As with nearly all common Layer 7 protocols, SMTP has its share of vulnerabilities and exploits. Clients use it to submit email to their mail service, and mail exchangers (the servers named in a domain's MX records) use it to relay messages to each other. The original SMTP on TCP port 25 is cleartext. Most clients now submit mail over TLS, on TCP 587 (STARTTLS) or 465 (implicit TLS), but server-to-server delivery on port 25 is encrypted only opportunistically, with STARTTLS that an on-path attacker can strip, and involves no authentication between the servers. Some SMTP server implementations have had memory-corruption bugs that let an attacker run arbitrary commands, often as root, through an overflow, but pen testers more often use SMTP to enumerate email accounts and to relay spam and phishing messages. Two commands are particularly useful for enumeration. VRFY asks the server to confirm that a mailbox exists, and EXPN asks it to expand a mailing list or alias into its actual recipients. Most mail servers let you disable both (Postfix has no EXPN and turns off VRFY with disable_vrfy_command = yes; Sendmail disables both with the novrfy and noexpn PrivacyOptions flags). Disabling them narrows the hole but does not close it: a server that rejects unknown local recipients at RCPT TO with a 550 leaks the same information, which is why enumeration tools also offer an RCPT mode.

Common SMTP attacks, with tools often used for each:

  • Banner grabbing: telnet or nc to port 25, Nmap -sV and its smtp-commands NSE script
  • Cleartext sniffing of authentication, email messages, and attachments (on a shared LAN): Wireshark, coupled with an ARP poisoner such as Ettercap or Cain and Abel
  • Spam and phishing relaying (open relay abuse): MailBomber, Kali SET, Metasploit Pro Phishing Campaign Quick Wizard, ReelPhish, King Phisher
  • Email account enumeration: telnet, Kali Linux smtp-user-enum, iSMTP, Metasploit auxiliary/scanner/smtp/smtp_enum
  • Brute forcing account passwords (SMTP AUTH): Ncrack, Hydra, and Medusa
  • Buffer overflows for arbitrary code execution: Nmap's smtp-vuln-cve2010-4344.nse (Exim heap overflow, CVE-2010-4344); Metasploit exploit/windows/email/ms07_017_ani_loadimage_chunksize, which is a client-side exploit delivered by email rather than an attack on the SMTP server itself
  • Privilege escalation
  • Denial of service
  • Authentication bypass

SMTP enumeration example

Metasploit has many SMTP-related scanners and exploits. Any of the following msfconsole commands lists them; the last one applies a regular-expression filter (-S) to the result rows, here keeping only modules ranked excellent:

search smtp
search scanner name:smtp
search exploit name:smtp -S excellent
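What a module such as smtp_enum or smtp-user-enum does at the protocol level is shown below. This is an added example, not code from the original text or from Metasploit: it runs the three enumeration modes (VRFY, EXPN, then RCPT TO) against a constructed in-process SMTP server so it works offline. The domain example.test, the accounts root/postmaster/alice and the staff alias are assumptions; the server's "hardened" mode imitates an MTA that answers VRFY with a noncommittal 252 and EXPN with 502.

```python
"""Added example (not from the original text): SMTP account enumeration via VRFY,
EXPN and RCPT TO against a constructed in-process MTA, so it runs offline."""
import smtplib
import socket
import threading

# Constructed demo data; the domain, accounts and alias are assumptions.
DOMAIN = "example.test"
KNOWN_USERS = {"root", "postmaster", "alice"}
ALIASES = {"staff": [f"alice@{DOMAIN}", f"bob@{DOMAIN}"]}


def _reply(line, hardened):
    """Answer one command line the way a permissive or a hardened MTA would."""
    verb, _, arg = line.partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb in ("HELO", "EHLO"):
        return f"250 mail.{DOMAIN}\r\n"
    if verb == "VRFY":
        if hardened:  # VRFY neutered: RFC 5321 allows a noncommittal 252
            return "252 2.0.0 Cannot VRFY user, but will take message\r\n"
        user = arg.strip("<>").split("@")[0]
        if user in KNOWN_USERS:
            return f"250 2.1.5 {user} <{user}@{DOMAIN}>\r\n"
        return "550 5.1.1 User unknown\r\n"
    if verb == "EXPN":
        if hardened:  # EXPN disabled outright
            return "502 5.5.2 Command not implemented\r\n"
        members = ALIASES.get(arg.strip("<>"))
        if members:  # multi-line reply: "250-" continuations, "250 " on the last line
            return "".join(f"250-{m}\r\n" for m in members[:-1]) + f"250 {members[-1]}\r\n"
        return "550 5.1.1 Alias unknown\r\n"
    if verb in ("MAIL", "RSET"):
        return "250 2.0.0 Ok\r\n"
    if verb == "RCPT":  # arg is "TO:<user@domain>"; rejecting unknown locals leaks the same fact
        user = arg.split(":", 1)[-1].strip().strip("<>").split("@")[0]
        if user in KNOWN_USERS or user in ALIASES:
            return "250 2.1.5 Ok\r\n"
        return "550 5.1.1 Recipient address rejected: User unknown\r\n"
    if verb == "QUIT":
        return "221 2.0.0 Bye\r\n"
    return "502 5.5.2 Error: command not recognized\r\n"


def _serve(conn, hardened):
    with conn, conn.makefile("rb") as lines:  # line-oriented loop for one client
        conn.sendall(f"220 mail.{DOMAIN} ESMTP constructed demo\r\n".encode())
        for raw in lines:
            text = raw.decode("ascii", "replace").rstrip("\r\n")
            conn.sendall(_reply(text, hardened).encode())
            if text.upper().startswith("QUIT"):
                return


def start_server(hardened=False):
    """Start the constructed MTA on 127.0.0.1 and return its ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve, args=(conn, hardened), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def enumerate_users(host, port, candidates, domain=DOMAIN):
    """Return {name: method} for each candidate the server confirms, trying the
    same three modes as smtp-user-enum: VRFY, EXPN, then RCPT TO."""
    found = {}
    with smtplib.SMTP(host, port, local_hostname=f"probe.{domain}", timeout=5) as smtp:
        smtp.helo()
        for name in candidates:
            code, _ = smtp.verify(name)  # 250 exists, 550 unknown, 252 "won't say"
            if code == 250:
                found[name] = "VRFY"
                continue
            code, msg = smtp.expn(name)  # 250 plus the member list for an alias
            if code == 250:
                found[name] = "EXPN:" + ",".join(msg.decode().split())
        smtp.mail(f"probe@{domain}")  # one envelope, then probe each recipient
        for name in candidates:
            if name not in found and smtp.rcpt(f"{name}@{domain}")[0] == 250:
                found[name] = "RCPT"
        smtp.rset()  # never send DATA, so nothing is delivered
    return found


def run_demo(hardened=False):
    port = start_server(hardened)
    return enumerate_users("127.0.0.1", port, ["root", "alice", "staff", "nobody"])


if __name__ == "__main__":
    print("permissive:", run_demo(hardened=False))
    print("hardened:  ", run_demo(hardened=True))
```

Against the permissive server, root and alice are confirmed by VRFY and staff is expanded by EXPN into its two members; against the hardened one, VRFY and EXPN give nothing, yet all three names are still confirmed through RCPT TO because the server rejects unknown recipients with 550. That is the check to run after disabling VRFY and EXPN: if RCPT TO still distinguishes valid from invalid local users, enumeration is still possible, and the fix is on the recipient-validation side (accepting or deferring uniformly, rate limiting, or rejecting only after DATA), not in the VRFY/EXPN settings.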

Note: For more information on SMTP vulnerabilities and exploits, see https://pen-testing.sans.org/resources/papers/gcih/smtp-victim-good-time-105208