0) What is SMTP?
SMTP (Simple Mail Transfer Protocol) is a standard protocol for sending and routing email messages between mail servers. It operates over TCP port 25 by default. While essential for mail delivery, open or misconfigured SMTP servers can leak sensitive information such as usernames or allow unauthorized message relay (spam). Enumeration focuses on identifying open relays, user enumeration, and potential spoofing opportunities.
1) Recon Phase
# Identify SMTP service and version
nmap -sV -p 25 [targetip]
# Use NSE scripts for additional details
nmap -p 25 --script smtp-commands,smtp-open-relay,smtp-enum-users [targetip]
These scans detect the SMTP service, banner information (e.g., Postfix, Exim, Sendmail), and whether the server supports potentially dangerous commands like VRFY or EXPN.
2) Enumeration Phase
Enumeration focuses on discovering valid users, open relay status, and potential spoofing misconfigurations.
# Connect manually to SMTP and grab the banner
nc [targetip] 25
# Use HELO or EHLO to identify yourself to the server
HELO example.com
EHLO example.com
# Test user enumeration
VRFY root
VRFY admin
EXPN users
The VRFY and EXPN commands can be used to validate existing user accounts. The reply code tells you the result: 250 confirms the account, 550 denies it, and 252 means the server declines to verify, so a hardened server gives no information either way.
# Automated user enumeration
smtp-user-enum -M VRFY -U users.txt -t [targetip]
This tool automates user enumeration by sending one VRFY per name in the wordlist and sorting the names by the server's reply code. Use only during authorized testing.
# Check if open relay is allowed
telnet [targetip] 25
MAIL FROM:<test@example.com>
RCPT TO:<test@external.com>
DATA
This is a relay test.
.
QUIT
If the server accepts the RCPT TO for an external domain without authentication, it is an open relay; a correctly configured server rejects it (typically "454 4.7.1 Relay access denied" or a 554 reply).
3) Exploitation Phase
Exploitation focuses on leveraging configuration weaknesses or gathered credentials.
# Relay abuse (authorized testing only)
swaks --to test@victim.com --from admin@[target] --server [targetip] --header "Subject: SMTP test" --body "Hello!"
This command uses swaks to simulate an SMTP relay attempt. Abuse of open relays allows spam or spoofing.
# Credential brute-force (only with explicit authorization)
hydra -L users.txt -P passwords.txt smtp://[targetip]
Some SMTP servers accept authenticated logins via AUTH LOGIN. Weak or reused credentials may allow access.
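Added example, not part of the original cheatsheet: from the defender's side, the relay test and the AUTH LOGIN brute-force above both leave traces in the mail server log. The Python below parses constructed Postfix smtpd log lines (the "Relay access denied" and "SASL LOGIN authentication failed" formats) and flags source IPs that probed for open relay or exceeded a failed-login threshold; the log lines and IPs are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtpd log lines (not from a real server): one
# open-relay probe and five AUTH LOGIN failures from 203.0.113.5, plus a
# normal delivery from a partner host that must not be flagged.
SAMPLE_LOG = """\
Nov 10 12:00:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Nov 10 12:00:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <test@external.com>: Relay access denied; from=<test@example.com> to=<test@external.com> proto=ESMTP helo=<example.com>
Nov 10 12:00:05 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 10 12:00:06 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 10 12:00:07 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 10 12:00:08 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 10 12:00:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 10 12:01:00 mail postfix/smtpd[2102]: connect from mail.partner.example[198.51.100.7]
Nov 10 12:01:01 mail postfix/smtpd[2102]: ABC123: client=mail.partner.example[198.51.100.7]
"""

# A relay probe: RCPT TO an external domain rejected with 454 4.7.1.
RELAY_DENIED = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 454 4\.7\.1 .*Relay access denied")
# A failed SASL (AUTH LOGIN / PLAIN) attempt.
SASL_FAILED = re.compile(r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")

def analyse_smtpd_log(text, auth_threshold=5):
    """Return {ip: {"relay_probes": n, "auth_failures": n, "flags": [...]}}
    for every source IP that probed for open relay or reached auth_threshold
    failed logins. Hosts with neither behaviour are left out."""
    stats = defaultdict(lambda: {"relay_probes": 0, "auth_failures": 0, "flags": []})
    for line in text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            stats[m.group("ip")]["relay_probes"] += 1
            continue
        m = SASL_FAILED.search(line)
        if m:
            stats[m.group("ip")]["auth_failures"] += 1
    findings = {}
    for ip, s in stats.items():
        if s["relay_probes"]:
            s["flags"].append("open-relay probe")
        if s["auth_failures"] >= auth_threshold:
            s["flags"].append("AUTH brute force")
        if s["flags"]:
            findings[ip] = s
    return findings

if __name__ == "__main__":
    for ip, s in analyse_smtpd_log(SAMPLE_LOG).items():
        print(ip, s["flags"], "relay_probes=%d auth_failures=%d" % (s["relay_probes"], s["auth_failures"]))
```

Point it at /var/log/mail.log (or journalctl -u postfix output) instead of SAMPLE_LOG to run it against a real server; the threshold is a starting point, not a tuned value.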
# Post-exploitation actions
- Search for message queues, mail spools, or logs containing sensitive data
- Extract credentials, API keys, or internal addresses from mail messages
SMTP Info — What to Look For
- Banner information revealing mail software and version
- VRFY/EXPN commands that confirm valid usernames
- Misconfigured open mail relays
- Weak or default SMTP authentication credentials
- Email spoofing or relay possibilities for phishing
Tools Required
sudo apt install nmap netcat swaks hydra smtp-user-enum telnet
Quick Copy-Paste Command Cheatsheet
# Recon
nmap -p 25 -sV --script smtp-commands,smtp-open-relay [target]
# Manual check
nc [target] 25
HELO test
VRFY root
# User enumeration
smtp-user-enum -M VRFY -U users.txt -t [target]
# Brute-force
hydra -L users.txt -P passwords.txt smtp://[target]
# Relay test
swaks --to victim@test.com --from admin@[target] --server [target]
Disclaimer: Use these techniques only on systems you own or are explicitly authorized to test. Unauthorized access is illegal and unethical.