search

SMTP Enumeration

hashtag
Overview

Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission. SMTP is an application layer protocol that enables the sending of email messages between servers and clients. During enumeration, SMTP servers can reveal valuable information about the system and valid user accounts.

Key Characteristics:

  • Port 25: Standard SMTP port

  • Port 587: SMTP submission port (often with STARTTLS)

  • Port 465: SMTP over SSL/TLS (deprecated but still used)

  • Protocol: Text-based, human-readable commands

  • Authentication: Optional, varies by configuration

SMTP Process Flow:

Client (MUA) β†’ Submission Agent (MSA) β†’ Open Relay (MTA) β†’ Mail Delivery Agent (MDA) β†’ Mailbox (POP3/IMAP)

hashtag
SMTP Commands and Responses

hashtag
Common SMTP Commands

# Basic SMTP commands
HELO/EHLO    # Identify client to server (EHLO for Extended SMTP)
MAIL FROM    # Specify sender
RCPT TO      # Specify recipient
DATA         # Begin message content
QUIT         # Close connection
VRFY         # Verify user exists
EXPN         # Expand mailing list
AUTH PLAIN   # Authentication (with ESMTP)
RSET         # Reset connection
NOOP         # No operation (prevent timeout)

hashtag
User Enumeration Commands

hashtag
Default Configuration

SMTP servers like Postfix can be configured in various ways. Understanding common configurations helps identify potential security issues.

hashtag
Example Postfix Configuration

hashtag
Dangerous Settings

hashtag
Open Relay Configuration

The most dangerous SMTP misconfiguration is an open relay, which allows anyone to send emails through the server:

Open Relay Impact:

  • Spam distribution

  • Reputation damage

  • Potential for email spoofing

  • Resource abuse

hashtag
Enumeration Techniques

hashtag
1. Banner Grabbing and Initial Connection

hashtag
2. SMTP Service Detection

hashtag
3. HELO vs EHLO Testing

hashtag
4. User Enumeration with VRFY

hashtag
5. User Enumeration with EXPN

hashtag
6. Email Sending Testing

hashtag
5. Automated User Enumeration

hashtag
Advanced Enumeration

hashtag
Using Nmap NSE Scripts

hashtag
Open Relay Testing

hashtag
Manual Testing Session

hashtag
Security Issues and Attack Vectors

hashtag
1. User Enumeration

  • Issue: VRFY and EXPN commands reveal valid users

  • Impact: Username harvesting for brute force attacks

  • Detection: Different responses for valid vs invalid users

  • Note: Some servers return 252 for all users to prevent enumeration

hashtag
2. Open Relay

  • Issue: Server allows relay of mail from any source

  • Impact: Spam distribution, reputation damage, email spoofing

  • Testing: Attempt to send mail through server to external addresses

  • Configuration: mynetworks = 0.0.0.0/0 creates open relay

hashtag
3. Information Disclosure

  • Issue: Verbose error messages and banners

  • Impact: System information, software versions

  • Examples: Server version, internal hostnames, configuration details

  • Mitigation: Use generic banners

hashtag
4. Authentication Bypass

  • Issue: Weak or missing authentication

  • Impact: Unauthorized mail sending

  • Testing: Attempt unauthenticated mail sending

hashtag
5. Email Spoofing

  • Issue: Lack of SPF/DKIM/DMARC validation

  • Impact: Phishing attacks, reputation damage

  • Testing: Send emails with forged sender addresses

hashtag
Practical Examples

hashtag
HTB Academy Style Enumeration

hashtag
HTB Academy Lab Questions Examples

hashtag
Wordlist-based User Enumeration

hashtag
Enumeration Checklist

hashtag
Initial Discovery

hashtag
User Enumeration

hashtag
Security Testing

hashtag
Tools and Techniques

hashtag
Essential SMTP Tools

hashtag
Custom Scripts

hashtag
Defensive Measures

hashtag
Secure SMTP Configuration

hashtag
Best Practices

  1. Disable VRFY/EXPN: Prevent user enumeration

  2. Custom banners: Hide version information

  3. Rate limiting: Prevent brute force attacks

  4. Authentication: Require authentication for mail sending

  5. Monitoring: Log and monitor SMTP activities

hashtag
Detection and Monitoring

hashtag
Common Vulnerabilities

hashtag
CVE Examples

  • CVE-2020-7247: OpenSMTPD remote code execution

  • CVE-2016-10009: Postfix denial of service

  • CVE-2014-3956: Exim privilege escalation

hashtag
Mitigation Strategies

  1. Keep updated: Regular security patches

  2. Minimal configuration: Disable unnecessary features

  3. Access controls: Restrict SMTP access

  4. Encryption: Use TLS for mail transmission

PreviousNFS EnumerationNextEmail Services (IMAP/POP3)

Last updated