Yet another effective way of gathering information from a target is through the use of SMTP. This protocol is designed to send messages between servers that send and receive email. SMTP is the standard used by the majority of email servers and clients today. So how is this protocol used to gather information from a server? The process is quite simple if you have a fundamental understanding of a few commands and how to use them.
Using VRFY
One easy way to verify the existence of email accounts on a server is by using the telnet command to attach to the target and extract the information. The VRFY command is used within the protocol to check whether a specific user ID is present. However, this same command can be used by an attacker to locate valid accounts for attack, and if scripted, it could also be used to extract multiple accounts in a short time.
Using EXPN
EXPN is another valuable command for a pentester or an attacker. The command is similar in functioning to the VRFY command, but rather than returning one user, it can return all the users on a distribution list:
telnet 10.0.0.1 25 (where 10.0.0.1 is the server IP and 25 is the port for SMTP) 220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
EXPN link
250 Super-User <link@myhost>
EXPN zelda
550 zelda… User unknown
Using RCPT TO
The command RCPT TO identifies the recipient of an email message. This command can be repeated multiple times for a given message in order to deliver a single message to multiple recipients.
SMTP Relay
The SMTP Relay service lets users send emails through external servers. Open email relays aren’t the problem they used to be, but you still need to check for them. Spammers and hackers can use an email server to send spam or malware through email under the guise of the unsuspecting open-relay owner.
1 Comment