Port 110-25-143 (pop3/smtp)

Simple mail transfer protocol (smtp)

SMTP, POP3(s) and IMAP(s) are good for enumerating users.

Also: CHECK VERSIONS and searchsploit

1. SMTP

smtp soporta comandos como VRFY y EXPN vrfy request ask the server to verify an email addres. EXPN ask the server fot the membership of a mailing list.

nv -nv 192.168.11.215 25
VRFY root

smtp-user-enum

smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1

sending an email

HELO my.server.com
MAIL FROM: <me@mydomain.com>
RCPT TO: <you@yourdomain.com>
DATA
From: Danny Dolittle
To: Sarah Smith
Subject: Email sample
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

This is a test email for you to read.
.
QUIT

Open relay

use auxiliary/scanner/smtp/smtp_relay
services -p 25 -u -R

or nmap

nmap -iL email_servers -v --script=smtp-open-relay -p 25

NSE

smtp-brute.nse
smtp-commands.nse
smtp-enum-users.nse
smtp-ntlm-info.nse
smtp-open-relay.nse
smtp-strangeport.nse
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse

commands

ATRN   Authenticated TURN
AUTH   Authentication
BDAT   Binary data
BURL   Remote content
DATA   The actual email message to be sent. This command is terminated with a line that contains only a .
EHLO   Extended HELO
ETRN   Extended turn
EXPN   Expand
HELO   Identify yourself to the SMTP server.
HELP   Show available commands
MAIL   Send mail from email account
MAIL FROM: me@mydomain.com
NOOP   No-op. Keeps you connection open.
ONEX   One message transaction only
QUIT   End session
RCPT   Send email to recipient
RCPT TO: you@yourdomain.com
RSET   Reset
SAML   Send and mail
SEND   Send
SOML   Send or mail
STARTTLS
SUBMITTER      SMTP responsible submitter
TURN   Turn
VERB   Verbose
VRFY   Verify

2 POP

nse

pop3-brute.nse
pop3-capabilities.nse
pop3-ntlm-info.nse

comands

USER   Your user name for this mail server
PASS   Your password.
QUIT   End your session.
STAT   Number and total size of all messages
LIST   Message# and size of message
RETR message#  Retrieve selected message
DELE message#  Delete selected message
NOOP   No-op. Keeps you connection open.
RSET   Reset the mailbox. Undelete deleted messages.

Brute force

hydra -l <USER> -P <PASSWORDS_LIST> -f <IP> pop3 -V
hydra -S -v -l <USER> -P <PASSWORDS_LIST> -s 995 -f <IP> pop3 -V

Read mail

telnet <IP> 110

USER <USER>
PASS <PASSWORD>
LIST
RETR <MAIL_NUMBER>
QUIT

PreviousPort 88 (KERBEROS )NextPort 161-169 (SNMP)

Last updated 10 months ago

smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1 smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1 smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1

HELO my.server.com MAIL FROM: <me@mydomain.com> RCPT TO: <you@yourdomain.com> DATA From: Danny Dolittle To: Sarah Smith Subject: Email sample Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii This is a test email for you to read. . QUIT

ATRN Authenticated TURN AUTH Authentication BDAT Binary data BURL Remote content DATA The actual email message to be sent. This command is terminated with a line that contains only a . EHLO Extended HELO ETRN Extended turn EXPN Expand HELO Identify yourself to the SMTP server. HELP Show available commands MAIL Send mail from email account MAIL FROM: me@mydomain.com NOOP No-op. Keeps you connection open. ONEX One message transaction only QUIT End session RCPT Send email to recipient RCPT TO: you@yourdomain.com RSET Reset SAML Send and mail SEND Send SOML Send or mail STARTTLS SUBMITTER SMTP responsible submitter TURN Turn VERB Verbose VRFY Verify

USER Your user name for this mail server PASS Your password. QUIT End your session. STAT Number and total size of all messages LIST Message# and size of message RETR message# Retrieve selected message DELE message# Delete selected message NOOP No-op. Keeps you connection open. RSET Reset the mailbox. Undelete deleted messages.