refabr1k's Pentest Notebook

25 tcp - SMTP

SMTP username enum (smtp-user-enum)

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.17

Nmap username enum

nmap --script smtp-enum-users 10.10.10.51 -p25

Telnet SMTP - send mail

telnet 10.10.10.17 110

# log in (port 110 is POP3, used here to read a mailbox)
user orestis
pass 1234656

# list messages
list

# read message number
retr 1

# To send email using SMTP for LFI /var/mail/ValidUserHere
EHLO hacker.anything.com
mail from:hacker@doesnt.matter
rcpt to:ValidVictim@Mail
data
Subject: email title
<your LFI code here>
<new blank line>

VRFY USER

nc -nv 192.168.1.230 25
VRFY bob

VRFY SCRIPT (Python)

#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <username> <ipaddress>")
    sys.exit(0)

print("Verifying user: " + sys.argv[1] + " with " + sys.argv[2])
s = None
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # create a socket
    s.settimeout(10)  # do not hang forever on a filtered port
    s.connect((sys.argv[2], 25))  # connect to the server
    banner = s.recv(1024)
    print(banner.decode(errors="replace"))
    s.send(("VRFY " + sys.argv[1] + "\r\n").encode())  # VRFY a user
    result = s.recv(1024)
    print("There is some response: ")
    print(result.decode(errors="replace"))
except OSError:
    print("Unable to verify. Server maybe offline/port filtered/unopened")
finally:
    if s is not None:
        s.close()  # close the socket
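
Added example (not part of the original notebook): a defender-side check that interprets the kind of reply the script above prints. It reads VRFY reply codes as defined in RFC 5321 and flags a mail server that answers differently for a mailbox known to exist and one known not to exist. The function names and the sample replies are constructed for illustration.

```python
# Added example: audit whether VRFY replies disclose which mailboxes exist.
import re

# What a VRFY reply code tells a remote client (codes from RFC 5321).
VRFY_MEANING = {
    250: "confirms",  # mailbox verified
    251: "confirms",  # user not local, server will forward
    252: "neutral",   # cannot VRFY user, but will accept the message
    500: "neutral",   # command not recognised
    502: "neutral",   # command not implemented / disabled
    550: "denies",    # mailbox unavailable / unknown
}

def reply_code(reply):
    """Return the code of the final line of a (possibly multi-line) SMTP reply."""
    for line in reply.splitlines():
        m = re.match(r"(\d{3})([ -]|$)", line)
        if not m:
            raise ValueError("not an SMTP reply line: %r" % line)
        if m.group(2) != "-":  # "250-" marks a continuation, "250 " the last line
            return int(m.group(1))
    raise ValueError("incomplete SMTP reply")

def classify(reply):
    """Map a raw VRFY reply to confirms / denies / neutral / other."""
    return VRFY_MEANING.get(reply_code(reply), "other")

def audit(valid_reply, invalid_reply):
    """Compare the replies for an account you know exists and one you know
    does not. Different codes mean a client can tell the two apart."""
    leaks = reply_code(valid_reply) != reply_code(invalid_reply)
    return leaks, classify(valid_reply), classify(invalid_reply)

# Constructed sample replies (not captured from a real server).
LEAKY = ("250 2.1.5 bob <bob@example.test>\r\n",
         "550 5.1.1 <nosuchuser>: Recipient address rejected\r\n")
HARDENED = ("252 2.0.0 bob\r\n", "252 2.0.0 nosuchuser\r\n")
DISABLED = ("502 5.5.1 VRFY command is disabled\r\n",) * 2

if __name__ == "__main__":
    for name, pair in (("leaky", LEAKY), ("hardened", HARDENED),
                       ("disabled", DISABLED)):
        leaks, valid, invalid = audit(*pair)
        print("%-9s valid=%-8s invalid=%-8s %s"
              % (name, valid, invalid, "LEAKS USERS" if leaks else "ok"))
```

A server that returns the same code for every name (typically 252 or 502) gives the VRFY checks above nothing to enumerate; in Postfix that is the `disable_vrfy_command = yes` setting.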

Last updated 5 years ago
