THM – Network Services – SMTP – Part 7

Byaghanim
Bilde av Miguel Á. Padriñán fra Pexels

Understanding SMTP 

What is SMTP? 

SMTP stands for simple mail transfer protocol. It is utilized to handle the sending of emails. In order to support email services, a protocol pair is required, comprising of SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieving incoming mail, respectively.  

The SMTP server performs three basic functions:  

  • It verifies who is sending emails through the SMTP server. 
  • It sends the outgoing mail. 
  • If the outgoing mail can’t be delivered it sends the message back to the sender.  

POP and IMAP 

Pop, or “Post Office Protocol” and IMAP “Internet Message Access Protocol” are both email protocols who are responsible for the transfer of email between a client and a mail server. The main difference is in POP’s more simplistic approach of downloading the inbox from the mail server to the client. Where IMAP will synchronize the current inbox, with new mail on the server, downloading anything new. Meaning that changes to the inbox made on one computer, over IMAP, will persist if you then synchronize the inbox from another computer. The POP/IMAP server is responsible for fulfilling this process.  

How does SMTP work? 

Email delivery functions much the same as the physical mail delivery system. The user will supply the email and a service, and through a series of steps – will deliver it to the recipient’s inbox. The role of the SMTP server in this service, is to act as the sorting office, the email is picked up and sent to this server, which then directs it to the recipient.  

We can map the journey of an email from your computer to the recipients like this:  

  1. The mail user agent, which is either your email client or an external program. connects to the SMTP server of your domain, e.g. smtp.google.com. This initiates the SMTP handshake. This connection works over the SMTP port- which is usually 25. Once these connections have been made and validated, the SMTP session starts.
  2. The process of sending mail can now begin. The client first submits the sender, and recipient’s email address- the body of the email and any attachments, to the server. 
  3. The SMTP server then checks whether the domain name of the recipient and the sender is the same.
  4. The SMTP server of the sender will make a connection to the recipient’s SMTP server before relaying the email. If the recipient’s server can’t be accessed or is not available- the Email gets put into an SMTP queue. 
  5. Then, the recipient’s SMTP server will verify the incoming email. It does this by checking if the domain and username have been recognized. The server will then forward the email to the POP or IMAP server, as shown in the diagram above. 
  6. The E-Mail will then show up in the recipient’s inbox. 

What runs SMTP? 

SMTP Server software is readily available on Windows server platforms, with many variants of SMTP being available to run on Linux.  

What is the first step in the SMTP process? SMTP handshake 

Where does the SMTP server send the email if the recipients server is not available? SMTP queue 

On what server does the Email ultimately end up on? POP/IMAP 

Enumerating SMTP 

Enumerating Server Details 

Poorly configured or vulnerable mail servers can often provide initial foothold into a network, but prior to launching an attack, we want to fingerprint the server to make our targeting as precise as possible. We’re going to use the “smtp_version” module in Metasploit. It will scan a range of IP addresses and determine the verison of any mail server it encounters.  

Enumerating users from SMTP 

The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of user’s aliases and lists of e-mail (mailing lists)). Using these SMTP commands, we can reveal a list of valid users.  

We can do this manually, over a telnet connection – however Metasploit provides a handy module appropriately called “smtp_enum” that will do the legwork for us.  

Alternatives 

This enumeration technique will work for the majority of SMTP configurations; however there are other, non-Metasploit tools such as smtp-user-enum that work even better for enumerating OS-level user accounts on Solaris via the SMTP service. Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands.

This technique could be adapted in future to work against other vulnerable SMTP daemons.  

Scan the server with nmap and determin open ports. SMTP is open. Port 25/TCP.  

Start Metasploit and search for module “smtp_version.

Set the correct options. 

Run the exploit. What is the system mail name?  

Polosmtp.home ESMPT Postfix (MTA (Mail Transfer Agent)).  

Next stage, use smtp_enum. We’re going to be using the “top-username-shortlist.txt” wordlist from the username subsection to seclists. (This is in my toolbox).  

