SMTP (Simple Mail Transfer Protocol)
At a Glance
- SMTP Relay (server-server communication): 25
- SMTP Message Submission (client-server communication): 587
- SMTPS (Deprecated): 465
SMTP is a communication protocol for email transmission. It is commonly used to relay and submit messages to other email servers.
SMTP is a delivery protocol only, meaning mail is "pushed" to a destination mail server, or next-hop server, as it arrives. Mail is routed based on the destination server, not the individual users to which it is addressed. Other protocols, such as the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP), are specifically designed for use by individual users retrieving messages and managing mailboxes. [1]
Communication between sender and receiver is made by issuing command strings. See SMTP commands reference.
telnet 10.0.0.3 25
nc -n 10.0.0.3 25
openssl s_client -starttls smtp -crlf -connect 10.0.0.3:587
s_client: SSL/TLS client program.
-starttls <protocol>: send the protocol-specific message(s) to switch to TLS for communication.
-crlf: translate a line feed from the terminal into
smtp-commands NSE Script
nmap -p 25,465,587 --script smtp-commands 10.0.0.3
smtp-enum-users NSE Script
nmap -p 25,465,587 --script smtp-enum-users 10.0.0.3
NTLM Information Disclosure
On Windows, with NTLM authentication enabled, sending an SMTP NTLM authentication request with null credentials will cause the remote service to respond with an NTLMSSP message disclosing information that includes NetBIOS, DNS, and OS build version. [3][4]
telnet example.com 587
...
>> HELO
250 example.com Hello [x.x.x.x]
>> AUTH NTLM
334 NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
smtp-ntlm-info NSE Script
nmap -p 587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com 10.0.0.3
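As an added example (not from the original page or its sources), the Python below decodes the second 334 response from the session above into the fields it discloses, which is handy when auditing what your own mail server exposes before authentication. The function name and output keys are assumptions of this example; the offsets follow the NTLM CHALLENGE_MESSAGE layout.

```python
import base64
import struct

# Challenge copied from the second 334 response in the session on this page.
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9J"
    "AEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkA"
    "SQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA"
)

# AV_PAIR ids from the NTLM specification (MS-NLMP) that carry host names.
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000


def parse_challenge(b64_text):
    """Return the host details an NTLMSSP CHALLENGE (type 2) message exposes."""
    msg = base64.b64decode(b64_text, validate=True)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message with a full challenge header")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE (type 2) message")
    name_len, _, name_off, flags = struct.unpack_from("<HHII", msg, 12)
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    name_enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    found = {"target_name": msg[name_off:name_off + name_len].decode(name_enc)}
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        found["os_version"] = f"{major}.{minor}.{build}"
    # Walk the TargetInfo AV_PAIR list: 2-byte id, 2-byte length, value.
    pos, end = info_off, min(info_off + info_len, len(msg))
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL, or a truncated pair
            break
        if av_id in AV_NAMES:  # AV_PAIR strings are always UTF-16LE
            found[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return found


if __name__ == "__main__":
    for field, value in parse_challenge(CHALLENGE_B64).items():
        print(f"{field}: {value}")
```

For the blob above it reports IIS01 for every name field and an OS version of 6.3.9600.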
- HELO: Identify to the SMTP server.
- EHLO: Alternative HELO for Extended SMTP protocol.
- MAIL FROM: Sender's email address.
- RCPT TO: Recipient's email address.
- DATA: Initiate message content transfer. Command is terminated with a line containing only a single period (.).
- RSET: Reset the session. Connection will not be closed.
- VRFY: Verify username or mailbox.
- NOOP: No-op. Keeps connection open.
- QUIT: Ends session.
Note: Sessions must start with HELO and end with QUIT.
SMTP Exploits Search
Refer to Exploits Search
[2] OpenSSL Foundation, Inc. “/Docs/Manmaster/Man1/Openssl.Html.” OpenSSL.Org, https://www.openssl.org/docs/manmaster/man1/openssl.html.
[3] “Smtp-Ntlm-Info NSE Script.” Nmap: The Network Mapper - Free Security Scanner, https://nmap.org/nsedoc/scripts/smtp-ntlm-info.html.
[4] m8r0wn. “Internal Information Disclosure Using Hidden NTLM Authentication | by M8r0wn | Medium.” Medium, 9 Mar. 2020, https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666.