NTLM Auth information disclosure:

$ telnet example.com 587
220 example.com SMTP Server Banner
>> EHLO example.com
250-example.com Hello [x.x.x.x]
250-SIZE
...
...
250-AUTH NTLM
...
...
250 XSHADOW
>> AUTH NTLM
NTLM supported
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 [base64-encoded internal info]

Or use nmap:

nmap -p 587 --script smtp-ntlm-info x.x.x.x

with the result:

Target_Name: TEST
NetBIOS_Domain_Name: TEST
NetBIOS_Computer_Name: CN01
DNS_Domain_Name: test.local
DNS_Computer_Name: cn01.test.local
DNS_Tree_Name: test.local
Product_Version: 6.2.9200
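
The 334 reply is an NTLM CHALLENGE_MESSAGE (type 2); the fields above come from its TargetName, TargetInfo AV pairs and Version field. The parser below is an added example (not code from the original note or from nmap) for checking what your own server's reply discloses; parse_challenge and build_sample are hypothetical names, and the sample message is constructed from the values shown above.

```python
import base64
import struct

# MS-NLMP AV_PAIR ids mapped to the field names printed in the result above
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}
NEGOTIATE_VERSION = 0x02000000  # Version field at offset 48 is populated

def parse_challenge(b64_blob):
    """Decode a 334 reply's base64 CHALLENGE_MESSAGE (assumes UTF-16LE strings)."""
    msg = base64.b64decode(b64_blob, validate=True)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    if len(msg) < 48:
        raise ValueError("truncated CHALLENGE_MESSAGE")
    name_len, _, name_off, flags = struct.unpack_from("<HHII", msg, 12)
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    out = {"Target_Name": msg[name_off:name_off + name_len].decode("utf-16-le", "replace")}
    pos, end = info_off, min(info_off + info_len, len(msg))
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL, or a truncated pair
            break
        if av_id in AV_NAMES:
            out[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le", "replace")
        pos += av_len
    if flags & NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["Product_Version"] = f"{major}.{minor}.{build}"
    return out

def build_sample():
    """Constructed challenge carrying the values shown above (not a capture)."""
    u = lambda s: s.encode("utf-16-le")
    pairs = [(2, "TEST"), (1, "CN01"), (4, "test.local"),
             (3, "cn01.test.local"), (5, "test.local"), (0, "")]
    info = b"".join(struct.pack("<HH", i, len(u(v))) + u(v) for i, v in pairs)
    name = u("TEST")
    msg = (b"NTLMSSP\x00" + struct.pack("<IHHII", 2, len(name), len(name), 56, 0x02800001)
           + bytes(16)  # server challenge + reserved, zeroed in this sample
           + struct.pack("<HHI", len(info), len(info), 56 + len(name))
           + struct.pack("<BBH3xB", 6, 2, 9200, 15) + name + info)
    return base64.b64encode(msg).decode()

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in parse_challenge(build_sample()).items()))
```

Any internal host or domain name this returns for an Internet-facing listener is visible to unauthenticated clients; the usual remedy is to stop advertising AUTH NTLM on that listener.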

Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection (CVE-2014-6271)

https://www.exploit-db.com/exploits/34896