Merge pull request #238 from jeffbencteux/smtp-internal-name-disclosure

add SMTP trick to get internal server name
Carlos Polop 2021-09-25 15:19:39 +01:00 committed by GitHub
commit c7d8fcac55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -70,6 +70,29 @@ NTLM supported
Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
### Internal server name - Information disclosure
Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:
```
220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200
EHLO all
250-somedomain.com Hello [x.x.x.x]
250-TURN
250-SIZE 52428800
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
MAIL FROM: me
250 2.1.0 me@PRODSERV01.somedomain.com....Sender OK
```
### Sniffing
Check if you sniff some password from the packets to port 25
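Review bot: the new "Internal server name" section never points the reader at what in the transcript is the actual disclosure, so the finding is easy to miss; add one sentence after the fence naming it, e.g. "The server expanded the bare `me` to `me@PRODSERV01.somedomain.com`, revealing the host name `PRODSERV01` that the banner (`220 somedomain.com ...`) had not shown." Two smaller points in the same region: the transcript is shown as a single unmarked block mixing client commands (`EHLO all`, `MAIL FROM: me`) with server replies, so either tag the fence or mark the client lines so readers can tell which side they type; and since the behaviour is only demonstrated against a "Microsoft ESMTP MAIL Service" banner, the lead sentence "Some SMTP servers" should say this was observed on Exchange/IIS SMTP and that other MTAs typically reject an address without a domain, to avoid implying the check works everywhere. A blank line before the `### Internal server name` heading (it currently sits directly under the "Or **automate** this..." line) would also match the rest of the document's heading spacing.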