My OSCP Journey: Tips, Tricks, and Cheat Sheets

25, 465, 587 - SMTP


Last updated 2 years ago


Banner Grabbing

Telnet

telnet 10.0.0.3 25

Netcat

nc -n 10.0.0.3 25

Openssl (STARTTLS on 587, implicit TLS on 465)

openssl s_client -starttls smtp -crlf -connect 10.0.0.3:587
Parameters
  • s_client: SSL/TLS client program.

  • -starttls <protocol>: connect in plaintext, then send the protocol-specific STARTTLS command to upgrade the session to TLS. This is what ports 25 and 587 expect; port 465 (SMTPS) speaks TLS from the first byte, so there you drop -starttls smtp and connect to 10.0.0.3:465 directly.

  • -crlf: translate a line feed from the terminal into CR+LF, which SMTP requires as its line terminator.

Enumeration

NSE Script

nmap -p 25,465,587 --script smtp-commands 10.0.0.3

NSE Script

nmap -p 25,465,587 --script smtp-enum-users 10.0.0.3

smtp-commands lists the extensions advertised in the EHLO reply (AUTH mechanisms, STARTTLS, SIZE). smtp-enum-users probes names with VRFY, EXPN and RCPT TO; if the server answers VRFY with 252 it refuses to confirm names and only the RCPT TO method is informative.

NTLM Information Disclosure

On Windows SMTP services that advertise NTLM authentication (Exchange, IIS SMTP), sending AUTH NTLM followed by an NTLMSSP NEGOTIATE message makes the server answer with an NTLMSSP CHALLENGE message before any credentials are supplied. That challenge carries the NetBIOS and DNS names of the host and domain plus the OS build version, so the information is available unauthenticated.

Manually

telnet example.com 587
...
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

The client line after "334 NTLM supported" is a base64 NEGOTIATE (Type 1) message with no user or domain; the server's 334 reply is the base64 CHALLENGE (Type 2) message that contains the disclosed names.

NSE Script

nmap -p 587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com 10.0.0.3
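The following parser is an added example, not code from the original page or from nmap: it decodes an NTLMSSP CHALLENGE (Type 2) message by hand, following the MS-NLMP layout (TargetName field at offset 12, flags at 20, server challenge at 24, TargetInfo field at 40, Version block at 48, and a TargetInfo list of AvId/AvLen/Value pairs). The embedded blob is the server's 334 reply from the telnet session above; decoding it yields the host name IIS01 for every name field and Windows 6.3 build 9600, which is the kind of information the nmap script reports. The AV_PAIR names and flag constants are from the NTLM specification; everything else is this example's own code.

```python
#!/usr/bin/env python3
"""Parse the NTLMSSP CHALLENGE (Type 2) message an SMTP server returns to AUTH NTLM."""
import base64
import struct
from datetime import datetime, timedelta, timezone

# AvId values from MS-NLMP section 2.2.2.1 (AV_PAIR)
AV_IDS = {
    1: "NetBIOS computer name",
    2: "NetBIOS domain name",
    3: "DNS computer name",
    4: "DNS domain name",
    5: "DNS tree name",
    7: "Timestamp",
}
NEGOTIATE_TARGET_INFO = 0x00800000   # TargetInfo field is populated
NEGOTIATE_VERSION = 0x02000000       # Version block is populated

# The server's 334 reply from the telnet session on this page (not a constructed value)
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9J"
    "AEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkA"
    "SQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"
)


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_type2(b64):
    """Return the fields of a CHALLENGE message as a dict; raises on anything else."""
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE (Type 2) message")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", data, 12)
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {
        "target_name": data[tn_off:tn_off + tn_len].decode("utf-16-le"),
        "flags": flags,
        "server_challenge": data[24:32].hex(),   # 8-byte nonce the client would sign
    }
    if flags & NEGOTIATE_TARGET_INFO:
        ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", data, 40)
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", data, pos)
            pos += 4
            if av_id == 0:                        # MsvAvEOL terminates the list
                break
            value = data[pos:pos + av_len]
            pos += av_len
            name = AV_IDS.get(av_id, f"AvId {av_id}")
            if av_id == 7:                        # MsvAvTimestamp is a FILETIME
                info[name] = filetime_to_utc(struct.unpack("<Q", value)[0]).isoformat()
            else:
                info[name] = value.decode("utf-16-le")
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        info["os_version"] = f"{major}.{minor} build {build}"
    return info


if __name__ == "__main__":
    import sys
    # Paste the base64 payload of any 334 reply as the first argument
    blob = sys.argv[1] if len(sys.argv) > 1 else CHALLENGE_B64
    for key, value in parse_type2(blob).items():
        print(f"{key:24} {value}")
```

Run it with no arguments to decode the page's capture, or pass the base64 payload of a 334 reply you obtained yourself. The checks on the signature and message type matter in practice: a server that does not support NTLM will answer AUTH NTLM with a 5xx instead of a 334 payload, and feeding that text to the parser should fail loudly rather than return garbage.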

Commands

HELO        Identify to the SMTP server (plain SMTP).
EHLO        Extended SMTP greeting; the multi-line 250 reply lists the supported extensions (AUTH mechanisms, STARTTLS, SIZE, ...).
MAIL FROM:  Sender's email address; opens a mail transaction.
RCPT TO:    Recipient's email address; a 250 versus 550 reply often reveals whether the mailbox exists.
DATA        Initiate message content transfer. The body is terminated by a line containing only a single period.
RSET        Reset the session (abort the current transaction). The connection is not closed.
VRFY        Verify that a username or mailbox exists. Frequently disabled; a 252 reply means the server will not confirm names.
EXPN        Expand a mailing list into its members; usually disabled for the same reason.
AUTH        Start authentication with the named mechanism (AUTH LOGIN, AUTH PLAIN, AUTH NTLM).
NOOP        No-op. Keeps the connection open.
QUIT        Ends the session.

Note: A session starts with HELO or EHLO and ends with QUIT.
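An added example (not code from the original page) that walks the command sequence above against a live server: it reads the 220 banner, sends EHLO and follows the multi-line 250 reply, probes each name with VRFY, and when the server answers 252 or rejects the command falls back to MAIL FROM / RCPT TO / RSET, which is the same fallback nmap's smtp-enum-users relies on. The reply-code mapping follows RFC 5321. To run offline it includes a constructed, scripted stand-in for a server (mail.example.com, users root and www-data, VRFY disabled with 252) connected over a socketpair; that server, its user list and the probe@example.com sender address are this example's assumptions, not anything observed on a real host.

```python
#!/usr/bin/env python3
"""SMTP user enumeration: VRFY first, RCPT TO fallback, with reply-code interpretation."""
import socket
import threading


def interpret(code):
    """Map an SMTP reply code from VRFY/EXPN/RCPT TO to an enumeration verdict."""
    if code in (250, 251):            # 250 ok / 251 user not local, will forward
        return "exists"
    if code == 252:                   # cannot VRFY user, but will accept the message
        return "unknown"
    if code in (550, 551, 553):       # mailbox unavailable / not local / name not allowed
        return "absent"
    if code in (500, 501, 502):       # syntax error / command not implemented (disabled)
        return "disabled"
    return "unknown"


def read_reply(f):
    """Read one reply, following '250-...' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # '250 ' (space) is the last line
            return int(line[:3]), lines


def command(sock, f, cmd):
    """Send one command terminated with CR+LF and return the server's reply."""
    sock.sendall((cmd + "\r\n").encode())
    return read_reply(f)


def enumerate_users(sock, users, domain="example.com"):
    """Probe each user with VRFY; when the server will not verify, fall back to RCPT TO."""
    f = sock.makefile("rb")
    read_reply(f)                                   # 220 banner
    command(sock, f, "EHLO probe.local")            # multi-line 250 reply lists extensions
    results = {}
    for user in users:
        code, _ = command(sock, f, f"VRFY {user}")
        verdict = interpret(code)
        if verdict in ("unknown", "disabled"):
            # RCPT TO is only valid inside a transaction: open one, probe, then RSET it
            command(sock, f, f"MAIL FROM:<probe@{domain}>")
            code, _ = command(sock, f, f"RCPT TO:<{user}@{domain}>")
            verdict = interpret(code)
            command(sock, f, "RSET")
        results[user] = verdict
    command(sock, f, "QUIT")
    return results


# --- constructed offline stand-in for a target; not a real host ---
FAKE_USERS = {"root", "www-data"}


def fake_server(sock):
    """Scripted responder that disables VRFY (252) but still leaks users via RCPT TO."""
    f = sock.makefile("rb")
    sock.sendall(b"220 mail.example.com ESMTP\r\n")
    while True:
        raw = f.readline()
        if not raw:
            break
        cmd = raw.decode().rstrip("\r\n")
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            sock.sendall(b"250-mail.example.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n")
        elif verb == "VRFY":
            sock.sendall(b"252 2.0.0 Cannot VRFY user, but will accept message\r\n")
        elif verb in ("MAIL", "RSET"):
            sock.sendall(b"250 2.1.0 Ok\r\n")
        elif verb == "RCPT":
            user = cmd.split("<", 1)[1].split("@", 1)[0]
            sock.sendall(b"250 2.1.5 Ok\r\n" if user in FAKE_USERS else b"550 5.1.1 User unknown\r\n")
        elif verb == "QUIT":
            sock.sendall(b"221 2.0.0 Bye\r\n")
            break
    sock.close()


def demo():
    """Run the enumerator against the in-process fake server and return its verdicts."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server,), daemon=True)
    t.start()
    try:
        return enumerate_users(client, ["root", "alice", "www-data"])
    finally:
        client.close()
        t.join(timeout=2)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:          # real use: enum.py <host> <user> [user ...]
        with socket.create_connection((sys.argv[1], 25), timeout=10) as s:
            print(enumerate_users(s, sys.argv[2:]))
    else:
        print(demo())
```

Against the fake server the run reports root and www-data as existing and alice as absent, even though VRFY itself gave nothing away. On a real target keep the probe list short and watch the reply codes: a server that answers every RCPT TO with 250 (catch-all) makes the method useless, and repeated RCPT probes are easy to spot in mail logs.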

Configuration files

sendmail.cf   (Sendmail daemon configuration)
submit.cf     (Sendmail mail submission program configuration)

Other

The following Python script opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username:

#!/usr/bin/env python3
import socket
import sys

# Usage: vrfy.py <username> [host]  (host defaults to the lab target used on this page)
if len(sys.argv) not in (2, 3):
    print("Usage: vrfy.py <username> [host]")
    sys.exit(1)

username = sys.argv[1]
host = sys.argv[2] if len(sys.argv) == 3 else '10.11.1.217'

# Create a socket and connect to the SMTP server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
s.connect((host, 25))

# Receive the banner (220 ...)
banner = s.recv(1024)
print(banner.decode(errors='replace'), end='')

# VRFY a user: 250 means the name is known, 550 that it is not, 252 that the server will not say
s.sendall(('VRFY ' + username + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'), end='')

# Close the socket
s.close()

NSE Scripts

smtp-commands
smtp-enum-users
smtp-ntlm-info