| description |
|---|
Simple Mail Transfer Protocol |
Check if sender could be forged with an domain user:
$ telnet mail.example.com 25
HELO example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
RCPT TO: <[email protected]>
Check if sender could be forged with a non-domain user:
$ telnet mail.example.com 25
HELO example.com
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
RCPT TO: <[email protected]>
Check if domain users could be enumerated with VRFY and EXPN:
$ telnet mail.example.com 25
HELO example.com
VRFY [email protected]
EXPN [email protected]
Check if users could be enumerated with RCPT TO:
$ telnet mail.example.com 25
HELO example.com
MAIL FROM: <...>
RCPT TO: <[email protected]>
DATA
From: <...>
To: <[email protected]>
Subject: Job offer
Hello, I would like to offer you a great job!
.
QUIT
$ ./main.py -d megacorp.com -s 10.10.13.37 -f accounts.txt -m rcptto -o valid.txt
$ smtp-user-enum -M RCPT -f '<[email protected]>' -u '<[email protected]>' -t mx.megacorp.com
$ smtp-user-enum -M RCPT -D megacorp.com -U users.txt -t mx.megacorp.com
- https://postmarkapp.com/guides/spf
- https://www.mailigen.ru/blog/chto-takoe-spf-dkim-i-dmarc-i-pochemu-oni-obyazatelno-dolzhny-byt-propisany/
- https://github.com/BishopFox/spoofcheck
$ swaks --to [email protected] --from [email protected] --header 'Subject: Hello, friend' --body 'Hack the Planet!' --server 192.168.1.11 --attach hello.doc