Welcome back guys to another blog in the pentesting series. Today we will explore email pentesting and the various ways to perform a VAPT on email systems. We will also discuss the associated protocols and tools involved and, at the end, give you a checklist to follow while performing a test on email.
How email works:
As we all know, emails are messages sent electronically over the internet. Different protocols handle sending, fetching and internal delivery of email, and every component of the email system is vulnerable to some sort of attack.
Almost everyone in this digital age has at least one email address, and it is tightly integrated into our lives: we need an email address even to set up a smartphone or PC. Email accounts hold a treasure for an attacker: confidential/personal data, financial information, identity proofs, credentials, and what not. So hacking into one is a dream for any attacker.
Common email protocols (all Application layer):
| Port | Service | Details |
|---|---|---|
| 25/tcp | SMTP | Simple Mail Transfer Protocol is the email transmission standard for outgoing emails from one's device. |
| 587/tcp | ESMTP | Extended/Enhanced SMTP is used for inter-server mail transfer and as the mail submission protocol. It is the secure option. |
| 465/tcp | SSMTP | Deprecated and out-of-date, used only for legacy purposes. It was used only for sending emails from local devices to mail servers. |
| 109/tcp | POP2 | Post Office Protocol v2. It relies on SMTP to receive mails from a remote mailbox server. |
| 110/tcp | POP3 | Newer and currently used version. It does not require SMTP to receive mails from the server to a local email client. |
| 995/tcp | POP3S | POP3 with secure transmission using SSL or TLS. |
| 143/tcp | IMAP2 | Internet Message Access Protocol allows email clients to access emails stored on the mail server. |
| 993/tcp | IMAPS | IMAP over SSL/TLS. |
Email Pentest Steps:
Here is a list of things to do during email pentesting, so stay calm and keep reading.
1. SMTP, POP3, IMAP fingerprinting
Fingerprinting is the first step in any test, and that is the case here too. Try to gather details like the service type, port and available options, and try simple buffer overflow exploits.
Use tools like telnet, netcat, nmap, smtpmap and smtpscan for the above purposes.
2. Directory harvest attack (DHA)
It is used to find valid email addresses of the provided domain by brute-force guessing, provided the addresses follow some pattern.
This attack uses the following two methods:
a. Using alphanumeric combinations for the local part, appended with the company's domain.
b. Using combinations of first names, initials and last names.
3. Enumerate enabled smtp subsystems and features
Extended HELO (EHLO) is the ESMTP command an email server sends to identify itself when connecting to another email server to start the process of sending an email. The reply lists the extensions the receiving server supports, which can reveal exploitable subsystems and features.
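To make the EHLO reply useful in a report, it helps to parse it into the advertised extensions and flag the ones a mail-server audit cares about (cleartext AUTH, VRFY/EXPN, missing SIZE). The following is an added example, not code from the original post; the sample reply, host names and address are constructed placeholders.

```python
"""Parse and review an SMTP EHLO reply (added example, not from the original post)."""
import re

# Constructed sample of the 250 reply an ESMTP server might send after EHLO;
# host names and the client address are placeholders.
SAMPLE_EHLO_REPLY = """250-mail.example.test Hello scanner.example.test [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-VRFY
250-EXPN
250 HELP
"""

LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo_reply(reply):
    """Return {EXTENSION: [params]} from a multi-line EHLO reply; raises ValueError
    when the reply is not a 250 ESMTP greeting (e.g. 500/502 from a HELO-only server)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    caps = {}
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError("EHLO rejected with %s %s" % (code, text))
        parts = text.split()
        if i > 0 and parts:            # line 0 is the greeting, not a keyword
            caps[parts[0].upper()] = parts[1:]
        if sep == " ":                 # a space after the code ends the reply
            break
    return caps

def review_ehlo(caps):
    """Flag advertised features that an SMTP audit should look at."""
    findings = []
    # Only meaningful on 25/587; on 465 the session is already inside TLS.
    if "AUTH" in caps and "STARTTLS" not in caps:
        findings.append("AUTH %s offered without STARTTLS: credentials cross the wire in clear" % "/".join(caps["AUTH"]))
    for cmd in ("VRFY", "EXPN"):
        if cmd in caps:
            findings.append(cmd + " enabled: permits remote user/list enumeration")
    if "SIZE" not in caps:
        findings.append("no SIZE limit advertised: check message size controls (email bombing)")
    return findings
```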
4. Brute-force/crack SMTP, POP3, IMAP password
Tools such as Brutus, Medusa and THC-Hydra can accomplish the above mission.
Other methods include phishing, social engineering and hints in the "forgot password" flow.
5. Perform NTLM overflow attack through smtp authentication
6. Test for SMTP open relay
One can perform this using tools like NetScanTools Pro and SMTP Test Tool.
7. Do SMTP, POP3 user enumeration
8. See if you can find any CVEs against a service and try exploiting it
9. Check to see if Anti-phishing, anti-spamming protection are present
Send a mail containing a link to a malicious site and check how the server handles it and how it is shown to the recipient.
Sites like Netcraft, PhishTank and VirusTotal are useful, as is anti-malware software.
To check anti-spam protection, see whether common spam mails are detected and how effective the filters are. You can easily send mails in bulk or spoofed to test this.
10. Check CLSID extension vulnerability and also do email bombing
Class ID (CLSID) is a unique ID for an app or app component. Try sending mails with an attachment that uses a CLSID as its file extension instead of the standard extension. At the receiver, if the attachment can still be run, it has bypassed filtering and the email system is vulnerable to the CLSID extension vulnerability.
Send mails in bulk and check whether they are marked differently or blocked.
11. Check common vulnerabilities:
VBS attachment: These scripts can run arbitrary code on Windows if mail isn't configured properly.
Double file extension: e.g. Notes.txt.vbs; if this is executed as VBS then it's a vulnerability.
Long file name: Attachments with long names (>250 chars) often bypass filtering, so test this.
Malformed file extension: Send an exe file with a .exxe extension and note how the server reacts.
Message fragmentation: Fragment your mail into smaller pieces and, at the receiver, check whether they are merged back into one with the attachment, bypassing filtering.
Long subject attachment check: Use a very long subject line and give the same name to your attachment; mostly it will slip through mail server defences.
No file attachment name: Send an attachment with no name or extension; if it's executed at the receiver then it's an issue.
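Most of the attachment tricks in sections 10 and 11 (CLSID extension, double extension, long file name, malformed extension, missing name) can be caught by a filename check on the mail gateway. The following is an added example of such a check, not code from the original post; the blocked-extension list, the 250-character limit and the CLSID value are constructed for the example, and the fragmentation and long-subject cases are outside what a filename check can see.

```python
"""Attachment-name checks for the filename tricks above (added example, not the post's code)."""
import re

# Constructed policy for this example: extensions Windows will execute directly.
BLOCKED_EXT = {"exe", "vbs", "js", "bat", "cmd", "scr", "com", "pif"}
MAX_NAME_LEN = 250
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def _near_blocked(ext):
    """True if ext is a blocked extension with one extra character inserted, e.g. 'exxe'
    for 'exe'. Substitutions are deliberately not used: 'pdf' vs 'pif' would be a false positive."""
    for b in BLOCKED_EXT:
        if len(ext) == len(b) + 1 and any(
                ext[:i] + ext[i + 1:] == b for i in range(len(ext))):
            return True
    return False

def check_attachment_name(name):
    """Return a list of policy findings for one attachment filename ([] = clean)."""
    findings = []
    if not name or "." not in name.strip("."):
        return ["missing name or extension"]
    if len(name) > MAX_NAME_LEN:
        findings.append("filename longer than %d chars" % MAX_NAME_LEN)
    parts = name.split(".")
    exts = [p.lower() for p in parts[1:]]
    last = exts[-1]
    if CLSID_RE.match(parts[-1]):
        findings.append("CLSID used as extension (the shell hides it, so the real type is not shown)")
    if last in BLOCKED_EXT:
        findings.append("executable extension ." + last)
        if len(exts) > 1 and exts[-2] not in BLOCKED_EXT:
            findings.append("double extension: looks like .%s but runs as .%s"
                            % (exts[-2], last))
    elif _near_blocked(last):
        findings.append("malformed extension .%s resembles a blocked type" % last)
    return findings

def filter_attachments(names):
    """Split attachment names into (allowed, {blocked_name: findings})."""
    allowed, blocked = [], {}
    for n in names:
        f = check_attachment_name(n)
        if f:
            blocked[n] = f
        else:
            allowed.append(n)
    return allowed, blocked
```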
Email security Recommendation:
- Set up anti-malware programs on endpoints and use anti-spam and anti-phishing services.
- Have strong passwords with MFA turned on and proper patch management in place.
- Train employees to detect and report social engineering and phishing attacks.
- Create a blacklist of words, IPs and domains commonly associated with spam.
- Have dedicated software to handle email attachments and policies for employees to follow.
- Implement and configure IDS/IPS to log, report and stop attacks.
- Periodically perform audits and VAPT of your organization.
Conclusion:
In this article, we learnt about email pentesting basics and some good security practices to follow. Hope you liked it and found it useful; keep following our blogs to read more about such amazing topics.
Author
Vishal Thakur
Network Security Analyst Intern