add SMTP trick to get internal server name

Tested on Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514
Jeffrey Bencteux 2021-09-15 12:33:43 +02:00 committed by GitHub
parent ed83f616f9
commit 9f4c1cf2fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -70,6 +70,29 @@ NTLM supported
Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
### Internal server name - Information disclosure
Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:
```
220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200
EHLO all
250-somedomain.com Hello [x.x.x.x]
250-TURN
250-SIZE 52428800
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
MAIL FROM: me
250 2.1.0 me@PRODSERV01.somedomain.com....Sender OK
```
### Sniffing
Check if you sniff some password from the packets to port 25
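Review bot: the new section's scope is vaguer than what was actually verified: the body says "Some SMTP servers" while the commit message records the behaviour as tested only on Microsoft ESMTP MAIL Service 7.5.7601.17514, so name that product and version in the text (and say that `Version: Y.Y.Y.Y` in the transcript is redacted) so readers know where the trick is known to apply. In the transcript, client commands and server replies are indistinguishable; mark `EHLO all` and `MAIL FROM: me` as client input, e.g. with a `>` prefix or a trailing comment. Also worth a caveat: `MAIL FROM: me` is not RFC 5321 syntax (`MAIL FROM:<address>`), so the auto-completion shown relies on the server accepting an unqualified local part; a server that rejects it returns an error rather than disclosing its name, and from the defender's side rejecting (or not qualifying) bare local parts in `MAIL FROM` is the corresponding mitigation to mention in this Information disclosure section.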