
Overview

Simple Mail Transfer Protocol, port 25/587, TCP. Sends and receives mail; without STARTTLS the data travels over the network in cleartext. Client (MUA) ➞ Submission Agent (MSA) ➞ Open

SMTP can be driven by hand by connecting directly with telnet on port 25; the available commands are:

Command      Description
AUTH PLAIN   AUTH is a service extension used to authenticate the client.
HELO         The client logs in with its computer name and thus starts the session.
MAIL FROM    The client names the email sender.
RCPT TO      The client names the email recipient.
DATA         The client initiates the transmission of the email.
RSET         The client aborts the initiated transmission but keeps the connection between client and server.
VRFY         The client checks if a mailbox is available for message transfer.
EXPN         The client also checks if a mailbox is available for messaging with this command.
NOOP         The client requests a response from the server to prevent disconnection due to time-out.
QUIT         The client terminates the session.
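The commands above are what the server advertises in its EHLO reply (one "250-" line per service extension). As an added example, not part of the original page, here is a small Python parser for that reply, plus an audit that flags what a defender should review on a port-25 cleartext session: no STARTTLS, AUTH offered before TLS, and VRFY/EXPN enabled. The reply text is constructed, not captured from a real server.

```python
import re

# Constructed EHLO reply, as a server returns it on a cleartext port-25
# session: CRLF-terminated lines, "250-" for continuation, "250 " for the last.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-VRFY\r\n"
    "250-EXPN\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: [parameters]} from a multi-line 250 EHLO reply.

    The first 250 line is the greeting and is skipped; each following
    "250-" / "250 " line names one service extension (RFC 5321, 4.1.1.1).
    """
    lines = [line for line in reply.split("\r\n") if line]
    extensions = {}
    for line in lines[1:]:
        match = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if not match:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        extensions[match.group(1).upper()] = (match.group(2) or "").split()
    return extensions


def audit_ehlo(reply: str, tls_active: bool = False) -> list:
    """List settings worth reviewing; tls_active=True means STARTTLS already ran."""
    exts = parse_ehlo(reply)
    findings = []
    if "STARTTLS" not in exts and not tls_active:
        findings.append("no STARTTLS offered: mail and credentials cross the network in cleartext")
    if "AUTH" in exts and not tls_active:
        findings.append("AUTH advertised before TLS: " + " ".join(exts["AUTH"]) + " usable in cleartext")
    for cmd in ("VRFY", "EXPN"):
        if cmd in exts:
            findings.append(f"{cmd} enabled: lets anyone confirm or list mailboxes (disable or restrict)")
    return findings


if __name__ == "__main__":
    for finding in audit_ehlo(SAMPLE_EHLO_REPLY):
        print("-", finding)
```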

Enumeration

Telnet-style connection (netcat):

nc -vn $ip 25

openssl connection (if STARTTLS is used):

openssl s_client -starttls smtp -crlf -connect $domain:587

Check whether the server can be used as an open relay:

sudo nmap $ip -p25 --script smtp-open-relay -v

List the commands the server accepts:

nmap -p25 --script smtp-commands $ip

Brute force

User brute force:

nmap --script smtp-enum-users $ip
smtp-user-enum -M <MODE> -u <USER> -t $ip

Password brute force:

hydra -l monUser -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt $ip smtp

Metasploit

auxiliary/scanner/smtp/smtp_enum