
SMTP Enumeration Tools

TheGetch edited this page Jan 5, 2021 · 1 revision


Nmap Enumeration

$ ls -lh /usr/share/nmap/scripts/ | grep smtp
-rw-r--r-- 1 root root  4309 Oct 12 09:29 smtp-brute.nse
-rw-r--r-- 1 root root  4769 Oct 12 09:29 smtp-commands.nse
-rw-r--r-- 1 root root 12006 Oct 12 09:29 smtp-enum-users.nse
-rw-r--r-- 1 root root  5873 Oct 12 09:29 smtp-ntlm-info.nse
-rw-r--r-- 1 root root 10148 Oct 12 09:29 smtp-open-relay.nse
-rw-r--r-- 1 root root   716 Oct 12 09:29 smtp-strangeport.nse
-rw-r--r-- 1 root root 14781 Oct 12 09:29 smtp-vuln-cve2010-4344.nse
-rw-r--r-- 1 root root  7719 Oct 12 09:29 smtp-vuln-cve2011-1720.nse
-rw-r--r-- 1 root root  7603 Oct 12 09:29 smtp-vuln-cve2011-1764.nse
$ nmap x.x.x.x -p 25 -sV --script=smtp-commands,smtp-enum-users,smtp-open-relay

Script names are given without the .nse suffix. smtp-enum-users probes with VRFY, EXPN and RCPT TO; which of the three are tried can be set with --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT}. Also check 465 (SMTPS) and 587 (submission), not only 25.

Manual Connection

$ nc -nv x.x.x.x 25

After the 220 banner, send EHLO and then probe by hand with VRFY <user>, EXPN <list> or MAIL FROM / RCPT TO:<user@domain>. A 250/251 reply means the mailbox exists, 550 means it does not, and 252 means the server refuses to say (fall back to RCPT TO in that case).
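The VRFY / EXPN / RCPT TO probing described above, as an added example that is not part of the original wiki page. It implements the same logic nmap's smtp-enum-users script and a manual nc session rely on: parse the three-digit reply code (handling multi-line 250- continuations), treat 250/251 as a hit and 550 as a miss, and switch to RCPT TO when VRFY comes back 252 or 502. FakeSmtpServer is a constructed in-memory stand-in for a real mail server so the module runs offline; the host names example.test and probe.example.test are assumptions, and SocketTransport is the only piece that touches the network.

```python
import re
import socket

# Reply codes: 250/251 = mailbox exists; 550 = unknown; 252 = "cannot VRFY but
# will accept" (uninformative); 502 = command disabled.
VALID_CODES = {250, 251}
_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(line):
    """Return (code, is_last_line, text) for one SMTP reply line.
    Multi-line replies use '250-...' continuations and '250 ...' as last line."""
    m = _REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(m.group(1)), m.group(2) == " ", m.group(3)


class SocketTransport:
    """Real transport for a live target (not exercised offline)."""
    def __init__(self, host, port=25, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def send_line(self, line):
        self.sock.sendall((line + "\r\n").encode())

    def readline(self):
        return self.rfile.readline().decode(errors="replace")


class FakeSmtpServer:
    """Constructed stand-in for a mail server: honours VRFY for `known` users
    (unless allow_vrfy=False, then answers 252), rejects EXPN with 502,
    and accepts RCPT TO only for known local users."""
    def __init__(self, known, allow_vrfy=True):
        self.known = {u.lower() for u in known}
        self.allow_vrfy = allow_vrfy
        self.pending = ["220 mail.example.test ESMTP (constructed)"]
        self.log = []  # every client command, for inspection

    def send_line(self, line):
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.pending += ["250-mail.example.test", "250 PIPELINING"]
        elif verb == "VRFY":
            if not self.allow_vrfy:
                self.pending.append("252 2.0.0 Cannot VRFY user, but will accept message")
            elif arg.lower() in self.known:
                self.pending.append(f"250 2.1.5 <{arg}@example.test>")
            else:
                self.pending.append("550 5.1.1 User unknown")
        elif verb == "EXPN":
            self.pending.append("502 5.5.1 EXPN not supported")
        elif verb == "RCPT":
            m = re.search(r"<([^@>]+)@", arg)
            user = m.group(1).lower() if m else ""
            self.pending.append("250 2.1.5 Ok" if user in self.known
                                else "550 5.1.1 Recipient unknown")
        elif verb in ("MAIL", "RSET"):
            self.pending.append("250 2.0.0 Ok")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 Bye")
        else:
            self.pending.append("500 5.5.2 Command unrecognized")

    def readline(self):
        return self.pending.pop(0) + "\r\n" if self.pending else ""


def read_reply(t):
    """Read one complete (possibly multi-line) reply; return (code, [texts])."""
    texts = []
    while True:
        raw = t.readline()
        if not raw:
            raise ConnectionError("server closed connection")
        code, last, text = parse_reply(raw)
        texts.append(text)
        if last:
            return code, texts


def command(t, line):
    t.send_line(line)
    return read_reply(t)


def enumerate_users(t, users, domain, sender="probe@example.test"):
    """Map each user to 'valid', 'invalid' or 'inconclusive'. VRFY first;
    once VRFY proves uninformative (252/502/...) switch to RCPT TO."""
    code, _ = read_reply(t)  # banner
    if code != 220:
        raise ConnectionError(f"unexpected banner code {code}")
    command(t, "EHLO probe.example.test")
    results, use_rcpt = {}, False
    for user in users:
        if not use_rcpt:
            code, _ = command(t, f"VRFY {user}")
            if code in VALID_CODES:
                results[user] = "valid"
                continue
            if code == 550:
                results[user] = "invalid"
                continue
            use_rcpt = True  # VRFY disabled or evasive: fall through to RCPT
        command(t, "RSET")  # clear any open transaction before MAIL FROM
        command(t, f"MAIL FROM:<{sender}>")
        code, _ = command(t, f"RCPT TO:<{user}@{domain}>")
        results[user] = ("valid" if code in VALID_CODES
                         else "invalid" if code == 550 else "inconclusive")
    command(t, "QUIT")
    return results


if __name__ == "__main__":
    # Offline demo against the constructed server; swap in
    # SocketTransport("x.x.x.x") for a live target.
    print(enumerate_users(FakeSmtpServer(["root", "admin"], allow_vrfy=False),
                          ["root", "alice", "admin"], "example.test"))
```

Anything other than a clean 250/251 or 550 is reported as inconclusive rather than guessed: a 554 "relay denied" on RCPT TO, for example, says nothing about the mailbox, and some servers answer 250 to every RCPT (catch-all), so confirm a few obviously bogus names before trusting a list of hits.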

Mass email

If you've collected email addresses for the target domain, a loop like the following sends a very simple phishing email to each one. (Saw this on a HTB machine; keep expectations of success low in the real world.) Note that swaks options take a double dash, and the address variable should be quoted:

$ while read -r mail; do swaks --to "$mail" --from IT@targetdomain.com --header "Subject: Credentials / Errors" --body "goto http://attackerIP/" --server x.x.x.x; done < mails.txt
