SMTP

Port 25 (server-to-server transfer), 587 (message submission, authenticated, STARTTLS), 465 (SMTPS, implicit TLS)


General Information of Simple Mail Transfer Protocol

Overview:

  • Protocol for sending emails over IP networks.
  • Used between email client ↔ outgoing mail server or between SMTP servers.
  • Often paired with IMAP/POP3 for fetching emails.
  • Client-server based; servers can act as clients when communicating with other servers.

Dangerous Settings

To keep their emails from being caught by spam filters, senders can route them through a relay server that the recipient trusts, i.e. an SMTP server that other mail servers know and accept mail from. As a rule, the sender has to authenticate to the relay server before being allowed to use it.

Often administrators have no overview of which IP ranges actually need to relay through the server. The result is a misconfiguration we still find regularly in external and internal penetration tests: the server is simply allowed to relay for ALL IP addresses.

Open Relay Configuration

mynetworks = 0.0.0.0/0

With this setting Postfix treats every client on the Internet as part of its trusted network and relays mail for it without any authentication. An attacker can then send spoofed emails through the server, starting conversations with employees or third parties while appearing as an internal sender, and such messages pass spam filtering more easily because they arrive from a host the recipients trust. The fix is to limit mynetworks to the ranges that really need to relay, as the sample main.cf below does with 127.0.0.0/8 and 10.129.0.0/16, and to require authentication (port 587) from everyone else.

Security Components:

  • MUA (Mail User Agent): Email client (e.g., Thunderbird).
  • MSA (Mail Submission Agent)/Relay Server: Validates origin, prevents unauthorized relaying.
  • MTA (Mail Transfer Agent): Sends/receives emails, checks size/spam.
  • MDA (Mail Delivery Agent): Delivers email to recipient's mailbox.
Mail flow: Client (MUA) → Submission Agent (MSA) → Relay (MTA) → Mail Delivery Agent (MDA) → Mailbox (POP3/IMAP)
But SMTP has two disadvantages inherent to the network protocol.
  1. Sending an email using SMTP does not return a usable delivery confirmation.

  2. Users are not authenticated when a connection is established, so the sender address of an email cannot be trusted. As a result, open SMTP relays are often misused to send spam en masse, with arbitrary fake sender addresses so that the originators cannot be traced (mail spoofing). Several security techniques help prevent the misuse of SMTP servers, for example by rejecting suspicious emails or moving them to quarantine (the spam folder). Responsible for this are the Sender Policy Framework (SPF), which publishes the hosts allowed to send mail for a domain, and DomainKeys Identified Mail (DKIM), which signs outgoing messages so that forged mail can be detected.

SMTP Configurations

> cat /etc/postfix/main.cf | grep -v "#" | sed -r "/^\s*$/d"

smtpd_banner = ESMTP Server 
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail1.inlanefreight.htb
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtp_generic_maps = hash:/etc/postfix/generic
mydestination = $myhostname, localhost 
masquerade_domains = $myhostname
mynetworks = 127.0.0.0/8 10.129.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
smtp_bind_address = 0.0.0.0
inet_protocols = ipv4
smtpd_helo_restrictions = reject_invalid_hostname
home_mailbox = /home/postfix

SMTP Commands

Command      Description
AUTH PLAIN   AUTH is a service extension used to authenticate the client.
HELO         The client logs in with its computer name and thus starts the session.
EHLO         Like HELO, but additionally asks the server to list the ESMTP extensions it supports.
MAIL FROM    The client names the email sender (the envelope sender).
RCPT TO      The client names the email recipient.
DATA         The client initiates the transmission of the email.
RSET         The client aborts the initiated transmission but keeps the connection between client and server.
VRFY         The client checks whether a mailbox is available for message transfer.
EXPN         The client asks the server to expand a mailing list and return its members.
NOOP         The client requests a response from the server to prevent disconnection due to time-out.
QUIT         The client terminates the session.

Interacting with SMTP via Telnet

Interacting via Telnet:

  • Connect: telnet <IP> 25
  • Session:
    • HELO <hostname> or EHLO <hostname>
    • MAIL FROM:<sender>
    • RCPT TO:<recipient>
    • DATA, then the headers and body, ending with a line containing only . to send
    • QUIT to end
> telnet 10.129.14.128 25

Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server 


HELO mail1.inlanefreight.htb

250 mail1.inlanefreight.htb


EHLO mail1

250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
  • VRFY Command:
    • Attempts to verify that a mailbox exists: 250 confirms it, 550 denies it.
    • Many servers answer 252 ("cannot verify, will attempt delivery") to every name, as below, where even a nonsense name gets 252, so the output carries no information and is unreliable for enumeration.
> telnet 10.129.14.128 25

Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server 

VRFY root

252 2.0.0 root


VRFY cry0l1t3

252 2.0.0 cry0l1t3


VRFY testuser

252 2.0.0 testuser


VRFY aaaaaaaaaaaaaaaaaaaaaaaaaaaa

252 2.0.0 aaaaaaaaaaaaaaaaaaaaaaaaaaaa
  • Sending an Email
> telnet 10.129.14.128 25

Trying 10.129.14.128...
Connected to 10.129.14.128.
Escape character is '^]'.
220 ESMTP Server


EHLO inlanefreight.htb

250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING


MAIL FROM: <cry0l1t3@inlanefreight.htb>

250 2.1.0 Ok


RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure

250 2.1.5 Ok


DATA

354 End data with <CR><LF>.<CR><LF>

From: <cry0l1t3@inlanefreight.htb>
To: <mrb3n@inlanefreight.htb>
Subject: DB
Date: Tue, 28 Sept 2021 16:32:51 +0200
Hey man, I am trying to access our XY-DB but the creds don't work. 
Did you make any changes there?
.

250 2.0.0 Ok: queued as 6E1CF1681AB


QUIT

221 2.0.0 Bye
Connection closed by foreign host.

Nmap for SMTP

Nmap Usage:

  • Basic Scan: nmap -sC -sV -p25 <IP>
    • Detects SMTP server, lists supported commands.
  • Open Relay Check: nmap -p25 --script smtp-open-relay -v <IP>
    • Tries 16 combinations of sender and recipient addresses to identify an open relay.
    • Example Output: Server is an open relay (16/16 tests)
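An added example, not part of the original notes or of any HTB material, that scripts the checks described in the telnet, VRFY and nmap sections above in Python: it reads multi-line EHLO replies, classifies VRFY reply codes (so a blanket 252 is reported as "unverified" rather than as a hit), and probes for an open relay with an outside sender and an outside recipient, stopping at RCPT TO so nothing is queued on the target. The target address, client name, candidate usernames and probe addresses are assumptions; the ScriptedServer and its reply tables are constructed from the transcripts on this page so that the code also runs offline.

```python
"""SMTP recon in raw protocol: VRFY enumeration plus an open-relay probe.
Added example for this page, not code from the original material; values marked
'assumed' are illustrative."""
import socket

TARGET_HOST, TARGET_PORT = "10.129.14.128", 25   # assumed: the page's lab host
CLIENT_NAME = "probe.local"                       # name presented in EHLO (assumed)
USER_CANDIDATES = ["root", "cry0l1t3", "testuser", "nosuchuser"]   # assumed wordlist
RELAY_SENDER = "probe@external-sender.example"        # neither address belongs to
RELAY_RECIPIENT = "probe@external-recipient.example"  # the target: a true relay test
# What a VRFY reply code really says; 252 ("cannot verify, will try delivery") says nothing.
VRFY_MEANING = {250: "exists", 251: "exists", 252: "unverified",
                550: "absent", 551: "absent", 553: "absent"}

class SmtpDialog:
    """Line-oriented SMTP client over a binary reader and an unbuffered binary writer."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile

    def read_reply(self):
        """Read one reply: '250-' lines continue it, '250 ' (or a bare code) ends it."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line[4:])
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), lines

    def cmd(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))
        return self.read_reply()

def enumerate_users(dialog, users):
    return {u: VRFY_MEANING.get(dialog.cmd("VRFY " + u)[0], "unknown") for u in users}

def probe_open_relay(dialog, sender=RELAY_SENDER, recipient=RELAY_RECIPIENT):
    """True if an outside sender is accepted for an outside recipient.  Stops at
    RCPT TO and issues RSET, so DATA is never reached and nothing is queued."""
    code, _ = dialog.cmd("MAIL FROM:<%s>" % sender)
    if code == 250:
        code, _ = dialog.cmd("RCPT TO:<%s>" % recipient)
    dialog.cmd("RSET")
    return code in (250, 251)

def assess(dialog):
    """Banner, EHLO (HELO fallback), user enumeration, relay probe, QUIT."""
    _, banner = dialog.read_reply()
    code, ext = dialog.cmd("EHLO " + CLIENT_NAME)
    if code != 250:
        code, ext = dialog.cmd("HELO " + CLIENT_NAME)
    report = {"banner": banner[0],
              "extensions": ext[1:],   # first EHLO line is the server's own name
              "users": enumerate_users(dialog, USER_CANDIDATES),
              "open_relay": probe_open_relay(dialog)}
    dialog.cmd("QUIT")
    return report

def assess_live(host=TARGET_HOST, port=TARGET_PORT):
    with socket.create_connection((host, port), timeout=10) as sock:
        return assess(SmtpDialog(sock.makefile("rb"), sock.makefile("wb", buffering=0)))

class ScriptedServer:
    """Constructed stand-in for a live server so the example runs offline: acts as
    both file objects, answering each written command from (prefix, reply) pairs."""

    def __init__(self, banner, replies):
        self.pending, self.replies = [banner], replies

    def write(self, data):
        cmd = data.decode().strip().upper()
        reply = next((r for p, r in self.replies if cmd.startswith(p)), None)
        self.pending.append(reply or b"500 5.5.2 Error: command not recognized\r\n")

    def readline(self):
        if not self.pending:
            return b""
        nl = self.pending[0].index(b"\n") + 1
        line, self.pending[0] = self.pending[0][:nl], self.pending[0][nl:]
        if not self.pending[0]:
            self.pending.pop(0)
        return line

# Constructed reply tables modelled on the page's Postfix transcripts.
EHLO_REPLY = (b"250-mail1.inlanefreight.htb\r\n250-PIPELINING\r\n"
              b"250-SIZE 10240000\r\n250 CHUNKING\r\n")
COMMON = [("EHLO", EHLO_REPLY), ("VRFY", b"252 2.0.0 user\r\n"),
          ("MAIL FROM", b"250 2.1.0 Ok\r\n"), ("RSET", b"250 2.0.0 Ok\r\n"),
          ("QUIT", b"221 2.0.0 Bye\r\n")]
RCPT_OPEN_RELAY = b"250 2.1.5 Ok\r\n"                   # mynetworks = 0.0.0.0/0
RCPT_DENIED = b"554 5.7.1 Relay access denied\r\n"     # mynetworks restricted

def assess_scripted(rcpt_reply):
    srv = ScriptedServer(b"220 ESMTP Server\r\n", COMMON + [("RCPT TO", rcpt_reply)])
    return assess(SmtpDialog(srv, srv))
```

assess_live() runs the same assess() against a real host; assess_scripted(RCPT_OPEN_RELAY) and assess_scripted(RCPT_DENIED) replay the two relaying outcomes so the classification logic can be checked without a target. The relay probe deliberately uses addresses that are foreign to the server on both sides, because a server accepting mail for its own domains is not an open relay.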