CyberWolf-Security

25 - SMTP

The Simple Mail Transfer Protocol is a communication protocol for electronic mail transmission.

SMTP User Enumeration Utility

Allows the enumeration of users through two SMTP commands: VRFY (confirms the names of valid users) and EXPN (reveals the actual addresses behind user aliases and mailing lists). A server that implements these commands can reveal a list of valid users. The default user file contains only Unix usernames, so the module skips Microsoft-based SMTP servers. This can be changed with the UNIXONLY option, and a custom user list can also be provided.

Metasploit:

use auxiliary/scanner/smtp/smtp_enum

Manual Enumeration

You can guess valid user accounts with the following commands. A 550 response code means the user account is unknown.

Telnet into the host:

telnet 192.168.0.1 25

Using vrfy:

vrfy raj@mail.lab.ignite

Using rcpt:

RCPT TO:root 

If you receive response code 250, 251 or 252, the server has accepted the request and the user account is valid.

smtp-user-enum (builtin in Kali)

If it is not installed, run:

apt install smtp-user-enum

Simple run:

smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1

Adding domain (will add the domain after the user):

root@kali# smtp-user-enum -U users.txt -D humongousretail.com -t 10.13.38.12 -m 50 -M RCPT
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 50
Usernames file ........... /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt
Target count ............. 1
Username count ........... 21168
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ humongousretail.com

######## Scan started at Sat May 11 10:59:18 2019 #########
10.13.38.12: it@humongousretail.com exists
10.13.38.12: legal@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
10.13.38.12: sales@humongousretail.com exists
######## Scan completed at Sat May 11 11:06:51 2019 #########
4 results.

21168 queries in 453 seconds (46.7 queries / sec)
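
From the defending side, an RCPT scan like the one above leaves a burst of 550 rejects from a single client in the mail log. The following is an added example (not part of the original page or of smtp-user-enum) that flags clients hitting many distinct unknown recipients in a short window; the log lines are constructed and modelled on Postfix smtpd reject lines, and the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix-style reject line (assumed format):
#   "<ts> host postfix/smtpd[pid]: NOQUEUE: reject: RCPT from name[ip]: 550 5.1.1 <rcpt>: ..."
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*reject: RCPT from "
    r"\S*\[(?P<ip>[^\]]+)\]: 550 \S+ <(?P<rcpt>[^>]*)>"
)

def find_enumeration(lines, threshold=5, window=timedelta(seconds=10), year=2019):
    """Return {client_ip: peak count of distinct 550-rejected recipients} for
    clients that reach `threshold` distinct unknown recipients within `window`."""
    recent = defaultdict(deque)           # ip -> deque of (timestamp, recipient)
    flagged = {}
    for line in lines:
        m = REJECT.match(line)
        if not m:
            continue                      # accepted mail and unrelated log lines
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while ts - q[0][0] > window:      # drop rejects older than the window
            q.popleft()
        distinct = {rcpt for _, rcpt in q}
        if len(distinct) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(distinct))
    return flagged

def _reject(sec, ip, user):
    """Build one constructed reject line (sample data, not real logs)."""
    return (f"May 11 10:59:{sec:02d} mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT "
            f"from unknown[{ip}]: 550 5.1.1 <{user}@example.test>: Recipient address "
            f"rejected: User unknown in local recipient table; proto=SMTP")

# Constructed sample: one client guessing names, one sender with a single typo.
SAMPLE = [_reject(18 + i // 3, "192.0.2.50", user) for i, user in
          enumerate(["admin", "backup", "dev", "hr", "info", "root", "test"])]
SAMPLE += [_reject(20, "198.51.100.7", "jon"),
           "May 11 10:59:21 mail postfix/smtpd[2211]: connect from unknown[198.51.100.7]"]

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE).items():
        print(f"possible SMTP user enumeration from {ip}: {count} unknown recipients")
```

Counting distinct recipients rather than raw rejects keeps a sender who retries one mistyped address from being flagged.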

Nmap

nmap --script smtp-enum-users.nse 172.16.212.133

Send Email

Swaks

Kali has a built-in Perl script that can be used to send emails: Swaks, the Swiss Army Knife for SMTP.

Example:

swaks --to sales@FAKEDOMAIN.com --from it@FAKEDOMAIN.com --header "Subject: Credentials / Errors" --body "test http://10.14.15.41/" --server FAKEDOMAIN.com

Last updated 2 years ago

Credit:

https://0xdf.gitlab.io/2020/06/17/endgame-xen.html