Port 25 - SMTP

A lot of times these will be locked down, but maybe we'll be lucky.

Generic Connection:

nc -nv 10.11.1.217 25

NB: nmap -sC (default scripts) will typically list the commands the server supports.

Testing:

  • Enumerate Users:

    • VRFY username (asks the server to confirm that the mailbox exists)

    • EXPN name (asks the server to expand an alias or mailing list; a positive reply confirms that the name is valid)

  • Mail Spoofing:

    • One command per line:

      • HELO something

      • MAIL FROM: fake_address

      • RCPT TO: valid_mail_account

      • DATA (message body, ended by a line containing only ".")

      • QUIT

  • Mail Relay Test:

    • HELO something

      • Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>

      • Unknown domain - mail from: <user@unknown_domain>

      • Domain not present - mail from: <user@localhost>

      • Domain not supplied - mail from: <user>

      • Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>

      • Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>

      • Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">

      • Use IP address of the target server in the recipient - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>

      • Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>

      • Disparate formatting (variant 2) - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
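As an added example (not part of the original cheat sheet), the following Python takes the raw replies a mail server returns during the VRFY/EXPN and relay checks above and classifies them the way an auditor reviewing their own server's configuration would; the transcript, hostnames and mailbox names are constructed.

```python
import re
from typing import List, Tuple

# Constructed server transcript (replies only) from the checks above: banner, HELO/EHLO,
# VRFY alice, VRFY bob, and an RCPT TO for an external recipient. Hostnames are made up.
SAMPLE_TRANSCRIPT = (
    "220 mail.example.test ESMTP\r\n"
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
    "252 2.0.0 alice\r\n"
    "550 5.1.1 <bob>: Recipient address rejected: User unknown\r\n"
    "554 5.7.1 <nobody@recipient-domain.test>: Relay access denied\r\n"
)

_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(raw: str) -> List[Tuple[int, str]]:
    """Group raw output into (code, text) replies; RFC 5321 multi-line replies use
    "-" after the code on all but the last line, which uses a space."""
    replies, buf = [], []
    for line in raw.splitlines():
        m = _REPLY.match(line)
        if not m:
            continue  # not a reply line (e.g. stray banner text)
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        buf.append(text)
        if sep == " ":
            replies.append((code, "\n".join(buf)))
            buf = []
    return replies


def vrfy_verdict(code: int) -> str:
    """What a VRFY/EXPN reply code tells an auditor about user enumeration."""
    if code == 250:
        return "confirmed"     # mailbox exists: valid accounts are being leaked
    if code in (251, 252):
        return "not-verified"  # server declines to confirm but may still deliver
    if code in (550, 551, 553):
        return "rejected"      # "no such user" is still an oracle for valid names
    if code in (500, 502):
        return "disabled"      # command not implemented: the hardened state
    return "unknown"


def relay_open(rcpt_code: int) -> bool:
    """True if RCPT TO for an outside recipient was accepted (2xx) rather than refused."""
    return 200 <= rcpt_code < 300
```

In the constructed sample the VRFY replies are 252 and 550 and the external RCPT TO is refused with 554, so the server neither confirms users outright nor relays.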
