Email
Enumeration
Email is harder to enumerate than most single-service targets: a company may run several servers on several ports, and many organisations host their mail in the cloud (for example Microsoft 365), so the mail infrastructure may not sit on the in-scope network at all.
The most common ports are as follows:
25 - SMTP
143 - IMAP4
110 - POP3
465 - SMTP over implicit TLS (SMTPS)
587 - SMTP submission (STARTTLS)
993 - IMAP4 over TLS
995 - POP3 over TLS
Basic scan
sudo nmap -Pn -sVC -p25,143,110,465,587,993,995 IP
We can use the Mail eXchanger (MX) DNS record to identify a mail server. The MX record specifies the mail server responsible for accepting email on behalf of the domain; resolve the returned hostnames to A records to get the addresses to scan.
Host MX records
host -t MX <domain>
Host A records (resolve each mail host returned by the MX lookup)
host -t A <mailserver>
dig MX
dig MX <domain>
Misconfiguration
If the service is misconfigured it may allow anonymous authentication or expose commands that let us enumerate valid users.
Authentication
Simple Mail Transfer Protocol (SMTP)
Using the VRFY, EXPN and RCPT TO commands we can try to enumerate usernames. Once valid users are found we can password spray, guess or brute-force their passwords.
VRFY - asks the server to verify that a mailbox or address exists
EXPN - asks the server for the membership of a mailing list (or the address behind an alias)
RCPT TO - names a recipient of the message; a 550 "user unknown" versus a 250 reveals whether the user exists
Most modern MTAs answer VRFY with 252 (cannot verify, will attempt delivery) or disable EXPN entirely, so RCPT TO is often the only method that still leaks anything, and a catch-all domain defeats even that because every recipient is accepted.
POP3 can also leak users depending on the implementation: send the USER command followed by a username and, if the server answers +OK, the user exists. Many servers reply +OK to any USER and only fail at PASS, so test a few names that cannot exist first to confirm the server actually discriminates.
User Enumeration
To automate the process we can use the smtp-user-enum tool (its -M switch selects VRFY, EXPN or RCPT).
Cloud Enumeration
O365 Spray
A username enumeration and password spraying tool aimed at Microsoft Office 365 / Microsoft 365.
Check if the domain is valid
Identify Usernames
Password Attacks
POP3 password spray (keep attempts per account below the lockout threshold)
O365 Spray
Open Relay Attacks
An open relay is an SMTP server that is misconfigured to relay mail from unauthenticated, external senders to external recipients. It masks the true source of a message, which appears to originate from the relay.
In theory we could abuse this for phishing by spoofing someone else's address, although SPF, DKIM and DMARC checks on the receiving side often flag or reject such mail.
Identify if the SMTP port allows an open relay (for example with the nmap smtp-open-relay script)
We can now use a mail client to connect to the mail server and send our email (swaks is a convenient command-line client for this).
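As an added, runnable example that is not part of the original notes, the following Python client covers both the VRFY/EXPN/RCPT TO user enumeration described in the SMTP section above and the open-relay check in this section. It talks to a constructed lab SMTP server started in the same process; the lab domain lab.example, its accounts, the Postfix-style replies and the sender/recipient addresses used for the relay probe are all assumptions for the demonstration. Point enumerate_users and is_open_relay at a real host and port to use them against an engagement target.

```python
import secrets
import smtplib
import socketserver
import threading

# Constructed lab target (assumption, not a real host): a Postfix-like responder
# with VRFY enabled, EXPN disabled, the local accounts below, and the
# misconfiguration under discussion: it relays to any foreign domain.
LAB_DOMAIN = "lab.example"
LAB_USERS = {"alice", "root", "postmaster"}


class LabSmtpHandler(socketserver.StreamRequestHandler):
    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    @staticmethod
    def parse_addr(arg):
        """'TO:<alice@lab.example>' / '<alice>' / 'alice' -> ('alice', 'lab.example')."""
        addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
        local, _, domain = addr.partition("@")
        return local, domain or LAB_DOMAIN

    def handle(self):
        self.reply(f"220 {LAB_DOMAIN} ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply(f"250 {LAB_DOMAIN}")
            elif verb == "VRFY":
                local, _ = self.parse_addr(arg)
                self.reply(f"252 2.0.0 {local}" if local in LAB_USERS
                           else f"550 5.1.1 <{local}>: Recipient address rejected: User unknown")
            elif verb == "EXPN":
                self.reply("502 5.5.2 Command not implemented")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.reply("250 2.0.0 Ok")
            elif verb == "RCPT":
                local, domain = self.parse_addr(arg)
                ok = domain != LAB_DOMAIN or local in LAB_USERS  # open relay: anything foreign is accepted
                self.reply("250 2.1.5 Ok" if ok
                           else f"550 5.1.1 <{local}@{domain}>: Recipient address rejected: User unknown")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def start_lab_server():
    """Start the lab server on a free loopback port and return (host, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), LabSmtpHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def enumerate_users(host, port, candidates, domain, method="vrfy"):
    """Return the candidates the server acknowledges via VRFY, EXPN or RCPT TO."""
    found = set()
    with smtplib.SMTP(host, port, local_hostname="probe", timeout=10) as smtp:
        smtp.ehlo()
        if method == "rcpt":
            smtp.mail(f"probe@{domain}")
            # A catch-all domain accepts every recipient, so RCPT TO proves nothing there.
            if smtp.rcpt(f"{secrets.token_hex(6)}@{domain}")[0] == 250:
                raise RuntimeError("catch-all domain: RCPT TO accepts any local part")
        for user in candidates:
            if method == "vrfy":
                code, _ = smtp.verify(user)
            elif method == "expn":
                code, _ = smtp.expn(user)
            elif method == "rcpt":
                code, _ = smtp.rcpt(f"{user}@{domain}")
            else:
                raise ValueError(f"unknown method {method!r}")
            if code in (250, 251, 252):      # 252 = "cannot VRFY, will accept" (Postfix default)
                found.add(user)
            elif code in (500, 501, 502):    # command disabled: stop instead of burning the wordlist
                break
    return found


def is_open_relay(host, port, sender="probe@attacker.test", rcpt="victim@external.test"):
    """True if the server accepts RCPT TO for a foreign domain from a foreign sender."""
    with smtplib.SMTP(host, port, local_hostname="probe", timeout=10) as smtp:
        smtp.ehlo()
        smtp.mail(sender)
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()                          # stop before DATA; acceptance is the finding
        return code == 250


if __name__ == "__main__":
    host, port = start_lab_server()
    wordlist = ["admin", "alice", "bob", "root"]
    print("VRFY :", enumerate_users(host, port, wordlist, LAB_DOMAIN, "vrfy"))
    print("RCPT :", enumerate_users(host, port, wordlist, LAB_DOMAIN, "rcpt"))
    print("EXPN :", enumerate_users(host, port, wordlist, LAB_DOMAIN, "expn"))
    print("relay:", is_open_relay(host, port))
```

Run as-is it starts the lab server on a loopback port, recovers alice and root through VRFY and RCPT TO, gets nothing from the disabled EXPN (the client stops after the first 502 rather than sending the whole wordlist), and reports the relay. Three details matter on real targets: 252 is counted as a hit because Postfix answers VRFY that way for existing users while still returning 550 for unknown ones, a random local part is probed first so a catch-all domain is detected instead of reported as a full wordlist of valid users, and the relay check stops at RCPT TO and resets the transaction so nothing is actually delivered.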