OK so I have shown you how to perform password profiling and how to get cracking locally and over the network, but some of you keep asking how to find the mail servers to attack. If the FQDN or IP address is unknown, the easiest way to find this information is to use the nslookup command-line tool to look up the MX record for the destination domain. You can try various web scanners to find it, or you can simply open a command prompt and type the following:
- nslookup
- set type=MX
- <site name>
Or, as a single non-interactive command (MX lookups are keyed by domain name, not by IP address):
- nslookup -type=MX <site name>
This sends DNS queries for the MX (mail exchange) records, and the output tells you which mail servers are registered for your target domain. Note the lines after "Non-authoritative answer". The "MX preference" value specifies which mail server to use and in which order: the lower the number, the more preferred the mail server. If the preferences for several mail servers are the same, you can use any of them.
- telnet
- open <smtp server ip/name found above> 25
This opens a telnet session between our machine and the remote server on port 25 (port 25 is the default SMTP port; you may need to change it to fit your situation). Typing `telnet <smtp server ip/name> 25` directly at the command prompt does the same thing in one step.
- EHLO <ip/servername.com>
EHLO is the Extended Simple Mail Transfer Protocol (ESMTP) greeting verb; the server's multi-line reply lists the extensions it supports, which establishes the remote SMTP capabilities during the initial connection.
- MAIL FROM:<email@example.com>
This defines who the email will be sent from (the angle brackets are part of the SMTP syntax, not a placeholder). It helps to use a valid email address to avoid errors on some setups, and it is where a notice is returned if the recipient is undeliverable.
- RCPT TO:<firstname.lastname@example.org> NOTIFY=SUCCESS,FAILURE
NOTIFY is optional but can be helpful, as it asks the server to provide a message letting us know whether delivery worked or not. A reply code of 500 means there was a failure or error, while 220 means it was a success.
- DATA
This tells the server that the message content follows. You will receive a 354 response that resembles the following:
"354 Start mail input; end with <CRLF>.<CRLF>"
- Subject: <Subject Title/Name>
This defines the subject line of the email message. Now press ENTER to add a blank line: there must be a blank line between the Subject header and the body of the email to avoid errors.
- Type your message now... press ENTER when done
This is the body of the email message to be sent.
- Press ENTER again
- . (type a single period on a line by itself)
This ends the message and tells the server we are ready to send. You should see messages similar to these:
"250 2.6.0 <GUID> Queued mail for delivery"
"221 2.0.0 Service closing transmission channel."
Note: You can't use the backspace key once you are connected to the destination SMTP server within the telnet session. If you make a mistake as you type an SMTP command, press ENTER and then type the command again from scratch.
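As an added example (not code from the original post), this Python script does the two things the walkthrough does by hand: it orders MX records by preference from nslookup output, and it assembles the SMTP dialog with the syntax servers expect (angle brackets, DATA before the 354 reply, dot-stuffing of body lines that start with a period) and classifies reply codes by their first digit. The nslookup output and every hostname here are constructed; `client.example.net` is an assumed EHLO name.

```python
import re

# Constructed sample of nslookup MX output; not captured from any real domain.
SAMPLE_NSLOOKUP = """\
Server:  192.0.2.53
Address: 192.0.2.53#53

Non-authoritative answer:
example.org    mail exchanger = 20 mx2.example.org.
example.org    mail exchanger = 10 mx1.example.org.
example.org    mail exchanger = 10 mx3.example.org.
"""

MX_LINE = re.compile(r"mail exchanger\s*=\s*(\d+)\s+(\S+?)\.?$")

def parse_mx(output):
    """Return (preference, host) pairs found in nslookup MX output."""
    return [(int(m.group(1)), m.group(2))
            for line in output.splitlines()
            if (m := MX_LINE.search(line.strip()))]

def preferred_mx(records):
    """Lowest preference wins; hosts with equal preference are interchangeable."""
    lowest = min(p for p, _ in records)
    return [h for p, h in records if p == lowest]

def smtp_dialog(sender, recipient, subject, body):
    """Build the client command lines for the session described in the post.
    Angle brackets are part of the SMTP syntax; DATA must precede the 354
    reply; a body line starting with '.' gets a second '.' prepended so it
    cannot be mistaken for the end-of-message marker (RFC 5321 transparency)."""
    stuffed = ["." + l if l.startswith(".") else l for l in body.splitlines()]
    return (["EHLO client.example.net",          # assumed client hostname
             f"MAIL FROM:<{sender}>",
             f"RCPT TO:<{recipient}> NOTIFY=SUCCESS,FAILURE",
             "DATA",
             f"Subject: {subject}",
             ""]                                 # blank line ends the headers
            + stuffed
            + ["."])                             # lone period ends the message

def reply_class(code):
    """Classify an SMTP reply code by its first digit (RFC 5321 section 4.2)."""
    return {2: "success", 3: "more input needed", 4: "transient failure",
            5: "permanent failure"}.get(code // 100, "unknown")

if __name__ == "__main__":
    print(preferred_mx(parse_mx(SAMPLE_NSLOOKUP)))   # ['mx1.example.org', 'mx3.example.org']
    print("\n".join(smtp_dialog("me@example.net", "you@example.org", "Hi", "Hello\n.dot line")))
```

Reading the reply class tells you how to react: a 4xx reply is worth retrying later, while a 5xx reply means the server has rejected the command or recipient outright.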