SMTP


Nmap discovered an SMTP server on the target's port 25. The running service is Mercury/32 smtpd (mail server account Maiser).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ nmap -Pn --script smtp-* -p25 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 13:18 CET
Nmap scan report for 192.168.159.140
Host is up (0.018s latency).
 
PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME
|_smtp-open-relay: Server is an open relay (2/16 tests)
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| smtp-enum-users: 
|   root
|   Method VRFY returned a unhandled status code.
|_  Method EXPN returned a unhandled status code.
 
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

An additional Nmap scan reveals that there is a user: root.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ telnet $IP 25             
Trying 192.168.159.140...
Connected to 192.168.159.140.
Escape character is '^]'.
220 localhost ESMTP server ready.
EHLO all
250-localhost Hello all; ESMTPs are:
250-TIME
250-SIZE 0
250 HELP
  • 250-localhost is a response from the server, indicating its identity or hostname.
  • 250-SIZE 0 suggests that the server supports message sizes up to 0 bytes.
  • 250 HELP signifies that the server is ready to accept additional commands, and it also provides help information.
HELO x
250 localhost Hello, x.
HELP
214-Recognized SMTP commands are:
214-   HELO   EHLO   MAIL   RCPT   DATA   RSET
214-   AUTH   NOOP   QUIT   HELP   VRFY   SOML
214 Mail server account is 'Maiser'.

There are several supported commands.

AUTH NTLM
504 Unknown or unsupported authentication method.

The target SMTP server doesn’t allow NTLM authentication.

VRFY root@localhost
550 Address not valid for this site.
VRFY root@127.0.0.1
551 Address not local.
VRFY root@local
551 Address not local.

It would appear that the VRFY command only works through localhost.
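
Added example (not part of the original notes): a small Python parser that groups the multi-line replies from the session above (a hyphen after the reply code continues a reply, a space ends it) and summarises what the server discloses through EHLO, HELP and VRFY, which is useful when reviewing a mail server's exposure. The names `TRANSCRIPT`, `parse_session` and `summarize` are chosen here, and the transcript is a constructed sample copied from the session.

```python
import re
# Constructed sample: commands and replies copied from the session shown above.
TRANSCRIPT = """\
220 localhost ESMTP server ready.
EHLO all
250-localhost Hello all; ESMTPs are:
250-TIME
250-SIZE 0
250 HELP
HELP
214-Recognized SMTP commands are:
214-   HELO   EHLO   MAIL   RCPT   DATA   RSET
214-   AUTH   NOOP   QUIT   HELP   VRFY   SOML
214 Mail server account is 'Maiser'.
VRFY root@localhost
550 Address not valid for this site.
VRFY root@127.0.0.1
551 Address not local.
"""
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # reply code, separator, text

def parse_session(text):
    """Pair each client command with its complete (possibly multi-line) reply."""
    exchanges, command, lines = [], None, []
    for raw in text.splitlines():
        m = REPLY.match(raw)
        if not m:                       # not a reply line, so the client sent it
            command, lines = raw.strip(), []
        else:
            lines.append(m.group(3).strip())
            if m.group(2) == " ":       # "NNN " ends a reply, "NNN-" continues it
                exchanges.append((command, int(m.group(1)), lines))
                command, lines = None, []
    return exchanges

def summarize(exchanges):
    """Collect what the server discloses: ESMTP keywords, HELP verbs, VRFY codes."""
    info = {"extensions": {}, "commands": set(), "vrfy": {}}
    for command, code, lines in exchanges:
        verb = (command or "").split(" ")[0].upper()
        if verb == "EHLO" and code == 250:
            for line in lines[1:]:      # first line is the greeting text
                keyword, _, param = line.partition(" ")
                info["extensions"][keyword.upper()] = param
        elif verb == "HELP" and code == 214:
            # Assumes the layout shown above: header line, verb rows, footer line.
            info["commands"].update(w for l in lines[1:-1] for w in l.split())
        elif verb == "VRFY":
            info["vrfy"][command.partition(" ")[2]] = code
    return info
```

Calling `summarize(parse_session(TRANSCRIPT))` returns the advertised ESMTP keywords with their raw parameters, the verbs listed by HELP, and the reply code for each VRFY address tried.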

MAIL FROM: me
250 Sender OK - send RCPTs.

N/A