Metasploitable 2: Port 25 Open SMTP Postfix SMTPD

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd

Despite researching the Postfix email service, I haven’t uncovered an exploit; however, we can enumerate user information via Metasploit’s scanner:

msf > search postfix smtp
[!] Database not connected or cache not built, using slow search

Matching Modules
================

Name                                                    Disclosure Date  Rank       Description
----                                                    ---------------  ----       -----------
auxiliary/client/smtp/emailer                                            normal     Generic Emailer (SMTP)
auxiliary/dos/smtp/sendmail_prescan                     2003-09-17       normal     Sendmail SMTP Address prescan <= 8.12.8 Memory Corruption
auxiliary/dos/windows/smtp/ms06_019_exchange            2004-11-12       normal     MS06-019 Exchange MODPROP Heap Overflow
auxiliary/fuzzers/smtp/smtp_fuzzer                                       normal     SMTP Simple Fuzzer
auxiliary/scanner/smtp/smtp_enum                                         normal     SMTP User Enumeration Utility
auxiliary/scanner/smtp/smtp_relay                                        normal     SMTP Open Relay Detection
auxiliary/scanner/smtp/smtp_version                                      normal     SMTP Banner Grabber
auxiliary/server/capture/smtp                                            normal     Authentication Capture: SMTP
auxiliary/vsploit/pii/email_pii                                          normal     VSploit Email PII
exploit/linux/misc/gld_postfix                          2005-04-12       good       GLD (Greylisting Daemon) Postfix Buffer Overflow
exploit/linux/smtp/exim4_dovecot_exec                   2013-05-03       excellent  Exim and Dovecot Insecure Configuration Command Injection
exploit/unix/smtp/clamav_milter_blackhole               2007-08-24       excellent  ClamAV Milter Blackhole-Mode Remote Code Execution
exploit/unix/smtp/exim4_string_format                   2010-12-07       excellent  Exim4 <= 4.69 string_format Function Heap Buffer Overflow
exploit/unix/webapp/squirrelmail_pgp_plugin             2007-07-09       manual     SquirrelMail PGP Plugin command execution (SMTP)
exploit/windows/browser/communicrypt_mail_activex       2010-05-19       great      CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow
exploit/windows/browser/oracle_dc_submittoexpress       2009-08-28       normal     Oracle Document Capture 10g ActiveX Control Buffer Overflow
exploit/windows/email/ms07_017_ani_loadimage_chunksize  2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
exploit/windows/http/mdaemon_worldclient_form2raw       2003-12-29       great      MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow
exploit/windows/smtp/mailcarrier_smtp_ehlo              2004-10-26       good       TABS MailCarrier v2.51 SMTP EHLO Overflow
exploit/windows/smtp/mercury_cram_md5                   2007-08-18       great      Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
exploit/windows/smtp/ms03_046_exchange2000_xexch50      2003-10-15       good       MS03-046 Exchange 2000 XEXCH50 Heap Overflow
exploit/windows/smtp/njstar_smtp_bof                    2011-10-31       normal     NJStar Communicator 3.00 MiniSMTP Buffer Overflow
exploit/windows/smtp/wmailserver                        2005-07-11       average    SoftiaCom WMailserver 1.0 Buffer Overflow
exploit/windows/smtp/ypops_overflow1                    2004-09-27       average    YPOPS 0.6 Buffer Overflow
exploit/windows/ssl/ms04_011_pct                        2004-04-13       average    Microsoft Private Communications Transport Overflow
post/windows/gather/credentials/outlook                                  normal     Windows Gather Microsoft Outlook Saved Password Extraction

msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

Name       Current Setting                                              Required  Description
----       ---------------                                              --------  -----------
RHOSTS                                                                  yes       The target address range or CIDR identifier
RPORT      25                                                           yes       The target port
THREADS    1                                                            yes       The number of concurrent threads
UNIXONLY   true                                                         yes       Skip Microsoft bannered servers when testing unix users
USER_FILE  /opt/metasploit/apps/pro/msf3/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf auxiliary(smtp_enum) > set RHOSTS 192.168.1.103
RHOSTS => 192.168.1.103

msf auxiliary(smtp_enum) > set RPORT 25
RPORT => 25
msf auxiliary(smtp_enum) > run

[*] 192.168.1.103:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.1.103:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, users have been identified, which might be useful in further attacks, especially if any of the passwords are the same as the username.

I did connect to the Postfix email service via Telnet:

# telnet 192.168.1.103 25
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

I attempted to log on using the above user credentials, but was greeted with:

503 5.5.1 Error: authentication not enabled

So, presumably the Telnet connection is operational, but I simply don’t know how to take advantage of this.
