Mail servers often store very sensitive information, and penetration testers need to perform brute force password auditing against them to check for weak passwords.
This recipe will show you how to launch dictionary attacks against SMTP servers by using Nmap.
To launch a dictionary attack against an SMTP server by using Nmap, enter the following command:
$ nmap -p25 --script smtp-brute <target>
If any valid credentials are found, they will be included in the script output section:
PORT   STATE SERVICE REASON
25/tcp open  stmp    syn-ack
| smtp-brute:
|   Accounts
|     acc0:test - Valid credentials
|     acc1:test - Valid credentials
|     acc3:password - Valid credentials
|     acc4:12345 - Valid credentials
|   Statistics
|_    Performed 3190 guesses in 81 seconds, average tps: 39
The NSE script smtp-brute was submitted by Patrik Karlsson. It performs brute force password auditing against SMTP servers. It supports the following authentication methods: LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, and NTLM.
By default the script uses the wordlists /nselib/data/usernames.lst and /nselib/data/passwords.lst, but it can easily be changed to use alternate wordlists.
The argument -p25 --script smtp-brute makes Nmap initiate the NSE script smtp-brute if an SMTP server is found running on port 25.
The script smtp-brute depends on the NSE libraries unpwdb and brute. These libraries have several script arguments that can be used to tune your brute force password auditing.
userdb and passdb:
$ nmap -p25 --script smtp-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
brute.firstOnly:
$ nmap -p25 --script smtp-brute --script-args brute.firstOnly <target>
unpwdb.timelimit. To run it indefinitely, set it to 0:
$ nmap -p25 --script smtp-brute --script-args unpwdb.timelimit=0 <target>
$ nmap -p25 --script smtp-brute --script-args unpwdb.timelimit=60m <target>
The brute library supports different modes that alter the username/password combinations used in the attack. The available modes are:
user: For each user listed in userdb, every password in passdb will be tried.
$ nmap --script smtp-brute --script-args brute.mode=user <target>
pass: For each password listed in passdb, every user in userdb will be tried.
$ nmap --script smtp-brute --script-args brute.mode=pass <target>
creds: This requires the additional argument brute.credfile.
$ nmap --script smtp-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
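Seen from the mail server, a run like the one in the script output above (3190 guesses in 81 seconds) is a dense burst of failed SMTP AUTH attempts from one client. The following is an added example, not code from the original recipe or from Nmap, that flags such bursts with a sliding window over mail logs. It assumes Postfix-style smtpd log lines; the sample lines, the function name find_bruteforce, and the threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd syslog format (not taken from the page).
SAMPLE = [
    f"Mar 13 10:00:{s:02d} mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: "
    "SASL LOGIN authentication failed: authentication failure"
    for s in (1, 1, 2, 2, 3, 3, 4, 4)   # burst: 8 failures in 3 seconds
] + [
    "Mar 13 10:05:00 mx1 postfix/smtpd[2102]: warning: mail.example.org[198.51.100.20]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Mar 13 10:20:00 mx1 postfix/smtpd[2103]: warning: mail.example.org[198.51.100.20]: "
    "SASL PLAIN authentication failed: authentication failure",   # slow, isolated failures
    "Mar 13 10:21:00 mx1 postfix/smtpd[2104]: connect from mail.example.org[198.51.100.20]",
]

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S*\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=10), year=2024):
    """Map each client IP that reaches `threshold` failed SASL logins inside
    `window` to (peak failures in one window, mechanisms tried)."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still in window
    mechs = defaultdict(set)         # ip -> SASL mechanisms seen in failures
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                 # not a failed SMTP AUTH line
        # syslog omits the year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        mechs[ip].add(m["mech"])
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return {ip: (peak, sorted(mechs[ip])) for ip, peak in flagged.items()}

if __name__ == "__main__":
    for ip, (peak, used) in find_bruteforce(SAMPLE).items():
        print(f"{ip}: {peak} failed AUTH attempts in one window via {', '.join(used)}")
```

A per-IP window catches the fast default run; a pass-mode run spread across many source addresses needs a per-account or global failure count as well.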