisa@gundam.local |
| 124 | +``` |
| 125 | + |
| 126 | +The `RCPT TO` is usually used to identify the recipient of the email, but it can be repeated multiple times for a given message to deliver a message to multiple recipients. We can leverage this to identify users. |
| 127 | +```shell-session |
| 128 | +MAIL FROM:test@htb.com |
| 129 | +it is |
| 130 | +250 2.1.0 test@exmaple.com... Sender ok |
| 131 | +
|
| 132 | +
|
| 133 | +RCPT TO:julio |
| 134 | +
|
| 135 | +550 5.1.1 julio... User unknown |
| 136 | +
|
| 137 | +
|
| 138 | +RCPT TO:kate |
| 139 | +
|
| 140 | +550 5.1.1 kate... User unknown |
| 141 | +
|
| 142 | +
|
| 143 | +RCPT TO:john |
| 144 | +
|
| 145 | +250 2.1.5 john... Recipient ok |
| 146 | +``` |
| 147 | + |
| 148 | +The process of enumerating users may be automated using [smtp-user-enum](https://github.com/pentestmonkey/smtp-user-enum). |
| 149 | +- Use `-M` to specify method (`VRFY`, `EXPN`, or `RCPT`). |
| 150 | +- Use `-U` to specify wordlist. |
| 151 | +- Use `-D` to specify domain. |
| 152 | + |
| 153 | +```bash |
| 154 | +smtp-user-enum -M <command> -U <userlist> -D <domain> -t <host> |
| 155 | +``` |
| 156 | + |
| 157 | +### Sending Email |
| 158 | +We can send an email to a number of valid recipients within the `telnet` session with an SMTP server. |
| 159 | +```shell-session |
| 160 | +EHLO gundam.local |
| 161 | +
|
| 162 | +250-mail01.gundam.local |
| 163 | +250-PIPELINING |
| 164 | +250-SIZE 10240000 |
| 165 | +250-ETRN |
| 166 | +250-ENHANCEDSTATUSCODES |
| 167 | +250-8BITMIME |
| 168 | +250-DSN |
| 169 | +250-SMTPUTF8 |
| 170 | +250 CHUNKING |
| 171 | +
|
| 172 | +
|
| 173 | +MAIL FROM: <brian@gundam.local> |
| 174 | +
|
| 175 | +250 2.1.0 Ok |
| 176 | +
|
| 177 | +
|
| 178 | +RCPT TO: <john@gundam.local> NOTIFY=success,failure |
| 179 | +
|
| 180 | +250 2.1.5 Ok |
| 181 | +
|
| 182 | +
|
| 183 | +DATA |
| 184 | +
|
| 185 | +354 End data with <CR><LF>.<CR><LF> |
| 186 | +
|
| 187 | +From: <brian@gundam.local> |
| 188 | +To: <john@gundam.local> |
| 189 | +Subject: DB |
| 190 | +Date: Tue, 28 Sept 2021 16:32:51 +0200 |
| 191 | +Good morning and I wish you a happy day! |
| 192 | +. |
| 193 | +
|
| 194 | +250 2.0.0 Ok: queued as 6E1CF1681AB |
| 195 | +
|
| 196 | +
|
| 197 | +QUIT |
| 198 | +
|
| 199 | +221 2.0.0 Bye |
| 200 | +Connection closed by foreign host. |
| 201 | +``` |
| 202 | + |
| 203 | +Alternatively, we can use [swaks](https://github.com/jetmore/swaks), a command line SMTP testing tool to send mail. |
| 204 | +```bash |
| 205 | +swaks --from <sender> --to <recipient> --header <email_header> --body <email_body> --server <host> |
| 206 | +``` |
| 207 | + |
| 208 | +## Password Attacks |
| 209 | +Hydra can be used to perform a password spray or brute-force against SMTP. |
| 210 | +```bash |
| 211 | +hydra -L <user_list> -p <password> -f <target> smtp |
| 212 | +``` |
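Review bot: the Nmap script referenced in the Service Enumeration paragraph is `smtp-commands`, not `smtp-command`, as the scan output in the same block confirms (`|_smtp-commands: mail01.gundam.local, PIPELINING, ...`); please correct the name. Several other points in the new file: the Service Info entry describes TCP 587 as "Encrypted Transport", but 587 is the mail submission port, where encryption is only negotiated via STARTTLS and is not guaranteed; implicit TLS is TCP 465, so either relabel it (for example `TCP port 587 (Submission, STARTTLS)`) or list 465 separately. The `RCPT TO` enumeration transcript contains a stray `it is` line between `MAIL FROM:test@htb.com` and the server reply, and that reply echoes `test@exmaple.com` rather than the address that was sent, so the block looks like it was stitched from two sessions and should be recaptured. Step 3 of the sending process says data packets are reassembled at the Mail Delivery Agent; reassembly is TCP's job, and the MDA simply receives the message from the destination MTA, so that sentence should be reworded. Spelling: "faciliates" (twice) and "authencation" in the introduction, "similiar" in the EXPN paragraph. Since the User Enumeration section is written against a Postfix server, one sentence noting that `VRFY` can be disabled with `disable_vrfy_command = yes` in `main.cf` would help readers understand that the differing 252/550 replies shown are the leak and what a hardened target looks like. Finally, the Hydra command with `-L <user_list> -p <password>` is a password spray only; for the brute-force case the text promises, show a `-P <password_list>` variant as well, and mention `-s 587` for servers that only accept `AUTH` on the submission port.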