The Simple Mail Transfer Protocol (SMTP) is used for sending and receiving email. It is commonly paired with POP3 or IMAP for message retrieval.
Default Ports: 25 (SMTP), 465 (SMTPS), 587 (SMTP with STARTTLS)
Basic Connections
# SMTP (plain)
nc -vn <IP> 25
# SMTPS (TLS)
openssl s_client -crlf -connect smtp.mailgun.org:465
# SMTP with STARTTLS
openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587
Enumeration
# Nmap
nmap -p25 --script smtp-commands 10.10.10.10
nmap -p25 --script smtp-open-relay 10.10.10.10 -v
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720 -p 25 <IP>
# Find MX servers
dig +short mx google.com
NTLM Info Disclosure
If the server supports NTLM auth (Windows), send a challenge to extract version info:
telnet example.com 587
>> HELO
>> AUTH NTLM
# server replies 334 (NTLM supported); then send the NTLM type-1 negotiate message:
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# Response contains: IIS version, Windows version
# Automate with nmap
nmap -p25 --script smtp-ntlm-info.nse <IP>
Username Enumeration
telnet 1.1.1.1 25
HELO x
VRFY root
# 250 Super-User root@myhost = exists
VRFY blah
# 550 blah... User unknown
telnet 1.1.1.1 25
HELO x
MAIL FROM:[email protected]
RCPT TO:test
# 550 = unknown, 250 = exists
EXPN root
# 250 2.1.5 ed.williams@myhost
EXPN sshd
# 250 2.1.5 sshd privsep sshd@myhost
smtp-user-enum -M VRFY -U users.txt -t <IP>
smtp-user-enum -M EXPN -U users.txt -t <IP>
smtp-user-enum -M RCPT -U users.txt -t <IP>
msf> use auxiliary/scanner/smtp/smtp_enum
Sending Emails
Email Security Mechanisms
SPF (Sender Policy Framework)
# Check SPF record
dig txt google.com | grep spf
# Online validator
# https://www.kitterman.com/spf/validate.html
SPF Qualifiers:
+ = PASS (default)
? = NEUTRAL
~ = SOFTFAIL (accept but mark)
- = FAIL (reject)
DKIM (DomainKeys Identified Mail)
# Get DKIM public key (need selector from email headers)
dig 20120113._domainkey.gmail.com TXT | grep p=
DMARC
# Get DMARC record
dig _dmarc.facebook.com txt | grep DMARC
# p=reject: strict rejection
# p=quarantine: mark as spam
# p=none: monitoring only
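As an added example (not part of the original cheat sheet), a small Python parser for the SPF and DMARC records the two sections above look up with dig, plus an assessment step that flags the weak settings those qualifier and policy lists describe. The sample records are constructed.

```python
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"  # constructed
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"      # constructed

QUALIFIER_MEANING = {"+": "PASS", "?": "NEUTRAL", "~": "SOFTFAIL", "-": "FAIL"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism) pairs plus modifiers.
    A mechanism without an explicit qualifier defaults to '+' (PASS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:  # redirect=, exp=
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        if term[0] in QUALIFIER_MEANING:
            mechanisms.append((term[0], term[1:].lower()))
        else:
            mechanisms.append(("+", term.lower()))
    return mechanisms, modifiers

def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess(spf_record, dmarc_record):
    """Return the weak settings a defender would want to fix, as strings."""
    findings = []
    mechanisms, modifiers = parse_spf(spf_record)
    all_qualifiers = [q for q, m in mechanisms if m == "all"]
    if all_qualifiers and all_qualifiers[-1] in ("+", "?"):
        findings.append("SPF: '%sall' lets any host send as the domain (%s)"
                        % (all_qualifiers[-1], QUALIFIER_MEANING[all_qualifiers[-1]]))
    elif all_qualifiers and all_qualifiers[-1] == "~":
        findings.append("SPF: '~all' only softfails unlisted senders; blocking depends on DMARC")
    elif not all_qualifiers and "redirect" not in modifiers:
        findings.append("SPF: no 'all' mechanism, unlisted senders evaluate to NEUTRAL")
    policy = parse_dmarc(dmarc_record).get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitoring only, failing mail is still delivered")
    return findings
```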
Avoiding Email Security Gateways (SEGs)
Organizations using Entra ID / Exchange Online often have multiple accepted domains. If any accepted domain has an MX record pointing directly to the mail server (bypassing the SEG), you can deliver mail avoiding the gateway. The default <tenant>.onmicrosoft.com domain always has MX pointing to Exchange Online.
# Enumerate accepted domains
dnsx -d target.com -mx
# Send to tenant.onmicrosoft.com to bypass SEG
# swaks --to [email protected] ...
SMTP Spoofing
# Check for spoofing vulnerabilities
python3 -m serain.mailspoof target.com
python3 checkdmarc.py target.com
# Automated spoofing
python3 magicspoofmail.py -d victim.com -t -e [email protected]
python3 magicspoofmail.py -d victim.com -t -e [email protected] \
--subject TEST --sender [email protected]
Open Relay Testing
nmap -p25 --script smtp-open-relay 10.10.10.10 -v
Open relay configuration (misconfiguration to look for):
mynetworks = 0.0.0.0/0 # Every client is treated as trusted, so permit_mynetworks relays for anyone
SMTP Smuggling
SMTP smuggling allows bypassing SPF, DKIM, and DMARC protections by exploiting differences in how SMTP servers interpret the end-of-data sequence. Some servers accept <LF>.<LF> as the terminator while others only accept <CR><LF>.<CR><LF>, so a second message can be injected inside the DATA of the first.
Config Files
/etc/postfix/master.cf
/etc/postfix/main.cf
sendmail.cf
submit.cf
If you can make the victim send you an email (e.g., contact form), inspect the headers:
- Internal server names and IP addresses
- Antivirus software info (X-Virus-Scanned header)
- Internal relay hops
NDN (Non-Delivery Notification) Harvesting
Send emails to non-existent addresses. The bounce-back NDN often contains:
- Internal server names
- IP addresses of mail infrastructure
- AV software information