Attacks on network protocols in a pentest: how SMB, FTP, SNMP and SMTP are exploited

Depov

38 minutes from the first SNMP query to the domain-admin password. An internal pentest of a logistics company: Nmap showed port 161/udp with a default community string, and SNMP happily gave away host names, interfaces and running services. Two SMB shares with anonymous access, a passwords.xlsx file in cleartext, and the domain is compromised. Three services, none of them hardened. Not a single exploit was needed.
Key terms: what you need to understand before the first command
Before dismantling specific attacks on network protocols in a pentest, we will deal with the concepts. Without them the commands below turn into a set of letters.

Community string in the SNMP protocol: essentially a password for accessing information about a device. You send an SNMP request, the community string travels with it, and the device checks it. By default a huge amount of equipment uses "public" for reading and "private" for read-write. If the admin has not changed these values, anyone on the network can read the configuration of routers, switches and servers. Just like that, with one command.

NTLM hash: the result of hashing the user's password in Windows. When you log in, Windows converts the password into it. In network authentication (SMB, HTTP, LDAP) the NTLM hash is used to confirm identity. For the pentester the key point is this: if you know the NTLM hash, you can authenticate without the password itself, the Pass-the-Hash technique. Cracking the hash is unnecessary.

SMB signing: a mechanism where every SMB packet is signed with the cryptographic key of the session. Without a signature, an attacker intercepts the authentication request of one host and redirects it to another (SMB relay). With the signature, the redirected packet is discarded because the signature does not match. On domain controllers SMB signing is required by default (via GPO). On workstations before Windows 11 24H2 it is supported but not mandatory; it has been required on all systems starting with Windows 11 24H2 and Server 2025.

Open relay in the SMTP context is a mail server that receives and forwards emails from anyone without checking the sender. The attacker uses such a server for phishing on behalf of the company's domain. The recipient sees a letter arriving from the IP address of the victim's own mail server, so the basic checks are passed at once.
How to deploy a laboratory for practice
[Applicable:laboratory environment, training]

All the techniques from the article are practiced in a local virtual environment without Internet access.

Requirements for the environment:
• RAM: 8 GB minimum (4 GB for Kali Linux + 4 GB for Metasploitable 2), 12 GB recommended
• CPU: 2+ cores
• Disk: 40 GB of free space
• Host OS: Windows 10+, macOS 12+, Linux
• VirtualBox 7.x (free) or VMware Workstation
• Internet: not required after downloading the images
Step 1. Download VirtualBox from virtualbox.org, standard installation. For macOS on Apple Silicon use UTM instead of VirtualBox (VirtualBox on ARM does not work).

Step 2. Download the ready-made Kali Linux image for VirtualBox from kali.org/get-kali (Virtual Machines section). The .ova file is imported through File → Import Appliance. Give the VM at least 4 GB RAM and 2 CPUs.

Step 3. Download Metasploitable 2, a deliberately vulnerable Linux machine from Rapid7 (SourceForge, search for "Metasploitable 2 download"). Unpack the archive and create a new VM: New → Linux → Ubuntu (32-bit) → Use an existing virtual hard disk file → the .vmdk from the archive. On Apple Silicon, Metasploitable 2 (x86) starts only through QEMU emulation in UTM and runs slowly; for ARM hosts consider Metasploitable 3 or a VulnHub machine.

Step 4. Switch both machines to a Host-Only Network: Settings → Network → Attached to: Host-Only Adapter. This isolates the laboratory from your home and work network; you will break only your own machines.

Step 5. Start both VMs. On Kali run sudo netdiscover -r 192.168.56.0/24; the IP address of Metasploitable will appear in the output (usually 192.168.56.101). Check: if ping 192.168.56.101 responds, the lab is ready.

Metasploitable 2 collects the intended weaknesses: FTP (vsftpd 2.4.4 with a backdoor), SMB (Samba 3.x), SNMP with a default community string, SMTP: a complete set for testing the techniques from this article.
Exploration of network services: the first scan
[Applicable: internal and external pentest, black/grey box]

Any attack starts with reconnaissance: scanning IP blocks (T1595.001, Reconnaissance). The task is to understand which services are exposed and how they are configured. For the first pass one command is enough:
Bash:
# SYN scan with version detection (requires root); -sU adds the UDP probe needed for 161/udp
# Context: internal pentest, laboratory environment
sudo nmap -sS -sU -sV -p T:21,25,80,443,445,3389,U:161 192.168.56.0/24

The -sS flag is a half-open SYN scan: it does not complete the TCP handshake and is therefore less noticeable than a full connect scan. The -sV flag determines service versions; without it you see only the port number and do not know what software is running on it. Note that -sS probes TCP only: port 161/udp is reached only with -sU in addition.

In the Nmap output each port is in one of three states:
• open - the service accepts connections (SYN-ACK received)
• closed - the port is closed, no service is listening (RST received)
• filtered - between you and the target there is a firewall that silently drops the packet (silence)
The difference between closed and filtered is fundamental: closed means "there is nothing here", filtered means "there may be something here, but the firewall does not let you in". The second option is more interesting.

SYN scanning requires root to work with raw sockets. And no, it is not invisible: Suricata and Snort detect the fast port-sweep pattern from one IP. Elastic 8.x+ with a threshold on the number of SYN packets without ACK will detect the scan in minutes. A slow scan (-T1 or -T2) smears the pattern but increases the time from minutes to hours.
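To make the threshold logic of the previous paragraph concrete, here is an added example (not code from the original post): a sliding-window detector that counts distinct destination ports per source IP over constructed SYN-only records, of the kind a NetFlow or Zeek conn.log export would provide. It shows both sides of the trade-off: a fast scan trips the rule within a second, while a -T1-style slow scan stays under the same threshold until the window is widened. The window (60 s), the threshold (20 ports) and all addresses are assumptions chosen for the demo.

```python
"""Port-scan detector over constructed SYN-without-ACK events.

Added example, not from the original post. Each event is
(timestamp_seconds, src_ip, dst_ip, dst_port); thresholds and IPs are assumed.
"""
from collections import defaultdict

WINDOW_SECONDS = 60      # assumed sliding window, as a SIEM rule would set it
PORT_THRESHOLD = 20      # assumed distinct (dst, port) pairs per source per window


def detect_scanners(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {src_ip: alert_time} for sources touching more than `threshold`
    distinct (dst_ip, dst_port) pairs within any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_src[src].append((ts, dst, port))
    alerts = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # advance the window start until the span fits inside `window`
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {(d, p) for _, d, p in recs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[src] = recs[end][0]   # first moment the rule fires
                break
    return alerts


def synthetic_scan(src, dst, ports, interval, t0=0.0):
    """Construct SYN events for one source probing `ports` every `interval` seconds."""
    return [(t0 + i * interval, src, dst, p) for i, p in enumerate(ports)]


# Constructed traffic: a fast scan, a slow (-T1-like) scan, and benign SMB noise.
PORTS = list(range(1, 101))                                   # 100 ports
FAST = synthetic_scan("192.168.56.103", "192.168.56.101", PORTS, interval=0.05)
SLOW = synthetic_scan("192.168.56.104", "192.168.56.101", PORTS, interval=15.0)
NOISE = [(5.0, "192.168.56.1", "192.168.56.101", 445),
         (7.0, "192.168.56.1", "192.168.56.101", 445)]

if __name__ == "__main__":
    for src, ts in detect_scanners(FAST + SLOW + NOISE).items():
        print(f"ALERT: port sweep from {src}, rule fired at t={ts:.2f}s")
    # Widening the window to 25 minutes catches the slow scanner too.
    print(detect_scanners(SLOW, window=1500))
```

With the 60-second window only the fast scanner is reported; the slow scanner probes five ports per minute and never crosses 20, which is exactly the evasion the paragraph describes, and exactly why slow-scan rules need a longer window at the cost of more state.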
Exploiting SMB: from null session to lateral movement
[Applicable: internal pentest, Windows/AD environment]

SMB (Server Message Block, port 445) is the "fattest" vector on an internal pentest of a corporate Windows network. File shares, printers and domain authentication all work through SMB.

Place in the kill chain: recon → SMB enumeration → exploitation (relay / EternalBlue) → lateral movement → privilege escalation → domain admin.
Null session and share enumeration
A null session is a connection to SMB without a username and password. On unpatched or misconfigured systems this opens access to the lists of domain users, groups and network shares. For enumeration: enum4linux (a wrapper over smbclient and rpcclient): enum4linux -a <IP>. In the output look for Users (domain accounts), Share Enumeration (available shares) and Password Policy (the minimum password length and the lockout threshold are critical before any brute force).

Faster option: NetExec (formerly CrackMapExec; the repository is active, last update 2024): nxc smb 192.168.56.0/24 --shares -u '' -p '' checks all hosts of the subnet for available shares through a null session in one pass.

What to do with the result: save the list of users to a file for password spraying. Check shares with read rights by hand: configuration files, scripts with hard-coded passwords, database backups. In practice it is in SMB shares that files like passwords.xlsx or backup_config.txt with credentials in cleartext are found. A classic that does not age.
SMB relay attack
SMB relay is one of the most effective attacks on the internal network. Mechanics: run Responder, which listens to LLMNR and NBT-NS broadcast queries. When a Windows machine cannot resolve a name through DNS (a typo in a resource address, a remote network resource), it asks everyone in the broadcast domain. Responder answers "It's me, authenticate with me." The intercepted NTLM authentication is relayed through ntlmrelayx from Impacket to hosts with SMB signing off.

Check where signing is disabled: nxc smb 192.168.56.0/24 --gen-relay-list targets.txt creates a file with the list of relayable hosts.

In modern environments there are nuances: domain controllers have required SMB signing by default starting with Windows 2000 Server (via the Default Domain Controllers Policy GPO). On workstations the behaviour is determined by group policy. Microsoft Defender for Endpoint detects Responder/Inveigh; NDR sensors detect abnormal LLMNR/NBT-NS responses. CrowdStrike Falcon or SentinelOne catch Responder on the target machine. But in practice, in 2025, signing on workstations is disabled in most of the networks that I test. So relay works, and how.
EternalBlue: if it is still there
EternalBlue (MS17-010) is a vulnerability in SMBv1: remote code execution without authentication. In Metasploit it is the module exploit/windows/smb/ms17_010_eternalblue. On real pentests in 2025 it is rare, found only on legacy systems (Windows 7, Server 2008 R2) not updated for years. In the laboratory (Metasploitable, Hack The Box) it is a great way to understand what a full RCE through a network protocol looks like: from scan to shell. After training on this, more complex exploits will be easier to understand.
Attacks on FTP servers: not only anonymous access
[Applicable: external and internal pentest, legacy infrastructure]

FTP (port 21) is a protocol from the 1970s that transmits data and passwords in the clear. On external pentests it is less common (replaced by SFTP/SCP), but on internal ones it turns up regularly: NAS storage, printers, legacy applications for file exchange.

Place in the kill chain: recon → FTP enumeration → credential access (anonymous / brute force) → data exfiltration.

First action: check anonymous access. Connect with ftp <IP>, log in as anonymous, password empty (or any email). Once in, list the contents (ls -la) and look for files, backups and scripts with passwords. On one project an anonymous FTP share held a .sql dump with the users table: MD5 hashes without salt, half of them cracked in minutes with hashcat.

If access is closed, brute force with Hydra: hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://<IP>. But first find out the password policy through SMB or AD: how many attempts are allowed before an account is locked. Without this information you risk locking real accounts, and the customer will not be happy about that.

vsftpd 3.x+ and ProFTPD are secure by default after installation. In an environment with a SIEM (Elastic 8.x+, MaxPatrol SIEM), mass failed FTP logins trigger the Brute Force rules (T1110, Credential Access). Of all the described techniques this is the "noisiest".
SNMP enumeration: a power source for the pentest
[Applicable: internal pentest, network equipment, servers, IoT]

SNMP (port 161/udp) is a monitoring protocol that in practice turns into a gold mine for a pentester. SNMP v1 and v2c transmit the community string in cleartext, and an astonishing number of devices use the default values. This is the first thing to check on an internal pentest: only silence is quieter.

Checking the default community string "public" takes one command:
Bash:
# SNMP data request with the community string "public"
# Context: internal pentest, UDP port 161
snmpwalk -v 2c -c public 192.168.56.101

If the command returns data instead of a timeout, the device hands its information to anyone who knows (or guesses) the community string. What can be pulled out: host names, interfaces, running services and processes, as in the case from the introduction.

On network equipment (Cisco Catalyst, HP/Aruba, MikroTik) the community string "private" in read-write mode lets you download the full configuration of the device, together with passwords, VLAN settings and ACLs. In practice this is the most common way a whole network segment gets compromised. One line, and the whole switch is yours.

For automation across a subnet: the Metasploit module auxiliary/scanner/snmp/snmp_enum. Set RHOSTS to the subnet and COMMUNITY to "public", run it and get a summary of all SNMP-open devices.

SNMP v3, around since 2014, uses authentication and encryption; default community strings do not work there. On modern equipment (Cisco IOS-XE 17.x+, Juniper Junos 23.x+) SNMP v1/v2c is often disabled by default. But in real corporate networks legacy equipment with v2c and the community string "public" is not the exception but the norm. A separate bonus: SNMP queries over UDP are practically not logged in standard SIEM configurations and are difficult for an IDS to detect.
SMTP: attacking the mail server, from enumeration to spoofing
[Applicable: external pentest, phishing, red team]

SMTP (ports 25, 465, 587) is the e-mail protocol. For the pentester there are two vectors: enumerating email addresses and forging (spoofing) letters for phishing.

Place in the kill chain: SMTP user enumeration → email spoofing → Phishing (T1566, Initial Access) → Spearphishing Attachment (T1566.001) → payload delivery → foothold.
User enumeration
SMTP supports commands that check whether a mailbox exists. Three techniques:

VRFY directly asks the server whether the user exists. Connect via telnet mail.target.com 25, enter EHLO test, then VRFY admin. Reply 250: the user exists; 550: no such user; 252: the server does not confirm explicitly (the typical response when VRFY is disabled; switch to RCPT TO).

EXPN displays the members of a mailing list. It works like VRFY, but for mailing lists.

RCPT TO is an indirect check through an attempt to send: MAIL FROM:<[email protected]>, then RCPT TO:<[email protected]>. The reply 250 OK confirms that the address exists.

Automation: smtp-user-enum -M RCPT -U users.txt -t mail.target.com -f [email protected] produces a list of users in minutes. Many modern services disable VRFY and EXPN, but RCPT TO works almost always: the server has to say whether it accepts the letter.

Nmap has the script smtp-enum-users: nmap -p 25 --script smtp-enum-users mail.target.com. The script smtp-ntlm-info pulls from an SMTP server with NTLM authentication the NetBIOS domain name, the computer name and the DNS domain: useful information for further AD reconnaissance.
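The RCPT TO enumeration above has a flip side a defender can use: every probe of a non-existent mailbox leaves a "User unknown" reject in the mail log. Here is an added example (not code from the original post) that parses Postfix-style smtpd reject lines, groups 550 recipient rejects per client IP and flags clients that hit more than a threshold of distinct unknown recipients within a window, while leaving a single mistyped address alone. The log lines, IP addresses (documentation ranges) and thresholds are constructed for the demo; the line layout follows Postfix's reject format.

```python
"""Detect SMTP user enumeration in Postfix-style logs (constructed sample).

Added example, not from the original post. Thresholds and log content are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd "User unknown" reject line; the content below is made up.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown")


def parse_rejects(lines, year=2025):
    """Yield (timestamp, client_ip, recipient) for each 550 User-unknown reject.
    Syslog lines carry no year, so one is supplied (assumed 2025 here)."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"]


def find_enumerators(lines, threshold=10, window_s=300):
    """Return {client_ip: total_distinct_unknown_recipients} for clients that
    probe more than `threshold` distinct unknown recipients within `window_s` seconds."""
    per_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(lines):
        per_ip[ip].append((ts, rcpt))
    hits = {}
    for ip, recs in per_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {r for _, r in recs[start:end + 1]}
            if len(distinct) > threshold:
                hits[ip] = len({r for _, r in recs})
                break
    return hits


def _reject(sec, ip, user):
    """Build one constructed reject line for the sample log."""
    return (f"Mar 10 09:15:{sec:02d} mx1 postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{user}@target.com>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<probe@test.com> "
            f"to=<{user}@target.com> proto=ESMTP helo=<test>")


# Constructed sample: one client walking a wordlist, one legitimate typo, one unrelated line.
SAMPLE_LOG = [_reject(i, "203.0.113.7", f"user{i}") for i in range(12)] + [
    _reject(30, "198.51.100.9", "jonh.doe"),
    "Mar 10 09:15:31 mx1 postfix/smtpd[4242]: connect from unknown[198.51.100.9]",
]

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"possible SMTP user enumeration from {ip}: {n} distinct unknown recipients")
```

Counting distinct recipients rather than raw rejects is what keeps a user retrying the same wrong address from looking like smtp-user-enum; the same grouping works for 252/550 VRFY replies if the MTA logs them.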
Open relay and email spoofing
Check for an open relay via Nmap: nmap -p 25 --script smtp-open-relay mail.target.com. If the server is an open relay, an attacker can send letters on behalf of any employee of the company. A reservation: even if you send a test message through telnet, the letter may be intercepted by internal filters; a firewall or Exchange often drops it at the next hop, and the SMTP reply will not tell you that.

Spoofing protection is based on three DNS records: SPF (which servers may send mail for the domain), DKIM (a digital signature on the letter) and DMARC (the policy for handling letters that fail SPF/DKIM). On a pentest all three are checked through dig: dig +short TXT target.com | grep "v=spf1" shows the SPF record, dig +short TXT _dmarc.target.com the DMARC policy. Their absence is a ready finding for the report.
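Reading those two dig answers by eye is error-prone (a soft-fail "~all" or a DMARC "p=none" looks like protection but blocks nothing), so here is an added example (not code from the original post) that takes the TXT strings dig would print and grades the spoofing posture: it classifies the SPF "all" qualifier, treats duplicate SPF records as the permerror receivers see, and reads the DMARC p= and pct= tags. DKIM is not graded because it needs the selector, which dig cannot discover. The record values are constructed; no DNS is queried.

```python
"""Grade SPF and DMARC TXT records as the dig checks above return them.

Added example, not from the original post. Record strings are constructed.
"""
import re


def parse_spf(txt_records):
    """Pick the v=spf1 record and classify its terminal 'all' qualifier."""
    spf = [r.strip('"') for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "all": None,
                "finding": "no SPF record: any host may send as this domain"}
    if len(spf) > 1:
        return {"present": True, "all": None,
                "finding": "multiple SPF records: receivers treat this as permerror"}
    terms = spf[0].split()
    # qualifier of the 'all' mechanism; a bare 'all' means '+all'
    allq = next(((t[0] if t[0] in "+-~?" else "+")
                 for t in terms if t.lstrip("+-~?") == "all"), None)
    finding = {
        "-": "hard fail (-all): spoofed mail rejected by SPF-checking receivers",
        "~": "soft fail (~all): spoofed mail marked, usually still delivered",
        "?": "neutral (?all): SPF gives no verdict, effectively no protection",
        "+": "pass (+all): SPF explicitly allows everyone, worse than no record",
        None: "no 'all' term: unlisted senders get a neutral result",
    }[allq]
    return {"present": True, "all": allq, "finding": finding}


def parse_dmarc(txt_records):
    """Read the p= policy (and pct=) of a v=DMARC1 record."""
    rec = next((r.strip('"') for r in txt_records
                if r.strip('"').upper().startswith("V=DMARC1")), None)
    if rec is None:
        return {"present": False, "policy": None, "pct": None,
                "finding": "no DMARC record: SPF/DKIM failures are not enforced"}
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", rec))
    policy = tags.get("p", "").strip().lower()
    pct = int(tags.get("pct", "100").strip() or 100)
    if policy == "reject" and pct == 100:
        finding = "p=reject: spoofed mail is rejected"
    elif policy == "quarantine":
        finding = f"p=quarantine (pct={pct}): spoofed mail goes to spam, not rejected"
    elif policy == "none":
        finding = "p=none: monitoring only, spoofing is not blocked"
    else:
        finding = f"policy {policy!r} with pct={pct}: partial or invalid enforcement"
    return {"present": True, "policy": policy, "pct": pct, "finding": finding}


# Constructed TXT answers in the quoted form dig +short prints them.
TARGET_TXT = ['"v=spf1 include:_spf.example.net ~all"', '"google-site-verification=abc123"']
DMARC_TXT = ['"v=DMARC1; p=none; rua=mailto:dmarc@target.com"']

if __name__ == "__main__":
    print(parse_spf(TARGET_TXT)["finding"])
    print(parse_dmarc(DMARC_TXT)["finding"])
```

For the constructed domain the verdict is "~all plus p=none": both records exist, so a checklist would mark it green, yet a forged letter is at most tagged and never rejected, which is the nuance worth writing into the report instead of "SPF present".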
CVEs in SMTP services: what it looks like in practice
CVE-2019-10149 is a critical vulnerability in Exim 4.87-4.91 (CVSS 9.8, CRITICAL, AV:N/AC:L/PR:N/UI:N: network attack, no privileges and no user action). Incorrect validation of the recipient address in deliver_message() (CWE-78, OS Command Injection) allows executing commands on the server. Affected Exim on Ubuntu and Debian. The vulnerability is in CISA KEV, the catalog of actively exploited vulnerabilities. Public exploits on Exploit-DB: EDB-46974 (remote command execution, Qualys) and EDB-46996 (local privilege escalation). For those who missed it: an unpatched Exim = full control over the mail server without authentication. In 2025 it is found only on forgotten servers with Debian 9 / Ubuntu 16.04, long out of support.

CVE-2021-26855 (ProxyLogon) is an SSRF in Microsoft Exchange Server (CVSS 9.1, CRITICAL, CWE-91). Part of the ProxyLogon chain that allowed an unauthenticated attacker to write files on Exchange. In CISA KEV, used in ransomware attacks. The mail server is not just "sending emails" but a full-fledged point of initial access to the corporate infrastructure.
Pentest of network infrastructure: choosing an attack vector
After the first scan you have a list of open ports and services. The question is: what to attack first? Here is the decision tree that works on internal pentests:

1. SMB (445) without signing? Launch Responder + ntlmrelayx. A passive attack: it does not require guessing passwords, only waiting while a victim tries to reach a non-existent resource. Minimal noise.

2. SNMP (161) with a default community string? → snmpwalk for a map of the network and running processes. It often gives more information than all the other services together, with almost zero detection.

3. FTP (21)? Check anonymous access. If it is closed, postpone brute force until the SMB/AD password policy is known.

4. SMTP (25)? Enumerate users via RCPT TO. The list of valid emails is useful for password spraying against OWA/VPN or for a phishing campaign.

The principle is simple: first passive techniques (relay, SNMP read), then active ones (brute force, exploits). Passive is quieter and triggers fewer SIEM alerts. Active only when passive is exhausted or the password policy makes the attempts safe.
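The decision tree is only useful once the scan output is in a form you can sort, so here is an added example (not code from the original post) that parses the "PORT STATE SERVICE VERSION" table Nmap prints, keeps the open/closed/filtered distinction from the scanning section, and orders the open ports by the four steps above with the passive steps first. The Nmap output is constructed to resemble the lab; hosts, version strings and the "filtered" RDP port are made up.

```python
"""Parse Nmap normal output and order targets by the decision tree above.

Added example, not from the original post. The sample scan is constructed.
"""
import re

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


def parse_nmap(text):
    """Return one dict per port line: host, port, proto, state, service, version."""
    host, rows = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m["host"]
            continue
        m = PORT_RE.match(line.strip())
        if m and host:
            rows.append({"host": host, "port": int(m["port"]), "proto": m["proto"],
                         "state": m["state"], "service": m["service"],
                         "version": (m["version"] or "").strip()})
    return rows


# The section's four steps: (port, proto, next action, passive?)
DECISION_TREE = [
    (445, "tcp", "SMB: check signing (nxc --gen-relay-list); if off, Responder + ntlmrelayx", True),
    (161, "udp", "SNMP: try the default community string with snmpwalk", True),
    (21, "tcp", "FTP: check anonymous login; brute force only after reading the AD password policy", False),
    (25, "tcp", "SMTP: enumerate users via RCPT TO for spraying/phishing lists", False),
]


def triage(rows):
    """Map open ports to next actions in priority order; also list filtered ports,
    which the scanning section calls the more interesting kind of 'no answer'."""
    open_rows = [r for r in rows if r["state"].startswith("open")]
    plan = []
    for port, proto, action, passive in DECISION_TREE:
        for r in open_rows:
            if r["port"] == port and r["proto"] == proto:
                plan.append({"host": r["host"], "port": port, "action": action,
                             "phase": "passive" if passive else "active",
                             "version": r["version"]})
    filtered = [(r["host"], r["port"]) for r in rows if r["state"] == "filtered"]
    return plan, filtered


# Constructed Nmap normal output (host, versions and states are made up).
SAMPLE = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           vsftpd (lab build)
25/tcp   open     smtp          Postfix smtpd
80/tcp   open     http          Apache httpd 2.2.8
443/tcp  closed   https
445/tcp  open     netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3389/tcp filtered ms-wbt-server
161/udp  open     snmp          SNMPv1 server (public)
"""

if __name__ == "__main__":
    plan, filtered = triage(parse_nmap(SAMPLE))
    for step in plan:
        print(f"[{step['phase']}] {step['host']}:{step['port']} -> {step['action']}")
    print("filtered (firewalled, worth a second look):", filtered)
```

The parser is deliberately strict about the state column (including Nmap's "open|filtered" for UDP), so a service that answered with RST is never promoted into the plan, and the filtered list is kept separate because, as the scanning section says, "no answer" is not the same as "nothing there".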