SMTP


Nmap discovered an SMTP server on port 25 of host 192.168.207.136. The running service is Postfix smtpd.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ nmap -Pn --script smtp-* -p25 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-02 18:33 CEST
Nmap scan report for 192.168.207.136
Host is up (0.020s latency).
 
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| smtp-enum-users: 
|_  Method RCPT returned a unhandled status code.
 
Nmap done: 1 IP address (1 host up) scanned in 24.81 seconds

N/A

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ nc -nv $IP 25                         
(UNKNOWN) [192.168.207.136] 25 (smtp) open
220 ubuntu ESMTP Postfix (Ubuntu)
HELO x
250 ubuntu
EHLO all
250-ubuntu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The EHLO reply lists the extensions the server supports. VRFY is enabled, so it can be used for username enumeration.

Username Enumeration


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ smtp-user-enum -t $IP -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -M VRFY 
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
 
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
 
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 
 
######## Scan started at Wed Jul  2 18:37:37 2025 #########
192.168.207.136: mail exists
192.168.207.136: root exists
192.168.207.136: news exists
192.168.207.136: man exists
192.168.207.136: bin exists
192.168.207.136: games exists
192.168.207.136: nobody exists
192.168.207.136: backup exists
192.168.207.136: coconut exists
192.168.207.136: daemon exists
192.168.207.136: proxy exists
192.168.207.136: list exists
192.168.207.136: Man exists
192.168.207.136: Daemon exists
192.168.207.136: postmaster exists
192.168.207.136: sys exists
192.168.207.136: Proxy exists
192.168.207.136: Marc%20Ludlum 454 4.7.1 <Marc%20Ludlum>: Relay access denied..
192.168.207.136: Nobody exists
192.168.207.136: checkit! 454 4.7.1 <checkit!>: Relay access denied..
192.168.207.136: MAIL exists
192.168.207.136: Klassen! 454 4.7.1 <Klassen!>: Relay access denied..
192.168.207.136: ckck!! 454 4.7.1 <ckck!!>: Relay access denied..
192.168.207.136: Games exists
192.168.207.136: sync exists
^C

N/A
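As an added example (not part of the original notes), the following Python script parses the SMTP replies captured above: it splits a multi-line EHLO reply into its extension list using the RFC 5321 reply syntax ("250-" continues the reply, "250 " ends it) and maps VRFY replies to the outcome an enumeration tool such as smtp-user-enum would report. The EHLO text is taken from the session above; the VRFY replies other than the 454 "Relay access denied" line are constructed samples of the standard 252/550/502 outcomes. Nothing is sent on the network.

```python
"""
Added example, not code from the original notes. Parses SMTP replies as
captured in the EHLO / VRFY sessions above and classifies VRFY outcomes.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the EHLO exchange captured in the notes (CRLF line ends).
EHLO_REPLY = (
    "250-ubuntu\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)

# Constructed VRFY replies. The 454 line is the one seen on the page; the
# 252 / 550 / 502 lines are samples of the usual Postfix-style outcomes.
VRFY_REPLIES = {
    "root": "252 2.0.0 root",
    "coconut": "252 2.0.0 coconut",
    "nosuchuser": "550 5.1.1 <nosuchuser>: Recipient address rejected: "
                  "User unknown in local recipient table",
    "Marc%20Ludlum": "454 4.7.1 <Marc%20Ludlum>: Relay access denied",
    "anyone": "502 5.5.1 VRFY command is disabled",
}

# One reply line: three-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw: str) -> Tuple[int, List[str]]:
    """Parse a possibly multi-line SMTP reply into (code, [text of each line])."""
    code = None
    texts: List[str] = []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        c, sep, text = m.groups()
        if code is None:
            code = int(c)
        elif int(c) != code:
            raise ValueError("reply code changed in the middle of a reply")
        texts.append(text)
        if sep == " ":          # final line of the reply
            return code, texts
    raise ValueError("reply did not terminate")


def ehlo_extensions(raw: str) -> Dict[str, str]:
    """Return {EXTENSION: parameters} from an EHLO reply (first line is the host name)."""
    code, lines = parse_reply(raw)
    if code != 250:
        raise ValueError(f"EHLO rejected with {code}")
    exts: Dict[str, str] = {}
    for line in lines[1:]:
        keyword, _, params = line.partition(" ")
        exts[keyword.upper()] = params
    return exts


def vrfy_enabled(raw: str) -> bool:
    """True when the server advertises VRFY; a hardened Postfix omits it."""
    return "VRFY" in ehlo_extensions(raw)


def classify_vrfy(raw: str) -> str:
    """Map a VRFY reply to the outcome an enumeration tool would report."""
    code, _ = parse_reply(raw)
    if code in (250, 251, 252):
        return "exists"
    if code == 550:
        return "unknown"
    if code == 502:
        return "disabled"
    if code == 454:
        return "relay-denied"   # address treated as non-local; says nothing about users
    return f"other({code})"


if __name__ == "__main__":
    print("extensions:", ehlo_extensions(EHLO_REPLY))
    print("VRFY advertised:", vrfy_enabled(EHLO_REPLY))
    for user, reply in VRFY_REPLIES.items():
        print(f"{user}: {classify_vrfy(reply)}")
```

The `vrfy_enabled` check is the one a defender wants: with `disable_vrfy_command = yes` in Postfix `main.cf`, VRFY disappears from the EHLO list and every VRFY attempt gets the 502 reply, so the enumeration shown above stops working.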

Sending Mail


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ swaks --to root@localhost --server $IP
=== Trying 192.168.207.136:25...
=== Connected to 192.168.207.136.
<-  220 ubuntu ESMTP Postfix (Ubuntu)
 -> EHLO kali
<-  250-ubuntu
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<kali@kali>
<-  250 2.1.0 Ok
 -> RCPT TO:<root@localhost>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Wed, 02 Jul 2025 18:36:00 +0200
 -> To: root@localhost
 -> From: kali@kali
 -> Subject: test Wed, 02 Jul 2025 18:36:00 +0200
 -> Message-Id: <20250702183600.115663@kali>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as 8AC95E116B
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

The target SMTP server accepts mail for local recipients such as root@localhost without authentication. It is not an open relay: the nmap smtp-open-relay check failed and non-local addresses were answered with 454 4.7.1 "Relay access denied".
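To show why the server queues mail for root@localhost from an unauthenticated client while refusing other destinations, here is an added example (not part of the original notes) that models Postfix's default `smtpd_relay_restrictions` order, `permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`, against constructed RCPT TO attempts. The client IPs, the `mynetworks` range and the local domain list are assumptions for the demo; the 454 4.7.1 reply text matches the one captured above.

```python
"""
Added example, not Postfix code: a model of the default relay restriction
order evaluated for RCPT TO, to explain the replies seen in the session.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class RelayPolicy:
    # Assumed values for the demo; Postfix defaults are similar but host-specific.
    mynetworks: List[str] = field(default_factory=lambda: ["127.0.0.0/8"])
    local_domains: List[str] = field(default_factory=lambda: ["localhost", "ubuntu"])
    relay_domains: List[str] = field(default_factory=list)
    # defer_unauth_destination answers 454 (temporary); reject_unauth_destination answers 554.
    defer: bool = True

    def rcpt_to(self, recipient: str, client_ip: str, authenticated: bool = False) -> str:
        """Return the reply the restriction list gives for one RCPT TO."""
        addr = ipaddress.ip_address(client_ip)

        # 1. permit_mynetworks: trusted client networks may relay anywhere.
        if any(addr in ipaddress.ip_network(net) for net in self.mynetworks):
            return "250 2.1.5 Ok"

        # 2. permit_sasl_authenticated: authenticated clients may relay anywhere.
        if authenticated:
            return "250 2.1.5 Ok"

        # 3. defer/reject_unauth_destination: everyone else may only deliver to
        #    domains this host is responsible for (local or explicitly relayed).
        _, _, domain = recipient.rpartition("@")
        domain = domain.lower()
        if domain in self.local_domains or domain in self.relay_domains:
            return "250 2.1.5 Ok"
        if self.defer:
            return f"454 4.7.1 <{recipient}>: Relay access denied"
        return f"554 5.7.1 <{recipient}>: Relay access denied"


if __name__ == "__main__":
    policy = RelayPolicy()
    for rcpt, ip, auth in [
        ("root@localhost", "192.168.207.1", False),   # what swaks did above
        ("someone@example.com", "192.168.207.1", False),
        ("someone@example.com", "127.0.0.1", False),
        ("someone@example.com", "192.168.207.1", True),
    ]:
        print(f"RCPT TO:<{rcpt}> from {ip} auth={auth} -> {policy.rcpt_to(rcpt, ip, auth)}")
```

Accepting unauthenticated mail for local users is normal MTA behaviour rather than a misconfiguration; the finding worth noting is that local accounts can be reached (and, combined with VRFY, confirmed) by anyone on the network, which is why restricting `smtpd_client_restrictions` or `mynetworks` to the intended senders matters on an internal host.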