# Pentesting SMTP - 25,465,587

### Find Mail Server

The IP addresses of mail servers are usually provided in tests. When they are not, we can find them using `dig`.

```
dig mx gmail.com
```

## Banner Grabbing

```
nc -nv <IP address> 25
```

### Mail Relay

```
telnet 10.10.10.10 25
EHLO domain.com # when we try to connect with telnet, the server gives its domain or IP here
VRFY username@localhost
mail from: mailadresi@domain.com
rcpt to: denemamail@localhost
data
```

```
telnet 10.10.10.10 25
EHLO domain.com # when we try to connect with telnet, the server gives its domain or IP here
mail from: mailadresi@domain.com
rcpt to: denemamail@localhost
data
```

```
nmap -p 25 --script=smtp-open-relay 10.10.10.10
```
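To read the result of the manual session above on a server you are assessing, the following added example (not part of the original page) pairs each command in a saved transcript with the server's final reply code and flags relaying to a non-local domain and VRFY replies that differ per user. The `C:`/`S:` transcript format, the sample session and the `local_domains` parameter are assumptions made for this sketch.

```python
import re

# Constructed sample session (C: client line, S: server line); not captured from a real host.
SAMPLE = """\
S: 220 mail.example.test ESMTP
C: EHLO domain.com
S: 250-mail.example.test
S: 250-SIZE 10240000
S: 250 VRFY
C: VRFY root@localhost
S: 252 2.0.0 root@localhost
C: VRFY nosuchuser@localhost
S: 550 5.1.1 <nosuchuser@localhost>: Recipient address rejected
C: MAIL FROM:<sender@outside.test>
S: 250 2.1.0 Ok
C: RCPT TO:<someone@elsewhere.test>
S: 250 2.1.5 Ok
"""

def pair_commands(transcript):
    """Return [(command, code)] pairs, folding multiline replies (NNN-text ... NNN text)."""
    pairs, cmd = [], None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and text.strip():
            cmd = text.strip()
        elif side == "S":
            m = re.match(r"(\d{3})([ -]|$)", text)
            if m and m.group(2) != "-" and cmd is not None:  # final line of a reply
                pairs.append((cmd, int(m.group(1))))
                cmd = None
    return pairs

def assess(transcript, local_domains):
    """Flag VRFY user disclosure and relaying to non-local recipients."""
    findings, vrfy_codes = [], set()
    for cmd, code in pair_commands(transcript):
        verb = cmd.split(None, 1)[0].upper()
        if verb == "VRFY":
            vrfy_codes.add(code)
        elif verb == "RCPT" and code in (250, 251):
            domain = cmd.rsplit("@", 1)[-1].strip("<> ").lower()
            if domain not in local_domains:
                findings.append(f"relay accepted for external domain {domain}")
    # Different codes for different names means VRFY distinguishes valid from invalid users.
    if len(vrfy_codes) > 1:
        findings.append("VRFY replies differ per user (enumeration possible)")
    return findings
```

A server that answers every VRFY with the same code and rejects the external RCPT (for example with a 554 reply) produces an empty findings list.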

## SMTP Nmap scripts

```
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.10.10.10
```

## Automatic Tools

```
Metasploit: auxiliary/scanner/smtp/smtp_enum
smtp-user-enum: smtp-user-enum -M <MODE> -u <USER> -t <IP>
smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 10.10.10.10
```

## Send E-mail From Shell

```
root@kali:~# sendEmail -t victimmail@victim.com -f frommail@fmail.com -s 10.10.10.10 -u "Title of Mail" -a /root/Desktop/filname.pdf
```
