Content

• Content
• SMTP (port 21)
• IMAP (port 143)
• FTP (port 21)
• TFTP (port 69/udp)

• Infrastructure PenTest Series: Part 2 - Vulnerability Analysis - awesome cheatsheet for vulnerability analysis of various ports
• 0daysecurity pentest by ports

SMTP (port 21)

• mailsploit.com - a collection of bugs in email clients that allow effective sender spoofing and code injection attacks
  analysis of 30 applications

• Example of telnet session to SMTP server (other example)

  another trivial example

  HELO server.example.com
  MAIL FROM: mr.president@government.com
  RCPT TO: phonexicum@yandex.ru
  DATA
  From: [Hacker] <mr.president@government.com>
  To: <phonexicum@yandex.ru>
  Date: Sat, 10 Dec 2017 00:20:26 -0400
  Subject: Handy email
  Hello buddy
  .
  QUIT
  

• Python SMTP server: python -m smtpd -n -c DebuggingServer localhost:1025 (server prints received smtp messages (NO further transmission))

• Send prepared composite e-mail with engish and other language

  sendemail (github)

  sendEmail -f mr.smith@matrix.io -t phonexicum@matrix.io -u "=?utf-8?B?$(echo "This is the spam message" | base64)?=" -o message-content-type=html -o message-file=/home/phonexicum/email.html -s localhost:25 -o message-charset=utf-8 -o tls=no

  e-mail at /home/phonexicum/email.html

    <html>
    <head><title></title></head>
    <body>
    <p>Hello, phonexicum ...</p>
  
    <p>Please cooperate with us.</p>
  
    <p>
    Mr. Smith
    <br> Department of control.
    </p>
    </body>
    </html>
  

IMAP (port 143)

• telnet IMAP session:

  another trivial example

  $ telnet mail.domain.ext imap
  * OK Courier-IMAP ready. Copyright 1998-2002 Double Precision, Inc.
  
  login me@mydomain.com mypassword
  * OK LOGIN Ok.
  
  # Select the folder you want to look in (usually the inbos):
  select INBOX
  
  # This should give you some information about the contents of that mail folder:
  * FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
  * OK [PERMANENTFLAGS (\Draft \Answered \Flagged \Deleted \Seen)] Limited
  * 0 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1021381622] Ok
  * OK [READ-WRITE] Ok
  
  logout
  * BYE Courier-IMAP server shutting down
  * OK LOGOUT completed
  

FTP (port 21)

• default login:passwd

  anonymous:example@email.com anonymous:guest ftp:ftp

TFTP (port 69/udp)

• tftp does not provide the directory listing, so filenames must be bruteforced:

  nmap -n -sU -p69 --script tftp-enum 10.0.0.2 (nmap uses dictionary: /usr/share/nmap/nselib/data/tftplist.txt)

• tftp session:

  another trivial example

    $ tftp
    tftp> connect 10.0.0.2
    tftp> get filename.ext