SMTP Enumeration

00:00

SMTP Enumeration

00:03

are learning objectives are to understand what SMTP is used for and to demonstrate how to enumerate SMTP.

00:12

So smtp stands for simple mail transfer protocol and as you can probably guess, this is all about email, sending email, receiving email. Um it's on port 25

00:23

and you might see this in the news about keeping port 25 blocked or not allowing port 25 to be an open relay, which means that anyone, if you're running an SMTP server, that is an open relay means anyone can use your mail server to send email from your mail server. So a lot of spammers will use this service

00:43

And that's why a lot of people get nervous about SMTP and leaving Port 25

00:48

open.

00:51

So for enumeration we can use End map it. As you can see here, we're using script. SMTP with the asterix and we can see here on the Medicis pliable box, it runs a few different scripts. SMtP commands, SMtP and new users, which it didn't find anybody using that. I'll show you the next slide how you can do that.

01:11

It also around the SMtP open relay script and we can see that it doesn't appear to be an open relay as well as running a vulnerability scan for a Cbe from 2010.

01:25

So this isn't installed by Cali by default anymore, but SMTP user in oum

01:30

I use the verify command and I use this UNIX users list. Now,

01:37

this is to say it found a bunch of different users. These aren't people that are exactly going to be receiving email, but you can see all the services that are on this box. You can see my sequel, you can see ssh, you can see FTP can see double data. So probably a web server.

01:53

So you can it's not only enumerating the users but also the services on this medicine portable box.

02:00

So you've got mail if you remember that, that means you're old like me.

02:06

But here's an example of the syntax that you can use to um to send a mail message, uh and you'll see when it's received. Um It's in the var mail and user, you can cat that

02:22

as you can see here the root user.

02:25

And here is that my email?

02:31

I'm going to show you how to exploit this.

02:38

All right. So you're not gonna get a shell with SMTP is it's not per se, like NFS or SMB that we saw before,

02:46

But I want to show you something interesting. So we ran and map against Port 25. This takes a while. So they want to do it um and make you wait,

02:53

but you can see here, it doesn't know the service who ran the SV with the SV flag, it doesn't know what the service is. So

03:01

let's split this vertically and let's run End Cat. And you can run End Cat as a SMTP client.

03:10

You can see here. It's old school in my home network Fios.

03:16

But let's just do help.

03:22

So, we see with help, it says 32 bit Windows email server from NJ Star software, which is interesting. Right? It tells us what she commands we can use This is a very verbose output from help.

03:36

So, we have some good information from our enumeration here.

03:38

So, I'm gonna clear this on this side.

03:42

And let's go to medicine right now. I don't like using medicine plate all the time because, you know, SCP we can only use it once. Right? We have to use it sparingly.

03:52

But I want to show you there's a search feature in Medicine Boy Soul Search for NJ Star.

03:58

Yeah.

03:59

And we can see here that there is an exploit module for this service. So you use zero.

04:05

Yeah.

04:08

Show I always like to do show options.

04:11

It looks like we just need to set our our host, which is 1921681178.

04:18

So I'm gonna set our hosts

04:24

paste this

04:26

and run it.

04:31

So we should see sure enough, it's vulnerable. And we now have a interpreter session on this box

04:39

to our friend old school.

04:42

So that's not to say you're gonna get a shell every time or be able to exploit the service every time. But I did want to show you that. And map doesn't always give you this version of the service. Sometimes this manual enumeration can give us a whole lot of good information and from that

04:59

we can get a shell.