Email Penetration Testing – Part #2
In Part 2 of this Email Penetration Testing series, we go further into some important details of the process.
Today we will do SMTP service fingerprinting and get to know directory harvest attacks and the enumeration of SMTP subsystems and features.
So let's do it.
For SMTP fingerprinting I am going to use a vulnerable Metasploitable machine as the victim. My Kali Linux machine will be the attacker.
ATTACKER MACHINE IP : 192.168.43.138
VICTIM MACHINE IP : 192.168.43.250
Recon and Enumeration:
First we confirm with an Nmap scan that the target machine is running an SMTP service on port 25.
STEP 1: SMTP Service Fingerprinting
In this step you need to find out the domain and the version information of the SMTP server, using tools such as SMTP-USER-ENUM, iSMTP, smtpscan, smtpmap, telnet or netcat.
We can use any one of the above tools.
We used telnet here to fingerprint the SMTP service on the target IP.
From the server's response we got the domain information about the SMTP server.
STEP 2: Directory Harvest Attacks
A Directory Harvest Attack (DHA) is a common technique for finding the valid email addresses of a domain name. Every company uses a standard format for its official email addresses, which makes them easy to guess.
There are two ways to harvest email addresses:
- Trying probable address combinations appended to the official email domain.
- Using combinations of usernames, initials and surnames of the target company's employees to find valid addresses on the mail server/domain.
Here we use telnet to probe for the users that exist on the server. You can also use the Metasploit Framework or SMTP-USER-ENUM for this.
We use the VRFY and RCPT TO commands to check whether a user exists on the server: VRFY asks the server to confirm a mailbox name, and RCPT TO checks whether an address is accepted as a recipient.
I tried verifying the user msfadmin and its email address on the target server, and it was accepted. When I tried another user, "sam", the request was rejected because that user does not exist on the mail server.
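The server-side view of the probing described above, as an added example that is not part of the original post: a directory harvest leaves a burst of 550 "user unknown" recipient rejections from one client in the MTA log, so the script below parses Postfix-style smtpd log lines (constructed here, reusing this post's lab IPs; the mailbox names, the threshold and the window are assumptions) and flags any client that crosses the threshold.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed, Postfix-style smtpd log lines (example data, not from the original
# post). The client IPs reuse this post's lab addresses; the mailboxes are made up.
SAMPLE_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[1234]: connect from unknown[192.168.43.138]
Jan 10 12:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.43.138]: 550 5.1.1 <sam@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.test> to=<sam@example.test> proto=ESMTP helo=<world>
Jan 10 12:00:03 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.43.138]: 550 5.1.1 <alice@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.test> to=<alice@example.test> proto=ESMTP helo=<world>
Jan 10 12:00:04 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.43.138]: 550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.test> to=<bob@example.test> proto=ESMTP helo=<world>
Jan 10 12:00:05 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.43.138]: 550 5.1.1 <carol@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.test> to=<carol@example.test> proto=ESMTP helo=<world>
Jan 10 12:00:06 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.43.138]: 550 5.1.1 <dave@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.test> to=<dave@example.test> proto=ESMTP helo=<world>
Jan 10 12:00:07 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.43.138]: 550 5.1.1 <erin@example.test>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.test> to=<erin@example.test> proto=ESMTP helo=<world>
Jan 10 12:00:30 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from client.example.test[203.0.113.7]: 550 5.1.1 <jon.smth@example.test>: Recipient address rejected: User unknown in local recipient table; from=<jon@example.test> to=<jon.smth@example.test> proto=ESMTP helo=<client.example.test>
Jan 10 12:00:31 mail postfix/smtpd[1240]: disconnect from client.example.test[203.0.113.7]
"""

# syslog timestamp, then the reject with the client host[ip] and the rejected address
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: 550 .*?<(?P<rcpt>[^>]+)>"
)


@dataclass
class Reject:
    when: datetime
    ip: str
    rcpt: str


def parse_rejects(log_text: str) -> list:
    """Pull every 550 'recipient rejected' event out of the log text."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append(Reject(when, m.group("ip"), m.group("rcpt")))
    return events


def find_harvesters(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {client_ip: total_rejects} for every client that produced at
    least `threshold` unknown-recipient rejections inside `window_seconds`.
    A single typo from a real sender never reaches the threshold; a harvest
    that walks a name list does so within seconds."""
    by_ip = defaultdict(list)
    for ev in parse_rejects(log_text):
        by_ip[ev.ip].append(ev.when)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # sliding window: the i-th reject versus the one `threshold - 1` before it
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_harvesters(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: {count} unknown recipients")
```

On the sample data the lab attacker address is flagged after its first five rejections while the single mistyped recipient from 203.0.113.7 is ignored. On a Postfix server the same activity is cut short by `disable_vrfy_command = yes` (VRFY answers 252 for everyone) and by `smtpd_hard_error_limit`, which drops a client after too many errors in one session.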
STEP 3: Enumerating SMTP Subsystems and Features
SMTP services expose subsystems and features that can be enumerated with certain commands, such as the EHLO command.
In the screenshots above you can see that the server supports Extended SMTP (ESMTP).
You can send the command EHLO world after connecting to the target system with telnet.
The reply gives us a lot of information about the target SMTP server:
- PIPELINING – lets the client send batches of SMTP commands without waiting for the server's response to each individual command.
- SIZE – the SIZE extension has two purposes:
  - To give the server an estimate of the size of a message before the message is transmitted.
  - To warn the client that messages above a certain size will not be accepted.
- ETRN – lets an SMTP server ask another SMTP server to deliver any e-mail messages it is holding for it. The ETRN command was designed specifically for integration with dial-up mail servers.
- 8BITMIME – a way for SMTP servers that support it to transmit email using 8-bit character sets in a standards-compliant way that won't break old servers.
- DSN – Delivery Status Notification, an extension to SMTP email delivery that can notify senders about the status of their message's delivery.
- STARTTLS – a protocol extension used by SMTP, IMAP and POP to upgrade a plain-text connection to an encrypted one, so that the transmitted information is protected.
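Both Step 1 (reading the greeting banner) and Step 3 (reading the EHLO reply) are parsing exercises, so here is an added example that is not part of the original post: it takes a transcript of the greeting and EHLO exchange (constructed below with an assumed hostname and extension set, both sides' messages shown), extracts the hostname, software string and advertised extensions, and turns them into hardening findings such as VRFY being enabled or STARTTLS being absent. A `probe()` helper runs the same assessment live with the standard `smtplib` module against a server you administer.

```python
import smtplib

# Constructed transcript of an SMTP greeting and EHLO exchange (example data,
# not from the original post). "C:" marks what the client sends, "S:" what the
# server answers; the hostname and the extension set are assumptions.
SAMPLE_EXCHANGE = """\
S: 220 mail.example.test ESMTP Postfix (Ubuntu)
C: EHLO world
S: 250-mail.example.test
S: 250-PIPELINING
S: 250-SIZE 10240000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
C: QUIT
S: 221 2.0.0 Bye
"""


def parse_exchange(transcript: str):
    """Split a transcript into the 220 greeting and the 250 EHLO reply lines."""
    banner, ehlo_lines = "", []
    for raw in transcript.splitlines():
        if not raw.startswith("S: "):
            continue                      # client lines carry no server data
        reply = raw[3:]
        if reply.startswith("220"):
            banner = reply
        elif reply.startswith("250"):
            ehlo_lines.append(reply)
    return banner, ehlo_lines


def parse_banner(banner: str) -> dict:
    """The greeting is '220 <hostname> <free text>'; the free text is where
    software and OS names leak (this is the Step 1 fingerprint)."""
    parts = banner.split(None, 2)
    return {"hostname": parts[1] if len(parts) > 1 else "",
            "software": parts[2] if len(parts) > 2 else ""}


def parse_ehlo(lines) -> dict:
    """Map each advertised extension to its parameters. lines[0] is the
    '250-<hostname>' greeting; '250-' continues the reply, '250 ' ends it."""
    exts = {}
    for line in lines[1:]:
        name, _, params = line[4:].partition(" ")
        exts[name.upper()] = params
    return exts


def assess(info: dict, exts: dict):
    """Turn the fingerprint into hardening findings as (code, message) pairs."""
    findings = []
    if "STARTTLS" not in exts:
        findings.append(("NO_STARTTLS", "STARTTLS not offered: sessions cannot be upgraded to TLS"))
    if "VRFY" in exts:
        findings.append(("VRFY_ENABLED", "VRFY advertised: address enumeration is possible "
                                         "(Postfix: disable_vrfy_command = yes)"))
    if "ETRN" in exts:
        findings.append(("ETRN_ENABLED", "ETRN advertised: only queue-flush peers need it "
                                         "(Postfix: smtpd_etrn_restrictions)"))
    if "SIZE" in exts and not exts["SIZE"]:
        findings.append(("NO_SIZE_LIMIT", "SIZE advertised without a limit"))
    detail = info["software"].replace("ESMTP", "").strip()
    if detail:
        findings.append(("BANNER_DISCLOSURE", f"greeting reveals MTA/OS details: {detail}"))
    return findings


def analyze(transcript: str):
    """Offline pipeline: transcript -> banner info, extensions, findings."""
    banner, ehlo_lines = parse_exchange(transcript)
    info = parse_banner(banner)
    exts = parse_ehlo(ehlo_lines)
    return info, exts, assess(info, exts)


def probe(host: str, port: int = 25, timeout: float = 5.0):
    """Live variant for a server you administer: read the greeting, send EHLO
    with smtplib and run the same assessment. Not exercised by analyze()."""
    smtp = smtplib.SMTP(timeout=timeout)
    code, greeting = smtp.connect(host, port)   # greeting is bytes
    try:
        smtp.ehlo("world")
        # smtplib lower-cases the feature names it records in esmtp_features
        exts = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    finally:
        smtp.quit()
    info = parse_banner(f"{code} {greeting.decode(errors='replace')}")
    return info, exts, assess(info, exts)


if __name__ == "__main__":
    info, exts, findings = analyze(SAMPLE_EXCHANGE)
    print("host:", info["hostname"], "| software:", info["software"])
    print("extensions:", ", ".join(f"{k} {v}".strip() for k, v in exts.items()))
    for code, msg in findings:
        print(f"[{code}] {msg}")
```

The findings are keyed by a stable code rather than free text so they can be counted or alerted on; on the sample transcript the server is flagged for advertising VRFY and ETRN and for naming its MTA and OS in the greeting, while STARTTLS is present and therefore not reported.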
We will continue this blog series; stick with us to learn more about email penetration testing.