I am a security admin and want to penetrate my office network. I want to hack it like a hacker who don't have any info about the company and network. I m new in hacking. I have collected info about domain (registered in UK), nameservers (registered at ISP in UK), mail server name and public address with help of tools like nmap, samspade, visual route and etc. This company is in india. I tried to transfer DNS Zone info through nslookup, spampad but fails as nameserver are configured to not tranfer Zone to unauthorised external hosts. Mail server is listening on port 25 and has windows installed. The MX record is registered with ISP in India only. When I tried to trace the Mail server the trace result has completed but it hasn't showed me IP address of Firewall.
What should be next step to get a correct picture of network which can give me info about hosts of interest in network with perimeter devices like router and firewall and how could I hack Mail server with port 25 only or any other way.