Mail servers often store very sensitive information, and penetration testers need to perform brute force password auditing against them to check for weak passwords.
This recipe will show you how to launch dictionary attacks against SMTP servers by using Nmap.
To launch a dictionary attack against an SMTP server by using Nmap, enter the following command:
$ nmap -p25 --script smtp-brute <target>
If any valid credentials are found, they will be included in the script output section:
PORT STATE SERVICE REASON 25/tcp open stmp syn-ack | smtp-brute: | Accounts | acc0:test - Valid credentials | acc1:test - Valid credentials | acc3:password - Valid credentials | acc4:12345 - Valid credentials | Statistics |_ Performed 3190 guesses in 81 seconds, average tps: 39
The NSE script smtp-brute was submitted by Patrik Karlsson. It performs brute force password auditing against SMTP servers. It supports the following authentication methods: LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, and NTLM.
By default the script uses the wordlists /nselib/data/usernames.lst and /nselib/data/passwords.lst but it can easily be changed to use alternate wordlists.
The argument -p25 --script smtp-brute makes Nmap initiate the NSE script smtp-brute if an SMTP server is found running on port 25.
The script smtp-brute depends on the NSE libraries unpwdb and brute. These libraries have several script arguments that can be used to tune your brute force password auditing.
- To use different username and password lists, set the arguments
userdbandpassdb:$ nmap -p25 --script smtp-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target> - To quit after finding one valid account, use the argument
brute.firstOnly:$ nmap -p25 --script smtp-brute --script-args brute.firstOnly <target> - To set a different timeout limit, use the argument
unpwd.timelimit. To run it indefinitely, set it to0:$ nmap -p25 --script smtp-brute --script-args unpwdb.timelimit=0 <target> $ nmap -p25 --script smtp-brute --script-args unpwdb.timelimit=60m <target>
The brute library supports different modes that alter the username/password combinations used in the attack. The available modes are:
user: For each user listed inuserdb, every password inpassdbwill be tried$ nmap --script smtp-brute --script-args brute.mode=user <target>pass: For each password listed inpassdb, every user inuserdbwill be tried$ nmap --script smtp-brute --script-args brute.mode=pass <target>creds: This requires the additional argumentbrute.credfile$ nmap --script smtp-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
- The Discovering valid e-mail accounts using Google Search recipe
- The Enumerating users in an SMTP server recipe
- The Brute forcing IMAP passwords recipe
- The Retrieving the capabilities of an IMAP mail server recipe
- The Brute forcing POP3 passwords recipe
- The Retrieving the capabilities of a POP3 mail server recipe