Hands-on Penetration Testing with Kali NetHunter by Glen D. Singh

Author:Glen D. Singh
Language: eng
Format: epub, mobi
Tags: COM046000 - COMPUTERS / Operating Systems / General, COM053000 - COMPUTERS / Security / General, COM043000 - COMPUTERS / Networking / Genera
Publisher: Packt Publication
Published: 2019-02-28T19:38:32+00:00

Enumerating SMTP

SMTP is a protocol used to transfer messages and is commonly used in both mail servers and mail clients. The simplicity and reliability of the protocol has led to its widespread adoption and a handful of revisions since it was first introduced way back in 1982.

SMTP, in the context of a messaging system, is used two different ways. In the case of mail servers, the protocol is used to transfer messages from one server to another until it reaches the server where the recipient's mailbox is located where it is stored for later retrieval. On the mail client side, the protocol is used to send messages to a mail server and make use of other protocols for retrieving messages from the server.

For pentesters, SMTP can represent a valuable source of information, in particular, user names and email addresses. The technique we will use here is designed to query an SMTP service and retrieve usernames along with domain names. You may not consciously think about it, but you see this information in your email address all the time in the form of two parts; the part before the @ is the username and what comes after is the domain name.

This format is standard in environments with usernames that follow a pattern, such as first name dot last name or some variation thereof. For example, john.doe as the name before the @ sign.

So, how can we extract email address information from SMTP with the tools in NetHunter? Well, it all starts with a Mail Exchange, or MX, record that we would have obtained from our enumeration of DNS.

Depending on the tool you used, the results may be displayed a little differently on screen, but what you are looking for is a record (or records, in some cases) that is specifically flagged at MX. Once you find these, you are looking for the IP address assigned to each. If you have multiple MX servers, you will want to see which one has the lowest priority number assigned to it as this will be the primary for the domain. If the primary doesn't work, move on to the next highest priority for later attempts at enumeration.

In practice, we typically choose the server with the lowest preference number, which is the first record in this case. The MX preference number is used in normal operations of SMTP to indicate which server should be used first. The lower the number, the higher the priority, thus two records with an MX preference set and one is set to the value 1 and the other to 50 will result in the 1 being attempted first then the 50. While we could use one of the others instead, it makes sense to use them in the same order they are used by mail-routing services. Once we have this, we can move to the second section of the results and focus on the lines.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.