Hacktricks-skills smtp-pentest

Perform SMTP security assessments including banner grabbing, user enumeration, MX record analysis, SPF/DKIM/DMARC validation, and open relay detection. Use this skill whenever the user needs to assess email server security, test SMTP configurations, enumerate email users, check email authentication records, or perform authorized email security testing. Make sure to use this skill for any SMTP-related security assessment, email infrastructure testing, or mail server vulnerability scanning.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-smtp/pentesting-smtp/SKILL.MD

SMTP Pentesting Skill

A comprehensive skill for performing authorized SMTP security assessments and email infrastructure testing.

When to Use This Skill

Use this skill when:

  • You need to assess SMTP server security configurations
  • You want to enumerate email users on a target system
  • You need to check SPF, DKIM, and DMARC records
  • You're testing for open relay vulnerabilities
  • You need to perform banner grabbing on mail servers
  • You're conducting authorized email security assessments
  • You want to analyze MX record configurations

Prerequisites

  • Authorization: Only use on systems you have explicit permission to test
  • Tools: nmap, dig, openssl, telnet/nc, smtp-user-enum (optional)
  • Access: Network access to target SMTP servers (ports 25, 465, 587)

Workflow

1. Initial Reconnaissance

Start with basic information gathering:

# Find MX records for the target domain
dig +short mx example.com

# Check for multiple MX servers (may indicate load balancing or redundancy)
dig mx example.com

2. Banner Grabbing

Identify the SMTP server software and version:

# Standard SMTP (port 25)
nc -vn <target-ip> 25

# SMTPS (port 465 - SSL/TLS)
openssl s_client -crlf -connect <target-ip>:465

# STARTTLS (port 587)
openssl s_client -starttls smtp -crlf -connect <target-ip>:587

What to look for:

  • Server software name and version (e.g., "Microsoft ESMTP", "Sendmail 8.9.3")
  • Potential vulnerabilities associated with the version
  • Authentication methods supported

3. SMTP Enumeration

Use Nmap scripts for automated enumeration:

# Check SMTP commands supported
nmap -p25 --script smtp-commands <target-ip>

# Check for open relay
nmap -p25 --script smtp-open-relay <target-ip> -v

# Comprehensive SMTP scan
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 <target-ip>
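Added example, not part of the skill or its HackTricks source: a Python helper that parses a captured EHLO reply (the same data the smtp-commands script reports) and maps the advertised extensions onto the findings in the remediation table further down. SAMPLE_EHLO is a constructed reply, not a real capture.

```python
import re
from dataclasses import dataclass, field

# Constructed EHLO reply (not a real capture): each keyword is an extension the server advertises.
SAMPLE_EHLO = """250-mail.example.com Hello test [192.0.2.10]
250-VRFY
250-AUTH LOGIN PLAIN NTLM
250-AUTH=LOGIN PLAIN
250 HELP
"""

@dataclass
class EhloAudit:
    banner: str
    extensions: dict = field(default_factory=dict)  # KEYWORD -> parameter list
    findings: list = field(default_factory=list)    # (severity, description)

def parse_ehlo(response: str) -> EhloAudit:
    """Split a 250-/250 EHLO reply into its greeting line and an extension map."""
    lines = [ln for ln in response.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply")
    audit = EhloAudit(banner=lines[0][4:].strip())
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        keyword, params = m.group(1).upper(), (m.group(2) or "").split()
        if keyword.startswith("AUTH="):             # legacy "AUTH=LOGIN PLAIN" spelling
            keyword, params = "AUTH", [keyword[5:]] + params
        merged = audit.extensions.setdefault(keyword, [])
        for p in params:
            if p not in merged:
                merged.append(p)
    return audit

def audit_ehlo(response: str) -> EhloAudit:
    # Map advertised extensions onto the findings of the remediation table.
    audit = parse_ehlo(response)
    ext = audit.extensions
    if "STARTTLS" not in ext:
        audit.findings.append(("MEDIUM", "Plaintext SMTP: STARTTLS not advertised"))
    if "VRFY" in ext or "EXPN" in ext:
        audit.findings.append(("MEDIUM", "User enumeration: VRFY/EXPN advertised"))
    if "NTLM" in ext.get("AUTH", []):
        audit.findings.append(("LOW-MEDIUM", "NTLM authentication offered"))
    if "AUTH" in ext and "STARTTLS" not in ext:
        audit.findings.append(("HIGH", "AUTH offered without STARTTLS: credentials would cross the wire unencrypted"))
    return audit
```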

4. User Enumeration

Manual Enumeration via RCPT TO

telnet <target-ip> 25
HELO test
MAIL FROM:<test@attacker.com>
RCPT TO:<username>
# Response 250 = user exists, 550 = user unknown (a catch-all server returns 250 for every address, so check a known-bogus name first)

VRFY Command (if enabled)

telnet <target-ip> 25
HELO test
VRFY username
# 250 = user exists, 550 = user unknown

EXPN Command (for mailing lists)

telnet <target-ip> 25
HELO test
EXPN mailing-list-name

Automated User Enumeration

# Using smtp-user-enum
smtp-user-enum -M VRFY -U /path/to/userlist.txt -t <target-ip>
smtp-user-enum -M RCPT -U /path/to/userlist.txt -t <target-ip>

# Using Nmap
nmap --script smtp-enum-users <target-ip>

# Using Metasploit
msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_enum; set RHOSTS <target-ip>; run; exit'

5. Email Authentication Records

Check SPF, DKIM, and DMARC configurations:

# Check SPF record
dig txt <domain> | grep spf

# Check DMARC record
dig _dmarc.<domain> txt

# Check DKIM selector (found in email headers)
dig <selector>._domainkey.<domain> txt

SPF Qualifiers:

  • + = PASS (default)
  • - = FAIL (reject)
  • ~ = SOFTFAIL (mark as suspicious)
  • ? = NEUTRAL (no policy)

DMARC Policies:

  • p=none = monitoring only
  • p=quarantine = send to spam
  • p=reject = reject email
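Added example (not the skill's own code): Python parsers for the SPF and DMARC TXT records the dig commands above return, applying the qualifier and policy tables to produce findings in the shape of the remediation table. The record strings in the assertions are constructed; checkdmarc from the tools reference does the same against live DNS.

```python
SPF_QUALIFIERS = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}

def parse_spf(txt):
    """Return (qualifier of the 'all' mechanism or None, list of terms); None if not an SPF record."""
    txt = txt.strip().strip('"')              # dig prints TXT data in quotes
    if not txt.lower().startswith("v=spf1"):
        return None
    terms, all_qual = txt.split()[1:], None
    for term in terms:
        qual = term[0] if term[0] in SPF_QUALIFIERS else "+"   # '+' is the implicit default
        if term.lstrip("+-~?").lower() == "all":
            all_qual = qual
    return all_qual, terms

def parse_dmarc(txt):
    """Return the tag -> value dict of a DMARC record, or None if it is not one."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_txt, dmarc_txt):
    """Turn the two records (None = no record published) into (severity, finding) tuples."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append(("MEDIUM", "Missing SPF record"))
    else:
        qual = spf[0]
        if qual in (None, "+", "?"):      # no 'all', +all or ?all: unauthorized senders never fail
            findings.append(("HIGH", f"SPF 'all' qualifier {SPF_QUALIFIERS.get(qual, 'absent')}: policy does not fail unauthorized senders"))
        elif qual == "~":
            findings.append(("LOW", "SPF ends in ~all (SOFTFAIL); -all would hard-fail spoofed mail"))
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append(("MEDIUM", "Missing DMARC record"))
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append(("MEDIUM", "Weak DMARC policy p=none: monitoring only, implement p=quarantine or p=reject"))
        elif policy == "quarantine":
            findings.append(("LOW", "DMARC policy set to quarantine instead of reject"))
        if dmarc.get("pct", "100") != "100":
            findings.append(("LOW", f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail stream"))
    return findings
```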

6. Open Relay Testing

# Nmap script
nmap -p25 --script smtp-open-relay <target-ip> -v

# Manual test (be careful - this may be logged)
telnet <target-ip> 25
HELO test
MAIL FROM:<external@attacker.com>
RCPT TO:<external@external-domain.com>
# 250 here = server may be an open relay; 554 "Relay access denied" = relaying is restricted. Stop after RCPT TO (do not send DATA) so no message is actually relayed
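Added example (not part of the skill): the server-side decision the manual relay test exercises, written as a Python policy function so the expected replies are explicit. RelayPolicy, rcpt_decision and POLICY are hypothetical names and constructed values; the 250/554 replies follow the pattern a correctly restricted server produces.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RelayPolicy:
    """Hypothetical relay policy: the 'restrict relay to authorized networks' remediation as code."""
    local_domains: frozenset   # domains this server accepts inbound mail for
    trusted_networks: tuple    # client networks allowed to relay outward (cf. Postfix mynetworks)

def rcpt_decision(policy: RelayPolicy, client_ip: str, authenticated: bool, rcpt: str) -> str:
    """Return the reply a correctly restricted server gives to RCPT TO:<rcpt> from this client."""
    addr = ipaddress.ip_address(client_ip)
    local_part, _, domain = rcpt.strip().strip("<>").rpartition("@")
    if not local_part or not domain:
        return "501 5.1.3 Bad recipient address syntax"
    if domain.lower() in policy.local_domains:
        return "250 2.1.5 Ok"                 # inbound mail for a domain we host
    if authenticated or any(addr in net for net in policy.trusted_networks):
        return "250 2.1.5 Ok"                 # authorized client relaying outward
    return "554 5.7.1 Relay access denied"     # unauthenticated external -> external must be refused

def looks_like_open_relay(reply_to_external_rcpt: str) -> bool:
    """The manual test above: a 2xx reply to an external->external RCPT TO means the relay is open."""
    return reply_to_external_rcpt.startswith("2")

# Constructed policy (not a real deployment): hosts target.com, trusts only 10.0.0.0/8.
POLICY = RelayPolicy(frozenset({"target.com"}), (ipaddress.ip_network("10.0.0.0/8"),))
```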

7. NTLM Authentication Info Disclosure

If the server supports NTLM auth:

telnet <target-ip> 587
HELO test
AUTH NTLM
# Server answers 334 (ready for the NTLM exchange); send the base64 NTLM Type 1 (negotiate) message:
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
# The 334 challenge that comes back may reveal internal server names and versions

Or use Nmap:

nmap -p25 --script smtp-ntlm-info <target-ip>

8. DSN Reports for Information Gathering

Send an email to an invalid address to receive a Delivery Status Notification:

# Send test email to non-existent user
sendEmail -t nonexistent@target.com -f test@attacker.com -s <target-ip> -u "Test" -m "Test message"

# Analyze returned DSN headers for:
# - Internal IP addresses
# - Mail server software versions
# - Anti-virus software information

Security Considerations

Authorization

  • Only test systems you own or have explicit written permission to assess
  • Unauthorized SMTP testing may violate laws and terms of service
  • Document all testing activities

Rate Limiting

  • Be mindful of rate limits to avoid triggering spam filters
  • Space out enumeration attempts
  • Use appropriate delays between requests

Logging

  • SMTP servers typically log all connections
  • Your testing activity will be visible in server logs
  • Coordinate with system administrators when possible

Email Spoofing (Authorized Testing Only)

For authorized penetration testing, you may test email spoofing:

# Using sendEmail
sendEmail -t victim@target.com -f spoofed@target.com -s <target-ip> -u "Test" -m "Test message"

# Using swaks
swaks --to victim@target.com --from spoofed@target.com --server <target-ip> --header "Subject: Test"

Common Findings and Remediation

Finding | Risk | Remediation
--- | --- | ---
Open relay | High | Restrict relay to authorized networks only
User enumeration enabled | Medium | Disable VRFY/EXPN commands
Weak DMARC policy | Medium | Implement p=reject or p=quarantine
Missing SPF record | Medium | Add SPF record with appropriate qualifiers
Missing DKIM | Medium | Configure DKIM signing
Plaintext SMTP | Medium | Enable STARTTLS or SMTPS
NTLM info disclosure | Low-Medium | Disable NTLM or restrict authentication

Tools Reference

  • nmap: Network scanning and SMTP enumeration scripts
  • dig: DNS record queries (MX, SPF, DMARC, DKIM)
  • openssl: SMTPS and STARTTLS connections
  • telnet/nc: Manual SMTP protocol testing
  • smtp-user-enum: Automated user enumeration
  • sendEmail/swaks: Email sending for testing
  • mailspoof: SPF/DMARC misconfiguration checker
  • checkdmarc: Automated SPF/DMARC validation

Output Format

When documenting findings, use this structure:

## SMTP Security Assessment Report

### Target Information
- Domain: example.com
- MX Records: mx1.example.com, mx2.example.com
- SMTP Ports: 25 (open), 465 (closed), 587 (open)

### Server Identification
- Software: Microsoft ESMTP 6.0.3790.3959
- Version: 6.0.3790.3959

### Security Configuration
- SPF: v=spf1 include:_spf.google.com ~all
- DKIM: Configured (selector: s1)
- DMARC: p=quarantine

### Findings
1. [CRITICAL] Open relay detected
2. [HIGH] User enumeration via VRFY enabled
3. [MEDIUM] DMARC policy set to quarantine instead of reject
4. [LOW] NTLM authentication information disclosure

### Recommendations
1. Restrict SMTP relay to authorized networks
2. Disable VRFY and EXPN commands
3. Update DMARC policy to p=reject
4. Disable NTLM authentication or restrict access

Next Steps

After completing the assessment:

  1. Document all findings with evidence
  2. Prioritize findings by risk level
  3. Provide remediation recommendations
  4. Schedule retesting after fixes are applied
  5. Verify all security controls are properly configured