Skip to content

Ports 25, 565, 587 - Simple Mail Tranfer Protocol (SMTP)

Related resources

The Simple Mail Transfer Protocol (SMTP) is a protocol for sending emails in an IP network. By default, SMTP servers accept connection requests on port 25. However, newer SMTP servers also use other ports such as TCP port 587. This port is used to receive mail from authenticated users/servers, usually using the STARTTLS command. SMTP works unencrypted without further measures and transmits all commands, data, or authentication information in plain text. To prevent unauthorized reading of data, the SMTP is used in conjunction with SSL/TLS encryption. Under certain circumstances, a server uses a port other than the standard TCP port 25 for the encrypted connection, for example, TCP port 465.

SMTP. Source: https://wiki.inf.ufpr.br/maziero/doku.php?id=espec:servico_de_e-mail

Mail User Agent (MUA): SMTP client who sends the email. MUA converts it into a header and a body and uploads both to the SMTP server.

Mail Submission Agent (MSA), which checks the validity, i.e., the origin of the e-mail. This MSA is also called Relay server. These are very important later on, as the so-called Open Relay Attack. Proxy that occasionally precedes the MTA to relieve the load. It checks the validity, i.e., the origin of the e-mail. This MSA is also called Relay server.

Mail Transfer Agent (MTA): The MTA checks the e-mail for size and spam and then stores it. At this point of the process, this MTA works as the sender's server. The MTA then searches the DNS for the IP address of the recipient mail server. On arrival at the destination SMTP server, the receiver's MTA reassembles the data packets to form a complete e-mail.

Mail delivery agent (MDA): It deals with transferring the email to the recipient's mailbox.

Other concepts:

  • DKIM : DomainKeys Identified Mail (DKIM) provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. The identity is independent of other email identities, such as the author's From: field.
  • Sender Policy Framework (SPF): Sender Policy Framework (SPF) is used to authenticate the sender of an email. With an SPF record in place, Internet Service Providers can verify that a mail server is authorized to send email for a specific domain. An SPF record is a DNS TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain.

Extended SMTP (ESMTP)

Extended SMTP (ESMTP) deals with the main two shortcomings of SMTP protocol:

  • In SMTP, users are not authenticated, therefore the sender is unreliable.
  • SMTP doesn't have confirmations.

For this, ESMTP uses TLS for encryption and AUTH PLAIN extension for authentication. See also Postfix

Basic commands

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# We can use telnet protocol to connect to a SMTP server
telnet $ip 25

# AUTH is a service extension used to authenticate the client
AUTH PLAIN  

# The client logs in with its computer name and thus starts the session. It also lists all available commands
EHLO
    # Example: 
    # HELO mail1.inlanefreight.htb

# The client names the email sender
MAIL FROM   

# The client names the email recipient
RCPT TO

# The client initiates the transmission of the email
DATA 

# The client aborts the initiated transmission but keeps the connection between client and server
RSET

# The client checks if a mailbox is available for message transfer. This also means that this command could  be used to enumerate existing users on the system. However, this does not always work. Depending on how the SMTP server is configured, the SMTP server may issue `code 252` and confirm the existence of a user that does not exist on the system.
VRFY
# Example: VRFY root

# The client also checks if a mailbox is available for messaging with this command 
EXPN

# The client requests a response from the server to prevent disconnection due to time-out
NOOP

# The client terminates the session
QUIT

If we are connected to a proxy and we want this proxy to connect to a SMTP server, the command that we would send than would look something like this: 

1
CONNECT 10.129.14.128:25 HTTP/1.0

Example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
telnet $ip 25  

# Trying 10.129.14.128... ç
# Connected to 10.129.14.128. 
# Escape character is '^]'. 
# 220 ESMTP Server   

EHLO inlanefreight.htb  
# 250-mail1.inlanefreight.htb 
# 250-PIPELINING 
# 250-SIZE 10240000 
# 250-ETRN 
# 250-ENHANCEDSTATUSCODES 
# 250-8BITMIME 
# 250-DSN 
# 250-SMTPUTF8 
# 250 CHUNKING   

MAIL FROM: <cry0l1t3inlanefreight.htb>  
# 250 2.1.0 Ok   

RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure  
# 250 2.1.5 Ok   

DATA  
# 354 End data with <CR><LF>.<CR><LF>  

# From: <cry0l1t3@inlanefreight.htb> 
# To: <mrb3n@inlanefreight.htb> 
# Subject: DB 
# Date: Tue, 28 Sept 2021 16:32:51 +0200 

`Hey man, I am trying to access our XY-DB but the creds dont work.  Did you make any changes there?.`  
# 250 2.0.0 Ok: queued as 6E1CF1681AB   

QUIT  
# 221 2.0.0 Bye Connection closed by foreign host.`

1
mynetworks = 0.0.0.0/0

With this setting, this SMTP server can send fake emails and thus initialize communication between multiple parties. Another attack possibility would be to spoof the email and read it.

Footprinting SMTP

1
2
3
sudo nmap $ip -sC -sV -p25

sudo nmap $ip -p25 --script smtp-open-relay -v
Port Service
TCP/25 SMTP Unencrypted
TCP/143 IMAP4 Unencrypted
TCP/110 POP3 Unencrypted
TCP/465 SMTP Encrypted
TCP/587 SMTP Encrypted/STARTTLS
TCP/993 IMAP4 Encrypted
TCP/995 POP3 Encrypted

Enumeration

When it comes to enumeration it is critical to understand if we are facing a cloud service or a custom mail server implementation.

