SMTP
Nmap discovered an SMTP server on target port 25
The running service is Postfix smtpd
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ telnet $IP 25
Trying 192.168.111.137...
Connected to 192.168.111.137.
Escape character is '^]'.
220 postfish.off ESMTP Postfix (Ubuntu)
HELO x
250 postfish.off
EHLO all
250-postfish.off
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Supported commands
VRFY is available
Username Enumeration
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ python3 ~/Tools/username_gen_v2.py -w ./users.txt > possible-usernames.txt
I will first generate all the possible username combinations using the users found on the web server
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ smtp-user-enum -t $IP -U possible-usernames.txt -M VRFY
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... possible-usernames.txt
Target count ............. 1
Username count ........... 44
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Mar 26 12:34:52 2025 #########
192.168.111.137: claire.madison exists
192.168.111.137: mike.ross exists
192.168.111.137: brian.moore exists
192.168.111.137: sarah.lorem exists
######## Scan completed at Wed Mar 26 12:34:53 2025 #########
4 results.
44 queries in 1 seconds (44.0 queries / sec)
4 users identified. I will save those into the valid_users.txt file
The naming convention that the target organization uses is <FIRSTNAME>.<LASTNAME>
Additional enumeration
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ smtp-user-enum -t $IP -U /usr/share/wordlists/metasploit/namelist.txt -M VRFY
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/metasploit/namelist.txt
Target count ............. 1
Username count ........... 1909
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Mar 26 13:36:27 2025 #########
192.168.111.137: backup exists
192.168.111.137: filter exists
192.168.111.137: games exists
192.168.111.137: hr exists
192.168.111.137: irc exists
192.168.111.137: it exists
192.168.111.137: legal exists
192.168.111.137: mail exists
192.168.111.137: news exists
192.168.111.137: proxy exists
192.168.111.137: root exists
192.168.111.137: sales exists
192.168.111.137: syslog exists
######## Scan completed at Wed Mar 26 13:36:59 2025 #########
13 results.
1909 queries in 32 seconds (59.7 queries / sec)
Most of those are default system accounts, but some non-default accounts were also found:
filter
hr
it
legal
sales
Saving those into the valid_users.txt file
Sending Mail
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/postfish]
└─$ swaks --to root@localhost --server $IP
=== Trying 192.168.111.137:25...
=== Connected to 192.168.111.137.
<- 220 postfish.off ESMTP Postfix (Ubuntu)
-> EHLO kali
<- 250-postfish.off
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250-SMTPUTF8
<- 250 CHUNKING
-> MAIL FROM:<kali@kali>
<- 250 2.1.0 Ok
-> RCPT TO:<root@localhost>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Wed, 26 Mar 2025 12:21:22 +0100
-> To: root@localhost
-> From: kali@kali
-> Subject: test Wed, 26 Mar 2025 12:21:22 +0100
-> Message-Id: <20250326122122.069816@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
->
-> This is a test mailing
->
->
-> .
<- 250 2.0.0 Ok: queued as 1E48745441
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
The target SMTP server accepts mail from an unauthenticated client, at least for a local recipient such as root@localhost; this test does not show whether it also relays to external domains.
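As an added check written from the defender's side (not part of the original write-up), the following Python parses a swaks-style SMTP transcript like the one above, records the EHLO capabilities, and flags the two findings in this section: VRFY advertised and a message queued without AUTH. The sample transcript is constructed from the session above; disable_vrfy_command and smtpd_relay_restrictions are real Postfix parameters.

```python
import re
SERVER = re.compile(r"^<-\s*(\d{3})([ -])\s*(.*)$")  # "<- 250-VRFY", "<- 250 CHUNKING"
CLIENT = re.compile(r"^->\s?(.*)$")                  # "-> EHLO kali", "-> ." ends DATA

# Constructed sample in swaks' transcript format, cut down from the session above.
SAMPLE = """-> EHLO kali
<- 250-postfish.off
<- 250-VRFY
<- 250 CHUNKING
-> MAIL FROM:<kali@kali>
<- 250 2.1.0 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> .
<- 250 2.0.0 Ok: queued as 1E48745441
"""

def audit_transcript(text):
    """Walk a swaks-style transcript; flag VRFY exposure and unauthenticated submission."""
    caps, auth_used, queued = [], False, False
    state, awaiting, ehlo_line = None, None, 0       # state: None | "ehlo" | "data"
    for raw in text.splitlines():
        if m := CLIENT.match(raw):
            body = m.group(1)
            if state == "data":                      # message body: only a lone "." ends it
                if body == ".":
                    state, awaiting = None, "END_OF_DATA"
                continue
            awaiting = body.split()[0].upper() if body.strip() else None
            if awaiting == "EHLO":
                state, ehlo_line = "ehlo", 0
        elif m := SERVER.match(raw):
            code, sep, rest = m.groups()
            if state == "ehlo" and code == "250":
                ehlo_line += 1
                if ehlo_line > 1 and rest:           # first 250 line is the hostname, not a keyword
                    caps.append(rest.split()[0].upper())
            elif awaiting == "AUTH" and code == "235":
                auth_used = True
            elif awaiting == "DATA" and code == "354":
                state = "data"
            elif awaiting == "END_OF_DATA" and code == "250":
                queued = True
            if sep == " ":                           # final line of this reply: command answered
                awaiting, state = None, (None if state == "ehlo" else state)
    issues = [msg for hit, msg in (
        ("VRFY" in caps, "VRFY advertised: accounts enumerable (Postfix: disable_vrfy_command = yes)"),
        (queued and not auth_used, "mail queued without AUTH: review smtpd_relay_restrictions / require SASL"),
    ) if hit]
    return {"capabilities": caps, "auth_used": auth_used, "message_queued": queued, "issues": issues}
```

Running audit_transcript(SAMPLE) reports both issues; a transcript where the client authenticates (235 reply to AUTH) and the EHLO reply lacks VRFY reports none.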