SMTP - 25

Port
Service

TCP/25

SMTP Unencrypted

TCP/143

IMAP4 Unencrypted

TCP/110

POP3 Unencrypted

TCP/465

SMTP Encrypted

TCP/993

IMAP4 Encrypted

TCP/995

POP3 Encrypted

Telnet

# to interact with smtp server
telnet ip 25

# HELO/EHLO
HELO mail1.nothing.htb
EHLO mail1.nothing.htb

# VRFY - can be used to enumerate existing users on the system
VRFY root 

# EXPN - when used with a distribution list, it will list all users on that list
EXPN john

# USER - we can use the command USER followed by the username, and if the server responds OK. This means that the user exists on the server.
USER Eren

# find all SMTP error codes here :  <https://serversmtp.com/smtp-error/>

# Send an Email
EHLO nothing.htb

MAIL FROM: <user@nothing.htb>

RCPT TO: <user@nothing.htb>

DATA

QUIT

Nmap

# nmap scan for SMTP
nmap ip -sC -sV -p25

# nmap open relay scan
nmap ip -p25 --script smtp-open-relay -v

# 
swaks --from notifications@something.com --to employees@something.com --header 'Subject: Company Notification' --body 'Hi All, Please complete the following survey. <http://mycustomphishinglink.com/>' --server ip

Brute force users

# smtp-user-enum tool
smtp-user-enum -M VRFY -U user.txt -t ip

# with domain 
smtp-user-enum -M RCPT -U userlist.txt -D nothing.htb -t ip

Last updated