Post 31 - SMTP

05 Jan 2023

Understanding SMTP

Email requires a protocol pair: SMTP for sending and POP/IMAP for retrieval. An SMTP server performs three basic functions; end to end the process looks like this:

Process

  1. The mail user agent (client program) connects to the SMTP server and is validated; the SMTP session starts.
  2. The client submits the sender and recipient addresses, the body, and any attachments to the server.
  3. The SMTP server checks whether the recipient's domain name is the same as the sender's.
  4. The SMTP server connects to the recipient's SMTP server. If that server can't be reached, the email is queued.
  5. The recipient's SMTP server verifies the incoming email, checks whether the domain and user name are recognized, then passes the email on to the POP or IMAP server.
  6. The email is shown in the recipient's inbox.

Deeper breakdowns into the sub-protocols and so on: https://computer.howstuffworks.com/e-mail-messaging/email3.htm
https://www.afternerd.com/blog/smtp/

SMTP server software is available for both Windows Server and Linux.

Enumerating SMTP

Poorly configured or vulnerable mail servers can provide an initial foothold into a network, but you need to fingerprint the server first for precise targeting. This task uses the "smtp_version" module of Metasploit, which scans an IP address range and determines the version of any mail servers it encounters.

The SMTP service has internal commands (VRFY, EXPN and RCPT TO) that help enumerate users.

Alternatives

Non-Metasploit tools include "smtp-user-enum", which works better for enumerating OS-level accounts on Solaris via SMTP. It works by inspecting the responses to the VRFY, EXPN, and RCPT TO commands, and could be adapted to other vulnerable SMTP daemons. (An alternative worth keeping in mind if trying to distance yourself from Metasploit, e.g. in preparation for the OSCP.)
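To make the session under "Understanding SMTP" and the VRFY/EXPN/RCPT TO behaviour just described concrete, here is an added example (not code from the original post, and not from Metasploit or smtp-user-enum): a small in-memory model of a receiving SMTP server driven by a scripted client. The domain, mailbox names and addresses are constructed, and the `SmtpSession`, `run_session` and `allow_vrfy` names are this example's own. With `allow_vrfy=False` it answers VRFY/EXPN with a non-committal 252, which is what the usual hardening (Postfix's `disable_vrfy_command = yes`) does; RCPT TO still confirms or denies local mailboxes, which is why the enumeration tools fall back to it and why the server-side logging of those rejects matters.

```python
# Added example (not from the original post): in-memory model of the SMTP
# session, with a switch for the VRFY/EXPN behaviour enumeration tools rely on.
# Domain, mailbox names and addresses below are constructed for illustration.

LOCAL_DOMAIN = "example.test"      # constructed: the domain this server accepts mail for
KNOWN_USERS = {"alice", "bob"}     # constructed: mailboxes that exist locally


class SmtpSession:
    """Replies to SMTP commands the way a receiving server would.

    allow_vrfy=False models the common hardening (Postfix: disable_vrfy_command = yes):
    VRFY and EXPN then neither confirm nor deny that a mailbox exists.
    """

    def __init__(self, allow_vrfy=False):
        self.allow_vrfy = allow_vrfy
        self.helo = None          # client identity from HELO/EHLO
        self.sender = None        # envelope sender from MAIL FROM
        self.recipients = []      # accepted envelope recipients from RCPT TO
        self.in_data = False      # True while the message body is being received
        self.body = []
        self.queue = []           # accepted messages: (sender, recipients, body)

    def handle(self, line):
        """Process one client line; return the server reply (None while inside DATA)."""
        if self.in_data:
            if line == ".":                       # a lone dot terminates the body
                self.in_data = False
                self.queue.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self.sender, self.recipients, self.body = None, [], []
                return "250 OK: queued"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 {LOCAL_DOMAIN} Hello {arg}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Error: send HELO/EHLO first"
            self.sender = arg.partition(":")[2].strip("<>")   # "FROM:<addr>" -> addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            addr = arg.partition(":")[2].strip("<>")          # "TO:<addr>" -> addr
            user, _, domain = addr.partition("@")
            if domain != LOCAL_DOMAIN:            # recipient is not ours: refuse to relay
                return "554 Relay access denied"
            if user not in KNOWN_USERS:           # still confirms local names, hence the
                return "550 User unknown"         # RCPT TO path used by enumeration tools
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("VRFY", "EXPN"):
            if not self.allow_vrfy:
                return "252 Cannot VRFY user, but will accept message and attempt delivery"
            if arg in KNOWN_USERS:
                return f"250 {arg}@{LOCAL_DOMAIN}"
            return "550 User unknown"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Error: command not recognized"


def run_session(server, client_lines):
    """Drive a session and return the transcript as (client line, server reply) pairs."""
    transcript = [("", f"220 {LOCAL_DOMAIN} ESMTP ready")]   # greeting sent on connect
    for line in client_lines:
        transcript.append((line, server.handle(line)))
    return transcript


if __name__ == "__main__":
    session = SmtpSession()
    for sent, reply in run_session(session, [
        "EHLO client.test", "MAIL FROM:<carol@remote.test>",
        "RCPT TO:<alice@example.test>", "DATA",
        "Subject: hello", "", "hi alice", ".", "QUIT",
    ]):
        if sent:
            print("C:", sent)
        if reply:
            print("S:", reply)
```

Run it as a script to see the full exchange; flip `allow_vrfy=True` on the session and send `VRFY alice` to see the 250/550 difference that smtp-user-enum and smtp_enum key on.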

The Task

Enumerate the task SMTP VM.

Process

  1. Start with an nmap scan: nmap -v -A -p- <target IP>
  2. Start Metasploit with msfconsole.
  3. Search for the known module name with search fullname:smtp_version.
  4. Select the module from the list with use <#>.
  5. Show the options to fill in with options.
  6. Set the options.
  7. Run the module with run.
  8. Switch to the "smtp_enum" module.
  9. Set the user_list (wordlist) and rhosts options.
  10. Run the module.

All info grabbed. Got multiple usernames but was only looking for one, and had to guess.
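From the server side, the smtp_enum run above (a wordlist of names pushed through VRFY and RCPT TO in quick succession) leaves a very recognisable trace in the mail log. The following is an added example, not part of the original post or of any Metasploit module: a small detector that reads Postfix-style smtpd log lines and flags any client that triggered rejects for many distinct names inside a short window. The log excerpt is constructed (the exact field layout is an assumption modelled on Postfix's "NOQUEUE: reject:" lines), and `parse_rejects`, `detect_enumeration` and the threshold/window values are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style smtpd log excerpt (not real traffic; field layout is an
# assumption). 192.0.2.10 probes VRFY and RCPT TO with a run of different names in a
# few seconds, which is what a wordlist-driven smtp_enum / smtp-user-enum session
# looks like from the server. 198.51.100.7 is a normal peer that mistyped one address.
SAMPLE_LOG = """\
Jan  5 10:00:01 mx postfix/smtpd[1201]: connect from unknown[192.0.2.10]
Jan  5 10:00:02 mx postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[192.0.2.10]: 502 5.5.1 VRFY command is disabled; to=<root> proto=ESMTP helo=<x>
Jan  5 10:00:02 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <admin@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@remote.test> to=<admin@example.test> proto=ESMTP helo=<x>
Jan  5 10:00:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <test@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@remote.test> to=<test@example.test> proto=ESMTP helo=<x>
Jan  5 10:00:03 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <sales@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@remote.test> to=<sales@example.test> proto=ESMTP helo=<x>
Jan  5 10:00:04 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <info@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@remote.test> to=<info@example.test> proto=ESMTP helo=<x>
Jan  5 10:00:04 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <support@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@remote.test> to=<support@example.test> proto=ESMTP helo=<x>
Jan  5 10:00:05 mx postfix/smtpd[1203]: connect from mail.partner.test[198.51.100.7]
Jan  5 10:00:05 mx postfix/smtpd[1203]: NOQUEUE: reject: RCPT from mail.partner.test[198.51.100.7]: 550 5.1.1 <bobb@example.test>: Recipient address rejected: User unknown in local recipient table; from=<jane@partner.test> to=<bobb@example.test> proto=ESMTP helo=<mail.partner.test>
Jan  5 10:00:06 mx postfix/smtpd[1203]: 4F3A2B1C: client=mail.partner.test[198.51.100.7]
"""

# Matches only VRFY/RCPT rejects; connect/queue lines are ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>VRFY|RCPT) from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) [\d.]+ .*?to=<(?P<target>[^>]*)>"
)


def parse_rejects(log_text):
    """Yield (timestamp, client ip, command, probed local-part) for each VRFY/RCPT reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less syslog stamp
            yield ts, m["ip"], m["cmd"], m["target"].split("@")[0]


def detect_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {client ip: sorted probed names} for every client whose VRFY/RCPT
    rejects covered at least `threshold` distinct names inside one window."""
    per_ip = defaultdict(list)
    for ts, ip, _cmd, name in parse_rejects(log_text):
        per_ip[ip].append((ts, name))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # sliding window from each event
            names = {n for t, n in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(names) >= threshold:
                alerts[ip] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for ip, names in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {', '.join(names)}")
```

The detector keys on distinct names rather than raw reject counts, so a legitimate peer that retries one mistyped address never trips it, while a wordlist run does within seconds. In production the same logic would sit behind a log shipper or fail2ban-style filter, with the threshold tuned to the site's normal bounce rate.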