# 25, 465, 587 - SMTP

## <mark style="color:red;">Banner Grabbing</mark> <a href="#banner-grabbing" id="banner-grabbing"></a>

### <mark style="color:blue;">**Telnet**</mark>

```sh
telnet 10.0.0.3 25
```

### <mark style="color:blue;">**Netcat**</mark>

```sh
nc -n 10.0.0.3 25
```

### <mark style="color:blue;">**Openssl (SMTPS)**</mark>

```sh
openssl s_client -starttls smtp -crlf -connect 10.0.0.3:587
```

<details>

<summary>Parameters</summary>

* `s_client`: SSL/TLS client program.
* `-starttls <protocol>`: send the protocol-specific message(s) to switch to TLS for communication (here: talk plain SMTP on 587, then upgrade with `STARTTLS`).
* `-crlf`: translate a line feed from the terminal into `CR+LF`, which SMTP requires as its line terminator.
* For implicit TLS (SMTPS on port 465) omit `-starttls smtp` and connect to `10.0.0.3:465` directly; the TLS handshake happens before any SMTP banner.

</details>

## <mark style="color:red;">Enumeration</mark> <a href="#enumeration" id="enumeration"></a>

[**smtp-commands**](https://nmap.org/nsedoc/scripts/smtp-commands.html) **NSE Script**

```sh
nmap -p 25,465,587 --script smtp-commands 10.0.0.3
```

[**smtp-enum-users**](https://nmap.org/nsedoc/scripts/smtp-enum-users.html) **NSE Script**

```sh
nmap -p 25,465,587 --script smtp-enum-users 10.0.0.3
```

## <mark style="color:red;">NTLM Information Disclosure</mark> <a href="#ntlm-information-disclosure" id="ntlm-information-disclosure"></a>

On Windows, with NTLM authentication enabled, sending an SMTP NTLM authentication request with null credentials causes the remote service to respond with an NTLMSSP CHALLENGE message that discloses, among other things, the NetBIOS name, the DNS name, and the OS build version.

**Manually**

```sh
telnet example.com 587
...
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
```

[**smtp-ntlm-info**](https://nmap.org/nsedoc/scripts/smtp-ntlm-info.html) **NSE Script**

```sh
nmap -p 587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com 10.0.0.3
```
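To see exactly what such a CHALLENGE message gives away, the following added parser (written for this page, not code from the original or from the nmap script) decodes the base64 Type 2 message from the manual session above: the fixed header, the Version field, and the TargetInfo AV pairs as defined in MS-NLMP. The AV pair ids and the NEGOTIATE_VERSION flag value are taken from that specification.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The Type 2 (CHALLENGE) message quoted in the manual telnet session above.
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAA"
    "AA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEA"
    "AwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"
)

# MS-NLMP AV_PAIR ids that may appear in TargetInfo (0 = MsvAvEOL terminator).
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree", 7: "timestamp"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def parse_type2(b64):
    """Return a dict of everything the CHALLENGE message discloses."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE (type 2) message")
    # Header layout: TargetName fields @12, NegotiateFlags @20, ServerChallenge @24,
    # Reserved @32, TargetInfo fields @40, Version @48, payload from @56.
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    info = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "flags": hex(flags)}
    if flags & NTLMSSP_NEGOTIATE_VERSION:     # Version field is only valid then
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                     # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:
            break
        if av_id == 7:                        # FILETIME: 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack_from("<Q", value)[0]
            info["timestamp"] = (datetime(1601, 1, 1, tzinfo=timezone.utc)
                                 + timedelta(microseconds=ticks // 10))
        else:
            info[AV_NAMES.get(av_id, f"av_{av_id}")] = value.decode("utf-16-le")
    return info


if __name__ == "__main__":
    for key, val in parse_type2(CHALLENGE_B64).items():
        print(f"{key:17} {val}")
```

Run against the quoted message it shows the host name, domain names, the server's clock and an OS version string, which is what the smtp-ntlm-info script reports and what a hardening review should check is not exposed to unauthenticated clients.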

## <mark style="color:red;">Commands</mark> <a href="#commands" id="commands"></a>

```txt
HELO        Identify to the SMTP server.
EHLO        Extended SMTP (ESMTP) form of HELO; the server lists its supported extensions.
MAIL FROM:  Sender's email address.
RCPT TO:    Recipient's email address.
DATA        Initiate message content transfer. The message is terminated by a line containing only a "."
RSET        Reset the session. The connection is not closed.
VRFY        Verify a username or mailbox.
NOOP        No-op. Keeps the connection open.
QUIT        End the session.
```

Note: a session starts with HELO (or EHLO) and ends with QUIT.

## <mark style="color:red;">Configuration files</mark> <a href="#configuration-files" id="configuration-files"></a>

Sendmail's main configuration and mail-submission configuration files (typically under `/etc/mail/`):

```txt
sendmail.cf
submit.cf
```

## <mark style="color:red;">Other</mark>

The following Python script opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username:

```python
#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(1)

# Create a TCP socket; the timeout keeps a silent server from hanging the script
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)

# Connect to the server
s.connect(('10.11.1.217', 25))

# Receive the banner (SMTP responses arrive as bytes)
banner = s.recv(1024)
print(banner.decode(errors='replace').strip())

# VRFY a user: 250 = mailbox exists, 252 = cannot verify, 550 = unknown
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace').strip())

# End the session and close the socket
s.send(b'QUIT\r\n')
s.close()
```
