THM – Network Services – SMTP – Part 7

Image by Miguel Á. Padriñán from Pexels

Understanding SMTP 

What is SMTP? 

SMTP stands for Simple Mail Transfer Protocol. It handles the sending of emails. To support email services, a protocol pair is required, consisting of SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.

The SMTP server performs three basic functions:  

  • It verifies who is sending emails through the SMTP server. 
  • It sends the outgoing mail. 
  • If the outgoing mail can’t be delivered it sends the message back to the sender.  


POP, or “Post Office Protocol”, and IMAP, “Internet Message Access Protocol”, are both email protocols that are responsible for the transfer of email between a client and a mail server. The main difference is POP’s more simplistic approach of downloading the inbox from the mail server to the client, whereas IMAP synchronizes the current inbox with new mail on the server, downloading anything new. This means that changes to the inbox made on one computer, over IMAP, will persist if you then synchronize the inbox from another computer. The POP/IMAP server is responsible for fulfilling this process.

How does SMTP work? 

Email delivery functions much the same as the physical mail delivery system. The user supplies the email and a service, and through a series of steps the service delivers it to the recipient’s inbox. The role of the SMTP server in this service is to act as the sorting office: the email is picked up and sent to this server, which then directs it to the recipient.

We can map the journey of an email from your computer to the recipient’s like this:

  1. The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain, e.g. This initiates the SMTP handshake. This connection works over the SMTP port, which is usually 25. Once these connections have been made and validated, the SMTP session starts.
  2. The process of sending mail can now begin. The client first submits the sender’s and recipient’s email addresses, the body of the email and any attachments, to the server.
  3. The SMTP server then checks whether the domain name of the recipient and the sender is the same.
  4. The SMTP server of the sender will make a connection to the recipient’s SMTP server before relaying the email. If the recipient’s server can’t be accessed or is not available, the email gets put into an SMTP queue.
  5. Then, the recipient’s SMTP server will verify the incoming email. It does this by checking if the domain and username have been recognized. The server will then forward the email to the POP or IMAP server, as shown in the diagram above.
  6. The email will then show up in the recipient’s inbox.

What runs SMTP? 

SMTP server software is readily available on Windows server platforms, with many variants of SMTP being available to run on Linux.

What is the first step in the SMTP process? SMTP handshake 

Where does the SMTP server send the email if the recipient’s server is not available? SMTP queue

On what server does the email ultimately end up? POP/IMAP

Enumerating SMTP 

Enumerating Server Details 

Poorly configured or vulnerable mail servers can often provide an initial foothold into a network, but prior to launching an attack, we want to fingerprint the server to make our targeting as precise as possible. We’re going to use the “smtp_version” module in Metasploit. It will scan a range of IP addresses and determine the version of any mail server it encounters.

Enumerating users from SMTP 

The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual addresses of users’ aliases and mailing lists). Using these SMTP commands, we can reveal a list of valid users.

We can do this manually over a telnet connection; however, Metasploit provides a handy module appropriately called “smtp_enum” that will do the legwork for us.


This enumeration technique will work for the majority of SMTP configurations; however there are other, non-Metasploit tools such as smtp-user-enum that work even better for enumerating OS-level user accounts on Solaris via the SMTP service. Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands.

This technique could be adapted in future to work against other vulnerable SMTP daemons.  
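
Seen from the mail server's side, the VRFY, EXPN and RCPT TO probing described above leaves a recognisable pattern: one client asks about many names and never sends a message. The sketch below is an added example, not part of the original write-up; the record layout, addresses and threshold are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample: (client IP, SMTP command line, server reply code).
# The tuple layout is a hypothetical normalized form of an MTA session log.
SESSIONS = [
    ("10.0.0.7", "EHLO scanner", 250),
    ("10.0.0.7", "VRFY root", 550),
    ("10.0.0.7", "VRFY admin", 550),
    ("10.0.0.7", "VRFY administrator", 252),
    ("10.0.0.7", "EXPN staff", 502),
    ("10.0.0.7", "RCPT TO:<backup@example.test>", 550),
    ("10.0.0.9", "EHLO mail.example.test", 250),
    ("10.0.0.9", "MAIL FROM:<a@example.test>", 250),
    ("10.0.0.9", "RCPT TO:<bob@example.test>", 250),
    ("10.0.0.9", "DATA", 354),
]

PROBE_VERBS = ("VRFY", "EXPN", "RCPT")

def probed_name(command):
    """Return the mailbox name a VRFY/EXPN/RCPT TO command asks about, else None."""
    verb, _, arg = command.partition(" ")
    if verb.upper() not in PROBE_VERBS:
        return None
    if verb.upper() == "RCPT":
        arg = arg.partition(":")[2]       # drop the "TO" keyword
    return arg.strip().strip("<>").lower() or None

def find_enumerators(records, min_names=3):
    """Flag clients that probe many distinct names but never reach DATA."""
    names, confirmed, sent_mail = defaultdict(set), defaultdict(set), set()
    for ip, command, code in records:
        if command.upper().startswith("DATA") and code == 354:
            sent_mail.add(ip)
        name = probed_name(command)
        if name:
            names[ip].add(name)
            if code in (250, 251, 252):   # replies that do not deny the mailbox
                confirmed[ip].add(name)
    return {ip: {"probed": len(n), "not_denied": sorted(confirmed[ip])}
            for ip, n in names.items()
            if len(n) >= min_names and ip not in sent_mail}
```

The `not_denied` list shows which names the server's replies gave away, which is the argument for disabling VRFY and EXPN where they are not needed.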

Scan the server with nmap and determine the open ports. SMTP is open on port 25/TCP.

Start Metasploit and search for the module “smtp_version”.

Set the correct options. 

Run the exploit. What is the system mail name?  

Polosmtp.home ESMTP Postfix (MTA (Mail Transfer Agent)).

Next stage, use smtp_enum. We’re going to be using the “top-username-shortlist.txt” wordlist from the username subsection of SecLists. (This is in my toolbox).

Run the exploit. What username is returned? Administrator 

Exploiting SMTP 

At the end of our enumeration section we have a few vital pieces of information. 

  1. A user account name 
  2. The type of SMTP server and Operating system running 

We know from our port scan that the only other open port on this machine is an SSH login. We’re going to use this information to try and bruteforce the password of the SSH login for our user using Hydra.


There is a wide array of customizability when it comes to using Hydra, and it allows for adaptive password attacks against many different services, including SSH.

Hydra uses dictionary attacks primarily. 

The syntax for the command we’re going to use to find the password is this:

hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV IP-ADDR ssh

hydra                      Runs the hydra tool
-t 16                      Number of parallel connections per target
-l [user]                  Points to the user whose account you’re trying to compromise
-P [path to dictionary]    Points to the file containing the list of possible passwords
-vV                        Sets verbose mode to very verbose, shows the login+pass combination for each attempt
[machine IP]               The IP address of the target machine
ssh / protocol             Sets the protocol
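
On the target, a dictionary attack with many parallel connections shows up in the sshd log as a burst of failed passwords from one address, and the case that matters most is a successful login straight after such a burst. The detector below is an added example, not part of the original write-up; the log lines are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (OpenSSH message format); host and IPs are made up.
LOG = """\
Mar 13 10:15:01 mail sshd[811]: Failed password for administrator from 10.0.0.7 port 40112 ssh2
Mar 13 10:15:01 mail sshd[812]: Failed password for administrator from 10.0.0.7 port 40114 ssh2
Mar 13 10:15:02 mail sshd[813]: Failed password for administrator from 10.0.0.7 port 40116 ssh2
Mar 13 10:15:02 mail sshd[814]: Failed password for administrator from 10.0.0.7 port 40118 ssh2
Mar 13 10:15:03 mail sshd[815]: Accepted password for administrator from 10.0.0.7 port 40120 ssh2
Mar 13 10:20:00 mail sshd[900]: Failed password for invalid user bob from 10.0.0.9 port 51000 ssh2
Mar 13 11:40:00 mail sshd[950]: Accepted password for administrator from 10.0.0.9 port 51200 ssh2
"""

EVENT = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?"
                   r"(\S+) from (\S+) port \d+")

def brute_force_alerts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return (ip, user, severity) for failure bursts; 'compromised' if a login followed."""
    recent = defaultdict(deque)          # source IP -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        # Syslog timestamps omit the year; a fixed year is assumed for the arithmetic.
        when = datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")
        outcome, user, ip = m.groups()
        fails = recent[ip]
        while fails and when - fails[0] > window:
            fails.popleft()              # forget failures older than the window
        if outcome == "Failed":
            fails.append(when)
            if len(fails) >= threshold:
                alerts.setdefault((ip, user), "burst")
        elif len(fails) >= threshold:
            alerts[(ip, user)] = "compromised"   # success right after a burst
    return sorted((ip, user, sev) for (ip, user), sev in alerts.items())
```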

What is the password for the user we found during the enumeration stage? (do the hydra command). 


SSH into the server as the user, what is the content of smtp.txt?  
