SMTP is an application layer protocol. The client that wants to send mail opens a TCP connection to the SMTP server and then sends the mail across that connection. The SMTP server is always in listening mode: it listens on TCP port 25 and, as soon as a client connects, the SMTP process accepts the connection on that port. Once the TCP connection is established, the client process sends the mail immediately.
Using a process called "store and forward," SMTP moves your email on and across networks. It works closely with the Mail Transfer Agent (MTA) to deliver your message to the right computer and email inbox.
How this works
- First, the e-mail client, such as Outlook or Gmail, uses SMTP to submit the message to its e-mail server.
- Second, that e-mail server uses SMTP as a relay service to send the e-mail on to the receiving e-mail server.
- Third, the recipient's e-mail client downloads the incoming mail from the receiving server via IMAP and places it in the recipient's inbox.
SMTP vs IMAP vs POP3
- SMTP is used to send, relay or forward messages from a mail client, but cannot retrieve messages. It uses port 25; ports 587 and 465 are also used when the session is protected with TLS.
- IMAP is an e-mail protocol for managing and retrieving e-mail messages; it is used for receiving emails, not sending them. It uses port 143, or 993 for TLS.
- POP3 is used to retrieve messages from an email server to a mail client. It uses port 110, or 995 for TLS.
SMTP Commands
Command | Meaning | Example |
HELO | Specify your domain name so that the mail server knows who you are. | HELO vk9security.com |
MAIL | Specify the sender email. | MAIL FROM: <example@vk9security.com> |
RCPT | Specify the recipient. Issue this command multiple times if you have more than one recipient. | RCPT TO: <example2@vk9security.com> |
DATA | Issue this command before sending the body of the message. The message body must end with the following five-character sequence: "\r\n.\r\n" (CRLF, a single dot, CRLF). | DATA |
QUIT | Terminates the conversation with the server. | QUIT |
EXPN | Specify that your recipient is a mailing list. | |
HELP | Asks for help from the mail server. | |
NOOP | Does nothing except get a response from the server. | |
RSET | Aborts the current conversation and starts a new one. | |
SEND | Sends a message to a user's terminal instead of a mailbox. | |
SAML | Sends a message to a user's terminal and to a user's mailbox. | |
SOML | Sends a message to a user's terminal if they are logged on; otherwise, sends the message to the user's mailbox. | |
TURN | Reverses the roles of client and server. This might be useful if the client program can also act as a server and needs to receive mail from the remote computer. | |
VRFY | Verifies that a particular user name at a given mail address exists. Not supported by all mail servers. | |
SMTP Responses
Code | Meaning |
211 | System status or system help reply. |
214 | Help message. |
220 | Server is ready. |
221 | Server transmission ending. |
250 | Requested mail action okay, completed. |
251 | Specified user is not local, but the server will forward the mail message. |
354 | This is a reply to the DATA command. After getting this, start sending the body of the mail message, ending with “\r\n.\r\n.” |
421 | The mail service is unavailable. Try again later. |
450 | The recipient mailbox is busy. Try again later. |
451 | The requested action was not done. Some error occurred in the mail server. |
452 | The requested action was not done. The mail server ran out of system storage. |
500 | The last command contained a syntax error or the command line was too long. |
501 | The parameters or arguments in the last command contained a syntax error. |
502 | The mail server has not implemented the last command. |
503 | The last command was sent out of sequence. For example, you might have sent DATA before sending RCPT. |
504 | One of the parameters of the last command has not been implemented by the server. |
550 | The recipient mailbox is not found, no access, or command rejected for policy reasons |
551 | The specified user is not local; part of the text of the message will contain a forwarding address. |
552 | The recipient mailbox is full. Try again later. |
553 | The mail address that you specified was not syntactically correct. |
554 | The mail transaction has encountered unknown errors. |
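The reply codes above are what a client, or a monitoring script reading a mail server's replies, has to parse. The Python below is an added example, not code from the original page: it turns raw SMTP reply lines into code, reply class (2yz success, 3yz intermediate, 4yz transient, 5yz permanent), the optional enhanced status code such as "2.1.0", and text, and it handles the multi-line replies that RFC 5321 writes as "250-" continuation lines closed by a "250 " line. The server output it parses is constructed for the example.

```python
"""Parse SMTP reply lines and classify them by the first digit of the code.

Added example, not the page's own code.  Handles multi-line replies
("250-text" continuation lines, "250 text" final line) and rejects a
multi-line reply whose lines carry different codes, which RFC 5321 forbids.
The server output in SAMPLE is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# code, then "-" (more lines follow) or a space / end of line (final line), then text
_LINE = re.compile(r"^(?P<code>[2-5]\d\d)(?P<sep>[ -]|$)(?P<text>.*)$")
# enhanced status codes (RFC 3463) look like "2.1.0" at the start of the text
_ENHANCED = re.compile(r"^(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s*(?P<rest>.*)$")

CLASSES = {
    "2": "success",       # request completed
    "3": "intermediate",  # more input expected (354 after DATA)
    "4": "transient",     # retry later
    "5": "permanent",     # do not retry the same request
}


@dataclass
class SmtpReply:
    code: int
    lines: List[str] = field(default_factory=list)
    enhanced: Optional[str] = None

    @property
    def klass(self) -> str:
        return CLASSES[str(self.code)[0]]

    @property
    def ok(self) -> bool:
        # 2yz and 3yz both mean "carry on"; 4yz and 5yz mean the command failed
        return self.code < 400


def parse_replies(raw: str) -> List[SmtpReply]:
    """Split raw server output into complete replies; ValueError on malformed input."""
    replies: List[SmtpReply] = []
    current: Optional[SmtpReply] = None
    for lineno, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line.rstrip("\r"))
        if not m:
            raise ValueError(f"line {lineno}: not an SMTP reply: {line!r}")
        code, text = int(m["code"]), m["text"]
        if current is None:
            current = SmtpReply(code=code)
            e = _ENHANCED.match(text)
            if e:
                current.enhanced, text = e["esc"], e["rest"]
        elif current.code != code:
            raise ValueError(f"line {lineno}: code {code} inside a {current.code} reply")
        current.lines.append(text)
        if m["sep"] != "-":        # a space or end of line closes the reply
            replies.append(current)
            current = None
    if current is not None:
        raise ValueError("output ended inside a multi-line reply")
    return replies


# Constructed sample: a greeting, an EHLO capability list, and replies a
# client might see during a transaction (one rejected recipient, one 4yz).
SAMPLE = (
    "220 mx1.example.com ESMTP Postfix\r\n"
    "250-mx1.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
    "250 2.1.0 Ok\r\n"
    "354 End data with <CR><LF>.<CR><LF>\r\n"
    "550 5.1.1 <nobody@example.com>: Recipient address rejected\r\n"
    "421 4.7.0 Too many connections, try again later\r\n"
)


def summarize(raw: str) -> List[str]:
    """One readable line per reply, e.g. '550 permanent 5.1.1 <nobody...>'."""
    out = []
    for r in parse_replies(raw):
        esc = f" {r.enhanced}" if r.enhanced else ""
        out.append(f"{r.code} {r.klass}{esc} {r.lines[0]}".rstrip())
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Running the file prints one line per reply; the multi-line EHLO answer collapses into a single 250 reply with five text lines, and a continuation line with a different code is reported as an error instead of being silently merged.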
POP3 commands
Command | Comment | Example |
USER | Your user name for this mail server | USER Stan +OK Please enter a password |
PASS | Your password. | PASS SeCrEt +OK valid logon |
QUIT | End your session. | QUIT +OK Bye-bye. |
STAT | Number and total size of all messages | STAT +OK 2 320 |
LIST | Message# and size of message | LIST +OK 2 messages (320 octets) 1 120 2 200 … LIST 2 +OK 2 200 |
RETR message# | Retrieve selected message | RETR 1 +OK 120 octets follow. *** |
DELE message# | Delete selected message | DELE 2 +OK message deleted |
NOOP | No-op. Keeps your connection open. | NOOP +OK |
RSET | Reset the mailbox. Undelete deleted messages. | RSET +OK maildrop has 2 messages (320 octets) |
TOP [message] [number] | Returns the headers and number of lines from the message | TOP 1 10 +OK *** |
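The examples in the table show POP3's two reply shapes: a single "+OK"/"-ERR" status line, and, for LIST without an argument, RETR and TOP, a status line followed by data lines that end with a line holding a single dot. The Python below is an added example, not code from the original page: it reads such replies on the client side, un-stuffs body lines that the server sent as ".." because they start with a dot, and parses the STAT and LIST values. The server output is constructed to match the table (two messages of 120 and 200 octets), with one -ERR added for a bad message number.

```python
"""Client-side parser for POP3 replies.  Added example, not the page's own code.

A reply is one status line ("+OK ..." or "-ERR ...") and, for multi-line
commands, data lines terminated by a line containing only ".".  Data lines
beginning with "." are byte-stuffed by the server as "..".
SERVER_OUTPUT is constructed; it is what a server would send in reply to
the COMMANDS list, in order.
"""
from typing import Dict, List, Tuple


class Pop3Error(Exception):
    pass


def expects_multiline(command: str) -> bool:
    """Whether the reply to this command carries data lines after the status."""
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    if verb in ("RETR", "TOP", "CAPA"):
        return True
    if verb in ("LIST", "UIDL"):
        return arg == ""          # "LIST" lists all; "LIST 2" is one status line
    return False


def read_reply(lines: List[str], pos: int, multiline: bool) -> Tuple[bool, str, List[str], int]:
    """Consume one reply starting at lines[pos].

    Returns (ok, status_text, data_lines, next_pos).  -ERR gives ok=False.
    Raises Pop3Error on a malformed status line or a truncated data block.
    """
    status = lines[pos]
    pos += 1
    if status.startswith("-ERR"):
        return False, status[4:].strip(), [], pos
    if not status.startswith("+OK"):
        raise Pop3Error(f"malformed status line: {status!r}")
    data: List[str] = []
    if multiline:
        while True:
            if pos >= len(lines):
                raise Pop3Error("reply truncated before the terminating '.'")
            line = lines[pos]
            pos += 1
            if line == ".":
                break
            data.append(line[1:] if line.startswith("..") else line)   # un-stuff
    return True, status[3:].strip(), data, pos


def parse_stat(text: str) -> Tuple[int, int]:
    """'2 320' -> (message_count, total_octets)."""
    count, octets = text.split()[:2]
    return int(count), int(octets)


def parse_list(data: List[str]) -> Dict[int, int]:
    """Scan-listing lines '1 120' -> {1: 120}."""
    out: Dict[int, int] = {}
    for line in data:
        num, size = line.split()[:2]
        out[int(num)] = int(size)
    return out


COMMANDS = ["STAT", "LIST", "RETR 1", "LIST 2", "DELE 9", "QUIT"]

# constructed server output, one reply per command above
SERVER_OUTPUT = [
    "+OK 2 320",
    "+OK 2 messages (320 octets)",
    "1 120",
    "2 200",
    ".",
    "+OK 120 octets follow.",
    "From: alice@example.com",
    "Subject: hello",
    "",
    "..hidden leading dot",
    "end of body",
    ".",
    "+OK 2 200",
    "-ERR no such message",
    "+OK Bye-bye.",
]


def walk_session(commands: List[str] = COMMANDS,
                 output: List[str] = SERVER_OUTPUT) -> List[Tuple[str, bool, str, List[str]]]:
    """Pair each command with its parsed reply: (command, ok, status_text, data)."""
    pos = 0
    results = []
    for cmd in commands:
        ok, text, data, pos = read_reply(output, pos, expects_multiline(cmd))
        results.append((cmd, ok, text, data))
    if pos != len(output):
        raise Pop3Error("server sent more lines than the commands account for")
    return results


if __name__ == "__main__":
    for cmd, ok, text, data in walk_session():
        print(f"{cmd:8} {'+OK' if ok else '-ERR'} {text} ({len(data)} data lines)")
```

The point of expects_multiline is the one the table's LIST row illustrates: the same verb yields a multi-line reply without an argument and a single status line with one, so a client that reads the wrong shape will desynchronise from the server.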
IMAP Commands
Command | Description | Usage |
APPEND | Appends the literal argument as a new message to the end of the specified destination mailbox. | Yes |
AUTHENTICATE | Indicates a Simple Authentication and Security Layer (SASL) authentication mechanism to the server. | Yes |
CAPABILITY | Requests a listing of capabilities that the server supports. | Yes |
CHECK | Requests a checkpoint of the currently selected mailbox. | No |
CLOSE | Permanently removes all messages that have the \Deleted flag set from the currently selected mailbox, and returns to the authenticated state from the selected state. | No |
COPY/UID COPY | Copies the specified message(s) to the end of the specified destination mailbox. | Yes |
CREATE | Creates a mailbox with the given name. | Yes |
DELETE | Permanently removes the mailbox with the given name. | No |
EXAMINE | Identical to SELECT and returns the same output; however, the selected mailbox is identified as read-only. | Yes |
EXPUNGE | Permanently removes all messages that have the \Deleted flag set from the currently selected mailbox. | Yes |
FETCH/UID FETCH | Retrieves data associated with a message in the mailbox. | Yes |
UID | Unique identifier. | Yes |
LIST | Returns a subset of names from the complete set of all names available to the client. | Yes |
LOGIN | Identifies the client to the server and carries the plaintext password authenticating this user. | Yes |
LOGOUT | Informs the server that the client is done with the connection. | No |
LSUB | Returns a subset of names from the set of names that the user has declared as being “active” or “subscribed”. | Yes |
NOOP | Does nothing. It always succeeds. | Yes |
RENAME | Changes the name of a mailbox. | No |
SEARCH | Searches the mailbox for messages that match the given searching criteria. | Yes |
SELECT | Selects a mailbox so that messages in the mailbox can be accessed. | Yes |
STORE | Alters data associated with a message in the mailbox. | Yes |
SUBSCRIBE | Adds the specified mailbox name to the server’s set of “active” or “subscribed” mailboxes as returned by the LSUB command. | No |
UNSUBSCRIBE | Removes the specified mailbox name from the server’s set of “active” or “subscribed” mailboxes as returned by the LSUB command. | No |
IMAP vs POP3 comparison
Command | Equivalence | Notes |
Login | Exactly equiv | No POP parameter for IMAP |
VerifyID | Exactly equiv | |
Delete | Exactly equiv | IMAP commands delete in real time. POP3 waits for POP3_Logout to remove messages permanently. IMAP_SetFlags with the \Deleted flag allows you to obtain the same result as the POP3_Delete command |
Logout | Exactly equiv | |
SetPrefs | Exactly equiv | No attachFolder for IMAP; POP3 attachFolder has become optional |
GetPrefs | Exactly equiv | See attachFolder note in SetPrefs |
MsgLstInfo | Exactly equiv | |
MsgInfo | Exactly equiv | |
MsgLst | Exactly equiv | |
UIDToMsgNum | Exactly equiv | IMAP msgUID is a Longint, POP3 msgUID is a string |
Download | Exactly equiv | |
POP3_Reset | No direct equiv | Need a combination of IMAP_Search on \Deleted flags and IMAP_SetFlags to remove the \Deleted flag |
POP3_BoxInfo | No direct equiv | Need a combination of the IMAP_SetCurrentMB & IMAP_MsgLstInfo commands |
IMAP_MsgNumToUID | No direct equiv | |
GetMessage | Almost equiv | IMAP is more powerful since it allows you to choose one additional msgPart which is "only body" |
POP3_Charset | No equiv | IMAP automatically manages charset |
IMAP_Capability | No equiv | Specific to IMAP protocol |
IMAP_ListMBs | No equiv | Specific to IMAP protocol |
IMAP_GetMBStatus | No equiv | Specific to IMAP protocol |
IMAP_SetCurrentMB | No equiv | Specific to IMAP protocol |
IMAP_GetCurrentMB | No equiv | Specific to IMAP protocol |
IMAP_CloseCurrentMB | No equiv | Specific to IMAP protocol |
IMAP_CopyToMB | No equiv | Specific to IMAP protocol |
IMAP_SubscribeMB | No equiv | Specific to IMAP protocol |
IMAP_CreateMB | No equiv | Specific to IMAP protocol |
IMAP_DeleteMB | No equiv | Specific to IMAP protocol |
IMAP_RenameMB | No equiv | Specific to IMAP protocol |
IMAP_SetFlags | No equiv | Specific to IMAP protocol |
IMAP_GetFlags | No equiv | Specific to IMAP protocol |
IMAP_Search | No equiv | Specific to IMAP protocol |
IMAP_MsgFetch | No equiv | Specific to IMAP protocol |
Example of SMTP conversation
===========================================
220 mx1.example.com ESMTP Postfix
HELO vk9security.com
250 mx1.vk9security.com
MAIL FROM:<example@vk9security.com>
250 2.1.0 Ok
RCPT TO:<example2@vk9security.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
This is a test message.
.
250 2.0.0 Ok: queued as 4227FE00C
QUIT
221 2.0.0 Bye
===========================================
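To make the sequencing behind the 503 code concrete, here is an added example, not from the page and not a real MTA: a minimal server-side SMTP state machine that replays the conversation above. It accepts MAIL only after HELO/EHLO, RCPT only after MAIL, DATA only after at least one RCPT, treats the line holding a single dot as the end of the message body (un-stuffing lines the client sent as ".."), and answers VRFY/EXPN with a non-committal 252 so the server does not confirm whether an account exists. The host name and queue id are constructed, and addresses are checked only for the angle-bracket syntax.

```python
"""Minimal SMTP server-side state machine.  Added example, not the page's code
and not a real MTA.  Shows which command is legal in which state and why an
out-of-sequence command gets a 503.  Host name and queue ids are constructed.
"""
import re
from typing import List, Optional

# a bracketed path: <local@domain> or the empty reverse-path <>
_ADDR = re.compile(r"^<((?:[^<>\s@]+@[^<>\s@]+)?)>$")


class SmtpSession:
    """States: CONNECTED -> GREETED -> MAIL -> RCPT -> DATA -> GREETED; QUIT -> CLOSED."""

    def __init__(self, hostname: str = "mx1.example.com"):
        self.hostname = hostname
        self.state = "CONNECTED"
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.body: List[str] = []
        self.queued: List[dict] = []
        self.banner = f"220 {hostname} ESMTP"

    def _reset_transaction(self) -> None:
        self.sender, self.recipients, self.body = None, [], []
        if self.state != "CONNECTED":
            self.state = "GREETED"

    @staticmethod
    def _path(arg: str, keyword: str) -> Optional[str]:
        """'FROM:<a@b>' -> 'a@b'; '<>' -> ''; anything else -> None."""
        if not arg.upper().startswith(keyword):
            return None
        m = _ADDR.match(arg[len(keyword):].strip())
        return m.group(1) if m else None

    def feed(self, line: str) -> Optional[str]:
        """Handle one client line; returns the reply, or None while collecting DATA."""
        line = line.rstrip("\r\n")
        if self.state == "DATA":
            if line == ".":                                   # end-of-data marker
                self.queued.append({"from": self.sender, "to": list(self.recipients),
                                    "body": "\n".join(self.body)})
                qid = f"QUEUE{len(self.queued):04d}"          # constructed queue id
                self._reset_transaction()
                return f"250 2.0.0 Ok: queued as {qid}"
            # dot-stuffing: a line that really starts with "." arrives as ".."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 5.5.4 Syntax: HELO hostname"
            self.state = "GREETED"
            self.sender, self.recipients, self.body = None, [], []
            return f"250 {self.hostname}"
        if verb == "QUIT":
            self.state = "CLOSED"
            return "221 2.0.0 Bye"
        if verb == "NOOP":
            return "250 2.0.0 Ok"
        if verb == "RSET":
            self._reset_transaction()
            return "250 2.0.0 Ok"
        if verb in ("VRFY", "EXPN"):
            # hardened choice: neither confirm nor deny that the account exists
            return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        if self.state == "CONNECTED":
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            if self.state != "GREETED":
                return "503 5.5.1 Error: nested MAIL command"
            addr = self._path(arg, "FROM:")
            if addr is None:
                return "501 5.1.7 Bad sender address syntax"
            self.sender, self.state = addr, "MAIL"
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.state not in ("MAIL", "RCPT"):
                return "503 5.5.1 Error: need MAIL command"
            addr = self._path(arg, "TO:")
            if not addr:                                      # None or empty <>
                return "501 5.1.3 Bad recipient address syntax"
            self.recipients.append(addr)
            self.state = "RCPT"
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if self.state != "RCPT":
                return "503 5.5.1 Error: need RCPT command"
            self.state = "DATA"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 5.5.2 Error: command not recognized"


def run_transcript(client_lines: List[str]) -> List[str]:
    """Replay client lines through a fresh session and return every server reply."""
    session = SmtpSession()
    replies = [session.banner]
    for line in client_lines:
        reply = session.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies


# the page's conversation, with one RCPT sent before HELO to provoke a 503
TRANSCRIPT = [
    "RCPT TO:<example2@vk9security.com>",
    "HELO vk9security.com",
    "MAIL FROM:<example@vk9security.com>",
    "RCPT TO:<example2@vk9security.com>",
    "DATA",
    "This is a test message.",
    "..starts with a dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for reply in run_transcript(TRANSCRIPT):
        print(reply)
```

Running the file prints the server side of the exchange; the first reply after the banner is the 503 for the premature RCPT, and the rest match the codes in the conversation above.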
Enumeration
POP3
Telnet
1. Connect to the server via telnet
- telnet 10.10.10.51 110
2. Enumerate users
+OK = exists
-ERR = doesn’t exist
- USER billydean
- USER vry4n
3. If you have credentials you can log in and read emails, since POP3 is designed to retrieve them
USER = username
PASS = password
- USER mindy
- PASS Password3
4. List Emails in this profile & read any
- LIST
- RETR 2
5. Check for number and size of messages
- STAT
Nmap
1. Enumerate Domains
- nmap -p 110,995 --script pop3-ntlm-info 10.10.10.51
2. Display what commands are allowed
- nmap -p 110,995 --script pop3-capabilities 10.10.10.51
SMTP
Telnet
1. Access the service; in this case the banner even displayed the domain name
- telnet 192.168.0.7 25
2. Verify if an email account exists
Pass = a reply code of 250, 251 or 252 means the server has accepted the request and the user account is valid.
Fail = a reply code of 550 means the user account is invalid.
- vrfy root
- vrfy vry4n
- vrfy msfadmin
- vrfy msfadmin@metasploitable.localdomain
Metasploit
1. Enumerate the service version, and, grab banner
- use auxiliary/scanner/smtp/smtp_version
- show options
- set RHOST 192.168.0.7
- exploit
2. Enumerate users using a list
- use auxiliary/scanner/smtp/smtp_enum
- show options
- set RHOST 192.168.0.7
- exploit
- <optional> set USER_FILE new_list.txt
3. Detect an open relay
- use auxiliary/scanner/smtp/smtp_relay
- show options
- set MAILFROM root@metasploitable.localdomain
- set MAILTO msfadmin@metasploitable.localdomain
- set RHOST 192.168.0.7
- exploit
smtp-user-enum
1. Download the app
- git clone https://github.com/pentestmonkey/smtp-user-enum.git
- cd smtp-user-enum
- ls -l
2. Display help menu
- ./smtp-user-enum.pl -h
3. Enumerate users using VRFY method
-M mode = Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
- ./smtp-user-enum.pl -M VRFY -u msfadmin -t 192.168.0.7
4. Enumerate users using a list
- ./smtp-user-enum.pl -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.0.7
5. Verify user email address, and domain
- ./smtp-user-enum.pl -M VRFY -D metasploitable.localdomain -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.0.7
iSMTP
1. Download the application
2. Display basic help
3. Validate email addresses using a list from a file
-e <file> = Enable SMTP user enumeration testing and imports email list.
-h <host> = The target IP and port (IP:port).
- python iSMTP.py -e email_list.txt -h 192.168.0.7
4. Using a specific method
-l <1|2|3> = Specifies enumeration type (1 = VRFY, 2 = RCPT TO, 3 = all).
- python iSMTP.py -e email_list.txt -l 2 -h 192.168.0.7
IMAP
Telnet or OpenSSL
1. Connect to the service using telnet (cleartext, port 143) or openssl (TLS, port 993)
- openssl s_client -crlf -connect 10.10.10.120:993
- ncat --ssl 10.10.10.120 993
- telnet 10.10.10.120 143
2. Knowing credentials you can log in
https://tools.ietf.org/html/rfc3501
https://busylog.net/telnet-imap-commands-note/
- A001 login ayush jiujitsu
3. Testing wrong credentials
- A001 login vry4n test
4. You can connect to the IMAP service using an email client like Thunderbird to retrieve emails. You can also do it from the CLI
- A001 LIST "" "*"
Here we can see 3 folders Drafts, Sent, Inbox
5. Choose one of those
- A001 SELECT Drafts
6. Open emails
- A001 FETCH 1 BODY[]
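IMAP differs from SMTP and POP3 in that every client command carries a tag (A001 above), the server answers with zero or more untagged lines starting with "* ", and a final tagged line "A001 OK|NO|BAD ..." says whether that command succeeded. The Python below is an added example, not code from the original page: it groups a server's output by tag, pulls the mailbox names out of the untagged LIST lines (the three folders seen in step 4) and the message count out of a SELECT, and reports a failed LOGIN by its NO status. The server lines are constructed.

```python
"""Parse IMAP tagged and untagged responses.  Added example, not the page's code.

Untagged lines ("* ...") are attached to the next tagged completion line
("TAG OK|NO|BAD text"), which is the only line that reports the command's
outcome.  SERVER_LINES is constructed: a greeting, a successful LOGIN, a
LIST returning three mailboxes, a SELECT, and a LOGIN with bad credentials.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_TAGGED = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)\b ?(?P<text>.*)$")
# * LIST (\HasNoChildren) "/" "Drafts"  ->  flags, hierarchy delimiter, mailbox name
_LIST = re.compile(
    r'^\* LIST \((?P<flags>[^)]*)\) (?:"(?P<delim>[^"]*)"|NIL) '
    r'(?:"(?P<name>[^"]*)"|(?P<bare>\S+))$'
)
_EXISTS = re.compile(r"^\* (?P<n>\d+) EXISTS$")


@dataclass
class ImapResult:
    tag: str
    status: str                       # OK, NO or BAD
    text: str
    untagged: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.status == "OK"


def parse_session(lines: List[str]) -> Dict[str, ImapResult]:
    """Group server lines by the tag of the command they complete."""
    results: Dict[str, ImapResult] = {}
    pending: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("* "):           # untagged data (the greeting is one too)
            pending.append(line)
            continue
        m = _TAGGED.match(line)
        if not m:
            raise ValueError(f"unexpected server line: {line!r}")
        results[m["tag"]] = ImapResult(m["tag"], m["status"], m["text"], pending)
        pending = []
    if pending:
        raise ValueError("untagged data with no completing tagged response")
    return results


def mailboxes(result: ImapResult) -> List[str]:
    """Mailbox names from the untagged LIST lines of a LIST result."""
    names = []
    for line in result.untagged:
        m = _LIST.match(line)
        if m:
            names.append(m["name"] if m["name"] is not None else m["bare"])
    return names


def message_count(result: ImapResult) -> Optional[int]:
    """The EXISTS count from a SELECT/EXAMINE result, if present."""
    for line in result.untagged:
        m = _EXISTS.match(line)
        if m:
            return int(m["n"])
    return None


# constructed server output for: A001 LOGIN, A002 LIST "" "*", A003 SELECT Drafts,
# A004 LOGIN with a wrong password
SERVER_LINES = [
    "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] Dovecot ready.",
    "A001 OK [CAPABILITY IMAP4rev1] Logged in",
    '* LIST (\\HasNoChildren) "/" "Drafts"',
    '* LIST (\\HasNoChildren) "/" "Sent"',
    '* LIST (\\HasNoChildren) "/" INBOX',
    "A002 OK List completed.",
    "* FLAGS (\\Answered \\Flagged \\Deleted \\Seen \\Draft)",
    "* 1 EXISTS",
    "* 0 RECENT",
    "A003 OK [READ-WRITE] Select completed.",
    "A004 NO [AUTHENTICATIONFAILED] Authentication failed.",
]

if __name__ == "__main__":
    for tag, r in parse_session(SERVER_LINES).items():
        extra = mailboxes(r) or message_count(r) or ""
        print(tag, r.status, r.text, extra)
```

Because the outcome lives only in the tagged line, a client (or a log-review script) must key on that line and not on the untagged data: the failed A004 has no untagged lines at all, and a LOGIN that returns NO is the signal to look for when reviewing authentication attempts.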
nmap
1. Run scripts to have a little more insight
- nmap -p 143,993 --script imap-capabilities,imap-ntlm-info 10.10.10.120
Metasploit
1. Grab version and banner
- use auxiliary/scanner/imap/imap_version
- show options
- set RHOSTS 10.10.10.120
- exploit