Metasploitable 2: Port 25

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
Apr 26, 2019 · 3 min read

In part I we prepared our lab for safe hacking; in part II we made our first hack into Metasploitable 2 through port 21. In this article we’ll get to port 25, SMTP.

SMTP port 25 with MSF

Our first task is to determine which software and version is running behind port 25. Let’s use nmap:

> db_nmap -p 25 -sC -sV -A 192.168.231.109

MSF has an auxiliary module for us to use, so let’s try it:

> use auxiliary/scanner/smtp/smtp_version

After running the module here are the results:

As we did in part II, let’s search ExploitDB, Google, etc.

MSF has a user enumeration module for SMTP.

> use auxiliary/scanner/smtp/smtp_enum

> run

The module was able to extract a list of users. We can now try to brute force our way in with these users.

SMTP 25 commands

SMTP stands for Simple Mail Transfer Protocol. It is a server-to-server protocol, and the server keeps a local database of the users for which it must send and receive emails.

SMTP has a set of commands. We’re going to connect to our target through port 25 and try to acquire the email addresses in this database. Open a new terminal and type:

$ nc 192.168.231.109 25

We’re in. Let’s use the ‘VRFY’ command to list users:

>VRFY user

Instead of doing this by hand, let’s use a tool from our toolbelt: smtp-user-enum.

Running the ‘-h’ option we can view the usage. We’ll use a wordlist from Kali:

$ smtp-user-enum -M VRFY -U /usr/share/wordlist/fern-wifi -t 192.168.231.109
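The VRFY replies are what make this enumeration work, so they are also what to check on a mail server you run. The following is an added example, not code from the original article: a small Python audit that reads a recorded VRFY session and reports whether the replies let a client tell real mailboxes from fake ones, including the case where known names get 252 but unknown names get 550. The `C:`/`S:` transcript format, the host name and the mailbox names are constructed for illustration.

```python
import re
# VRFY reply codes from RFC 5321, grouped by what they tell the client.
# 252 (cannot verify) and 502 (not implemented) say nothing on their own.
CONFIRMS = {"250", "251"}        # mailbox recognised
DENIES = {"550", "551", "553"}   # mailbox unknown or rejected

def vrfy_replies(transcript):
    """Return [(name, reply_code)] for every VRFY in a C:/S: transcript."""
    results, pending = [], None
    for line in transcript.splitlines():
        line = line.strip()
        cmd = re.match(r"C:\s*VRFY\s+(\S+)", line, re.IGNORECASE)
        if cmd:
            pending = cmd.group(1)
            continue
        # "NNN text" ends a reply; "NNN-text" is a continuation line.
        reply = re.match(r"S:\s*(\d{3})(?: |$)", line)
        if reply and pending is not None:
            results.append((pending, reply.group(1)))
            pending = None
    return results

def audit(transcript):
    """Report whether the VRFY replies reveal which mailboxes exist."""
    replies = vrfy_replies(transcript)
    return {
        "confirmed": [n for n, c in replies if c in CONFIRMS],
        "denied": [n for n, c in replies if c in DENIES],
        # Any confirm or deny lets a client tell real names from fake ones.
        "discloses_users": any(c in CONFIRMS | DENIES for _, c in replies),
    }

# Constructed sessions: host and mailbox names are made up for illustration.
LEAKY = """S: 220 mail.example.test ESMTP
C: VRFY alice
S: 250-alice
S: 250 <alice@mail.example.test>
C: VRFY nosuchuser
S: 550 5.1.1 unknown user"""
PARTIAL = """C: VRFY alice
S: 252 2.0.0 alice
C: VRFY nosuchuser
S: 550 5.1.1 unknown user"""
HARDENED = """C: VRFY alice
S: 502 5.5.1 VRFY command is disabled
C: VRFY nosuchuser
S: 502 5.5.1 VRFY command is disabled"""
if __name__ == "__main__":
    for label, s in (("leaky", LEAKY), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(label, audit(s))
```

Record the session with one name you know exists and one you know does not. The server passes only when both get the same non-committal reply (252 or 502).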

Conclusion

In this article we’ve scanned port 25 (SMTP). After obtaining more information about the service, we decided to try to enumerate existing users, which we did first with the Metasploit Framework and then with the smtp-user-enum tool.
