SMTP Pentest Guide

Lab 1: Basic SMTP Enumeration

This lab will guide you through the process of setting up a vulnerable SMTP server and practicing basic enumeration techniques to gather information about the server and its users.

Lab Objectives

  • Set up a vulnerable SMTP server for testing
  • Practice banner grabbing to identify server software
  • Use SMTP commands to enumerate valid users
  • Discover information about the mail server configuration
  • Document findings in a structured format

Lab Environment Setup

For this lab, you'll need:

  • A virtualization platform (VirtualBox, VMware, etc.)
  • An attacking machine (Kali Linux recommended)
  • A target machine (Ubuntu Server recommended)
  • An isolated virtual network

Step 1: Install Postfix on Target

Set up a vulnerable Postfix server on Ubuntu

# On Ubuntu Server (Target)
sudo apt update
sudo apt install postfix

# During installation:
# - Choose 'Internet Site'
# - Set system mail name to 'lab.local'

# Edit /etc/postfix/main.cf to make it vulnerable
sudo nano /etc/postfix/main.cf

# Add/modify these lines:
myhostname = mail.lab.local
mydomain = lab.local
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 192.168.56.0/24

# Enable VRFY command (vulnerable configuration)
disable_vrfy_command = no

# Restart Postfix
sudo systemctl restart postfix
Explanation: This sets up a Postfix SMTP server with a deliberately vulnerable configuration. The server allows the VRFY command (by setting disable_vrfy_command = no), which can be used to enumerate valid users. In a secure configuration, this command would be disabled.

Step 2: Create Test Users

Add some test users to the target system

# On Ubuntu Server (Target)
sudo adduser john
# Set password when prompted

sudo adduser alice
# Set password when prompted

sudo adduser admin
# Set password when prompted

sudo adduser postmaster
# Set password when prompted
Explanation: These commands create test users on the target system. In a real SMTP server, these would correspond to email accounts. We're creating common usernames that might exist on a real system, including 'admin' and 'postmaster' which are often default accounts.

Step 3: Banner Grabbing

Connect to the SMTP server and grab the banner

# On Kali Linux (Attacker)
nc -v 192.168.56.20 25
Explanation: This command uses netcat (nc) to connect to the SMTP server on port 25. The server responds with a banner that reveals information about the software (Postfix) and the operating system (Ubuntu). This information is valuable for identifying potential vulnerabilities specific to the software version.

Step 4: Basic SMTP Commands

Test basic SMTP commands to gather information

# After connecting with netcat
HELO attacker.local
HELP
Explanation: The HELO command initiates the SMTP session, and the server responds with its hostname. The HELP command lists the supported SMTP commands. Note that VRFY is listed, which confirms that user enumeration might be possible.

Step 5: User Enumeration with VRFY

Use the VRFY command to check if users exist

# After connecting with netcat
VRFY root
VRFY john
VRFY alice
VRFY admin
VRFY nonexistent
VRFY postmaster
Explanation: The VRFY command checks if a username exists on the system. A response code of 252 typically indicates the user exists, while 550 indicates the user doesn't exist. This allows an attacker to enumerate valid usernames on the system, which could be used for further attacks like password guessing.

Step 6: Automated User Enumeration

Use smtp-user-enum tool for more efficient enumeration

# On Kali Linux (Attacker)
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.56.20
Explanation: This command uses the smtp-user-enum tool to automate the user enumeration process. It tests a list of common Unix usernames against the SMTP server using the VRFY command. The tool reports which usernames exist on the system, making the enumeration process much more efficient than manual testing.
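From the defender's side, the manual VRFY probing in Step 5 and the wordlist run in Step 6 leave a distinctive trace: many VRFY (or RCPT TO) attempts from one client, most of them rejected. The following added example is not part of this guide; it parses log lines written in the shape of Postfix's smtpd "disconnect from" records (which count each SMTP verb as accepted/attempted per session, e.g. vrfy=3/48) and flags clients whose guessing volume and rejection ratio point to enumeration. The log lines are constructed for this example, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Postfix smtpd "disconnect" records;
# not taken from a real server. "vrfy=3/48" means 3 accepted of 48 attempted.
SAMPLE_LOG = """\
Nov 12 10:15:01 mail postfix/smtpd[2211]: disconnect from unknown[192.168.56.10] ehlo=1 vrfy=3/48 quit=1 commands=5/50
Nov 12 10:15:40 mail postfix/smtpd[2212]: disconnect from unknown[192.168.56.10] ehlo=1 mail=1 rcpt=0/25 quit=1 commands=3/28
Nov 12 10:16:02 mail postfix/smtpd[2213]: disconnect from client1.lab.local[192.168.56.30] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 12 10:17:11 mail postfix/smtpd[2214]: disconnect from unknown[192.168.56.10] ehlo=1 vrfy=0/40 quit=1 commands=2/42
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]\s+(?P<counts>.*)$"
)
# Each counter is "verb=accepted" or "verb=accepted/attempted".
COUNT_RE = re.compile(r"(?P<verb>[a-z]+)=(?P<ok>\d+)(?:/(?P<tried>\d+))?")


def parse_disconnect(line):
    """Return (client_ip, {verb: (accepted, attempted)}) for one disconnect line, or None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counts = {}
    for c in COUNT_RE.finditer(m.group("counts")):
        ok = int(c.group("ok"))
        tried = int(c.group("tried")) if c.group("tried") else ok
        counts[c.group("verb")] = (ok, tried)
    return m.group("ip"), counts


def enumeration_suspects(log_text, verb_threshold=20, reject_ratio=0.5):
    """Aggregate per client IP across sessions and flag IPs whose VRFY, EXPN or
    RCPT attempts are numerous and mostly rejected: the signature of guessing
    usernames rather than delivering mail. Thresholds are assumed values."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        ip, counts = parsed
        for verb, (ok, tried) in counts.items():
            totals[ip][verb][0] += ok
            totals[ip][verb][1] += tried

    suspects = {}
    for ip, verbs in totals.items():
        reasons = []
        for verb in ("vrfy", "expn", "rcpt"):
            ok, tried = verbs.get(verb, [0, 0])
            rejected = tried - ok
            if tried >= verb_threshold and rejected / tried >= reject_ratio:
                reasons.append(f"{verb}: {rejected}/{tried} rejected")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in enumeration_suspects(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Only the attacking host is reported; the legitimate client at 192.168.56.30 sent a single accepted RCPT and stays below the threshold. Feeding real /var/log/mail.log through the same function gives a cheap enumeration alarm even on a server where VRFY has since been disabled, because a disabled VRFY still shows up as rejected attempts.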

Step 7: Enumerating Server Capabilities

Use EHLO to discover supported extensions

# After connecting with netcat
EHLO attacker.local
Explanation: The EHLO command is an extended version of HELO that reveals the server's supported SMTP extensions. This output shows that the server supports STARTTLS for encryption, has a maximum message size of 10MB, and confirms again that VRFY is enabled. This information helps map the server's capabilities and potential security features.

Step 8: Testing for Email Relay

Check if the server allows unauthorized relaying

# After connecting with netcat
MAIL FROM: <attacker@evil.com>
RCPT TO: <victim@external.com>
Explanation: This test checks if the server allows relaying emails from external sources to external destinations (open relay). The 554 response indicates that relay is denied, which is the secure configuration. If the server had responded with 250 Ok, it would indicate an open relay vulnerability that could be exploited for spam or phishing.
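The 250/550/554 outcomes of a RCPT TO depend on three things the lab configured in Step 1: whether the client sits inside mynetworks, whether the recipient domain is in mydestination, and whether the local part is a known user. The following added example is not part of this guide; it models that decision for the lab's own values, using a reject_unauth_destination-style relay policy and leaving SASL authentication out (assumptions, labelled in the code). One caveat this makes visible: the Kali host itself lives in 192.168.56.0/24, which the lab put in mynetworks, so a relay test from it would be permitted; the 554 denial is what a client outside mynetworks receives.

```python
import ipaddress

# Constructed values mirroring the lab's main.cf from Step 1 and the users from
# Step 2; not read from a real server.
MYNETWORKS = ["127.0.0.0/8", "192.168.56.0/24"]
MYDESTINATION = {"mail.lab.local", "localhost.lab.local", "localhost", "lab.local"}
LOCAL_USERS = {"john", "alice", "admin", "postmaster", "root"}


def split_address(addr):
    """Return (local_part, domain) from '<user@host>' / 'user@host', or None."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()


def rcpt_decision(client_ip, rcpt_to):
    """Model of the relay policy 'permit_mynetworks, reject_unauth_destination'
    followed by local-recipient validation (assumed policy; SASL omitted).
    Returns the (code, enhanced-status text) the server would send."""
    parsed = split_address(rcpt_to)
    if parsed is None:
        return 501, "5.1.3 Bad recipient address syntax"
    local, domain = parsed
    ip = ipaddress.ip_address(client_ip)

    # Rule 1: a client inside mynetworks may relay to any destination.
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return 250, "2.1.5 Ok"
    # Rule 2: everyone else may only address domains this server is final for.
    if domain not in MYDESTINATION:
        return 554, f"5.7.1 <{rcpt_to}>: Relay access denied"
    # Rule 3: the recipient must exist locally (this is what RCPT-based
    # enumeration exploits: 250 vs 550 leaks whether the user exists).
    if local not in LOCAL_USERS:
        return 550, f"5.1.1 <{rcpt_to}>: Recipient address rejected: User unknown in local recipient table"
    return 250, "2.1.5 Ok"


def relay_matrix():
    """Decision table for the cases the lab discusses."""
    cases = [
        ("10.0.0.5", "<victim@external.com>"),        # outsider relaying out: denied
        ("192.168.56.10", "<victim@external.com>"),   # lab attacker is in mynetworks
        ("10.0.0.5", "<john@lab.local>"),             # outsider mailing a local user
        ("10.0.0.5", "<nonexistent@lab.local>"),      # outsider probing a missing user
    ]
    return {(ip, rcpt): rcpt_decision(ip, rcpt)[0] for ip, rcpt in cases}


if __name__ == "__main__":
    for (ip, rcpt), code in relay_matrix().items():
        print(f"{ip:15} RCPT TO:{rcpt:26} -> {code}")
```

Rule 3 is the part worth reading twice: the same code path that correctly refuses mail for unknown users is also why challenge 2 in the Lab Challenges works, and shrinking mynetworks to loopback (rule 1) is the configuration change that turns the lab attacker's 250 into the 554 the explanation above expects.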

Lab Findings Documentation

As part of this lab, document your findings in a structured format. Include:

  1. Server Information
    • IP Address: 192.168.56.20
    • Hostname: mail.lab.local
    • Software: Postfix on Ubuntu
  2. Supported Commands
    • AUTH, HELO, EHLO, MAIL, RCPT, DATA
    • NOOP, QUIT, RSET, HELP, VRFY
  3. Supported Extensions
    • PIPELINING, SIZE, VRFY, ETRN, STARTTLS
    • ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
  4. Enumerated Users
    • admin, john, alice, root, postmaster
  5. Security Issues
    • VRFY command enabled (allows user enumeration)
    • Banner reveals software and OS information

Lab Challenges

To further practice your skills, try these additional challenges:

  1. Use the EXPN command to see if it provides different information than VRFY
  2. Try the RCPT TO command as another method of user enumeration
  3. Use Nmap's smtp-enum-users script to automate the enumeration process
  4. Create a custom wordlist of potential usernames based on the organization's naming convention
  5. Document how you would secure this server to prevent the enumeration techniques you've used

Security Implications

The information gathered in this lab could be used by an attacker to:

  • Build a list of valid email addresses for phishing attacks
  • Identify potential usernames for password guessing attacks
  • Target specific software vulnerabilities based on the server version
  • Map the email infrastructure for more sophisticated attacks

Remediation Recommendations

To secure an SMTP server against these enumeration techniques:

  • Disable the VRFY command (disable_vrfy_command = yes)
  • Minimize information in the banner
  • Implement rate limiting to prevent automated enumeration
  • Use strong authentication mechanisms
  • Regularly update the SMTP server software
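The remediation list maps directly onto main.cf parameters: disable_vrfy_command, smtpd_banner, mynetworks, and the smtpd error and connection limits. The following added example is not part of this guide; it parses a main.cf-style fragment and reports which of the weaknesses exercised in Step 1 are still present, so the same check can be run on the vulnerable lab configuration and on a hardened one. Both configuration fragments are constructed for this example, and the severities and the choice of limit parameters are assumptions.

```python
import ipaddress
import re

# Constructed fragment mirroring the lab's Step 1 settings plus Ubuntu's
# usual banner; not read from a real host.
LAB_MAIN_CF = """\
myhostname = mail.lab.local
mydomain = lab.local
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8 192.168.56.0/24
disable_vrfy_command = no
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
"""

# Constructed hardened counterpart following the remediation list.
HARDENED_MAIN_CF = """\
myhostname = mail.lab.local
mydomain = lab.local
mynetworks = 127.0.0.0/8
disable_vrfy_command = yes
smtpd_banner = $myhostname ESMTP
smtpd_hard_error_limit = 10
smtpd_client_connection_rate_limit = 30
"""


def parse_main_cf(text):
    """Parse 'key = value' lines. Comments and blanks are skipped, a later key
    overrides an earlier one, and indented lines continue the previous value."""
    settings = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last_key:
            settings[last_key] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = key.strip()
        settings[last_key] = value.strip()
    return settings


def audit_enumeration_exposure(settings):
    """Return (severity, parameter, finding) tuples for the weaknesses this lab
    exploits. Where a key is absent, Postfix defaults are assumed:
    disable_vrfy_command = no and smtpd_banner = '$myhostname ESMTP $mail_name'."""
    findings = []

    if settings.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append(("high", "disable_vrfy_command",
                         "VRFY enabled: one command per username guess"))

    banner = settings.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if re.search(r"\$mail_(name|version)|\(.*\)", banner):
        findings.append(("low", "smtpd_banner",
                         f"banner discloses software/OS details: {banner!r}"))

    for net_text in settings.get("mynetworks", "").split():
        net = ipaddress.ip_network(net_text, strict=False)
        if net.is_loopback or net.num_addresses == 1:
            continue
        findings.append(("medium", "mynetworks",
                         f"{net_text}: every host in it may relay without authenticating"))

    limits = ("smtpd_hard_error_limit", "smtpd_client_connection_rate_limit")
    if not any(k in settings for k in limits):
        findings.append(("info", "rate limiting",
                         "no explicit error/connection limits; automated guessing relies on defaults"))
    return findings


if __name__ == "__main__":
    for name, cf in (("lab", LAB_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"== {name} ==")
        for sev, param, msg in audit_enumeration_exposure(parse_main_cf(cf)):
            print(f"[{sev}] {param}: {msg}")
```

Run against the lab fragment this reports all four issues; against the hardened fragment it reports none, which is a convenient way to check challenge 5 (documenting how you would secure the server) against an actual configuration rather than prose. On a live host, `postconf -n` prints the non-default settings in the same key = value form this parser accepts.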