Custom mail server implementation

We will focus on typical misconfigurations

User enumeration with commands

The SMTP server has different commands that can be used to enumerate valid usernames VRFYEXPN, and RCPT TO. If we successfully enumerate valid usernames, we can attempt to password spray, brute-forcing, or guess a valid password.

VRFY

First we try to connect to the server:

1
telnet $ip 25

If anonymous login is enabled, we are in. Otherwise we could try to login, for instance with user root:

1
VFFY root

The code 252 in the answer means that the user exists. The code 550 means that it is an unknown user.

EXPN

EXPN is similar to VRFY, except that when used with a distribution list. First we try to connect to the server:

1
telnet $ip 25

Then we try to list all users on that distribution list with EXPN:

1
EXPN support-team

A typical response could be:

1
2
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb
RCPT TO Command

RCPT TO identifies the recipient of the email message. This command can be repeated multiple times for a given message to deliver a single message to multiple recipients.

First we try to connect to the server:

1
telnet $ip 25

Then we attempt the RCPT TO command:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
MAIL FROM:test@htb.com
it is
250 2.1.0 test@htb.com... Sender ok


RCPT TO:julio

550 5.1.1 julio... User unknown


RCPT TO:kate

550 5.1.1 kate... User unknown


RCPT TO:john

250 2.1.5 john... Recipient ok
USER

We can also use the POP3 protocol to enumerate users depending on the service implementation. For example, we can use the command USER followed by the username, and if the server responds OK. This means that the user exists on the server. First we try to connect to the server:

1
telnet $ip 25

Then we attempt the USER command:

1
2
3
4
5
6
USER julio
-ERR


USER john
+OK

User enumeration with commands

A way to automate this enumeration is this script for user enumeration:

1
2
3
# Enumerate users:
for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 6 $ip 25  ; done
# -w: Include a delay in passing the argument. In seconds.

Results from script in user enumeration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
(UNKNOWN) [10.129.16.141] 25 (smtp) open
220 InFreight ESMTP v2.11
252 2.0.0 root
(UNKNOWN) [10.129.16.141] 25 (smtp) open
220 InFreight ESMTP v2.11
550 5.1.1 <lala>: Recipient address rejected: User unknown in local recipient table
(UNKNOWN) [10.129.16.141] 25 (smtp) open
220 InFreight ESMTP v2.11
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
(UNKNOWN) [10.129.16.141] 25 (smtp) open
220 InFreight ESMTP v2.11
252 2.0.0 robin

smtp-user-enum

Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY or RCPT TO.

Repo: https://github.com/pentestmonkey/smtp-user-enum

Basic usage:

1
2
3
4
5
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t $ip
# -M: Enumeration mode, it can be `VRFY`, `EXPN`, or `RCPT`
# -U: file with list of users
# -D: domain
# -t: target

Cloud mail server implementation

Enumerating users in Microsoft Office 365 (O365)

O365spray

O365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365). This tool reimplements a collection of enumeration and spray techniques.

1
sudo pip install -r requirements.txt

Basic usage:

1
2
3
4
5
# First validate if our target domain is using Office 365.
python3 o365spray.py --validate --domain msexample.com

# Attempt to identify usernames.
python3 o365spray.py --enum -U users.txt --domain msexample.com

Password Attacks

Custom mail servers

hydra

1
2
3
4
# Attacking a pop3 service
hydra -L users.txt -p 'Company01!' -f $ip pop3

hydra -l user@inlanefreight.htb -P passwords.list -t 64 -f $ip smtp

Cloud mail services

If cloud services support SMTP, POP3, or IMAP4 protocols, we may be able to attempt to perform password spray using tools like Hydra, but these tools are usually blocked.

MSOffice 365

O365spray

See O365spray

1
2
3
4
5
# First validate if our target domain is using Office 365.
python3 o365spray.py --validate --domain msexample.com

# Password spraying technique 
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msexample.com
MailSniper

See MailSniper

Gmail and Okta

CredKing

Open relay attack

An open relay is a Simple Mail Transfer Protocol (SMTP) server, which is improperly configured and allows an unauthenticated email relay.

First, identify if an SMTP port allows an open relay:

1
nmap -p25 -Pn --script smtp-open-relay $ip

Next, we can use any mail client to connect to the mail server and send our email.

1
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server $ipSMTPServerVictim

See swaks.

Attacks on SMTPD

Affected version:  OpenSMTPD up to version 6.6.2 Vulnerability: CVE-2020-7247 and leads to RCE.

The vulnerability in this service lies in the program's code, namely in the function that records the sender's email address. This offers the possibility of escaping the function using a semicolon (;) and making the system execute arbitrary shell commands. However, there is a limit of 64 characters, which can be inserted as a command. The technical details of this vulnerability can be found here. Exploit here

Postfix, an example of a SMTP server

Configuration file

See how to install postfix server.

The configuration file for Porsfix service is /etc/postfix/main.cf

Last update: 2024-11-03
Created: June 28, 2023 19:14:21