SMTP Pentest Guide

Scanning & Enumeration Phase

After reconnaissance, the next step in SMTP penetration testing is active scanning and enumeration. This phase involves directly interacting with the target systems to identify open ports, running services, and potential vulnerabilities.

Port Scanning

SMTP and related services typically operate on specific ports:

  • Port 25 - Standard SMTP (often blocked by ISPs)
  • Port 465 - SMTP over SSL (SMTPS)
  • Port 587 - SMTP with STARTTLS (submission port)
  • Port 2525 - Alternative SMTP port used by some providers

Basic Port Scan with Nmap

Scan for common SMTP ports on a target

nmap -p 25,465,587,2525 mail.example.com
Explanation: This Nmap scan checks if common SMTP ports are open on the target server. The output shows which ports are open and which are closed, giving you an initial understanding of available services.

Service Version Detection

Identify SMTP server software and version

nmap -sV -p 25,465,587 mail.example.com
Explanation: The -sV flag tells Nmap to probe for service versions. This can reveal the specific SMTP server software (e.g., Postfix, Microsoft Exchange, Sendmail) and its version, which is crucial for identifying known vulnerabilities.

Comprehensive SMTP Scan

Run Nmap's built-in scripts for SMTP

nmap --script smtp-* -p 25,465,587 mail.example.com
Explanation: This command runs all of Nmap's built-in SMTP NSE scripts, which check for vulnerabilities and misconfigurations including open relays, user enumeration capabilities, and known CVEs. The results show which SMTP commands the server supports and any potential security issues. Quote the pattern (--script "smtp-*") so the shell cannot expand the wildcard against files in the current directory before Nmap sees it.

Banner Grabbing

Banner grabbing is the process of extracting information from the server's response banner, which often reveals software, version, and configuration details.

Telnet Banner Grabbing

Connect to SMTP server using Telnet to view banner

telnet mail.example.com 25
Explanation: By connecting to the SMTP port with Telnet you can read the 220 greeting banner the server presents. This often names the server software (Postfix, in this case) and sometimes the underlying OS (Ubuntu). This information helps target your testing.

SMTP Commands for Enumeration

Basic SMTP commands to gather information

telnet mail.example.com 25
HELO pentest.local
VRFY root
EXPN users
EHLO pentest.local
Explanation: These SMTP commands gather information: HELO/EHLO opens a session, VRFY asks whether a mailbox exists, and EXPN expands a mailing list to its members. EHLO additionally lists the extensions the server supports (STARTTLS, AUTH mechanisms, SIZE and so on). A 502 reply means the command is disabled and a 252 reply means the server declines to confirm, so neither tells you whether the account exists. The responses provide clues about configuration and potential vulnerabilities.
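A parser for the replies this session produces, as an added example that is not part of the original guide: it reads the 220 banner and the multi-line EHLO reply and then applies the hardening review a defender would run on the same output (VRFY/EXPN enabled, no STARTTLS, AUTH offered before TLS, software disclosed in the banner). The transcript is constructed for the example.

```python
import re

# Constructed EHLO transcript in the style of the telnet session above; the
# host name and extension list are made up for this example.
SAMPLE_SESSION = """\
220 mail.example.com ESMTP Postfix (Ubuntu)
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(transcript):
    """Return (banner, extensions) from a raw pre-TLS SMTP transcript.
    RFC 5321 multi-line replies put '-' after the code on every line but
    the last, which uses a space: '250-VRFY' continues, '250 DSN' ends."""
    banner, extensions, greeted = None, {}, False
    for line in transcript.splitlines():
        m = REPLY_RE.match(line.rstrip("\r"))
        if not m:
            continue  # client input or unrelated text
        code, _sep, text = m.groups()
        if code == "220" and banner is None:
            banner = text
        elif code == "250":
            if not greeted:
                greeted = True  # first 250 line is the server's own name
                continue
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params.split()
    return banner, extensions

def review_extensions(banner, extensions):
    """Findings a hardening review raises from a pre-STARTTLS EHLO reply."""
    findings = []
    if banner and re.search(r"\(.*\)|\d+\.\d+", banner):
        findings.append(f"banner discloses software/OS details: {banner}")
    for cmd in ("VRFY", "EXPN"):
        if cmd in extensions:
            findings.append(f"{cmd} enabled: permits account enumeration")
    if "STARTTLS" not in extensions:
        findings.append("STARTTLS not advertised: sessions stay cleartext")
    if "AUTH" in extensions:
        findings.append("AUTH offered before STARTTLS: credentials "
                        f"({' '.join(extensions['AUTH'])}) could be sent in clear")
    return findings
```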

User Enumeration

Some SMTP servers are misconfigured to allow enumeration of valid email addresses, which can be valuable for later phases.

SMTP User Enumeration Tool

Using a dedicated tool to validate email addresses

smtp-user-enum -M VRFY -U users.txt -t mail.example.com
Explanation: This specialized tool automates the process of checking multiple usernames against an SMTP server. It uses the VRFY command (or others like RCPT TO or EXPN) to determine if accounts exist, supplying a list of potential usernames from a file. The output shows which accounts were validated as existing.

Manual RCPT TO Method

Testing email existence using SMTP conversation

telnet mail.example.com 25
HELO pentest.local
MAIL FROM: <test@pentest.local>
RCPT TO: <admin@example.com>
Explanation: This manual method uses the message-sending commands to check whether an address is accepted. Establish a connection, set a sender (MAIL FROM), then try to add a recipient (RCPT TO). If the server accepts the recipient with a 250 code, that address likely exists; a 550 'user unknown' response indicates it does not. A server with a catch-all domain, or one that only validates recipients after DATA or at delivery time, answers 250 for any address, so a 250 alone is not proof of a mailbox.
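The defender's view of both enumeration techniques above (the VRFY-based tool and the manual RCPT TO probe), as an added example that is not part of the original guide: detection logic run over constructed Postfix-style smtpd log lines. It groups 'User unknown' rejections by client and alerts on any VRFY use or on a client probing many distinct addresses; the log format is assumed to follow Postfix's reject lines.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd log lines (not from a real system): one client
# probes several addresses with VRFY and RCPT TO, another mistypes one address.
SAMPLE_LOG = """\
Mar 10 09:12:01 mail postfix/smtpd[4021]: connect from unknown[203.0.113.7]
Mar 10 09:12:02 mail postfix/smtpd[4021]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 550 5.1.1 <alice>: Recipient address rejected: User unknown in local recipient table; to=<alice> proto=SMTP helo=<pentest.local>
Mar 10 09:12:02 mail postfix/smtpd[4021]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 550 5.1.1 <backup>: Recipient address rejected: User unknown in local recipient table; to=<backup> proto=SMTP helo=<pentest.local>
Mar 10 09:12:03 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@pentest.local> to=<bob@example.com> proto=SMTP helo=<pentest.local>
Mar 10 09:12:03 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@pentest.local> to=<carol@example.com> proto=SMTP helo=<pentest.local>
Mar 10 09:12:04 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@pentest.local> to=<dave@example.com> proto=SMTP helo=<pentest.local>
Mar 10 09:12:04 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<test@pentest.local> to=<erin@example.com> proto=SMTP helo=<pentest.local>
Mar 10 09:13:10 mail postfix/smtpd[4022]: NOQUEUE: reject: RCPT from mta.partner.example[198.51.100.20]: 550 5.1.1 <jhon@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<jhon@example.com> proto=ESMTP helo=<mta.partner.example>
Mar 10 09:13:41 mail postfix/smtpd[4022]: NOQUEUE: reject: RCPT from mta.partner.example[198.51.100.20]: 550 5.1.1 <jhon@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<jhon@example.com> proto=ESMTP helo=<mta.partner.example>
"""

REJECT_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<verb>RCPT|VRFY) from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<target>[^>]*)>"
)

def find_enumeration(log_text, threshold=5):
    """Group 'User unknown' rejections by client IP. Alert on any VRFY use
    (it should be disabled) or on a client that probes at least `threshold`
    distinct addresses, which separates enumeration from a sender that
    keeps retrying one mistyped recipient."""
    clients = defaultdict(lambda: {"count": 0, "verbs": set(), "targets": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m or "User unknown" not in line:
            continue  # not a recipient-validation reject
        c = clients[m["ip"]]
        c["count"] += 1
        c["verbs"].add(m["verb"])
        c["targets"].add(m["target"].lower())
    alerts = {}
    for ip, c in clients.items():
        if "VRFY" in c["verbs"] or len(c["targets"]) >= threshold:
            alerts[ip] = {"rejects": c["count"],
                          "distinct_targets": len(c["targets"]),
                          "verbs": sorted(c["verbs"])}
    return alerts
```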

TLS/SSL Configuration Testing

Secure SMTP implementations use TLS/SSL, but misconfigurations can lead to vulnerabilities.

Testing SSL/TLS with SSLyze

Analyze the SMTP server's SSL/TLS configuration

sslyze --regular mail.example.com:465
Explanation: SSLyze is a specialized tool for analyzing SSL/TLS configurations. This command checks the configuration on port 465 (SMTPS) and reports on supported protocols, cipher suites, and compliance with security standards. Look for outdated protocols (SSL 2.0/3.0, TLS 1.0), weak ciphers, and small key sizes.

Testing STARTTLS with OpenSSL

Check STARTTLS implementation on submission port

openssl s_client -starttls smtp -connect mail.example.com:587 -showcerts
Explanation: This command tests the STARTTLS implementation on port 587. It attempts to upgrade a regular SMTP connection to use TLS, then shows the certificate details and cipher negotiation. Check for certificate validity, strong protocols (TLSv1.2/1.3 preferred), and robust cipher suites.
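The same STARTTLS check done from Python, as an added example that is not part of the original guide: it upgrades a submission-port session with chain and hostname verification, then grades the negotiated protocol, cipher and certificate lifetime. The grading function takes the value shapes returned by Python's ssl module, so it can also be applied to figures copied from the openssl or sslyze output above; the host name is a placeholder and the live check is not run offline.

```python
import ssl
import time
import smtplib

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "anon")

def assess_session(version, cipher, bits, not_after, now=None):
    """Grade one negotiated session. `version`, `cipher` and `bits` have the
    shape of SSLSocket.cipher(); `not_after` is getpeercert()['notAfter'],
    e.g. 'Mar 10 12:00:00 2027 GMT'; `now` is epoch seconds (default: now)."""
    findings = []
    if version in WEAK_PROTOCOLS:
        findings.append(f"weak protocol {version}")
    if bits < 128 or any(m in cipher for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {cipher} ({bits} bits)")
    expires = ssl.cert_time_to_seconds(not_after)
    now_s = time.time() if now is None else now
    if expires < now_s:
        findings.append("certificate expired")
    elif expires - now_s < 30 * 86400:
        findings.append("certificate expires within 30 days")
    return findings

def check_starttls(host, port=587, timeout=10):
    """Upgrade a plain session with STARTTLS, verifying chain and hostname,
    and grade what was negotiated. Network code: not exercised offline."""
    ctx = ssl.create_default_context()          # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocols
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return ["STARTTLS not advertised on EHLO"]
        smtp.starttls(context=ctx)  # raises ssl.SSLError on bad cert/protocol
        smtp.ehlo()                 # re-issue EHLO after the upgrade (RFC 3207)
        cipher, version, bits = smtp.sock.cipher()
        not_after = smtp.sock.getpeercert()["notAfter"]
        return assess_session(version, cipher, bits, not_after)
```

With the default context the handshake itself fails on an untrusted certificate or a protocol below TLS 1.2, so a result of an empty list means the server passed every check.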

Key Findings from Scanning Phase

During the scanning and enumeration phase, focus on collecting these key pieces of information:

  • SMTP server software type and version
  • Supported SMTP extensions (STARTTLS, AUTH mechanisms, etc.)
  • Available SMTP commands (especially dangerous ones like VRFY)
  • SSL/TLS configuration and security
  • User account validation capabilities
  • Open relay potential

Best Practices for Scanning

  • Start with non-intrusive scans and gradually increase intensity
  • Monitor for alerts or blocks as aggressive scanning may trigger security measures
  • Document every finding methodically for the vulnerability analysis phase
  • Respect the agreed scope of testing