News & Events
Email penetration testing – part #2
Back again with the Second blog in our Email Pentesting Series.
Today we will be doing SMTP Service Fingerprinting and will get to know about Directory Harvest Attacks, and Enumeration of SMTP Subsystems and Features.
So lets do it.
For SMTP Fingerprinting am going to use Vulnerable Metasploitable Machine Here as victim. My Kali Linux will be the Attacker Machine.
ATTACKER MACHINE IP : 192.168.43.138
VICTIM MACHINE IP : 192.168.43.250
Recon and Enumeration :
Once we know that the target machine is Running with SMTP Service on port number 25 by scanning using NMAP.
STEP 1 : Enumeration of SMTP Service Fingerpriting.
In this Step you need to find out the Domain of the SMTP Server and Version information of SMTP Servers using several tools such as SMTP-USER-ENUM, iSMTP, smtpscan, smtpmap, telnet, netcat.
We can use any one of the above tools.
We used telnet here to fingerprint the SMTP service on my target IP.
we got the domain information about the SMTP Server.
STEP 2 : Directory Harvest Attacks
Directory Harvest Attack (DHA) is a common technique that finds valid Email Addresses of a domain name. Every company uses standard format for official Email Addresses.
There are two ways to harvest email addresses.
- Using Probable Combinations of email addresses that appends with official email server.
- using combinations of usernames, initials, surnames of the employees of your target company for finding valid email address of an email server/domain name.
Here we are going to use telnet to probe and find out the available users in here for that. You can use Metasploit Framework also for this or SMTP-USER-ENUM.
Here we will use options like VRFY and RCPT to verify the users are available in the Sender list & recipient List.
I tried verifying with the user msfadmin and the email address in the target server. When I try to access it with other user “sam” it got rejected due to it unavailability in the mail server.
STEP 3: Enumerating SMTP Subsystems and Feature
SMTP Services possess exploitable subsystems and features that can be targeted by using Certain commands like “EHLO” command.
In the above screenshots you can see that the supported extension for an SMTP server is extended SMTP(ESMTP).
You can pass the EHLO world command while connecting to the target system using telnet.
It gives us lot of information about the target SMTP Server.
- PIPELINING – Pipelining Sends batches of SMTP commands without waiting for a response from the SMTP Server to individual comments.
- SIZE – SIZE extension has two purposes:
- To give the server an estimate of the size of a message before the message is transmitted.
- To warn the client that messages above a certain size will not be accepted.
- ETRN – allows an SMTP server to send a request to another SMTP server to send any e-mail messages it has. The ETRN command has been specifically designed to allow intergration with dial-up mail servers.
- 8BITMIME – is a way for SMTP servers that support it to transmit email using 8-bit character sets in a standards-compliant way that won’t break old servers.
- DSN – DSN (Delivery Status Notification) is an extension to SMTP email delivery that can notify senders about the status of their message’s delivery.
- STARTTLS – StartTLS is mainly used as a protocol extension for communication by e-mail, based on the protocols SMTP, IMAP and POP. In order to encrypt the information transmitted.
We will be continuing with this blog series, stick with us to learn more on email pentesting
Sam Nivethan V J
Security Analyst & Trainer
REFERENCES & CREDITS