For pentesters, bug bounty hunters, and CTF players, service enumeration is where real work begins. SMB, SMTP, and SNMP aren't just old protocols on familiar ports; they're frequent sources of misconfigurations and overlooked attack paths. Understanding how they actually work lets you move past blind scans and find real impact. This guide focuses on practical techniques you'll see in real targets and CTFs, helping you turn an open port into something that actually matters.

SMB (Ports 139, 445)

SMB is a network file sharing protocol primarily used on windows system. It enables applications to read and write to files and request services from server programs in a networked environment. To make it work for Linux, you need to install a Samba server because Linux natively does not use the SMB protocol. Key versions include SMBv1 (older, vulnerable), SMBv2 (improved), and SMBv3 (latest, secure).

Enumeration

1. Scanning with Nmap

Command:

nmap -v -p 139,445 -sV -oG smb.txt $ip
  • Purpose: Scan ports 139 and 445 for SMB services, detect versions, and output results in a grepable format.
  • Command:
nmap -p 445 --script smb-* <target-ip>
  • Purpose: Runs all SMB-related scripts for detailed information.

2. SMB Enumeration with CrackMapExec

  • Command:
crackmapexec smb <target-ip> -u <username> -p <password> --shares
  • Purpose: Lists SMB shares and their permissions.

3. Enum4linux

  • Command:
enum4linux -a <target-ip>
  • Purpose: Gathers information such as domain, users, and shares.
  • Command:
enum4linux -a -u <username> -p <password> <target-ip>
  • Purpose: Provides more detailed enumeration, including group memberships and policy information.

4. SMB Relay Attacks with Responder

  • Command:
responder -I <interface> -wrf
  • Purpose: Captures and relays SMB authentication requests.

5. SMBclient

smbclient -L //<target-ip>/
  • Purpose: Lists available shares on the target system.
smbclient -N -L \\\\\\\\10.129.42.253
  • Purpose: Lists available shares on the target system, without a password(-N tag)

6. SMBMap

  • Command:
smbmap -H <target-ip>
  • Purpose: Maps out SMB shares and permissions.

7. SMBExec

  • Command:
smbexec.py -target <target-ip> -user <username> -pass <password>
  • Purpose: Executes commands on the target system via SMB.

8. NetBIOS Scan

  • Command:
sudo nbtscan -r 192.168.50.0/24
  • Purpose: Scan a subnet for NetBIOS names.
  • Flags:
  • r: Recursively scan the subnet.
  • 192.168.50.0/24: Target subnet.

9. OS Discovery with Nmap

  • Command:
nmap -v -p 139,445 --script smb-os-discovery $ip
  • Purpose: Perform OS discovery via SMB on ports 139 and 445.
  • Flags:
  • v: Verbose mode.
  • p 139,445: Target ports 139 and 445.
  • -script smb-os-discovery: Use the smb-os-discovery script for OS detection.

SMTP (Port 25)

Overview

SMTP is a protocol used to send and route emails between servers. It operates over TCP port 25, though other ports like 587 and 465 are used for secure communication.

Enumeration

  1. Nmap SMTP Scanning:
  • Command:
nmap -p 25,587,465 --script smtp-* <target-ip>
  • Description: Runs all SMTP-related scripts for detailed enumeration.

2. SMTP Enumeration with Telnet:

  • Command: telnet <target-ip> 25
  • Description: Connects to the SMTP server to manually issue commands and gather information.

3. SMTP Enumeration with Netcat:

  • Command: nc <target-ip> 25
  • Description: Similar to Telnet, it allows interaction with the SMTP server.

4. SMTP Enumeration with Nmap Scripts:

  • Command:
nmap --script smtp-enum <target-ip>
  • Description: Uses Nmap's SMTP enumeration script to gather information on users and other details.

5. SMTP Enumeration with Python:

  • Script Example:
import smtplib
server = smtplib.SMTP('<target-ip>', 25)
server.helo()
server.quit()
  • Description: Connects to the SMTP server and performs basic checks.

