SMTP

Ports

25, 465, 587

Enumerating what commands are available to us

sudo nmap -p25 --script=smtp-commands 10.129.34.39

Enumerating users

we can enumerate users if at least one of the following commands are enabled on the smtp server

VRFY
RCPT TO

MANUALLY

we can make use of telnet or netcat to establish a connection to the smtp server

telnet 10.129.34.39 25
Trying 10.129.34.39...
Connected to 10.129.34.39.
Escape character is '^]'.
220 Mail Service ready
HELO shrek123@shrek123.com
250 Hello.
MAIL FROM: <shrek123@shrek123>
250 OK
RCPT TO: <nico@megabank.com>
250 OK

We can see we have identified a user on the smtp server nico@megabank.com
if the user didn't exists we would smtp would have replied with

550 unknown user

we can also utilize a script to automate the process

sudo perl /opt/smtp-user-enum/smtp-user-enum.pl -M RCPT -u nico@megabank.com -t 10.129.34.39

PreviousSeDebugPrivilege NextDirectory brute-forcing (Fuzzing web directories)

Last updated 2 years ago