Nmap Network Exploration and Security Auditing Cookbook, Third Edition

Product type: Book
Published in: Sep 2021
Publisher: Packt
ISBN-13: 9781838649357
Pages: 436
Edition: 3rd Edition
Author: Paulino Calderon

Table of Contents (22 chapters)

Preface
Chapter 1: Nmap Fundamentals
Chapter 2: Getting Familiar with Nmap's Family
Chapter 3: Network Scanning
Chapter 4: Reconnaissance Tasks
Chapter 5: Scanning Web Servers
Chapter 6: Scanning Databases
Chapter 7: Scanning Mail Servers
Chapter 8: Scanning Windows Systems
Chapter 9: Scanning ICS/SCADA Systems
Chapter 10: Scanning Mainframes
Chapter 11: Optimizing Scans
Chapter 12: Generating Scan Reports
Chapter 13: Writing Your Own NSE Scripts
Chapter 14: Exploiting Vulnerabilities with the Nmap Scripting Engine
Other Books You May Enjoy
Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Appendix B: Brute-Force Password Auditing Options
Appendix C: NSE Debugging
Appendix D: Additional Output Options
Appendix E: Introduction to Lua
Appendix F: References and Additional Reading

Chapter 7: Scanning Mail Servers

Mail servers exist in almost every organization because email has become the preferred communication channel, and how important a mail server is depends on the information stored in it. Attackers often compromise one email account and then take over every other account found in the mailbox, recovering further credentials through the forgotten-password functionality that almost every web application offers. Sometimes compromised accounts are simply eavesdropped on for months without anyone noticing, or they are abused by spammers. Any good system administrator therefore knows that a secure mail server is essential.

In this chapter, I will go through different Nmap Scripting Engine (NSE) tasks to administer and monitor mail servers. I will also show the offensive side available to penetration testers. We will cover the most popular mail protocols, such as SMTP, POP3, and IMAP.

We will review tasks such...

Detecting SMTP open relays

Open relays are insecure mail servers that let third-party domains send mail through them without authorization. Spammers and phishers abuse them, and they present a serious risk to organizations because public spam blocklists may list the relaying server, disrupting email delivery for the entire organization that depends on it.

This recipe shows how to detect SMTP open relays with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -sV --script smtp-open-relay -v <target>

If the SMTP server is an open relay, the output reports how many of the tests passed and the command combination that succeeded:

Host script results:
| smtp-open-relay: Server is an open relay (1/16 tests)
|_MAIL FROM:<antispam@insecure.org> -> RCPT TO:<relaytest@insecure.org>

How it works...

The smtp-open-relay script was submitted by Arturo Buanzo Busleiman, and it attempts 16 different tests to determine if an...

Brute-forcing SMTP passwords

Mail servers often store very sensitive information. Organizations must enforce strong password policies, and penetration testers verify this by performing brute-force password auditing against the servers to find weak passwords.

This recipe will show you how to launch dictionary attacks against SMTP servers with Nmap.

How to do it...

To launch a dictionary attack against an SMTP server with Nmap, enter the following command:

$ nmap -p25 --script smtp-brute <target>

If any valid credentials are found, they will be included in the script output section:

PORT STATE SERVICE REASON
25/tcp     open smtp syn-ack
| smtp-brute:
|    Accounts
|    acc0:test - Valid credentials
|    acc1:test - Valid credentials
|    acc3:password - Valid credentials
|    acc4:12345 - Valid credentials
|    Statistics
|_  ...

Detecting suspicious SMTP servers

Compromised servers might have rogue SMTP servers installed and abused by spammers. System administrators can use Nmap to help them monitor mail servers in their network.

This recipe shows how to detect rogue SMTP servers with Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap -sV --script smtp-strangeport <target>

If a mail server is found on a nonstandard port, it will be reported in the script output section:

PORT STATE SERVICE    VERSION
9999/tcp open   ssl/smtp Postfix smtpd
|_smtp-strangeport: Mail server on unusual port: possible malware

How it works...

The smtp-strangeport script was submitted by Diman Todorov. It detects SMTP servers running on nonstandard ports, which is an indicator of rogue mail servers. If an SMTP server is found running on a port other than 25, 465, or 587, this script will notify you.

The -sV --script smtp-strangeport...
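Both recipes above (smtp-open-relay and smtp-strangeport) produce findings that an administrator will want to pull out of a scheduled scan automatically rather than read by eye. The following script is an added example, not code from the book or from the Nmap project: it reads the XML that `nmap -oX` writes, re-derives the smtp-strangeport rule from the service name (so it works even when that script was not run) and picks up the host-level smtp-open-relay verdict. The hosts, ports and script output in SAMPLE_XML are constructed for the example and come from no real scan.

```python
"""Triage nmap -oX output for SMTP open relays and mail servers on odd ports."""
import sys
import xml.etree.ElementTree as ET

# Ports the smtp-strangeport script treats as normal for SMTP.
STANDARD_SMTP_PORTS = {25, 465, 587}

# Constructed sample of Nmap XML output (made up for this example, not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25">
        <state state="open" reason="syn-ack"/>
        <service name="smtp" product="Postfix smtpd"/>
      </port>
      <port protocol="tcp" portid="9999">
        <state state="open" reason="syn-ack"/>
        <service name="smtp" product="Postfix smtpd" tunnel="ssl"/>
        <script id="smtp-strangeport" output="Mail server on unusual port: possible malware"/>
      </port>
    </ports>
    <hostscript>
      <script id="smtp-open-relay" output="Server is an open relay (1/16 tests)&#10;MAIL FROM:&lt;antispam@insecure.org&gt; -&gt; RCPT TO:&lt;relaytest@insecure.org&gt;"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25">
        <state state="open" reason="syn-ack"/>
        <service name="smtp" product="Exim smtpd"/>
      </port>
    </ports>
    <hostscript>
      <script id="smtp-open-relay" output="Server doesn't seem to be an open relay, all tests failed"/>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_findings(xml_text):
    """Return a list of (address, check, detail) tuples that deserve a ticket."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "unknown"
        # Port-level rule: SMTP announced on a port outside the expected set.
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            portid = int(port.get("portid"))
            if service.get("name") == "smtp" and portid not in STANDARD_SMTP_PORTS:
                detail = f"{portid}/{port.get('protocol')} {service.get('product', '')}".strip()
                findings.append((addr, "smtp-strangeport", detail))
        # Host-level script output: smtp-open-relay reports under <hostscript>.
        for script in host.iter("script"):
            output = script.get("output", "")
            if script.get("id") == "smtp-open-relay" and output.startswith("Server is an open relay"):
                findings.append((addr, "smtp-open-relay", output.splitlines()[0]))
    return findings


def main(argv):
    # Pass the path of an -oX file to triage a real scan; otherwise use the sample.
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_XML
    for addr, check, detail in parse_findings(xml_text):
        print(f"{addr:<16} {check:<18} {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample triaged, or with the path to a real `-oX` file. The second host is an example of a result that should stay quiet: an SMTP daemon on port 25 whose relay tests all failed.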

Enumerating SMTP usernames

Email addresses are very commonly used as usernames in web applications, and access to an email account can mean access to sensitive data, including further credentials for other services. Unfortunately, as attackers, we sometimes don't even have a username list, so finding valid users is one of the very first steps when auditing mail servers. Enumerating users via SMTP commands can yield excellent results, and thanks to the NSE, we can automate this task.

This recipe shows how to enumerate users on an SMTP server with Nmap.

How to do it...

To enumerate users of an SMTP server with Nmap, enter the following command:

$ nmap -p25 --script smtp-enum-users <target>

Any usernames found will be included in the script output section:

Host script results:
| smtp-enum-users:
|_   RCPT, webmaster

How it works...

The smtp-enum-users script was written by Duarte Silva, and it attempts to enumerate users in SMTP...

Brute-forcing IMAP passwords

Password auditing checks exist to discover weak passwords on critical systems such as mail servers. Organizations must prevent users from choosing weak passwords that brute-force password attacks could guess.

This recipe will show you how to launch dictionary attacks against IMAP servers with Nmap.

How to do it...

To perform brute-force password auditing against IMAP, use the following command:

$ nmap -p143 --script imap-brute <target>

All the valid accounts found will be listed in the script output section:

PORT STATE SERVICE REASON
143/tcp open    imap syn-ack
| imap-brute:
|    Accounts
|    acc1:test - Valid credentials
|    webmaster:webmaster - Valid credentials
|    Statistics
|_   Performed 112 guesses in 112 seconds, average tps: 1

How it works...

The imap-brute script was...

Retrieving the capabilities of an IMAP server

IMAP servers may support different capabilities. The Capability command lets clients list the capabilities a mail server supports, and we can use Nmap to automate this task.

This recipe shows you how to list the capabilities of an IMAP server with Nmap.

How to do it...

Open your favorite terminal and enter the following Nmap command:

$ nmap -p143,993 --script imap-capabilities <target>

The results will be included in the script output section:

993/tcp   open  ssl/imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS completed AUTH=PLAIN OK Capability UNSELECT THREAD=REFERENCES AUTH=LOGIN A0001 IMAP4rev1 NAMESPACE SORT CHILDREN LITERAL+ IDLE SASL-IR MULTIAPPEND

How it works...

The imap-capabilities script was submitted by Brandon Enright, and it attempts to list the supported functionality of IMAP servers using the Capability command defined in RFC 3501.

The -p143,993 ...

Brute-forcing POP3 passwords

Mail servers are always an attractive target because they store a great deal of organizational information. Attackers can guess weak passwords and gain access to sensitive corporate data. As penetration testers, we must detect poorly designed password policies to prevent these attacks.

This recipe will show you how to launch dictionary attacks against POP3 servers with Nmap.

How to do it...

To launch a dictionary attack against POP3 with Nmap, enter the following command:

$ nmap -p110 --script pop3-brute <target>

Any valid accounts will be listed in the script output section:

PORT STATE SERVICE
110/tcp open    pop3
| pop3-brute: webmaster : abc123
|_acc1 : password

How it works...

The pop3-brute script was submitted by Philip Pickering, and it performs brute-force password auditing against POP3 servers. By default, this script uses the /nselib/data/usernames.lst and /nselib/data/passwords.lst word lists, but you can change...
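The three brute-force recipes in this chapter (smtp-brute, imap-brute and pop3-brute) look the same from the server's side: a burst of failed authentications from one client address across whichever protocols are exposed. The script below is an added example, not code from the book, showing the detection an administrator would run over the mail server's own logs. The log lines are constructed to resemble Postfix SASL failures and Dovecot imap-login/pop3-login "auth failed" disconnects (timestamps and addresses are invented); the five-failures-in-five-minutes threshold is an assumption to tune per site.

```python
"""Flag password guessing against SMTP, IMAP and POP3 from mail server logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails six times in ten seconds across all
# three protocols; a second source fails once after a successful login.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:02 mx1 postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:00:03 mx1 postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:00:04 mx1 postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:00:06 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<acc1>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Mar  3 10:00:10 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<webmaster>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Mar  3 10:30:00 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Mar  3 10:31:00 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
"""

TIMESTAMP = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
PATTERNS = [
    # Postfix smtpd: SASL failure, client address in square brackets.
    re.compile(TIMESTAMP + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"),
    # Dovecot imap-login / pop3-login: "auth failed" disconnects carry rip=<client>.
    re.compile(TIMESTAMP + r" \S+ dovecot: (?P<proto>imap|pop3)-login: Disconnected \(auth failed.*?rip=(?P<ip>[0-9a-fA-F.:]+)"),
]


def parse_failure(line):
    """Return (timestamp, client_ip) for an authentication-failure line, else None."""
    for pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            # Syslog timestamps carry no year; only the relative spacing matters here.
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")
    return None


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Return {client_ip: peak_failures} for every source whose failures inside
    some sliding window of length `window` reach `threshold`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, ip = parsed
            events[ip].append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins inside 5 minutes")
```

Counting per client address rather than per account is what makes a slow spray across many usernames (the usernames.lst/passwords.lst pattern the brute scripts use) visible; a per-account counter would see one failure each and stay silent.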

Retrieving the capabilities of a POP3 server

POP3 mail servers may support different capabilities defined in RFC 2449. Using the POP3 CAPA command, we can list them and, thanks to Nmap, we can automate this task and include this service information in our scan results.

This recipe will teach you how to list the capabilities of a POP3 mail server with Nmap.

How to do it...

Open your favorite terminal and enter the following Nmap command:

$ nmap -p110 --script pop3-capabilities <target>

A list of server capabilities will be included in the script output section:

PORT STATE SERVICE
110/tcp open    pop3
|_pop3-capabilities: USER CAPA UIDL TOP OK(K) RESP-CODES PIPELINING STLS SASL(PLAIN LOGIN)

How it works...

The pop3-capabilities script was submitted by Philip Pickering, and it attempts to retrieve the capabilities of POP3 and POP3S servers. It uses the CAPA POP3 command to ask the server for a list of supported commands. This script also attempts...

Retrieving information from SMTP servers with NTLM authentication

SMTP servers with Windows NT LAN Manager (NTLM) authentication disclose NetBIOS, DNS, and OS build version information. This is excellent information for fingerprinting a system accurately before authentication.

This recipe shows how to use Nmap to extract information from SMTP servers with NTLM authentication enabled.

How to do it...

To retrieve information from an SMTP server with NTLM, run the following command:

$ nmap -p25,465,587 --script smtp-ntlm-info --script-args smtp-ntlm-info.domain=<target domain> <target>

The results will include NetBIOS, DNS, and OS build version information in the script output section:

25/tcp   open  smtp
| smtp-ntlm-info:
|    Target_Name: SMTP
|    NetBIOS_Domain_Name: SMTP
|    NetBIOS_Computer_Name: SMTP
|    DNS_Domain_Name: 0xdeadbeefcafe.com
| ...