Port 110-25-143 (pop3/smtp)
Simple Mail Transfer Protocol (SMTP)
SMTP, POP3(s) and IMAP(s) are good for enumerating users.
Also: CHECK VERSIONS and searchsploit
1. SMTP
SMTP supports commands such as VRFY and EXPN. A VRFY request asks the server to verify an email address; EXPN asks the server for the membership of a mailing list.
Example:
nc -nv 192.168.11.215 25
VRFY root
smtp-user-enum
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
sending an email
HELO my.server.com
MAIL FROM: <me@mydomain.com>
RCPT TO: <you@yourdomain.com>
DATA
From: Danny Dolittle
To: Sarah Smith
Subject: Email sample
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
This is a test email for you to read.
.
QUIT
Open relay
use auxiliary/scanner/smtp/smtp_relay
services -p 25 -u -R
or nmap
nmap -iL email_servers -v --script=smtp-open-relay -p 25
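Added here as an example (not from the original notes): a small Python helper that replays a captured SMTP transcript and flags the two issues checked above, VRFY/EXPN replies that confirm a user and a MAIL FROM / RCPT TO pair outside the local domains that the server accepted (open relay). The transcript, host names and domains are constructed.

```python
import re

# Constructed transcript (not a real server): "C:" client lines, "S:" server replies.
SAMPLE_SESSION = """S: 220 mail.example.com ESMTP
C: EHLO audit.example.net
S: 250-mail.example.com
S: 250 8BITMIME
C: VRFY root
S: 250 2.1.5 root <root@example.com>
C: EXPN staff
S: 550 5.1.1 <staff>: Recipient address rejected
C: MAIL FROM:<outsider@elsewhere.test>
S: 250 2.1.0 Ok
C: RCPT TO:<victim@third-party.test>
S: 250 2.1.5 Ok
"""

def parse_session(text):
    """Pair each client command with the 3-digit code of its final reply line."""
    pairs, cmd = [], None
    for line in text.splitlines():
        role, _, body = line.partition(": ")
        if role == "C":
            cmd = body
        elif role == "S" and cmd is not None:
            m = re.match(r"(\d{3})([ -])", body)
            if m and m.group(2) == " ":  # "250-" continues a reply, "250 " ends it
                pairs.append((cmd, int(m.group(1))))
                cmd = None
    return pairs

def domain_of(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def audit(text, local_domains):
    """Flag user-confirming VRFY/EXPN replies and accepted outside-to-outside relaying."""
    findings = {"vrfy": False, "expn": False, "open_relay": False}
    sender_is_local = None
    for cmd, code in parse_session(text):
        verb, _, arg = cmd.upper().partition(" ")
        # 250/251 confirm a mailbox; a hardened server answers 252 ("cannot verify").
        if verb in ("VRFY", "EXPN") and code in (250, 251):
            findings[verb.lower()] = True
        elif verb == "MAIL":
            sender_is_local = domain_of(arg) in local_domains
        elif verb == "RCPT" and code in (250, 251):
            if sender_is_local is False and domain_of(arg) not in local_domains:
                findings["open_relay"] = True
    return findings
```

Feed it the transcript of your own nc/telnet session (or a packet capture exported as text) together with the set of domains the server is supposed to accept mail for.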
NSE
smtp-brute.nse
smtp-commands.nse
smtp-enum-users.nse
smtp-ntlm-info.nse
smtp-open-relay.nse
smtp-strangeport.nse
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse
commands
ATRN Authenticated TURN
AUTH Authentication
BDAT Binary data
BURL Remote content
DATA The actual email message to be sent. This command is terminated with a line that contains only a .
EHLO Extended HELO
ETRN Extended turn
EXPN Expand
HELO Identify yourself to the SMTP server.
HELP Show available commands
MAIL Send mail from email account
MAIL FROM: me@mydomain.com
NOOP No-op. Keeps your connection open.
ONEX One message transaction only
QUIT End session
RCPT Send email to recipient
RCPT TO: you@yourdomain.com
RSET Reset
SAML Send and mail
SEND Send
SOML Send or mail
STARTTLS Upgrade the connection to TLS
SUBMITTER SMTP responsible submitter
TURN Turn
VERB Verbose
VRFY Verify
2. POP
NSE
pop3-brute.nse
pop3-capabilities.nse
pop3-ntlm-info.nse
commands
USER Your user name for this mail server
PASS Your password.
QUIT End your session.
STAT Number and total size of all messages
LIST Message# and size of message
RETR message# Retrieve selected message
DELE message# Delete selected message
NOOP No-op. Keeps your connection open.
RSET Reset the mailbox. Undelete deleted messages.
Brute force
hydra -l <USER> -P <PASSWORDS_LIST> -f <IP> pop3 -V
hydra -S -v -l <USER> -P <PASSWORDS_LIST> -s 995 -f <IP> pop3 -V
Read mail
telnet <IP> 110
USER <USER>
PASS <PASSWORD>
LIST
RETR <MAIL_NUMBER>
QUIT