SMTP | 25, 587

Port 25 is the standard SMTP port for server-to-server email relay but is often blocked due to spam abuse; port 587 is the recommended default for secure email submission, while port 465 is a legacy port.

| Command | Description |
| --- | --- |
| HELO | Introduces the client to the server (used in SMTP). |
| EHLO | Extended HELO; used in ESMTP to request server capabilities. |
| MAIL FROM: | Specifies the sender's email address. |
| RCPT TO: | Specifies the recipient's email address. |
| DATA | Indicates that the email content (headers + body) follows. |
| RSET | Resets the current mail transaction. |
| VRFY | Verifies if a user/email address exists on the server. |
| EXPN | Expands a mailing list to show all recipients. |
| NOOP | No operation; used to keep the connection alive. |
| QUIT | Terminates the SMTP session. |
| STARTTLS | Initiates a TLS-secured connection (if supported). |
| AUTH | Begins the authentication process (e.g., LOGIN, PLAIN, CRAM-MD5). |

| Code | Type | Meaning |
| --- | --- | --- |
| 211 | Success | System status or help reply |
| 214 | Success | Help message |
| 220 | Success | Service ready |
| 221 | Success | Service closing transmission channel |
| 250 | Success | Requested action completed |
| 251 | Success | User not local; will forward |
| 252 | Success | Cannot verify user, but will accept message |
| 354 | Intermediate | Start mail input; end with <CRLF>.<CRLF> |
| 421 | Error | Service not available, closing transmission channel |
| 450 | Error | Requested action not taken: mailbox unavailable |
| 451 | Error | Requested action aborted: local error in processing |
| 452 | Error | Requested action not taken: insufficient system storage |
| 500 | Error | Syntax error, command unrecognized |
| 501 | Error | Syntax error in parameters or arguments |
| 502 | Error | Command not implemented |
| 503 | Error | Bad sequence of commands |
| 504 | Error | Command parameter not implemented |
| 550 | Error | Requested action not taken: mailbox unavailable |
| 551 | Error | User not local; please try <forward-path> |
| 552 | Error | Requested mail action aborted: exceeded storage allocation |
| 553 | Error | Requested action not taken: mailbox name not allowed |
| 554 | Error | Transaction failed (message rejected) |
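
An added example (not part of the original notes): a parser for the reply lines tabulated above, including multi-line `250-` replies, plus a review of an EHLO capability list for settings a mail admin would want to check. The transcript is constructed and the function names are this example's own; it also goes slightly beyond the table by separating 4yz (transient) from 5yz (permanent) errors.

```python
import re

# Constructed cleartext session: greeting, then a multi-line EHLO reply.
SAMPLE = """\
220 mail.example.test ESMTP
250-mail.example.test
250-SIZE 10240000
250-VRFY
250-AUTH PLAIN LOGIN
250 8BITMIME"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(raw):
    """Group lines into (code, [texts]); 'NNN-' continues a reply, 'NNN ' ends it."""
    replies, texts = [], []
    for line in raw.splitlines():
        m = REPLY.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, sep, text = m.groups()
        texts.append(text)
        if sep == " ":
            replies.append((int(code), texts))
            texts = []
    return replies

def reply_class(code):
    """First digit decides the class; 4yz is transient (retry later), 5yz permanent."""
    return {2: "success", 3: "intermediate",
            4: "transient error", 5: "permanent error"}[code // 100]

def audit_ehlo(texts):
    """Review the keyword lines of a 250 EHLO reply seen before any STARTTLS."""
    caps = {}
    for text in texts[1:]:  # texts[0] is the server's greeting line
        words = text.upper().replace("=", " ").split()
        if words:
            caps[words[0]] = words[1:]
    findings = [f"{v} advertised: lets clients test which mailboxes exist"
                for v in ("VRFY", "EXPN") if v in caps]
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: session stays cleartext")
    weak = sorted({"PLAIN", "LOGIN"} & set(caps.get("AUTH", [])))
    if weak:
        findings.append("AUTH " + "/".join(weak) + " offered before TLS: base64 is not encryption")
    return findings
```
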

  • Nmap Script

sudo nmap --script smtp-enum-users -p25 <IP>
sudo nmap --script smtp-open-relay,smtp-commands,smtp-ntlm-info -p25 <IP>  
  • Username enumeration

## ------------------| smtp-user-enum
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.17
smtp-user-enum -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -m 50 -M RCPT -D humongousretail.com -t 10.10.10.17      

## ------------------| Metasploit
msfconsole
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS $IP
set USER_FILE /usr/share/seclists/Usernames/Names/names.txt
set THREADS 10
set RPORT 25
run

## ------------------| Bash Script
for i in $(cat /usr/share/seclists/Usernames/Names/names.txt);do echo -e "HELO test.com\nVRFY $i\nQUIT" | nc -nv $IP 25 | grep -E "250|550"; done
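
The detection side of the enumeration above, as an added example that is not part of the original notes: it flags clients that hit many distinct unknown addresses with `550` rejections in a short window. The log lines are constructed and modelled on Postfix `NOQUEUE: reject` entries (the format is an assumption; adjust the regex to your MTA), and `find_enumeration` is this example's own name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a Postfix-like reject format (assumption, not real logs).
LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[811]: NOQUEUE: reject: VRFY from unknown[192.0.2.50]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=SMTP helo=<test.com>
Jan 10 10:00:02 mx postfix/smtpd[811]: NOQUEUE: reject: VRFY from unknown[192.0.2.50]: 550 5.1.1 <root>: Recipient address rejected: User unknown in local recipient table; to=<root> proto=SMTP helo=<test.com>
Jan 10 10:00:03 mx postfix/smtpd[811]: NOQUEUE: reject: VRFY from unknown[192.0.2.50]: 550 5.1.1 <backup>: Recipient address rejected: User unknown in local recipient table; to=<backup> proto=SMTP helo=<test.com>
Jan 10 10:05:00 mx postfix/smtpd[902]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <old.user@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<a@partner.example> to=<old.user@corp.example> proto=ESMTP helo=<mail.partner.example>
Jan 10 11:30:00 mx postfix/smtpd[955]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <j.smiht@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<b@partner.example> to=<j.smiht@corp.example> proto=ESMTP helo=<mail.partner.example>
"""

REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) .*reject: (?P<verb>VRFY|RCPT) from "
    r"\S*\[(?P<ip>[^\]]+)\]: 550 .*?<(?P<target>[^>]*)>")

def find_enumeration(log_text, min_targets=3, window=timedelta(seconds=60)):
    """Return {client_ip: targets} for clients that were refused on at least
    min_targets distinct addresses within one time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            # Syslog timestamps carry no year; pin one so parsing is unambiguous.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["target"].lower()))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct targets probed within `window` of this event
            targets = {t for ts, t in seen[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[ip] = sorted(targets)
                break
    return flagged
```

On Postfix, `disable_vrfy_command = yes` removes the VRFY oracle; RCPT-based probing still needs rate limiting or alerting of this kind.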
  • Check Auth

telnet <SMG_IP_address>  587
EHLO mailserver.com
AUTH LOGIN
<Username_in_base64> # echo -n "username" | base64
<Password_in_base64> # echo -n "password" | base64
  • Send mail

## !! Be careful with the from address. If you use the same domain for both from and to, the server will ask for auth, so use [email protected] first !!
## ------------------| Using Swaks
swaks --from [email protected] --to [email protected] --header 'Subject: Hello world' --body 'This is msg body' --server 10.10.10.197
    
## ------------------| Using sendEmail
sendEmail -m 'Hello machan' -f [email protected]  -t [email protected] -s <IP> -u "Message Subject" -a attachment.pdf                            
sendEmail -o message-file=message.txt -f [email protected]  -t [email protected] -s <IP> -u "Message Subject" -a attachment.pdf                            

## ------------------| Using Telnet
telnet <IP> 25
HELO writer.htb
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
Subject: Test mail
Hello h4rith
.
QUIT

## ------------------| Using NetCat  
nc <IP> 25
HELO writer.htb
MAIL FROM:[email protected]
RCPT TO:[email protected]
DATA
Subject: Test mail
Hello h4rith
.
QUIT
  • SMTP server

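## ------------------| Using smtpd (deprecated; smtpd and asyncore were removed in Python 3.12)
import smtpd
import asyncore

class CustomSMTPServer(smtpd.SMTPServer):
    def __init__(self, localaddr, remoteaddr):
        smtpd.SMTPServer.__init__(self, localaddr, remoteaddr)

    # **kwargs is required on Python 3.5+: with the default decode_data=False,
    # smtpd passes mail_options and rcpt_options as keyword arguments.
    def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
        print('Received email from:', mailfrom)
        print('To:', rcpttos)
        # data is bytes unless the server was created with decode_data=True
        if isinstance(data, bytes):
            data = data.decode('utf-8', errors='replace')
        print('Message:', data)

# Listen on all interfaces, port 1025; messages are only printed, not relayed
server = CustomSMTPServer(('0.0.0.0', 1025), None)
asyncore.loop()

## ------------------| Using asyncio (aiosmtpd)
from aiosmtpd.controller import Controller

class CustomSMTPHandler:
    async def handle_RCPT(self, server, session, envelope, address, rcpt_options):
        # Accept every recipient
        envelope.rcpt_tos.append(address)
        return '250 OK'

    async def handle_DATA(self, server, session, envelope):
        print('Received email from:', envelope.mail_from)
        print('To:', envelope.rcpt_tos)
        print('Message:', envelope.content.decode('utf-8', errors='replace'))
        return '250 OK'

# Controller runs the asyncio server in a background thread, so the main
# thread has to stay alive or the script exits immediately.
controller = Controller(CustomSMTPHandler(), hostname='localhost', port=1025)
controller.start()
try:
    input('SMTP server listening on localhost:1025. Press Enter to stop.\n')
finally:
    controller.stop()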

Last updated 1 month ago
