Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Cheat sheets and Notes

SMTP

PreviousSeDebugPrivilegeNextDirectory brute-forcing (Fuzzing web directories)

Last updated 1 year ago

Ports

25, 465, 587

Enumerating what commands are available to us

sudo nmap -p25 --script=smtp-commands 10.129.34.39

Enumerating users

we can enumerate users if at least one of the following commands are enabled on the smtp server

  • VRFY

  • RCPT TO

MANUALLY

we can make use of telnet or netcat to establish a connection to the smtp server

telnet 10.129.34.39 25
Trying 10.129.34.39...
Connected to 10.129.34.39.
Escape character is '^]'.
220 Mail Service ready
HELO shrek123@shrek123.com
250 Hello.
MAIL FROM: <shrek123@shrek123>
250 OK
RCPT TO: <nico@megabank.com>
250 OK

  • We can see we have identified a user on the smtp server nico@megabank.com

  • if the user didn't exists we would smtp would have replied with 

550 unknown user

we can also utilize a script to automate the process

sudo perl /opt/smtp-user-enum/smtp-user-enum.pl -M RCPT -u nico@megabank.com -t 10.129.34.39