Pentesting Simple Mail Transfer Protocol (SMTP)

Simple Mail Transfer Protocol (SMTP) is a protocol for transporting mail over TCP/IP networks. Initially specified in RFC 821, published by Jonathan Postel in 1982, SMTP rapidly evolved into the robust protocol it is today, supporting Multipurpose Internet Mail Extensions (MIME), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC).

By default, the SMTP service runs on unsecured TCP port 25 or on secured TCP ports 465, 587 and 2525, though port 465 has been deprecated and port 2525 is not an official Internet Engineering Task Force (IETF)/Internet Assigned Numbers Authority (IANA) port. SMTP works in tandem with POP/IMAP for end-to-end mail creation and delivery. Four agents, components of the SMTP and/or POP/IMAP applications, work together to send and receive mail. Typically the user creates a mail with a Mail User Agent (MUA) and hands it off to a Mail Submission Agent (MSA). The MSA coordinates with a Mail Transfer Agent (MTA), which relays the message through servers until it reaches the recipient's destination. A Mail Delivery Agent (MDA) then picks up the mail and drops it into the user's mailbox, from which the user retrieves it with an MUA.

  • Mail User Agent (MUA): a client component of SMTP/POP/IMAP that interacts directly with the user to create and retrieve mail.
  • Mail Submission Agent (MSA): a server component of SMTP that receives mail from the MUA and coordinates with a Mail Transfer Agent (MTA) to relay it to the recipient's server.
  • Mail Transfer Agent (MTA): a server component of SMTP that routes and transfers mail between mail servers towards the recipient's server.
  • Mail Delivery Agent (MDA): a server component of POP/IMAP that receives mail from the MTA and delivers it to the appropriate mailbox.

/images/smtp/00_email-protocols-communication.png
Email Protocols Communication

/images/smtp/00_smtp-pop-imap-communication.png
SMTP/POP/IMAP Communication

Now let's observe the SMTP mail transport traffic flow.

# on terminal one
sudo tcpdump -Uni $INTERFACE tcp port 25 or 465 or 587 or 2525    # unbuffered SMTP capture filter

# on terminal two
nc -n $IP $PORT    # open a connection to server
HELO $DOMAIN_NAME    # initiate conversation with mail domain server
MAIL FROM: <$SENDER_ADDRESS>    # insert sender's address
RCPT TO: <$RECIPIENT_ADDRESS>    # insert recipient's address
DATA    # activate message transfer
Date: $TIMESTAMP    # RFC 5322 format, e.g: Tue, 15 Aug 2023 12:52:24 +0000
From: <$SENDER_ADDRESS>    # e.g: user@domain.tld
To: <$RECIPIENT_ADDRESS>    # e.g: user@domain.tld
Subject: $MESSAGE_SUBJECT       # e.g: Greetings
$MESSAGE   # e.g Hello Recipient
.    # end of message transfer
QUIT    # terminate SMTP conversation
CTRL+D    # close connection
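As an added defender-side example (not from the original page), the script below parses a constructed client transcript of the session above, which is the same exchange the telnet walkthrough in the footprinting section uses. It extracts the envelope sender and recipients, counts VRFY/EXPN probes, and checks whether the envelope sender aligns with the header From the way DMARC does; all addresses and domains are made up.

```python
import re
from email.parser import Parser
# Constructed client side of the session above (server replies omitted); envelope sender and header From deliberately differ.
SESSION = """HELO mail.example.test
MAIL FROM: <billing@payments-example.test>
RCPT TO: <alice@example.test>
DATA
From: <ceo@example.test>
To: <alice@example.test>
Subject: Greetings

Hello Recipient
.
QUIT
"""
ADDR = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")  # group 1 = address, group 2 = domain

def parse_session(text):
    """Split a client transcript into the SMTP envelope and the DATA section."""
    env = {"mail_from": None, "rcpt_to": [], "vrfy_expn": 0, "message": ""}
    lines = iter(text.splitlines())
    for line in lines:
        upper = line.upper()
        if upper.startswith("MAIL FROM"):
            m = ADDR.search(line)
            env["mail_from"] = m.group(1) if m else ""  # "" = null sender (bounce)
        elif upper.startswith("RCPT TO"):
            env["rcpt_to"] += [m.group(1) for m in ADDR.finditer(line)]
        elif upper.startswith(("VRFY", "EXPN")):
            env["vrfy_expn"] += 1  # mailbox-enumeration probes: worth alerting on
        elif upper == "DATA":  # everything up to the lone "." is the RFC 5322 message
            body = []
            for data_line in lines:
                if data_line == ".":
                    break
                body.append(data_line)
            env["message"] = "\n".join(body)
    return env

def org_domain(domain):
    """Relaxed DMARC alignment compares organizational domains; two labels suffice here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_alignment(env):
    """True if the envelope sender (RFC5321.MailFrom) aligns with the header From
    (RFC5322.From); a mismatch is what a spoofed phishing mail looks like on the wire."""
    header = ADDR.search(Parser().parsestr(env["message"]).get("From") or "")
    envelope = ADDR.search(env["mail_from"] or "")  # None for a null-sender bounce
    return bool(header and envelope and org_domain(header.group(2)) == org_domain(envelope.group(2)))
```

Feed it the client side of a tcpdump or nc capture; a False result on real traffic is the envelope/header mismatch that SPF and DMARC alignment checks are designed to catch.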

/images/smtp/00_smtp-traffic.png
SMTP Traffic

Common Server Applications

  • Unix systems
    • Dovecot
    • Postfix
    • Exim
    • Sendmail
  • Windows systems
    • MailEnable
    • ArGoSoft Mail Server
    • Microsoft Exchange Server
    • SmarterMail

Common Commands

COMMAND     USAGE                              DESCRIPTION
AUTH        AUTH LOGIN $USERNAME $PASSWORD     client authenticates itself to the server
DATA        DATA                               initiate message sending, write the message and end with a lone "."
EHLO/HELO   EHLO/HELO $DOMAIN                  initiate the conversation using the ESMTP/SMTP greeting
EXPN        EXPN                               verify mailing list validity
HELP        HELP command                       show supported commands/details
MAIL FROM   MAIL FROM $SENDER_ADDRESS          specify the mail sender
NOOP        NOOP                               ping the mail server
RCPT TO     RCPT TO $RECIPIENT_ADDRESS         specify the mail recipient
RSET        RSET                               abort the in-transit conversation
SIZE        SIZE $NUMBER                       define the message size in kilobytes
STARTTLS    STARTTLS                           upgrade to a secure connection
VRFY        VRFY $RECIPIENT_ADDRESS            verify username/mailbox validity
QUIT        QUIT                               terminate the SMTP conversation

Common Vulnerability

Security Best Practices

  • Deploy TLS for SMTP (STARTTLS or a dedicated TLS port) so that traffic is encrypted.
  • Implement DMARC to protect participating mail domains from abuse.
  • Implement SPF to authorize the servers that may send mail on behalf of your domain.
  • Apply DKIM to digitally sign mail for integrity and authenticity.
  • Enforce strong password policies and two-factor authentication for user accounts.
  • Suppress application version fingerprints.

Exploitation
Encountering an SMTP service immediately brings phishing to an attacker's mind. The usual questions are:

  • Whether a user/bot can be lured into clicking a malicious link or downloading an attachment.
  • Whether the user can be tricked into sharing sensitive information.
'WORDLIST
/usr/share/wordlists/dirb/others/names.txt
/usr/share/seclists/Usernames/Names/names.txt
'
## SERVICE ENUMERATION ##
# with nmap
ls /usr/share/nmap/scripts/smtp*    # list nmap smtp scripts
'SNIP
/usr/share/nmap/scripts/smtp-brute.nse
/usr/share/nmap/scripts/smtp-commands.nse
/usr/share/nmap/scripts/smtp-enum-users.nse
/usr/share/nmap/scripts/smtp-ntlm-info.nse
/usr/share/nmap/scripts/smtp-open-relay.nse
/usr/share/nmap/scripts/smtp-strangeport.nse
/usr/share/nmap/scripts/smtp-vuln-cve2010-4344.nse
/usr/share/nmap/scripts/smtp-vuln-cve2011-1720.nse
/usr/share/nmap/scripts/smtp-vuln-cve2011-1764.nse
'
nmap -p 25,465,587 -sV $IP   # version scan
nmap -p 25 --script smtp-open-relay $IP   # identify if server is an open-relay
nmap -p 25 --script smtp-commands $IP   # list server supported commands
nmap -p 25 --script smtp-vuln* $IP   # identify vulnerabilities

# with metasploit
search scanner name:smtp
use auxiliary/scanner/smtp/smtp_version
show options
set rhosts $IP
exploit 

# with linux utilities
dig mx $DOMAIN @$IP    # list mail exchange records
dig txt $DOMAIN @$IP    # list text records (SPF/DMARC live here)

## CREDENTIAL ENUMERATION ##
# with nmap
nmap -p 25 --script smtp-ntlm-info $IP   # show Windows host/domain details leaked in the NTLM challenge

# with smtp-user-enum
smtp-user-enum -M VRFY -U $USERNAMELIST -t $IP -p 25 -w 50    # find valid user
smtp-user-enum -M EXPN -D $DOMAIN -U $USERNAMELIST -t $IP   # find all valid user

# with hydra
hydra -L $USERNAMELIST -t 6 -s 25 $IP smtp-enum    # find valid users
hydra -S -L $USERNAMELIST -t 6 -s 465 $IP smtp-enum   # find valid users via SSL

# with metasploit
search scanner name:smtp
use auxiliary/scanner/smtp/smtp_enum
show options
set rhosts $IP
set user_file $USERNAMELIST
exploit 

## PATH ENUMERATION ##

## HOST ENUMERATION/FOOTPRINTING ##
# with telnet
telnet $IP $PORT    # open a connection to server
HELO $DOMAIN_NAME    # initiate conversation with mail domain server
MAIL FROM: <$SENDER_ADDRESS>    # sender envelope address
RCPT TO: <$RECIPIENT_ADDRESS>    # recipient envelope address
DATA    # initiate message transfer
Date: $TIMESTAMP    # RFC 5322 format, e.g: Tue, 15 Aug 2023 12:52:24 +0000
From: <$SENDER_ADDRESS>    # sender header address e.g: user@domain.tld
To: <$RECIPIENT_ADDRESS>    # recipient header address e.g: user@domain.tld
Subject: $MESSAGE_SUBJECT       # e.g: Greetings
$MESSAGE   # e.g Hello Recipient
.    # end message transfer
QUIT    # terminate SMTP conversation

# with openssl
openssl s_client -connect $DOMAIN:25 -starttls smtp -crlf    # upgrade the plaintext connection with STARTTLS
openssl s_client -connect $DOMAIN:465 -crlf -quiet    # implicit TLS (SMTPS) port

# with swaks
swaks --to $RECIPIENT_ADDRESS --from $SENDER_ADDRESS --header 'Subject: $MESSAGE_SUBJECT' --body '$MESSAGE' --server $MAILSERVER --attach @$FILENAME # send a malicious file and use IMAP to read it.

swaks --to $RECIPIENT_ADDRESS --from $SENDER_ADDRESS --header 'Subject: $MESSAGE_SUBJECT' --body '$URLPATH' --server $MAILSERVER # have a user/bot click on the malicious link

References