SMTP


Nmap discovered an SMTP server on the target port 25. The running service is Postfix smtpd.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ telnet $IP 25 
Trying 192.168.179.97...
Connected to 192.168.179.97.
Escape character is '^]'.
220 walla ESMTP Postfix (Debian/GNU)
HELO x
250 walla
EHLO all
250-walla
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

The EHLO response lists the available commands, including VRFY.

Username Enumeration


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ smtp-user-enum -t $IP -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -M VRFY 
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
 
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
 
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 
 
######## Scan started at Thu Mar 27 15:47:36 2025 #########
192.168.179.97: mail exists
192.168.179.97: root exists
192.168.179.97: terry exists
192.168.179.97: news exists
192.168.179.97: man exists
192.168.179.97: bin exists
192.168.179.97: games exists
192.168.179.97: nobody exists
192.168.179.97: walter exists
192.168.179.97: backup exists
192.168.179.97: daemon exists
192.168.179.97: proxy exists
192.168.179.97: Terry exists
192.168.179.97: list exists
192.168.179.97: TERRY exists
192.168.179.97: Man exists
192.168.179.97: Daemon exists
192.168.179.97: postmaster exists
192.168.179.97: paige exists
192.168.179.97: sys exists
192.168.179.97: Proxy exists
192.168.179.97: janis exists
192.168.179.97: Marc%20Ludlum 454 4.7.1 <Marc%20Ludlum>: Relay access denied..
192.168.179.97: Walter exists
192.168.179.97: Nobody exists
192.168.179.97: checkit! 454 4.7.1 <checkit!>: Relay access denied..
192.168.179.97: MAIL exists
192.168.179.97: Klassen! 454 4.7.1 <Klassen!>: Relay access denied..
192.168.179.97: ckck!! 454 4.7.1 <ckck!!>: Relay access denied..
192.168.179.97: WALTER exists
192.168.179.97: Games exists
192.168.179.97: sync exists
192.168.179.97: Root exists
192.168.179.97: Paige exists
192.168.179.97: Mail exists
192.168.179.97: MAN exists
^C

Several users found: terry, walter, paige, and janis.
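
From the defender's side, a VRFY sweep like the one above is visible in the mail log. The following is an added example, not part of the original notes: it assumes Postfix 3.0 or later, which logs a per-session command summary on disconnect (`command=ok/total`), and it sums VRFY counts per client across sessions because the scan ran 5 worker processes. The log lines, IP addresses, and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd disconnect summaries (assumed 3.0+ format).
# Addresses and counts are illustrative, not taken from the target.
SAMPLE_LOG = """\
Mar 27 15:46:22 walla postfix/smtpd[2101]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 27 15:47:41 walla postfix/smtpd[2107]: disconnect from unknown[198.51.100.23] helo=1 vrfy=3/400 commands=4/401
Mar 27 15:47:42 walla postfix/smtpd[2108]: disconnect from unknown[198.51.100.23] helo=1 vrfy=2/380 commands=3/381
Mar 27 15:47:44 walla postfix/smtpd[2109]: disconnect from unknown[198.51.100.23] helo=1 vrfy=4/420 commands=5/421
Mar 27 16:02:10 walla postfix/smtpd[2130]: disconnect from unknown[203.0.113.5] ehlo=1 vrfy=1 quit=1 commands=3
"""

DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S*\[([^\]]+)\] (.*)$")
# "vrfy=N" means all N succeeded; "vrfy=ok/total" means some were rejected.
VRFY = re.compile(r"\bvrfy=(\d+)(?:/(\d+))?")

def vrfy_totals(log_text):
    """Return {client_ip: [confirmed, attempted]} summed over all sessions."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        v = VRFY.search(m.group(2)) if m else None
        if not v:
            continue
        ok = int(v.group(1))
        attempted = int(v.group(2)) if v.group(2) else ok
        totals[m.group(1)][0] += ok
        totals[m.group(1)][1] += attempted
    return dict(totals)

def flag_enumeration(log_text, min_attempts=20, max_hit_ratio=0.5):
    """Flag clients issuing many VRFYs where most names do not exist."""
    flagged = []
    for ip, (ok, attempted) in sorted(vrfy_totals(log_text).items()):
        # Hypothetical thresholds: tune to the site's normal VRFY usage.
        if attempted >= min_attempts and ok / attempted <= max_hit_ratio:
            flagged.append((ip, ok, attempted))
    return flagged

if __name__ == "__main__":
    for ip, ok, attempted in flag_enumeration(SAMPLE_LOG):
        print(f"{ip}: {attempted} VRFY attempts, {ok} names confirmed")
```

Setting `disable_vrfy_command = yes` in Postfix's main.cf removes VRFY from the server, which closes this particular oracle.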

Sending Mail


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ swaks --to root@localhost --server $IP
=== Trying 192.168.179.97:25...
=== Connected to 192.168.179.97.
<-  220 walla ESMTP Postfix (Debian/GNU)
 -> EHLO kali
<-  250-walla
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<kali@kali>
<-  250 2.1.0 Ok
 -> RCPT TO:<root@localhost>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Thu, 27 Mar 2025 15:46:22 +0100
 -> To: root@localhost
 -> From: kali@kali
 -> Subject: test Thu, 27 Mar 2025 15:46:22 +0100
 -> Message-Id: <20250327154622.009724@kali>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> 
 -> This is a test mailing
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as B1358E14E2
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

The target SMTP server accepts mail for a local recipient (root@localhost) without authentication.