Port 465 — SMTP (SMTPS)

A guide to enumeration and assessment of SMTPS (implicit TLS) services

0) What is SMTPS (port 465)?

Port 465 is commonly used for SMTPS — SMTP over implicit TLS (older but still in use). Unlike port 25 (plain SMTP) or 587 (SMTP submission with STARTTLS), connections to 465 begin with TLS immediately. SMTPS is used for client-to-mailserver submission and for some server-to-server configurations. In assessments, focus on authentication, server certificate handling, allowed senders, and whether authentication can be abused or credentials harvested.

1) Recon Phase
# service & version detection (TLS-enabled)
nmap -sV -p 465 --script=smtp-commands,ssl-cert,ssl-enum-ciphers <target>

# banner & cert inspection
openssl s_client -connect <target>:465 -crlf
# observe certificate CN, SANs, and expiry

# identify mail host via MX records
dig MX <domain>

Record mail server software (Postfix/Exim/Sendmail/Microsoft). Note TLS certificate details (issuer, SANs) — these often expose internal hostnames.

2) Enumeration Phase
# check supported auth mechanisms & capabilities
# use openssl to start TLS and read the SMTP greeting, then send EHLO to list capabilities
openssl s_client -connect <target>:465 -crlf

# test AUTH mechanisms (AUTH LOGIN, PLAIN, XOAUTH2)
# automated: smtp-commands prints the EHLO reply, including the advertised AUTH mechanisms
nmap -p 465 --script=smtp-commands <target>

# attempt authenticated sessions (authorized testing); --tls-on-connect is required for implicit TLS
swaks --to test@domain.com --from me@domain.com --server <target> --port 465 --tls-on-connect --auth LOGIN --auth-user user --auth-password pass

# enumerate valid users via response timing or application-level interactions where possible

Since 465 uses implicit TLS, enumeration is often focused on authentication vectors and certificate-based issues rather than VRFY/EXPN (which are more common on port 25).
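An added example (not part of the original guide) that automates the certificate review from the recon phase and the AUTH-mechanism check above, written for reviewing your own or an in-scope mail server. The function names, the internal-suffix list and the sample data are assumptions made for illustration.

```python
import ipaddress
import smtplib
import ssl
from datetime import datetime, timedelta, timezone

INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")  # assumed naming conventions


def fetch(host, port=465, timeout=10):
    """Connect with implicit TLS; return (peer certificate dict, EHLO feature dict)."""
    ctx = ssl.create_default_context()  # raises if the chain or hostname does not verify
    with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
        smtp.ehlo()
        return smtp.sock.getpeercert(), dict(smtp.esmtp_features)


def is_internal(name):
    """True for private/loopback IP SANs or hostnames under an internal suffix."""
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:  # not an IP literal, treat as a hostname
        return name.lower().endswith(INTERNAL_SUFFIXES)


def review(cert, features, now=None, warn_days=30):
    """Return findings for the certificate and the advertised AUTH mechanisms."""
    now = now or datetime.now(timezone.utc)
    findings = []
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires < now:
        findings.append("certificate expired")
    elif expires - now < timedelta(days=warn_days):
        findings.append("certificate expires within %d days" % warn_days)
    for _kind, value in cert.get("subjectAltName", ()):
        if is_internal(value):
            findings.append("SAN exposes internal name: " + value)
    mechs = features.get("auth", "").upper().split()
    for weak in ("LOGIN", "PLAIN"):  # password mechanisms are the brute-force surface
        if weak in mechs:
            findings.append("password-based AUTH offered: " + weak)
    return findings


# Constructed sample data in the shapes ssl.getpeercert() and smtplib return.
SAMPLE_CERT = {"notAfter": "Jan 10 12:00:00 2025 GMT",
               "subjectAltName": (("DNS", "mail.example.com"),
                                  ("DNS", "mx01.corp.example.internal"),
                                  ("IP Address", "10.0.4.12"))}
SAMPLE_FEATURES = {"size": "52428800", "auth": "PLAIN LOGIN XOAUTH2"}
```

Against a live server, pass the result of fetch() to review(); a server whose certificate fails verification raises in fetch(), which is itself a finding.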

3) Exploitation Phase
# relay abuse (if server allows authenticated or unauthenticated submission)
# test sending mail to external recipient via authenticated submission
swaks --to victim@example.com --from attacker@domain.com --server <target> --port 465 --tls-on-connect --auth LOGIN --auth-user user --auth-password pass

# credential brute-force (authorized only)
hydra -s 465 -S -l user -P passlist smtp://<target>

# OAuth/XOAUTH2 / token misuse checks for modern providers
# check for client certificates or weak TLS ciphers that can be downgraded (rare)
# post-auth actions: access mailbox (IMAP/POP3) with same creds, search for tokens/passwords

Exploitation typically means using valid credentials to send phishing/relay messages, harvest mailbox content via other services, or reuse credentials to access admin panels. Focus on lateral impact (password reuse) and abuse of submission privileges.

SMTPS Info — What to Look For

Tools Required

sudo apt install nmap openssl swaks hydra
# Optional:
# - smtp-user-enum (for user enumeration on other SMTP ports)
# - sslyze / testssl.sh for deeper TLS checks
# - mail client tools (mutt, mailx) for manual testing
    

Quick copy-paste command cheatsheet

# check TLS cert and banner
openssl s_client -connect <target>:465 -crlf

# nmap TLS + SMTP scripts
nmap -sV -p 465 --script=ssl-cert,ssl-enum-ciphers,smtp-commands <target>

# test authenticated send (swaks); --tls-on-connect is required for implicit TLS
swaks --to victim@test.com --from me@domain.com --server <target> --port 465 --tls-on-connect --auth LOGIN --auth-user user --auth-password pass

# brute-force authenticated SMTP (authorized only)
hydra -s 465 -S -L users.txt -P passwords.txt smtp://<target>


Disclaimer: Use these techniques only on systems you own or are explicitly authorized to test. Sending mail, brute-forcing credentials, or abusing submission privileges without permission is illegal and unethical.