
About
Perform a comprehensive security assessment of SMTP servers to identify vulnerabilities including open relays, user enumeration, weak authentication, and misconfigurations.
name: smtp-penetration-testing
description: "对SMTP(简单邮件传输协议)服务器进行全面安全评估,识别包括开放中继、用户枚举、弱认证和配置错误在内的漏洞。"
risk: offensive
source: community
author: zebbern
date_added: "2026-02-27"
Authorized use only: this skill is intended solely for authorized security assessments, defensive validation, or controlled educational environments.
SMTP Penetration Testing
Purpose
Perform a comprehensive security assessment of SMTP (Simple Mail Transfer Protocol) servers to identify vulnerabilities including open relays, user enumeration, weak authentication, and misconfigurations. This skill covers banner grabbing, user enumeration techniques, relay testing, brute-force attacks, and security hardening recommendations.
Prerequisites
Required tools
# Nmap with SMTP scripts
sudo apt-get install nmap
# Netcat
sudo apt-get install netcat
# Hydra for brute force
sudo apt-get install hydra
# SMTP user enumeration tool
sudo apt-get install smtp-user-enum
# Metasploit Framework
msfconsole
Required knowledge
- SMTP protocol fundamentals
- Mail architecture (MTA, MDA, MUA)
- DNS and MX records
- Network protocols
Required access
- Target SMTP server IP/hostname
- Written testing authorization
- Wordlists for enumeration and brute forcing
Outputs and deliverables
- SMTP security assessment report - comprehensive vulnerability findings
- User enumeration results - valid email addresses discovered
- Relay test results - open relay status and exploitation potential
- Remediation recommendations - security hardening guidance
Core workflow
Phase 1: Understanding the SMTP architecture
Components: MTA (transfer) → MDA (delivery) → MUA (client)
Ports: 25 (SMTP), 465 (SMTPS), 587 (submission), 2525 (alternative)
Workflow: Sender MUA → Sender MTA → DNS/MX → Recipient MTA → MDA → Recipient MUA
Phase 2: SMTP service discovery
Identify SMTP servers and their versions:
# Discover SMTP ports
nmap -p 25,465,587,2525 -sV TARGET_IP
# Aggressive service detection
nmap -sV -sC -p 25 TARGET_IP
# SMTP-specific scripts
nmap --script=smtp-* -p 25 TARGET_IP
# Discover MX records for domain
dig MX target.com
nslookup -type=mx target.com
host -t mx target.com
Phase 3: Banner grabbing
Obtain SMTP server information:
# Using Telnet
telnet TARGET_IP 25
# Response: 220 mail.target.com ESMTP Postfix
# Using Netcat
nc TARGET_IP 25
# Response: 220 mail.target.com ESMTP
# Using Nmap
nmap -sV -p 25 TARGET_IP
# Version detection extracts banner info
# Manual SMTP commands
EHLO test
# Response reveals supported extensions
Interpret the banner information:
Banner reveals:
- Server software (Postfix, Sendmail, Exchange)
- Version information
- Hostname
- Supported SMTP extensions (STARTTLS, AUTH, etc.)
Phase 4: SMTP command enumeration
Test which SMTP commands are available:
# Connect and test commands
nc TARGET_IP 25
# Initial greeting
EHLO attacker.com
# Response shows capabilities:
250-mail.target.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-8BITMIME
250 DSN
Key commands to test:
# VRFY - Verify user exists
VRFY admin
250 2.1.5 admin@target.com
# EXPN - Expand mailing list
EXPN staff
250 2.1.5 user1@target.com
250 2.1.5 user2@target.com
# RCPT TO - Recipient verification
MAIL FROM:<test@attacker.com>
RCPT TO:<admin@target.com>
# 250 OK = user exists
# 550 = user doesn't exist
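The 220 greeting and the EHLO reply above are the raw material for the assessment report. As an added example (not part of the original skill or of any tool it lists), the following Python parses both into a server profile and turns the advertised extensions into findings: VRFY/EXPN exposure, cleartext AUTH offered before STARTTLS, missing STARTTLS, and software disclosure in the banner. The sample greeting and reply are constructed to mirror the exchange shown above, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample greeting and EHLO reply, shaped like the exchange above
# (not captured from a real server).
SAMPLE_BANNER = "220 mail.target.com ESMTP Postfix"
SAMPLE_EHLO_REPLY = """\
250-mail.target.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-8BITMIME
250 DSN
"""


@dataclass
class SmtpProfile:
    hostname: str = ""
    software: str = ""
    # EHLO keyword -> its parameter string ("" when the keyword has none)
    extensions: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_banner(banner: str, profile: SmtpProfile) -> None:
    # RFC 5321 greeting: "220 <domain> [ESMTP] [free text]"; the free text is
    # where servers such as Postfix disclose their software name
    m = re.match(r"220[ -](\S+)(?:\s+ESMTP)?(?:\s+(.*))?$", banner.strip())
    if m:
        profile.hostname = m.group(1)
        profile.software = (m.group(2) or "").strip()


def parse_ehlo(reply: str, profile: SmtpProfile) -> None:
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    # the first 250 line repeats the server name; every later line is one keyword
    for ln in lines[1:]:
        m = re.match(r"250[ -](\S+)\s*(.*)$", ln)
        if m:
            profile.extensions[m.group(1).upper()] = m.group(2).strip()


def assess(profile: SmtpProfile) -> list:
    ext = profile.extensions
    if "VRFY" in ext:
        profile.findings.append("VRFY advertised: account enumeration possible")
    if "EXPN" in ext:
        profile.findings.append("EXPN advertised: mailing-list expansion possible")
    if "AUTH" in ext:
        mechs = [m.upper() for m in ext["AUTH"].split()]
        cleartext = [m for m in mechs if m in ("PLAIN", "LOGIN")]
        # this reply was received before STARTTLS, so any AUTH offered here can
        # be used over the unencrypted session
        if cleartext:
            profile.findings.append(
                "AUTH %s offered before STARTTLS: credentials may transit in cleartext"
                % " ".join(cleartext))
    if "STARTTLS" not in ext:
        profile.findings.append("STARTTLS not advertised: no transport encryption")
    if profile.software:
        profile.findings.append("Banner discloses server software: %s" % profile.software)
    return profile.findings


def profile_server(banner: str, ehlo_reply: str) -> SmtpProfile:
    profile = SmtpProfile()
    parse_banner(banner, profile)
    parse_ehlo(ehlo_reply, profile)
    assess(profile)
    return profile


if __name__ == "__main__":
    for finding in profile_server(SAMPLE_BANNER, SAMPLE_EHLO_REPLY).findings:
        print(finding)
```

Feed it the greeting and the EHLO reply captured with netcat or telnet; the keyword map also gives you SIZE and the AUTH mechanism list for the report without re-reading the transcript.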
Phase 5: User enumeration
Enumerate valid email addresses:
# Using smtp-user-enum with VRFY
smtp-user-enum -M VRFY -U /usr/share/wordlists/users.txt -t TARGET_IP
# Using EXPN method
smtp-user-enum -M EXPN -U /usr/share/wordlists/users.txt -t TARGET_IP
# Using RCPT method
smtp-user-enum -M RCPT -U /usr/share/wordlists/users.txt -t TARGET_IP
# Specify port and domain
smtp-user-enum -M VRFY -U users.txt -t TARGET_IP -p 25 -d target.com
Using Metasploit:
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS TARGET_IP
set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set UNIXONLY true
run
Using Nmap:
# SMTP user enumeration script
nmap --script smtp-enum-users -p 25 TARGET_IP
# With custom user list
nmap --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} -p 25 TARGET_IP
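The sweeps in this phase leave a distinctive trail on the server: a run of 550 "User unknown" rejections and refused VRFY/EXPN attempts from one client within seconds. As an added example written for the defender's side (not part of the skill or of smtp-user-enum, Metasploit or Nmap), the following Python scans Postfix smtpd log lines for those events and flags a client that probes many distinct addresses in a short window. The log lines are constructed in Postfix's syslog style using documentation address ranges, and the window, threshold and assumed year are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in Postfix smtpd syslog style (not from a real host).
# 203.0.113.7 sweeps five addresses plus a VRFY in a few seconds; the partner
# host at 198.51.100.4 makes a single typo.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[2211]: connect from unknown[203.0.113.7]
Mar  3 10:15:02 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<aaron@target.com> proto=ESMTP helo=<probe>
Mar  3 10:15:03 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bob@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<bob@target.com> proto=ESMTP helo=<probe>
Mar  3 10:15:04 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <carol@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<carol@target.com> proto=ESMTP helo=<probe>
Mar  3 10:15:05 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dave@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<dave@target.com> proto=ESMTP helo=<probe>
Mar  3 10:15:06 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <erin@target.com>: Recipient address rejected: User unknown in local recipient table; from=<test@example.net> to=<erin@target.com> proto=ESMTP helo=<probe>
Mar  3 10:15:09 mx1 postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 502 5.5.1 VRFY command is disabled; to=<root> proto=ESMTP helo=<probe>
Mar  3 10:16:01 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.4]: 550 5.1.1 <typo@target.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<typo@target.com> proto=ESMTP helo=<mail.partner.example>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>RCPT|VRFY|EXPN) from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<rest>.*)$"
)


def parse_rejects(text: str, year: int = 2026) -> list:
    """Return one dict per reject line; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        target = re.search(r"<([^>]*)>", m["rest"])  # first <...> is the probed address
        events.append({
            "ts": ts, "ip": m["ip"], "cmd": m["cmd"], "code": m["code"],
            "target": target.group(1) if target else "",
            "reason": m["rest"],
        })
    return events


def detect_enumeration(events: list, window_s: int = 60, threshold: int = 5) -> list:
    """Flag clients that probe >= threshold distinct addresses within window_s seconds."""
    by_ip = defaultdict(list)
    for e in events:
        # a VRFY/EXPN attempt or a 550 "User unknown" answer counts as one probe
        if e["cmd"] in ("VRFY", "EXPN") or "User unknown" in e["reason"]:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, probes in by_ip.items():
        probes.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(probes)):  # sliding window over the sorted probes
            while (probes[end]["ts"] - probes[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, len({e["target"] for e in probes[start:end + 1]}))
        if best >= threshold:
            alerts.append({"ip": ip, "distinct_targets": best, "probes": len(probes)})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_rejects(SAMPLE_LOG)):
        print("possible SMTP user enumeration from %(ip)s: %(distinct_targets)d addresses" % alert)
```

Counting distinct probed addresses rather than raw rejections keeps a legitimate sender retrying one mistyped address below the threshold while a wordlist sweep crosses it within seconds.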
Phase 6: Open relay testing
Test for unauthorized mail relaying:
# Using Nmap
nmap -p 25 --script smtp-open-relay TARGET_IP
# Manual testing via Telnet
telnet TARGET_IP 25
HELO attacker.com
MAIL FROM:<test@attacker.com>
RCPT TO:<victim@external-domain.com>
DATA
Subject: Relay Test
This is a test.
.
QUIT
# If accepted (250 OK), server is open relay
Using Metasploit:
use auxiliary/scanner/smtp/smtp_relay
set RHOSTS TARGET_IP
run
Test variants:
# Test different sender/recipient combinations
MAIL FROM:<>
RCPT TO:<user@external.com>
MAIL FROM:<user@target.com>
RCPT TO:<user@external.com>
MAIL FROM:<user@[TARGET_IP]>
RCPT TO:<user@external.com>
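A relay finding needs a matching remediation in the report. As an added example (not part of the skill, Nmap or Metasploit), the following Python reads Postfix parameters in `postconf -n` form and reports the settings that make a server relay for anyone, together with the VRFY and cleartext-AUTH settings behind the earlier phases' findings; a constructed weak configuration is checked beside a corrected one. The parameter names are real Postfix parameters; the configuration text and the 192.0.2.0/24 network are this example's assumptions, and absent parameters are treated as their Postfix 2.10+ defaults.

```python
import re

# Constructed "postconf -n" output for a permissive server (not from a real host)
WEAK_CONFIG = """\
myhostname = mail.target.com
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
disable_vrfy_command = no
smtpd_tls_security_level = none
"""

# The same parameters after hardening (192.0.2.0/24 stands in for the trusted LAN)
HARDENED_CONFIG = """\
myhostname = mail.target.com
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
disable_vrfy_command = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""

# postconf -n omits parameters left at their default; this is the Postfix 2.10+ default
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"


def parse_postconf(text: str) -> dict:
    """Parse 'name = value' lines as printed by postconf -n."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def split_list(value: str) -> list:
    """Postfix lists are separated by commas and/or whitespace."""
    return [item.strip() for item in re.split(r"[,\s]+", value) if item.strip()]


def relay_findings(params: dict) -> list:
    findings = []
    relay = split_list(params.get("smtpd_relay_restrictions", DEFAULT_RELAY))
    networks = split_list(params.get("mynetworks", ""))

    # An unconditional "permit" accepts mail for any destination from any
    # client: the open relay the manual test above detects with a 250 reply.
    if "permit" in relay:
        findings.append("smtpd_relay_restrictions contains unconditional permit (open relay)")
    if not ({"reject_unauth_destination", "defer_unauth_destination"} & set(relay)):
        findings.append("smtpd_relay_restrictions lacks reject_unauth_destination/defer_unauth_destination")
    # permit_mynetworks trusts every address in mynetworks, so a /0 range there
    # is equivalent to an open relay
    if "permit_mynetworks" in relay and any(n.endswith("/0") for n in networks):
        findings.append("mynetworks contains a /0 range: permit_mynetworks trusts every client")
    if params.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("disable_vrfy_command is not yes: VRFY user enumeration remains possible")
    if params.get("smtpd_tls_security_level", "none").lower() in ("", "none"):
        findings.append("smtpd_tls_security_level is none: STARTTLS is not offered")
    if "permit_sasl_authenticated" in relay and params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only is not yes: AUTH is accepted before STARTTLS")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, relay_findings(parse_postconf(text)) or "no findings")
```

Run it against the real `postconf -n` output of the assessed host to confirm that the relay fix closed the finding, and re-run the Nmap relay script afterwards since restriction lists in `smtpd_recipient_restrictions` or per-port overrides in master.cf can still change the outcome.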
Compatible tools
- Claude Code
- Cursor
Tags
- Security
