From 9f4c1cf2fc4b22ea721279a7eda4f838967c4068 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Wed, 15 Sep 2021 12:33:43 +0200 Subject: [PATCH] add SMTP trick to get internal server name Tested on Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514 --- pentesting/pentesting-smtp/README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/pentesting/pentesting-smtp/README.md b/pentesting/pentesting-smtp/README.md index c0e14d4c..5e7a30a6 100644 --- a/pentesting/pentesting-smtp/README.md +++ b/pentesting/pentesting-smtp/README.md @@ -70,6 +70,29 @@ NTLM supported Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse` +### Internal server name - Information disclosure + +Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name: + +``` +220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200 +EHLO all +250-somedomain.com Hello [x.x.x.x] +250-TURN +250-SIZE 52428800 +250-ETRN +250-PIPELINING +250-DSN +250-ENHANCEDSTATUSCODES +250-8bitmime +250-BINARYMIME +250-CHUNKING +250-VRFY +250 OK +MAIL FROM: me +250 2.1.0 me@PRODSERV01.somedomain.com....Sender OK +``` + ### Sniffing Check if you sniff some password from the packets to port 25
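Review bot: the new section opens with "Some SMTP servers" but the only evidence in the hunk is a single transcript whose banner redacts the version as `Y.Y.Y.Y`, while the commit message says it was tested on Microsoft ESMTP MAIL Service 7.5.7601.17514; state that tested version in the section text (e.g. "Observed on Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514") so readers know which implementation produced the `250 2.1.0 me@PRODSERV01.somedomain.com....Sender OK` completion and can recognise it in their own logs. Minor wording: "when command "MAIL FROM" is issued without a full address" reads better as "when the `MAIL FROM` command is issued without a full address", and the fenced transcript could carry a language tag (e.g. `text`) if the rest of the README tags its fences.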