Index / Blog / SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25
Sunday, March 23, 2025 • SECURITY RESEARCH ADVISORY

SMTP (Simple Mail Transfer Protocol) Pentesting - Port 25



 SMTP (Simple Mail Transfer Protocol) is a communication protocol for electronic mail transmission.it is used for sending e-mail. POP3 or IMAP are used for receiving e-mail. Default ports are 25 (SMTP), 465 (SMTPS), 587 (SMTPS) 

 Connect


We can use Telnet to connect to the remote server. Here is a command using Telnet:




telnet example.com 25

Enumeration

Identifying a SMTP Server


You can use Nmap to check if there's an Telnet server on a target host like this:




nmap -p25,465,587 -sV -Pn target.com


Additional Nmap commands for enumeration

nmap --script smtp-brute -p 25,465,587 "target-ip"
nmap --script smtp-commands -p 25,465,587 "target-ip"
nmap --script smtp-enum-users -p 25,465,587 "target-ip"
nmap --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=example.com -p 25,465,587 "target-ip"
nmap --script smtp-vuln-cve2011-1764 -p 25,465,587 "target-ip"
nmap --script smtp-* -p 25,465,587 "target-ip"


Enumerate Users

Nmap has a script for SMTP user enumeration



nmap -p25 --script smtp-enum-users.nse target.com


DNS Mail Exchange (MX) Record Enumeration


We can use the dig tool to find out the mail servers (MX servers) of a domain. This tool sends a DNS query and returns the list of MX servers.




dig +short mx example.com

Information Disclosure with NTLM Auth


Some SMTP servers with NTLM Authentication enabled can disclose sensitive information, like Windows Server version and internal IP, if Anonymous Logon is allowed.


nmap -p25 --script smtp-ntlm-info --script-args smtp-ntlm-info.fingerprint=on target.com

Attack Vectors

Open Relay Exploit

SMTP Open Relay occurs when the SMTP server is configured to accept and transfer messages on the network that were neither for nor from local users.


Here is a simple example of how to test for open relay:


telnet target.com 25
MAIL FROM:<test@example.com>
RCPT TO:<test2@anotherexample.com>
DATA
Subject: Test open relay
Test message
.
QUIT

SMTP User Enum- Default kali tools



# VRFY - check if the user exists in the SMTP server
smtp-user-enum -M VRFY -u "username" -t "target-ip"
smtp-user-enum -M VRFY -U usernames.txt -t "target-ip"

# RCPT - check if the user is allowed to receive mails in the SMTP server
smtp-user-enum -M RCPT -u "username" -t "target-ip"
smtp-user-enum -M RCPT -U usernames.txt -t "target-ip"

# EXPN - reveal the actual email address
smtp-user-enum -M EXPN -u "username" -t "target-ip"
smtp-user-enum -M EXPN -D "hostname" -U usernames.txt -t "target-ip"






STARTTLS
# port 25
openssl s_client -starttls smtp -connect "target-ip":25
# Port 465
openssl s_client -crlf -connect "target-ip":465
# Port 587
openssl s_client -starttls smtp -crlf -connect "target-ip":587


Others

# process remote queue
etrn example.com

# list the mailing list
expn example.com

Send Mails from External
swaks is a swiss army knife for SMTP.

swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello"

# --attach: Attach a file
swaks --to remote-user@example.com --from local-user@"local-ip" --server mail.example.com --body "hello" --attach @evil.docx


Start SMTP Server

# -n: No setuid
# -c: Classname
sudo python3 -m smtpd -n -c DebuggingServer 10.0.0.1:25


Get In Touch

Open for technical advisories and offensive security engineering opportunities.

DIRECT EMAIL contact@nulljournal.info