25 - SMTP

MANUALLY

We can use this service to find out which usernames exist on the server. To do this by hand, connect to the SMTP port with either of the following:

nc <ip> 25

telnet <ip> 25

AUTOMATED

This process can of course be automated.

Check which commands the server supports

nmap

nmap --script smtp-commands.nse <ip>

smtp-user-enum

The command looks like this: -M sets the mode, -U the user list, and -t the target.

smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t <ip>

METASPLOIT

It can also be done using Metasploit.

msf > use auxiliary/scanner/smtp/smtp_enum 
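
The VRFY mode used above only works when the server answers differently for real and made-up mailboxes. The following added example (not part of the original page or of any tool it mentions) checks a mail server you administer for that difference; the function names and the two stand-in servers are constructed for illustration, and the reply-code groups follow RFC 5321.

```python
"""Check whether VRFY replies let a client tell real mailboxes from fake ones."""

# VRFY reply codes from RFC 5321, grouped by what they tell the client.
EXISTS = {250, 251}              # mailbox confirmed (251: will be forwarded)
ABSENT = {550, 551, 553}         # mailbox rejected
DECLINED = {252, 500, 502, 504}  # server will not verify, or VRFY is disabled


def classify(code):
    """Map a VRFY reply code to what it reveals about the mailbox."""
    if code in EXISTS:
        return "exists"
    if code in ABSENT:
        return "absent"
    if code in DECLINED:
        return "declined"
    return "other"


def audit_vrfy(verify, known_user, bogus_user):
    """Compare VRFY replies for a real mailbox and a made-up one.

    `verify` is any callable taking an address and returning (code, message);
    smtplib.SMTP(host, 25).verify has that shape for a live check.
    """
    known_code, _ = verify(known_user)
    bogus_code, _ = verify(bogus_user)
    known, bogus = classify(known_code), classify(bogus_code)
    return {
        "known": (known_code, known),
        "bogus": (bogus_code, bogus),
        # Any difference between the two answers is enough to enumerate users.
        "discloses_users": known != bogus,
    }


# Constructed stand-ins for two server configurations (not captured traffic).
def leaky_server(address):
    return (250, b"alice") if address == "alice" else (550, b"User unknown")


def hardened_server(address):
    return (502, b"VRFY command is disabled")


if __name__ == "__main__":
    for name, server in (("leaky", leaky_server), ("hardened", hardened_server)):
        print(name, audit_vrfy(server, "alice", "no-such-user-7f3a"))
```

A server that returns the same class of reply for both addresses gives a VRFY-based user list nothing to work with.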

SMTP DOCUMENTS

  • https://cr.yp.to/smtp/vrfy.html

  • http://null-byte.wonderhowto.com/how-to/hack-like-pro-extract-email-addresses-from-smtp-server-0160814/

  • http://www.dummies.com/how-to/content/smtp-hacks-and-how-to-guard-against-them.html

  • http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum

  • https://pentestlab.wordpress.com/2012/11/20/smtp-user-enumeration/


Last updated 1 year ago