25, 465, 587 - SMTP
Banner Grabbing
Telnet
telnet 10.0.0.3 25
Netcat
nc -n 10.0.0.3 25
OpenSSL (SMTPS)
openssl s_client -starttls smtp -crlf -connect 10.0.0.3:587
Enumeration
smtp-commands NSE Script
nmap -p 25,465,587 --script smtp-commands 10.0.0.3
smtp-enum-users NSE Script
nmap -p 25,465,587 --script smtp-enum-users 10.0.0.3
NTLM Information Disclosure
On Windows, with NTLM authentication enabled, sending an SMTP NTLM authentication request with null credentials causes the remote service to respond with an NTLMSSP message that discloses information including the NetBIOS, DNS, and OS build version.
Manually
telnet example.com 587
...
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
>>TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
smtp-ntlm-info NSE Script
nmap -p 587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com 10.0.0.3
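To see exactly which fields the 334 challenge in the manual session above gives away, the following sketch decodes it offline. It is an added example, not part of the original page or of the nmap script; the function and field names are illustrative, and it assumes the challenge carries Unicode (UTF-16LE) strings, as this one does.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The server's 334 reply from the manual session above (an NTLMSSP CHALLENGE message).
CHALLENGE_B64 = "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"

# AV_PAIR ids found in the TargetInfo block of a CHALLENGE message.
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_VERSION = 0x02000000  # flag: the 8-byte Version field is populated
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_ntlm_challenge(b64):
    """Return the host details disclosed by a base64 NTLMSSP type 2 message."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE (type 2) message")
    # TargetName fields (len, maxlen, offset), then the negotiate flags.
    name_len, _, name_off, flags = struct.unpack_from("<HHII", msg, 12)
    # TargetInfo fields follow the 8-byte challenge and 8 reserved bytes.
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    if name_off + name_len > len(msg) or info_off + info_len > len(msg):
        raise ValueError("field points outside the message")
    # Assumption: strings are UTF-16LE (NEGOTIATE_UNICODE set).
    out = {"target_name": msg[name_off:name_off + name_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["os_version"] = f"{major}.{minor}.{build}"
    info, pos = msg[info_off:info_off + info_len], 0
    while pos + 4 <= len(info):
        av_id, av_len = struct.unpack_from("<HH", info, pos)
        value = info[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:
            out[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 7 and av_len == 8:  # FILETIME: 100 ns ticks since 1601
            (ticks,) = struct.unpack("<Q", value)
            out["server_time"] = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return out


if __name__ == "__main__":
    for field, value in parse_ntlm_challenge(CHALLENGE_B64).items():
        print(f"{field:18} {value}")
```

For the challenge above this reports IIS01 for the target, NetBIOS and DNS names and an OS version of 6.3.9600, which is the information the paragraph describes as disclosed before any credentials are supplied.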
Commands
HELO Identify to the SMTP server.
EHLO Alternative HELO for Extended SMTP protocol.
MAIL FROM: Sender's email address.
RCPT TO: Recipient's email address.
DATA Initiate message content transfer. The message is terminated with a line containing only a period (.).
RSET Reset the session. Connection will not be closed.
VRFY Verify username or mailbox.
NOOP No-op. Keeps connection open.
QUIT Ends session.
Note: Sessions must start with HELO and end with QUIT.
Configuration files
sendmail.cf
submit.cf
Other
The following Python script opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username:
#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the server
s.connect(('10.11.1.217', 25))
# Receive the banner
banner = s.recv(1024)
print(banner.decode(errors='replace'))
# VRFY a user (sockets carry bytes, so encode the command)
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'))
# Close the socket
s.close()