Email Services
Email servers are complex and usually require us to enumerate multiple servers, ports, and services. Furthermore, today most companies have their email services in the cloud with services such as Microsoft 365 or G-Suite. Therefore, our approach to attacking the email service depends on the service in use.
We can use the Mail eXchanger (MX) DNS record to identify a mail server
We can use tools such as host or dig and online websites such as MXToolbox to query information about the MX records:
host -t MX hackthebox.eudig mx plaintext.do | grep "MX" | grep -v ";"host -t A mail1.inlanefreight.htb.If we are targetting a custom mail server implementation such as inlanefreight.htb, we can enumerate the following ports:
Port
Service
TCP/25
SMTP Unencrypted
TCP/143
IMAP4 Unencrypted
TCP/110
POP3 Unencrypted
TCP/465
SMTP Encrypted
TCP/587
SMTP Encrypted/STARTTLS
TCP/993
IMAP4 Encrypted
TCP/995
POP3 Encrypted
We can use Nmap's default script -sC option to enumerate those ports on the target system:
sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <IP>Misconfigurations
Authentication
The SMTP server has different commands that can be used to enumerate valid usernames VRFY, EXPN, and RCPT TO. If we successfully enumerate valid usernames, we can attempt to password spray, brute-forcing, or guess a valid password. So let's explore how those commands work.
VRFY this command instructs the receiving SMTP server to check the validity of a particular email username. The server will respond, indicating if the user exists or not. This feature can be disabled.
EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the VRFY command since sites often have an alias such as "all."
RCPT TO identifies the recipient of the email message. This command can be repeated multiple times for a given message to deliver a single message to multiple recipients.
We can also use the POP3 protocol to enumerate users depending on the service implementation. For example, we can use the command USER followed by the username, and if the server responds OK. This means that the user exists on the server.
Automatic enumeration
To automate our enumeration process, we can use a tool named smtp-user-enum. We can specify the enumeration mode with the argument -M followed by VRFY, EXPN, or RCPT, and the argument -U with a file containing the list of users we want to enumerate. Depending on the server implementation and enumeration mode, we need to add the domain for the email address with the argument -D. Finally, we specify the target with the argument -t.
Cloud Enumeration
O365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365)
Validating service
Attempt to identify usernames.
Password Attacks
We can use Hydra to perform a password spray or brute force against email services such as SMTP, POP3, or IMAP4. First, we need to get a username list and a password list and specify which service we want to attack. Let us see an example for POP3.
For cloud services we can try custom tools such as o365spray or MailSniper for Microsoft Office 365 or CredKing for Gmail or Okta.
Protocol Specifics Attacks
An open relay is a Simple Mail Transfer Protocol (SMTP) server, which is improperly configured and allows an unauthenticated email relay.
Open Relay
From an attacker's standpoint, we can abuse this for phishing by sending emails as non-existing users or spoofing someone else's email.
With the nmap smtp-open-relay script, we can identify if an SMTP port allows an open relay.
Next, we can use any mail client to connect to the mail server and send our email.
Last updated