SMTP
Nmap discovered an SMTP server on target port 25.
The running service is Postfix smtpd.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ nmap -Pn --script smtp-* -p25 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-07 20:42 CEST
Nmap scan report for ONLYRANDS.COM (192.168.219.91)
Host is up (0.022s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-commands: onlyrands.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
| smtp-enum-users:
|_ root
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 21.01 seconds
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ telnet $IP 25
Trying 192.168.219.91...
Connected to 192.168.219.91.
Escape character is '^]'.
220 onlyrands.com ESMTP Postfix (Ubuntu)
HELO x
250 onlyrands.com
EHLO ALL
250-onlyrands.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Available commands
Username Enumeration
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ smtp-user-enum -t $IP -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -M VRFY
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Mon Apr 7 20:44:00 2025 #########
192.168.219.91: mail exists
192.168.219.91: root exists
192.168.219.91: news exists
192.168.219.91: man exists
192.168.219.91: bin exists
192.168.219.91: games exists
192.168.219.91: nobody exists
192.168.219.91: backup exists
192.168.219.91: daemon exists
192.168.219.91: proxy exists
192.168.219.91: dont exists
192.168.219.91: briand exists
192.168.219.91: list exists
192.168.219.91: Man exists
192.168.219.91: Daemon exists
192.168.219.91: postmaster exists
192.168.219.91: sys exists
192.168.219.91: finance exists
192.168.219.91: bobbyp exists
192.168.219.91: Proxy exists
192.168.219.91: Marc%20Ludlum 454 4.7.1 <Marc%20Ludlum>: Relay access denied..
192.168.219.91: Nobody exists
192.168.219.91: landscape exists
192.168.219.91: operations exists
192.168.219.91: administration exists
192.168.219.91: checkit! 454 4.7.1 <checkit!>: Relay access denied..
192.168.219.91: MAIL exists
192.168.219.91: Klassen! 454 4.7.1 <Klassen!>: Relay access denied..
192.168.219.91: matthewa exists
192.168.219.91: ckck!! 454 4.7.1 <ckck!!>: Relay access denied..
192.168.219.91: Games exists
192.168.219.91: sync exists
192.168.219.91: Root exists
192.168.219.91: Mail exists
192.168.219.91: MAN exists
192.168.219.91: Briand exists
192.168.219.91: BrianD exists
192.168.219.91: susanw exists
192.168.219.91: irc exists
192.168.219.91: doc%5F0815 454 4.7.1 <doc%5F0815>: Relay access denied..
192.168.219.91: danab exists
192.168.219.91: NoBody exists
192.168.219.91: List exists
192.168.219.91: CLEVER%20S 454 4.7.1 <CLEVER%20S>: Relay access denied..
192.168.219.91: Backup exists
192.168.219.91: tss exists
192.168.219.91: toKer! 454 4.7.1 <toKer!>: Relay access denied..
192.168.219.91: tgwood%5FDw5wb 454 4.7.1 <tgwood%5FDw5wb>: Relay access denied..
192.168.219.91: sy%5F999 454 4.7.1 <sy%5F999>: Relay access denied..
192.168.219.91: spirit%5F4AsoU 454 4.7.1 <spirit%5F4AsoU>: Relay access denied..
Found a number of non-default users (e.g. briand, bobbyp, matthewa, susanw, danab, finance, operations, administration). Only the lines reporting "exists" are confirmed local accounts; the entries answered with "454 4.7.1 ... Relay access denied" are not users but wordlist strings containing '%' or '!', which Postfix rewrote as address routing syntax into non-local addresses and rejected.
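As an added example that is not part of the original notes, the following Python script does two things a reviewer of these transcripts would want automated: it parses the EHLO extension list shown under "Available commands" and reports the settings that matter (VRFY advertised, STARTTLS present, no AUTH), and it triages smtp-user-enum output like the run above, separating confirmed accounts from the "Relay access denied" noise and from stock Ubuntu system accounts. The EHLO reply and the enumeration lines are embedded as constructed samples copied from the transcripts; the DEFAULT_ACCOUNTS set and the Postfix main.cf parameters named in the findings are assumptions made for the example, not something the page states.

```python
import re

# Constructed sample: the EHLO reply as captured from the Postfix server above
# ("250-" marks continuation lines, "250 " the final line).
EHLO_REPLY = """250-onlyrands.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING"""

# Constructed sample: a subset of the smtp-user-enum lines from the run above.
ENUM_OUTPUT = """192.168.219.91: root exists
192.168.219.91: mail exists
192.168.219.91: briand exists
192.168.219.91: Briand exists
192.168.219.91: BrianD exists
192.168.219.91: Marc%20Ludlum 454 4.7.1 <Marc%20Ludlum>: Relay access denied..
192.168.219.91: finance exists
192.168.219.91: bobbyp exists
192.168.219.91: checkit! 454 4.7.1 <checkit!>: Relay access denied.."""

# Assumption: hand-maintained approximation of the accounts present on a stock
# Ubuntu install; anything confirmed that is not in here deserves a closer look.
DEFAULT_ACCOUNTS = {
    "root", "daemon", "bin", "sys", "sync", "games", "man", "lp", "mail",
    "news", "uucp", "proxy", "www-data", "backup", "list", "irc", "gnats",
    "nobody", "landscape", "tss", "postmaster", "syslog", "messagebus",
}

EHLO_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")
ENUM_LINE = re.compile(r"^(?P<host>\S+): (?P<user>\S+) (?P<rest>.*)$")


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: parameter or None}."""
    lines = reply.strip().splitlines()
    extensions = {}
    for line in lines[1:]:  # the first line carries the hostname, not an extension
        m = EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        extensions[m.group(1).upper()] = m.group(2)
    return extensions


def audit_ehlo(extensions: dict) -> list:
    """Return (finding, Postfix setting to review) pairs for the advertised features."""
    findings = []
    if "VRFY" in extensions:
        findings.append(("VRFY advertised: valid account names can be enumerated",
                         "disable_vrfy_command = yes"))
    if "STARTTLS" not in extensions:
        findings.append(("no STARTTLS: sessions can only run in cleartext",
                         "smtpd_tls_security_level = may"))
    if "AUTH" not in extensions:
        # Expected on an MTA listening on port 25: mail is accepted purely on
        # sender/recipient restrictions, so those restrictions carry the risk.
        findings.append(("no AUTH: mail is accepted without credentials",
                         "smtpd_relay_restrictions (must reject non-local relay)"))
    return findings


def triage_enum(output: str) -> dict:
    """Split smtp-user-enum output into confirmed accounts and tool noise."""
    confirmed, rejected = set(), []
    for line in output.strip().splitlines():
        m = ENUM_LINE.match(line)
        if not m:
            continue
        user, rest = m.group("user"), m.group("rest")
        if rest == "exists":
            # The transcript reports Briand/BrianD next to briand, so fold case
            # before counting (assumption: the server matches names case-insensitively).
            confirmed.add(user.lower())
        elif rest.startswith("454 4.7.1"):
            # Relay access denied: '%' and '!' in the wordlist entry were treated
            # as address routing syntax, so this is a false positive, not a user.
            rejected.append(user)
    return {
        "non_default": sorted(confirmed - DEFAULT_ACCOUNTS),
        "default": sorted(confirmed & DEFAULT_ACCOUNTS),
        "false_positives": rejected,
    }


if __name__ == "__main__":
    for finding, setting in audit_ehlo(parse_ehlo(EHLO_REPLY)):
        print(f"- {finding}  [review: {setting}]")
    print(triage_enum(ENUM_OUTPUT))
```

Run against the two samples it prints the VRFY and no-AUTH findings for this server (STARTTLS is advertised, so that check stays quiet) and lists bobbyp, briand and finance as the accounts worth following up, with the two relay-denied strings set aside.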
Sending Mail
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ swaks --to root@localhost --server $IP
=== Trying 192.168.219.91:25...
=== Connected to 192.168.219.91.
<- 220 onlyrands.com ESMTP Postfix (Ubuntu)
-> EHLO kali
<- 250-onlyrands.com
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250-SMTPUTF8
<- 250 CHUNKING
-> MAIL FROM:<kali@kali>
<- 250 2.1.0 Ok
-> RCPT TO:<root@localhost>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Mon, 07 Apr 2025 20:44:27 +0200
-> To: root@localhost
-> From: kali@kali
-> Subject: test Mon, 07 Apr 2025 20:44:27 +0200
-> Message-Id: <20250407204427.028414@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
->
-> This is a test mailing
->
->
-> .
<- 250 2.0.0 Ok: queued as 3D66271F6
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
The target SMTP server accepts mail for local recipients (here root@localhost) without authentication; the Nmap smtp-open-relay check above shows it does not relay to external domains, so the exposure is unauthenticated delivery to local accounts rather than an open relay.