SMTP
- port: 25/tcp
Connect
$ nc -nv $IP 25
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to 10.11.1.217:25.
220 hotline.localdomain ESMTP Postfix
VRFY noone^M
550 5.1.1 <noone>: Recipient address rejected: User unknown in local recipient table
CRLF
SMTP servers often expect CRLF line endings, so use ^V^M (Ctrl-V Ctrl-M) to enter carriage returns in the terminal; note that ^V does not get echoed.
VRFY Username Enumeration
Related: userenum. See SecLists for username wordlists.
#!/usr/bin/env python
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: {} <ip> <usernames-file>".format(sys.argv[0]))
    sys.exit(1)

with open(sys.argv[2]) as f:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 25))
    banner = s.recv(1024)  # read and discard the 220 greeting
    for username in f:
        username = username.strip()
        if not username:
            continue  # skip blank lines in the wordlist
        s.sendall(('VRFY ' + username + '\r\n').encode('ascii'))
        result = s.recv(1024)
        # Postfix answers unknown users with "Recipient address rejected"
        if b'rejected' not in result:
            print(username)
    s.close()
EXPN User and Mailing List Enumeration
Verify whether jacob is a mailbox / jacob is a valid user:
EXPN jacob
250 [email protected]
List all members of the users mailing list / check whether the users mailing list exists:
EXPN users
[email protected]
[email protected]
[email protected]
250 [email protected]
The - after the reply code indicates that it’s not the last line.
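Added example, not code from the original page: the VRFY script above assumes each recv() returns exactly one reply, but the - continuation rule means a reply can span several lines and several TCP segments. This parser goes a little beyond the page by grouping multi-line replies and classifying them by reply code instead of by Postfix-specific text; the sample bytes and example.test addresses are constructed.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or
# " " (last line), then free text. A bare code with no text is also final.
REPLY_LINE = re.compile(rb"(\d{3})(?:([ -])(.*))?")

def parse_replies(buf):
    """Return (replies, leftover) for raw bytes read from an SMTP server.

    replies is a list of (code, [text lines]); leftover holds the bytes of
    a reply that has not fully arrived yet, to be prepended to the next recv().
    """
    replies, lines, pos, done = [], [], 0, 0
    while (end := buf.find(b"\r\n", pos)) != -1:
        m = REPLY_LINE.fullmatch(buf[pos:end])
        if m is None:
            raise ValueError("malformed SMTP reply line: %r" % buf[pos:end])
        code, sep, text = m.groups()
        lines.append((text or b"").decode("ascii", "replace"))
        pos = end + 2
        if sep != b"-":                 # no hyphen: this line ends the reply
            replies.append((int(code), lines))
            lines, done = [], pos
    return replies, buf[done:]

def classify(code):
    """What a VRFY/EXPN reply code tells the client about the name."""
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "not-disclosed"          # server declines to verify
    if code in (500, 502):
        return "disabled"               # command not recognised/implemented
    if code in (550, 551, 553):
        return "rejected"
    return "other"

# Constructed sample: an EXPN reply split across two TCP segments, followed
# by a VRFY rejection. Addresses are placeholders, not from the page.
CHUNK1 = b"250-alice@example.test\r\n250-bob@exam"
CHUNK2 = (b"ple.test\r\n250 carol@example.test\r\n"
          b"550 5.1.1 <noone>: Recipient address rejected\r\n")

if __name__ == "__main__":
    replies, rest = parse_replies(CHUNK1)        # nothing complete yet
    replies, rest = parse_replies(rest + CHUNK2)
    for code, text in replies:
        print(code, classify(code), text)
```

A server that returns "not-disclosed" or "disabled" for every name gives a client nothing to tell valid users from invalid ones; on Postfix the relevant setting is `disable_vrfy_command = yes`.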