Run the exploit. What username is returned? Administrator 

Exploiting SMTP 

At the end of our enumeration section we have a few vital pieces of information. 

  1. A user account name 
  2. The type of SMTP server and Operating system running 

We know from our port scan, that the only other open port on this machine is an SSH login. We’re going to use this information to try and bruteforce the password of the SSH login for our user using Hydra. 

Hydra 

There is a wide array of customizability when it comes to using Hydra, and it allows for adaptive password attackers against many different services, including SSH.  

Hydra uses dictionary attacks primarily. 

The syntax for the command we’re going to use find the password in this:  

hydra -t 16 –L USERNAME –P /usr/share/wordlists/rockyou.txt -vV IP-ADDR ssh
SECTION FUNCTION 
hydra Runs the hydra tool 
 
-t 16 
 		Number of parallel connections per target 
 
-l [user] Points to the user who’s account you’re trying to compromise 
 
-P [path to dictionary] Points to the file containing the list of possible passwords 
 
-vV 
 		Sets verbose mode to very verbose, shows the login+pass combination for each attempt 
[machine IP] The IP address of the target machine 
ssh / protocol Sets the protocol 

What is the password for the user we found during the enumeration stage? (do the hydra command). 

Alejandor 

SSH into the server as the user, what is the content of smtp.txt?  

Similar Posts

THM – Command Injection – Part 11

THM – Command Injection – Part 11

Byaghanim

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsWhat is Command Injection?Discovering Command InjectionExploiting Command InjectionDetecting Blind Command InjectionLinux WindowsRemediating Command InjectionVulnerable FunctionsInput sanitisationBypassing FiltersPractical: Command InjectionWhat user is this application running as?What are the contents of…

THM – Walking An Application – Part 3

THM – Walking An Application – Part 3

Byaghanim

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsIntroductionExploring The WebsiteViewing the Page SourceHow do I view the Page Source?Let’s view some Page Source!Developer Tools – InspectorDeveloper ToolsInspectorDeveloper Tools – DebuggerDeveloper Tools – DebuggerDeveloper Tools –…

THM – Cross-site scripting (XSS) – Part 10

THM – Cross-site scripting (XSS) – Part 10

Byaghanim

This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsXSS PayloadsWhat is a payload?Proof of ConceptSession StealingKey LoggerExampleBusiness LogicReflected XSSExample ScenarioPotential ImpactHow to test for Reflected XSSStored XSSExample ScenarioHow to test for Stored XSSDOM Based XSSWhat is…

Command And Control – C2 Framework

Command And Control – C2 Framework

Byaghanim

This is a list of Command and control (C2) servers that I’ve tested. Table Of ContentsCovenantInstallation and setupLisenersGruntsPowershell-Empire with StarkillerPoshC2GodGenesisMetasploitSliverInstallSliver and MetasploitBeacon vs sessionExtensions (Armory)CheatsheetExample getting beacon with msfBypassing defender with staged process hollowingHavoc C2InstallInstall the dependenciesUbuntu 20.04 / 22.04Kali and other Debian based Distros only.Debian 10/11Building the TeamserverBuilding the ClientClient Covenant Installation and setup…

TryHackMe – Network Fundementals – Part 1

TryHackMe – Network Fundementals – Part 1

Byaghanim

Table Of ContentsForewordsIntroduction NetworkingThe OSI Model: OverviewEncapsulationTCP/IP Forewords In this blog series I will write down my notes from the courses I take from TryHackMe. This series is from the Complete beginner course where I will go through Network security, Web App security, different tools I use etc. I recommend anyone wanting to learn pentesting…

THM – Network Services – FTP – Part 4

THM – Network Services – FTP – Part 4

Byaghanim

Table Of ContentsUnderstanding FTP Enumerating FTP Exploiting FTP  Understanding FTP  What is FTP? File transfer protocol is a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this. It relays command and data in a very efficient way.   How does FTP work?  A typical FTP session operates using two channels:  A command channel   A data channel  The command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.   FTP operates using a client-server protocol. The client…