Exploitation

  1. Open Relay Attack:
  • Command: telnet <target-ip> 25
  • Description: Test if the server allows relaying emails. Use commands like:
HELO <your-domain>
MAIL FROM:<your-email>
RCPT TO:<target-email>
DATA
Subject: Test
Test message.
.
QUIT
  • Description: If successful, the server may be used to send spam or malicious emails.

2. SMTP Brute Forcing:

  • Tool: Hydra
  • Command:
hydra -l <username> -P <password-list> smtp://<target-ip>:25
  • Description: Attempts to brute-force SMTP authentication.

3. Exploiting SMTP Misconfigurations:

  • Example: Exploit configurations like weak passwords or open relays.

4. SMTP Header Spoofing:

  • Tool: SET (Social-Engineer Toolkit)
  • Command: setoolkit
  • Description: Spoofs email headers to impersonate legitimate senders.

Common Issues and Fixes

  1. Open Relay:
  • Issue: Allows unauthorized users to send emails through the server.
  • Fix: Configure the SMTP server to restrict relaying to authorized users only.

2. Weak Authentication:

  • Issue: Easily exploited by attackers.
  • Fix: Implement strong authentication mechanisms and use encryption.

3. Misconfigured Server:

  • Issue: Can be exploited for spam or phishing attacks.
  • Fix: Regularly review and secure SMTP server configurations.

4. Lack of Encryption:

  • Issue: Data transmitted in plaintext can be intercepted.
  • Fix: Use STARTTLS on port 587 or SMTPS on port 465 for encrypted communication.

Advanced Tools and Techniques

  1. SMTP Reconnaissance with Enum4linux:
  • Command: enum4linux -e <target-ip>
  • Description: Enumerates SMTP server information along with other details.

2. Email Spoofing with Python:

  • Script Example:
import smtplib
from email.mime.text import MIMEText

msg = MIMEText('This is a test email.')
msg['Subject'] = 'Test'
msg['From'] = 'spoofed-email@example.com'
msg['To'] = 'target-email@example.com'

with smtplib.SMTP('<target-ip>', 25) as server:
    server.send_message(msg)
  • Description: Sends spoofed emails to test server vulnerabilities.

3. Email Harvesting:

  • Tool: theHarvester
  • Command:
theharvester -d <domain> -b google
  • Description: Gathers email addresses from search engines and other sources.

By understanding these techniques and tools, you can effectively assess and exploit SMTP servers in penetration testing and red teaming scenarios.

SNMP (Port 161)

Scanning with Nmap

  • Command:
sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
  • Purpose: Scan for open SNMP services on UDP port 161 across a subnet and save the output.
  • Flags:
  • sU: UDP scan.
  • -open: Show only open ports.
  • p 161: Target UDP port 161.
  • 192.168.50.1-254: Target IP range.
  • oG open-snmp.txt: Output results in a grepable format to open-snmp.txt.

Tools and Commands for SNMP

  • Brute-force Tool: onesixtyone
  • Purpose: Brute-force SNMP community strings.
  • Probing and Querying Tool: snmpwalk
  • General Command: snmpwalk -c public -v1 -t 10 $ip
  • Purpose: Walk through SNMP data on the target device.

General Command: snmpwalk -c public -v1 -t 10 $ip Purpose: Walk through SNMP data on the target device.

  • Flags:
  • c public: Use the community string "public".
  • v1: SNMP version 1.
  • t 10: Set the timeout to 10 seconds.
  • $ip: Target IP address.
  • Specific OID Query:
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
  • Purpose: Query a specific OID on the target device.

Flags:

  • -c public: Use the community string "public".
  • -v1: SNMP version 1.
  • 192.168.50.151: Target IP address.
  • 1.3.6.1.4.1.77.1.2.25: Specific OID to query.