Key terms: what you need to understand before the first command
Before going through specific attacks on network protocols in a pentest, let us settle the concepts. Without them, the commands that follow are just strings of letters.
Community string in the SNMP protocol is essentially a password for accessing information about the device. You send an SNMP request, the community string travels with it, and the device decides whether to hand over the data. By default a huge amount of equipment ships with "public" for read access and "private" for read-write. If the admin never changed these values, anyone on the network can read the configuration of routers, switches and servers. Just like that, with one command.
NTLM hash is the result of hashing the user's password in Windows. When you log in, Windows converts the password into a hash and stores it. Network authentication (SMB, HTTP, LDAP) uses the NTLM hash to confirm identity. The key point for the pentester: knowing the NTLM hash, you can authenticate without knowing the password itself; this is the Pass-the-Hash technique. Cracking the hash is not necessary.
SMB signing is the mechanism by which each SMB packet is signed with the session's cryptographic key. Without signing, an attacker intercepts one host's authentication request and redirects it to another (SMB relay). With signing, the redirected packet is discarded because the signature does not match. On domain controllers SMB signing is required by default (via GPO). On workstations before Windows 11 24H2 signing is only enabled, not required; it became mandatory on all systems starting with Windows 11 24H2 and Server 2025.
Open relay in the SMTP context is a mail server that accepts and forwards mail from anyone without checking the sender. An attacker uses such a server for phishing on behalf of the company's legitimate domain. The message arrives from the real IP address of the victim's mail server, so the basic checks pass.
How to deploy a lab for practice
[Applicable: laboratory environment, training]
All techniques from the article can be reproduced in a local virtual environment without Internet access.
Environment requirements:
• RAM: 8 GB minimum (4 GB for Kali Linux + 4 GB for Metasploitable 2), 12 GB is recommended
• CPU: 2+ cores
• Disk: 40 GB of free space
• Host OS: Windows 10+, macOS 12+, Linux
• VirtualBox 7.x (free) or VMware Workstation
• Internet: not required after downloading images
Step 1. Download VirtualBox from virtualbox.org; standard installation. For macOS on Apple Silicon use UTM instead of VirtualBox (VirtualBox does not work on ARM).
Step 2. Download the ready-made Kali Linux image for VirtualBox from kali.org/get-kali (Virtual Machines section). Import the .ova file via File → Import Appliance. Give the VM at least 4 GB RAM and 2 CPUs.
Step 3. Download Metasploitable 2, a deliberately vulnerable Linux machine from Rapid7 (SourceForge, search for "Metasploitable 2 download"). Unpack the archive and create a new VM: New → Linux → Ubuntu (32-bit) → Use existing virtual hard disk → point it at the .vmdk from the archive. On Apple Silicon, Metasploitable 2 (x86) only runs through QEMU emulation in UTM and is slow; for ARM hosts consider Metasploitable 3 or a VulnHub machine.
Step 4. Switch both machines to a host-only network: Settings → Network → Attached to: Host-Only Adapter. This isolates the lab from your home and work networks; you will break only your own machines.
Step 5. Start both VMs. On Kali run sudo netdiscover -r 192.168.56.0/24; the Metasploitable IP address will appear in the output (usually 192.168.56.101). Check: ping 192.168.56.101 responds, so the lab is ready.
Metasploitable 2 contains intentionally vulnerable services: FTP (vsftpd 2.4.4 with a backdoor), SMB (Samba 3.x), SNMP with a default community string, SMTP - a complete set for testing the techniques from this article.
Reconnaissance of network services: the first scan
[Applicable: internal and external pentest, black/grey box]
Every attack begins with reconnaissance - Scanning IP Blocks (T1595.001, Reconnaissance). The task: understand which services are exposed and which of them are misconfigured. For the first pass one command is enough:
Bash:
# SYN scan with version detection (requires root)
# Context: internal pentest, lab environment
sudo nmap -sS -sV -p 21,25,80,161,443,445,3389 192.168.56.0/24
The -sS flag is a half-open SYN scan: it does not complete the TCP handshake and is therefore less noticeable than a full connect scan. The -sV flag detects service versions; without it you see only the port number and do not know what software is running behind it.
In Nmap's output each port is marked with one of three states:
• open - the service accepts connections (SYN-ACK came back)
• closed - the port is closed, no service is listening (RST came back)
• filtered - a firewall between you and the target dropped the packet (silence)
The difference between closed and filtered matters: closed means "there is nothing here", filtered means "there may be something here, but the firewall is not letting it through". The second is the more interesting one.
SYN scanning requires root for raw sockets. And no, it is not invisible: Suricata and Snort detect the rapid port-sweep pattern from one IP. Elastic 8.x+ with a threshold on the number of SYN packets without ACK will detect the scan within minutes. A slow scan (-T1 or -T2) smears the pattern but stretches the time from minutes to hours.
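The detection side of that paragraph, as an added example that is not part of the article: a threshold rule written out by hand that flags a source whose SYNs never get a follow-up ACK to the same destination port, the pattern a SIEM threshold rule on "SYN without ACK" expresses. The log schema (ts, src, dst, dport, tcp_flags) and every line in it are constructed for the demo; it is not Suricata or Elastic rule syntax and not captured traffic. The second call shows why the article says slow timing "smears the pattern".

```python
"""Flag sources with many SYNs that never complete a handshake. Added example."""
from collections import defaultdict


def build_sample_log(spacing=0.02):
    """Constructed log: one host sweeping 20 ports of 192.168.56.101 `spacing`
    seconds apart and never ACKing, plus a normal client completing two handshakes."""
    lines = []
    for i in range(20):
        lines.append(f"{1700000000.0 + i * spacing:.2f}\t192.168.56.102\t192.168.56.101\t{21 + i}\tS")
    # After a SYN-ACK on an open port a half-open scanner answers RST, still no ACK.
    lines.append("1700000000.05\t192.168.56.102\t192.168.56.101\t21\tR")
    lines += [
        "1700000001.00\t192.168.56.50\t192.168.56.101\t445\tS",
        "1700000001.01\t192.168.56.50\t192.168.56.101\t445\tA",
        "1700000003.00\t192.168.56.50\t192.168.56.101\t80\tS",
        "1700000003.01\t192.168.56.50\t192.168.56.101\t80\tA",
    ]
    return "\n".join(lines)


def parse_log(text):
    """Tab-separated rows of (ts, src, dst, dport, flags)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split("\t")
        rows.append((float(ts), src, dst, int(dport), flags))
    return rows


def detect_syn_scans(rows, threshold=10, window=5.0):
    """Return {src: distinct dst:port pairs} for sources whose SYNs with no
    later ACK from the same source to the same dst:port cover at least
    `threshold` distinct targets within any `window` seconds."""
    completed = {(s, d, p) for _, s, d, p, f in rows if f == "A"}
    probes = defaultdict(list)  # src -> [(ts, (dst, dport))]
    for ts, s, d, p, f in rows:
        if f == "S" and (s, d, p) not in completed:
            probes[s].append((ts, (d, p)))
    alerts = {}
    for src, events in probes.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):  # sliding window from each probe
            targets = {t for ts, t in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(detect_syn_scans(parse_log(build_sample_log())))              # fast sweep: alert
    print(detect_syn_scans(parse_log(build_sample_log(spacing=2.0))))   # -T1-style pacing: under threshold
```

With the default 0.02 s spacing the scanner touches 20 ports inside the 5 s window and is flagged; at 2 s per port the same 20 probes never exceed three per window, which is exactly the trade the article describes: the scan takes far longer but slips under a simple count threshold, so the window and threshold of such a rule have to be tuned to the timing you expect.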
Exploiting SMB vulnerabilities: from null session to lateral movement
[Applicable: internal pentest, Windows/AD environment]
SMB (Server Message Block, port 445) is the "fattest" vector on an internal pentest of a corporate Windows network. File shares, printers and domain authentication mechanisms all work over SMB.
Place in the kill chain: recon → SMB enumeration → exploitation (relay / EternalBlue) → lateral movement → privilege escalation → domain admin.
Null session and share enumeration
A null session is a connection to SMB without a username or password. On unpatched or misconfigured systems it opens access to lists of domain users, groups and network shares. For enumeration - enum4linux (a wrapper around smbclient and rpcclient): enum4linux -a <IP>. In the output look for Users (domain accounts), Share Enumeration (accessible shares) and Password Policy (minimum password length and lockout threshold are critical before any brute force).
A faster option is NetExec (formerly CrackMapExec; the repository is active, last updated in 2024): nxc smb 192.168.56.0/24 --shares -u '' -p '' checks every host in the subnet for accessible shares through a null session in one pass.
What to do with the result: save the user list to a file for password spraying. Shares with read access are checked by hand: configuration files, scripts with hardcoded passwords, database backups. In practice it is on SMB shares that files like passwords.xlsx or backup_config.txt with plaintext credentials most often sit. A classic that never gets old.
SMB relay attack
SMB relay is one of the most effective attacks on an internal network. Mechanics: run Responder, which listens for LLMNR and NBT-NS broadcast queries. When a Windows machine cannot resolve a name through DNS (for example, a reference to a network resource that no longer exists), it asks everyone in the broadcast domain. Responder answers "it's me, authenticate to me". The intercepted NTLM request is relayed by ntlmrelayx from Impacket to hosts with SMB signing off.
Check where signing is disabled: nxc smb 192.168.56.0/24 --gen-relay-list targets.txt creates a file listing the vulnerable hosts.
In modern environments there are nuances: domain controllers have required SMB signing by default since Windows 2000 Server (via the GPO Default Domain Controllers Policy). On workstations the behavior is set by group policy. Microsoft Defender for Endpoint flags suspicious Responder/Inveigh processes; NDR sensors detect abnormal LLMNR/NBT-NS responses. CrowdStrike Falcon or SentinelOne catch Responder by signature (although formally it runs on Kali, not on the target machine). But in practice, in 2025, signing on workstations is disabled in most of the networks I test. So relay works, and how.
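An added example, not from the article or from NetExec, that turns the per-host banner lines NetExec prints into a remediation list: hosts where signing is not required (the relay targets --gen-relay-list would write out) and hosts still answering with SMBv1. SAMPLE_NXC is constructed in NetExec's output layout with made-up hosts; the policy name quoted in the comment is the real Windows setting, everything else is assumed.

```python
"""NetExec SMB banner lines -> signing / SMBv1 audit. Added example."""
import re

# Constructed in NetExec's line layout; not a real scan.
SAMPLE_NXC = """\
SMB         192.168.56.10   445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.56.102  445    WS01             [*] Windows 10 Build 19045 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.56.103  445    WS02             [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.56.101  445    METASPLOITABLE   [*] Unix (name:METASPLOITABLE) (domain:WORKGROUP) (signing:False) (SMBv1:True)
"""

LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>[\d.]+)\s+445\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>\w+)\)\s+\(SMBv1:(?P<smbv1>\w+)\)"
)


def parse_nxc(text):
    """One dict per host line; lines that are not banners are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["signing"] = d["signing"] == "True"
            d["smbv1"] = d["smbv1"] == "True"
            hosts.append(d)
    return hosts


def smb_audit(hosts):
    """Two findings per the article. signing_not_required: relay targets; the fix
    is the GPO "Microsoft network server: Digitally sign communications (always)".
    smbv1_enabled: the MS17-010 surface; SMBv1 should simply be removed."""
    return {
        "signing_not_required": [h["ip"] for h in hosts if not h["signing"]],
        "smbv1_enabled": [h["ip"] for h in hosts if h["smbv1"]],
        "domains": sorted({h["domain"] for h in hosts}),
    }


if __name__ == "__main__":
    for k, v in smb_audit(parse_nxc(SAMPLE_NXC)).items():
        print(f"{k}: {v}")
```

Feeding the real `nxc smb <subnet>` output through this gives the same host set as --gen-relay-list, plus the SMBv1 column that the relay list drops; it is a convenient shape for the report's remediation table.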
EternalBlue: legacy, but instructive
EternalBlue (MS17-010) is a vulnerability in SMBv1: remote code execution without authentication. In Metasploit it is the module exploit/windows/smb/ms17_010_eternalblue. On real pentests in 2025 it is rare, found only on legacy systems (Windows 7, Server 2008 R2) that have not been updated for years. In a lab (Metasploitable, Hack The Box) it is a great way to understand what a full RCE chain through a network protocol looks like, from scan to shell. Having trained on it, more complex exploits are easier to understand.
Attacks on FTP servers: not only anonymous access
[Applicable: external and internal pentest, legacy infrastructure]
FTP (port 21) is a protocol from the 1970s that transmits data and passwords as bare as the day they were born (in plaintext). On external pentests it is less common (displaced by SFTP/SCP), but internally it turns up regularly: NAS storage, printers, legacy file-exchange applications.
Place in the kill chain: recon → FTP enumeration → credential access (anonymous / brute force) → data exfiltration.
First action - check anonymous access: connect with ftp <IP>, log in as anonymous, password empty (or any email). If it lets you in, list the contents (ls -la) and look for configuration files, backups, scripts with passwords. On one project an anonymous FTP share held a .sql dump with the users table: unsalted MD5 hashes, half of which fell within minutes in hashcat.
If anonymous access is closed - Hydra for brute force: hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://<IP>. But first find out the password policy through SMB or AD: how many attempts before an account is locked. Without that information you risk locking real accounts, and the customer will not be happy about it.
vsftpd 3.x+ and ProFTPD lock out by default after several failed attempts. In an environment with a SIEM (Elastic 8.x+, MaxPatrol SIEM), mass failed FTP logins generate alerts under the Brute Force rules (T1110, Credential Access). Of all the techniques described, this is the "noisiest".
SNMP enumeration as an information source on a pentest
[Applicable: internal pentest, network equipment, servers, IoT]
SNMP (port 161/udp) is a monitoring protocol that in practice turns into a gold mine for a pentester. SNMP v1 and v2c transmit the community string in plaintext, and an astonishing number of devices keep the default values. This is the first thing worth checking on an internal pentest; only silence is quieter.
Checking the default community string "public" takes one command:
Bash:
# Request SNMP data with the community string "public"
# Context: internal pentest, UDP port 161
snmpwalk -v 2c -c public 192.168.56.101
If the command returns data instead of timing out, the device hands its information to anyone who knows (or guesses) the community string. What can be pulled out:

On network equipment (Cisco Catalyst, HP/Aruba, MikroTik) the community string "private" in read-write mode allows downloading the device's full config, together with passwords, VLAN settings and ACLs. In practice this is an instant compromise of the whole network segment. One line, and the whole segment is yours.
For automation across a subnet there is the Metasploit module auxiliary/scanner/snmp/snmp_enum: set RHOSTS to the subnet and COMMUNITY to "public", run it, and get a summary of all SNMP-exposed devices.
SNMP v3, available since 2004, uses authentication and encryption, so default community strings do not work there. On modern equipment (Cisco IOS-XE 17.x+, Juniper Junos 23.x+) SNMP v1/v2c is often disabled by default. But in real corporate networks, legacy equipment with v2c and the community string "public" is not the exception but the norm. A separate bonus: SNMP queries over UDP are practically never logged in standard SIEM configurations and are extremely hard for an IDS to detect.
SMTP attacks on the mail server: from enumeration to spoofing
[Applicable: external pentest, phishing campaigns, red team]
SMTP (ports 25, 465, 587) is the e-mail sending protocol. For the pentester there are two vectors: enumerating valid email addresses and forging (spoofing) messages for phishing.
Place in the kill chain: SMTP user enumeration → email spoofing → Phishing (T1566, Initial Access) → Spearphishing Attachment (T1566.001) → payload delivery → foothold.
User enumeration
SMTP servers support commands for verifying that a mailbox exists. Three methods:
VRFY asks the server directly whether the user exists. Connect with telnet mail.target.com 25, enter EHLO test, then VRFY admin. Reply 250 means the user exists, 550 means it does not, 252 means the server will not confirm explicitly (the typical response when VRFY is disabled; switch to RCPT TO).
EXPN discloses the members of a mailing list. It works like VRFY, but for mailing lists.
RCPT TO is an indirect check through an attempted delivery: MAIL FROM:<[email protected]>, then RCPT TO:<[email protected]>. The reply 250 OK confirms that the address exists.
Automation - smtp-user-enum: smtp-user-enum -M RCPT -U users.txt -t mail.target.com -f [email protected] checks a list of users in minutes. Many modern servers disable VRFY and EXPN, but RCPT TO almost always works: the server has to say whether it will accept the message.
Nmap has the script smtp-enum-users: nmap -p 25 --script smtp-enum-users mail.target.com. The script smtp-ntlm-info pulls the NetBIOS domain name, computer name and DNS domain from an SMTP server with NTLM authentication, valuable information for further AD reconnaissance.
Open relay and email spoofing
Check for open relay via Nmap: nmap -p 25 --script smtp-open-relay mail.target.com. If the server is an open relay, an attacker can send mail on behalf of any employee of the company. A caveat: even if a message is sent successfully over telnet, it can be caught by internal filters; the firewall or Exchange often blocks it at the next stage, and the attacker cannot tell that from the SMTP reply.
Spoofing protection rests on three DNS records: SPF (who is allowed to send on behalf of the domain), DKIM (a digital signature on the message) and DMARC (the policy for handling messages that fail SPF/DKIM). On a pentest all three are checked with dig: dig +short TXT target.com | grep "v=spf1" shows the SPF record, dig +short TXT _dmarc.target.com the DMARC policy. No records - a ready-made finding for the report.
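The dig check from the paragraph above, carried through to a verdict, as an added example that is not part of the article: it takes the TXT records dig returns for the domain and for _dmarc.<domain> and grades the spoofing posture (missing record, permissive +all, softfail with no DMARC enforcement, p=none monitoring only, partial pct). The two domains and all of their records are constructed; nothing is resolved.

```python
"""Grade SPF and DMARC TXT records for a spoofing finding. Added example."""


def _txt(records):
    """dig +short TXT returns values wrapped in quotes; normalise them."""
    return [r.strip().strip('"') for r in records]


def assess_spf(txt_records):
    """(severity, explanation) for the SPF record set of the domain itself."""
    spf = [r for r in _txt(txt_records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "high", "no SPF record: receivers cannot tell legitimate senders from spoofed ones"
    if len(spf) > 1:
        return "high", "more than one SPF record: RFC 7208 treats this as permerror, so SPF gives no protection"
    terms = spf[0].split()[1:]
    final = terms[-1].lower() if terms else ""
    if final in ("all", "+all"):
        return "high", "SPF ends with +all: every host on the Internet passes"
    if final == "~all":
        return "medium", "softfail (~all): spoofed mail is marked, not rejected, unless DMARC enforces"
    if final == "?all":
        return "medium", "neutral (?all): equivalent to no policy for unlisted senders"
    if final == "-all":
        return "ok", "hardfail (-all): unlisted senders are rejected"
    return "medium", "no terminal all mechanism: unlisted senders are treated as neutral"


def assess_dmarc(txt_records):
    """(severity, explanation) for the _dmarc.<domain> TXT record."""
    dmarc = [r for r in _txt(txt_records) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "high", "no DMARC record: SPF/DKIM failures are not acted on and nobody receives reports"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "medium", "p=none: monitoring only, spoofed mail is still delivered"
    if policy in ("quarantine", "reject") and pct < 100:
        return "medium", f"p={policy} applied to only {pct}% of failing mail"
    if policy in ("quarantine", "reject"):
        return "ok", f"p={policy}: mail failing SPF/DKIM alignment is not delivered as normal"
    return "high", "DMARC record without a valid p= tag"


def spoofing_posture(domain_txt, dmarc_txt):
    return {"spf": assess_spf(domain_txt), "dmarc": assess_dmarc(dmarc_txt)}


# Constructed record sets, in the shape dig +short TXT prints them.
WEAK_DOMAIN = {
    "txt": ['"v=spf1 include:_spf.mail.example.net ~all"', '"site-verification=constructed-value"'],
    "dmarc": [],
}
STRICT_DOMAIN = {
    "txt": ['"v=spf1 ip4:203.0.113.0/24 -all"'],
    "dmarc": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
}

if __name__ == "__main__":
    print(spoofing_posture(WEAK_DOMAIN["txt"], WEAK_DOMAIN["dmarc"]))
    print(spoofing_posture(STRICT_DOMAIN["txt"], STRICT_DOMAIN["dmarc"]))
```

Softfail SPF with no DMARC is the common real-world combination: nothing in the chain tells the receiver to reject, so the finding belongs in the report with p=reject (after a monitoring period on p=none with rua reports) as the remediation.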
CVEs in SMTP services: what they mean in practice
CVE-2019-10149 is a critical vulnerability in Exim 4.87-4.91 (CVSS 9.8, CRITICAL, AV:N/AC:L/PR:N/UI:N - network attack, no privileges or user interaction required). Improper validation of the recipient address in deliver_message() (CWE-78, OS Command Injection) allows command execution on the server. Affects Exim on Ubuntu and Debian. The vulnerability is in CISA KEV, the catalog of actively exploited vulnerabilities. Public exploits on Exploit-DB: EDB-46974 (remote command execution, Qualys) and EDB-46996 (local privilege escalation). For those who missed it: unpatched Exim = full control over the mail server without authentication. In 2025 it is found only on abandoned servers running Debian 9 / Ubuntu 16.04, long out of support.
CVE-2021-26855 (ProxyLogon) is an SSRF in Microsoft Exchange Server (CVSS 9.1, CRITICAL, CWE-91). Part of the ProxyLogon chain that allowed an unauthenticated attacker to execute code on Exchange. In CISA KEV it is marked as used in ransomware attacks. The mail server is not just "something that sends email" but a full-fledged initial access point into the corporate infrastructure.
Pentesting network infrastructure: choosing an attack vector
After the first scan you have a list of open ports and services. The question: what to attack first? Here is the decision tree that works on internal pentests:
1. SMB (445) with signing disabled? → Launch Responder + ntlmrelayx. A passive attack: no password guessing required, the victim does the work by trying to reach a non-existent resource. Minimal noise.
2. SNMP (161) with a default community string? → snmpwalk for a map of the network and processes. Often gives more information than all other services combined, with almost zero detection.
3. FTP (21)? → Check anonymous access. Closed? Postpone brute force until you have the password policy from SMB/AD.
4. SMTP (25)? → Enumerate users via RCPT TO. The list of valid email addresses is useful for password spraying against OWA/VPN or for a phishing campaign.
The principle is simple: passive techniques first (relay, SNMP read), then active ones (brute force, exploits). Passive is quieter and triggers fewer SIEM alerts. Active only when passive is exhausted or the password policy allows safe guessing.
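An added example, not from the article, that ties the decision tree back to the first scan: it parses nmap's grepable (-oG) output, keeps the three port states the scan section explains, and emits the follow-up checks per host in the order the tree prescribes (SMB signing, then SNMP, then FTP, then SMTP), with filtered ports listed separately because the article calls them the interesting ones. SAMPLE_OG is constructed in nmap's -oG line layout; the hosts and services in it are made up, and the check wording is this example's, not nmap's.

```python
"""nmap -oG output -> ordered follow-up checks per host. Added example."""
import re

# Constructed in nmap's grepable layout (tab-separated fields); not a real scan.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG - 192.168.56.0/24
Host: 192.168.56.101 (metasploitable)\tStatus: Up
Host: 192.168.56.101 (metasploitable)\tPorts: 21/open/tcp//ftp//vsftpd/, 25/open/tcp//smtp//Postfix smtpd/, 161/open/udp//snmp//SNMPv1 server/, 445/open/tcp//netbios-ssn//Samba smbd 3.X/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (993)
Host: 192.168.56.102 (ws01)\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
Host: 192.168.56.103 ()\tPorts: 21/filtered/tcp//ftp///, 25/closed/tcp//smtp///\tIgnored State: filtered (998)
# Nmap done: 256 IP addresses (3 hosts up) scanned
"""

# The article's order: passive techniques before active ones.
CHECKS = [
    (445, "tcp", "SMB: check whether signing is required (nxc --gen-relay-list)"),
    (161, "udp", "SNMP: test the default community string (snmpwalk -c public)"),
    (21, "tcp", "FTP: check anonymous login; brute force only after reading the password policy"),
    (25, "tcp", "SMTP: enumerate users via RCPT TO"),
]

# port/state/proto/owner/service/rpc/version/ ; UDP states may be "open|filtered"
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """{ip: {(port, proto): (state, service, version)}}; Status lines add the host only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = hosts.setdefault(ip, {})
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            ports[(int(port), proto)] = (state, service, version)
    return hosts


def plan_checks(hosts):
    """Per host: the checks to run, in decision-tree order, and the filtered ports."""
    plan = {}
    for ip, ports in hosts.items():
        steps = []
        for port, proto, action in CHECKS:
            state = ports.get((port, proto), ("",))[0]
            if state.startswith("open"):  # "open", or "open|filtered" for UDP
                steps.append(action)
        filtered = sorted(p for (p, _), (s, _, _) in ports.items() if s == "filtered")
        plan[ip] = {"checks": steps, "filtered_ports": filtered}
    return plan


if __name__ == "__main__":
    for ip, entry in plan_checks(parse_grepable(SAMPLE_OG)).items():
        print(ip, entry)
```

Running the real scan with -oG - and piping it through this keeps the tree honest under time pressure: every host gets the passive checks listed before anyone reaches for Hydra, and a host whose only visible ports are filtered is called out rather than silently skipped.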