Sunday 16 January 2022

SMTP Enumeration and Exploitation



This is a TryHackMe Network Services 2 lab and it is available only in the premium version.

SMTP stands for "Simple Mail Transfer Protocol". It is used to handle the sending of email. To support email services, a protocol pair is required, comprising SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.

The SMTP server performs three basic functions:

  •  It verifies who is sending email through the SMTP server.
  •  It sends the outgoing mail.
  •  If the outgoing mail can't be delivered, it sends the message back to the sender.

POP, or "Post Office Protocol", and IMAP, "Internet Message Access Protocol", are both email protocols that are responsible for the transfer of email between a client and a mail server.

SMTP Workflow

1. The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain, for example smtp.google.com. This initiates the SMTP handshake. The connection works over the SMTP port, which is usually 25. Once the connection has been made and validated, the SMTP session starts.

2. The process of sending mail can now begin. The client first submits the sender's and recipient's email addresses, the body of the email and any attachments to the server.

3. The SMTP server then checks whether the domain names of the recipient and the sender are the same.

4. The SMTP server of the sender makes a connection to the recipient's SMTP server before relaying the email. If the recipient's server can't be accessed or is not available, the email is put into an SMTP queue.

5. The recipient's SMTP server then verifies the incoming email by checking whether the domain and username are recognised. The server then forwards the email to the POP or IMAP server, as shown in the diagram above.

6. The email then shows up in the recipient's inbox.

Enumeration

We want to fingerprint the server to make our targeting as precise as possible. We're going to use nmap to scan the ports on the machine and the "smtp_version" module in Metasploit to do this.

The SMTP service has two commands that allow the enumeration of users: VRFY (which confirms the names of valid users) and EXPN (which reveals the actual addresses behind a user's aliases and mailing lists). Using these SMTP commands, we can reveal a list of valid users.

We can do this manually over a telnet connection; however, Metasploit comes to the rescue again, providing a handy module appropriately called "smtp_enum". Using this, we will be able to get the username.
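The flip side of the VRFY/EXPN enumeration above is checking whether your own mail server gives that information away. As an added example (not from the original write-up or the TryHackMe room), here is a small Python audit that reads an SMTP session transcript in an assumed "C: command" / "S: reply" notation, such as you would note down from a manual telnet session, pairs each VRFY/EXPN with the reply that follows it, and reports whether the server disclosed account existence and whether the session looks like an enumeration attempt. The sample transcript, hostnames and the threshold of three probes are constructed.

```python
# Added example: audit an SMTP session transcript for VRFY/EXPN enumeration.
# Transcript format is assumed: "C: <command>" / "S: <reply>", one per line.
import re
from collections import Counter

# Constructed sample transcript: a client probing several names with VRFY.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: HELO probe.example.test
S: 250 mail.example.test
C: VRFY alice
S: 250 2.1.5 <alice@example.test>
C: VRFY bob
S: 550 5.1.1 <bob@example.test>: User unknown
C: VRFY carol
S: 550 5.1.1 <carol@example.test>: User unknown
C: EXPN staff
S: 502 5.5.2 Error: command not implemented
"""

PROBE_COMMANDS = ("VRFY", "EXPN")
PROBE_THRESHOLD = 3  # assumed: this many probes in one session is suspicious

def audit_session(transcript, threshold=PROBE_THRESHOLD):
    """Pair each VRFY/EXPN with the reply that follows it and summarise.

    Reply codes: 250/251 confirm the name (account disclosed), 252 neither
    confirms nor denies (the non-disclosing answer), 550/551 deny it
    (absence disclosed); anything else means the command was refused.
    """
    probes, pending = [], None
    for line in transcript.splitlines():
        m = re.match(r"^(C|S):\s*(.*)$", line)
        if not m:
            continue
        side, text = m.groups()
        if side == "C":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg.strip()) if verb.upper() in PROBE_COMMANDS else None
        elif pending is not None:
            probes.append({"command": pending[0], "target": pending[1], "code": text[:3]})
            pending = None
    codes = Counter(p["code"] for p in probes)
    confirmed = [p["target"] for p in probes if p["code"] in ("250", "251")]
    denied = any(p["code"] in ("550", "551") for p in probes)
    return {"probe_count": len(probes), "confirmed_users": confirmed,
            "leaks_user_existence": bool(confirmed) or denied,
            "suspicious": len(probes) >= threshold, "reply_codes": dict(codes)}
```

A server that answers every VRFY with 252 shows up as non-disclosing, which is the behaviour to aim for if the command cannot be disabled outright.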



Exploitation

We used the hydra tool to brute-force the login credentials of the SSH port and we were able to find the password. The hydra command used is provided below.

hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV 10.10.86.60 ssh


Section          Function
hydra            Runs the hydra tool
-t 16            Number of parallel connections per target
-l username      The user whose account you're trying to compromise
-P path          The file containing the list of possible passwords
-vV              Verbose; shows the login+pass combination for each attempt
Machine IP       IP address of the target
ssh / protocol   Sets the protocol

As there is an SSH port present and we have also got the username and password, we need to log in using the credentials and access the flag.
