SMTP Enumeration Technique

M'hirsi Hamza
3 min readJan 8, 2021

--

Source

Hi Medium! Here we are again with a new article, I was asked by a friend in my last article about Enumeration to provide a breakout on the SMTP technique.

In this article, we will go through different tools and techniques that should be known to retrieve information about your target.

+ SMTP technique :

In this part I will provide some different techniques of SMTP Enumeration, first I want to give some details about the important commands that we will need to know.

SMTP provides 3 built-in-commands:
— VRFY: means validates users.
— EXPN: Tells the actual delivery addresses of aliases and mailing lists.
— RCPT TO: Defines the recipients of the message.
Those different response commands can determine if the user is valid or not, also there are more commands that the SMTP server use but we will need only those for now to enumerate.

- Telnet :

One of the simplest techniques to query the SMTP server is telnet with VRFY, EXPN and RCPT TO commands, those commands will answer if the username entered exist or not, 252 code if the user exists, 550 code if the user is unknown.

> telnet 172.16.212.133 25

  • VRFY or EXPN syntax “VRFY root”
Source
  • RCPT TO syntax “RCPT TO root”
Source

- Metasploit :

Metasploit is one of the Pen Testing tools that I highly recommend as it provides so many modules and it’s not difficult to use, the module of SMTP enumeration is auxiliary/scanner/SMTP/smtp_enum, and here we only need to set the IP address of the SMTP server.

Source
Source

- Smtp-user-enum :

This tool uses the same commands of telnet to query the SMTP server, we just need to build a .txt file filled with a good list of usernames Smtp-user-enum, and the best part that this tool may discover valid email addresses instead of usernames.

Source
Source

- Nmap :

Nmap is a tool mainly used to scan networks, this tool also provides a big library of scripts to run, in the NSE (Nmap Scripting Engine) we can found SMTP enumeration script SMTP-enum-users.nse.

Source

Sadly in this example, the query didn’t succeed.

- NetScanTools Pro :

It’s a windows tool with a graphic interface easy to use; it is an Email Generator and Email relay testing tools.

Source

+ Conclusion :

SMTP is an important service that we found in every network and it provides too many important information for a hacker, that’s why we will need to protect that information by disabling the execution of the commands EXPN, VRFY, and RCPT in order to avoid this problem.

References:

CEHv9 Module Enumeration — https://www.eccouncil.org
https://pentestlab.blog/2012/11/20/smtp-user-enumeration/

Hey, I hope that you enjoyed my article, if you have something to add or to correct please don’t hesitate to write a comment, see you soon ^^!

--

--

M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity