
25 465 587 - SMTP

Login

Basic

nc -nv <ip> 25

Secure

openssl s_client -crlf -connect <ip>:465

Secure with STARTTLS

openssl s_client -starttls smtp -crlf -connect <ip>:587

Commands

HELO <domain>
MAIL FROM:<sender email>
RCPT TO:<dest email>
DATA
RSET
VRFY <email>
NOOP
QUIT

Extended SMTP

EHLO
AUTH <method> <user and pass>
STARTTLS
SIZE
HELP

Send an email

HELO x
MAIL FROM:<sender address>
RCPT TO:<dest address>
DATA
<mail body>
.

Enumeration

nmap <ip> -p <port> -sV --script "smtp-*" -vv

User bruteforce

Manual

HELO x
<EXPN or VRFY> <username>

The RCPT TO command requires a source email address to be specified first (MAIL FROM). Sometimes, when given an incomplete destination address, the mail server autocompletes it, revealing the internal name.

HELO x
MAIL FROM:<test@mail.com>
RCPT TO:<username>
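
The VRFY/EXPN and RCPT TO probing described above leaves a recognisable pattern on the receiving server. The following is an added example (not part of the original notes) that flags it in a command log; the log format, sample lines, function name and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "<client> <command> -> <reply code>" format.
SAMPLE_LOG = """\
10.0.0.5 VRFY root -> 252
10.0.0.5 VRFY admin -> 550
10.0.0.5 EXPN staff -> 550
10.0.0.5 MAIL FROM:<test@mail.com> -> 250
10.0.0.5 RCPT TO:<alice> -> 550
10.0.0.5 RCPT TO:<bob> -> 550
10.0.0.5 RCPT TO:<carol> -> 250
10.0.0.5 RCPT TO:<dave> -> 550
192.0.2.10 MAIL FROM:<news@partner.example> -> 250
192.0.2.10 RCPT TO:<carlo@corp.example> -> 550
192.0.2.10 RCPT TO:<carol@corp.example> -> 250
192.0.2.10 DATA -> 354
198.51.100.7 VRFY postmaster -> 252
"""

def find_enumeration(log_text, threshold=3):
    """Return {client: [reasons]} for clients whose commands look like user enumeration."""
    stats = defaultdict(lambda: {"probed": set(), "rejected": set(), "data": 0})
    for line in log_text.splitlines():
        left, sep, code = line.strip().rpartition(" -> ")
        if not sep or not code.isdigit():
            continue  # skip malformed lines
        client, _, command = left.partition(" ")
        verb, _, arg = command.partition(" ")
        verb, entry = verb.upper(), stats[client]
        if verb in ("VRFY", "EXPN"):
            entry["probed"].add(arg.lower())  # distinct names asked about
        elif verb == "RCPT" and code.startswith("5"):
            entry["rejected"].add(re.sub(r"(?i)^to:\s*", "", arg).strip("<>").lower())
        elif verb == "DATA" and code == "354":
            entry["data"] += 1  # the client actually went on to send mail
    findings = {}
    for client, entry in stats.items():
        reasons = []
        if len(entry["probed"]) >= threshold:
            reasons.append("vrfy_expn_probing")
        if len(entry["rejected"]) >= threshold and entry["data"] == 0:
            reasons.append("rcpt_probing_without_data")
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

On Postfix, `disable_vrfy_command = yes` turns the VRFY command off; RCPT TO probing still has to be caught by rate limits or by detection of this kind.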

Automatic tools

Use the following script to generate possible variants of a given username. Downloadable from here.

python usernamer.py -n '<user>'

Verify the existence of the generated usernames.

smtp-user-enum -M VRFY -D <mail domain> -u <user> -t <ip>
smtp-user-enum -M VRFY -D <mail domain> -U <file>.txt -t <ip>

Last updated 2 years ago