Stratos Ally

SMTP Enumeration 

**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. Please use this information responsibly. Unauthorized use can lead to severe legal consequences.** 

SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol for transmitting email over networks. It operates as a push protocol, initiating the sending of emails from a client to a server or between servers. 

SMTP enumeration is a technique for querying mail systems over SMTP, the protocol used for sending email (POP3 and IMAP handle retrieval), in order to learn which user accounts and addresses the server recognizes. SMTP communicates with mail exchange (MX) servers, which route emails based on DNS (Domain Name System) records. 

SMTP primarily uses port 25, but port 2525 can be an alternative, and port 587 is used for encrypted, authenticated submissions. Three key SMTP commands used for enumeration are: 

  1. VRFY Command: Checks if an email address exists on the server. 
  2. EXPN Command: Shows the individual email addresses that make up a distribution list. 
  3. RCPT TO Command: Identifies the recipient of the email message; the server's accept or reject reply reveals whether that recipient is known. 
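To make the server side of these three commands concrete, here is a toy SMTP responder (added for this article; it is not code from any real mail server, and the mailbox names, the `staff` list and the `example.org` domain are constructed). It shows the replies a leaky server gives next to those of a hardened one, and why VRFY and EXPN can be silenced while RCPT TO cannot: a server that validates recipients must still answer differently for an unknown address, so the defence there is rate limiting and log monitoring rather than a uniform reply.

```python
# Toy SMTP command responder for illustration only. Not a real MTA.
# Users, lists and the domain below are constructed sample data.

KNOWN_USERS = {"alice", "bob"}                      # constructed local mailboxes
DISTRIBUTION_LISTS = {"staff": ["alice", "bob"]}    # constructed EXPN-able alias
LOCAL_DOMAIN = "example.org"


def _local_part(argument):
    """Strip an optional 'TO:' prefix and angle brackets, then drop the domain."""
    addr = argument.strip()
    if addr.upper().startswith("TO:"):
        addr = addr[3:].strip()
    addr = addr.strip("<>")
    return addr.split("@", 1)[0].lower()


def respond(command, argument, hardened):
    """Return the reply a leaky (hardened=False) or hardened server would send."""
    cmd = command.upper()
    name = _local_part(argument)

    if cmd == "VRFY":
        if hardened:
            # RFC 5321 allows this non-committal reply; it is identical for every name,
            # so a client learns nothing about which mailboxes exist.
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        if name in KNOWN_USERS:
            return f"250 2.1.5 <{name}@{LOCAL_DOMAIN}>"
        return f"550 5.1.1 <{name}@{LOCAL_DOMAIN}>: User unknown"

    if cmd == "EXPN":
        if hardened:
            return "502 5.5.1 EXPN command is disabled"
        if name in DISTRIBUTION_LISTS:
            members = [f"<{m}@{LOCAL_DOMAIN}>" for m in DISTRIBUTION_LISTS[name]]
            # Multi-line reply: "250-" on all lines but the last, "250 " on the last.
            return "\r\n".join(
                ("250-" if i < len(members) - 1 else "250 ") + m
                for i, m in enumerate(members)
            )
        return f"550 5.1.1 <{name}@{LOCAL_DOMAIN}>: Unknown list"

    if cmd == "RCPT":
        # Recipient validation is itself a defence (it prevents accepting mail for
        # non-existent users and later bouncing it), so even the hardened server
        # must answer differently here. Hardening for RCPT TO means limiting the
        # rate of rejected recipients per client and alerting on bursts.
        if name in KNOWN_USERS:
            return "250 2.1.5 Ok"
        return f"550 5.1.1 <{name}@{LOCAL_DOMAIN}>: Recipient address rejected: User unknown"

    return "500 5.5.1 Command unrecognized"


# One real and one bogus probe per command, used to test whether replies differ.
_PROBES = {
    "VRFY": ("alice", "zzz-no-such-user"),
    "EXPN": ("staff", "zzz-no-such-list"),
    "RCPT": (f"TO:<alice@{LOCAL_DOMAIN}>", f"TO:<zzz-no-such-user@{LOCAL_DOMAIN}>"),
}


def leaks_existence(command, hardened):
    """True when the reply for a real name differs from the reply for a bogus one."""
    real, bogus = _PROBES[command.upper()]
    return respond(command, real, hardened) != respond(command, bogus, hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "leaky"
        for cmd in ("VRFY", "EXPN", "RCPT"):
            print(f"{label:8} {cmd}: leaks user existence = {leaks_existence(cmd, hardened)}")
```

On real servers the equivalent of `hardened=True` for VRFY and EXPN is a configuration switch: Postfix has `disable_vrfy_command = yes` (it has no EXPN at all), and sendmail turns both off with the `novrfy` and `noexpn` privacy options (or `goaway`). Running the script prints that the hardened server still leaks through RCPT, which is the case the next sections' tools exploit with their RCPT TO modes.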

SMTP Enumeration Tools  

  1. SMTP Enumeration using smtp-user-enum 

The smtp-user-enum tool is designed to identify operating system-level user accounts on systems by leveraging the SMTP protocol, typically implemented by the sendmail service. This tool looks at how servers respond to specific SMTP commands such as VRFY, EXPN, and RCPT TO.  

To use this tool well, you need to provide a list of usernames and at least one target host running an SMTP service. 

Command-Line Options for smtp-user-enum: 

  • -D dom: Appends a domain to the provided list of usernames to create email addresses. 
  • -U file: Specifies a file with the list of usernames to check. 
  • -t host: Defines the SMTP server to be queried. 
  • -T file: Chooses a file that lists hostnames of SMTP servers to query. 
  • -p port: Sets the TCP port for the SMTP service (default port no. is 25). 
  • -d: Turns on debugging output for detailed process info. 
  • -t n: Sets a timeout in seconds for server response (default is 5 seconds). 
  • -v: Enables verbose output for detailed information during operation. 
  • -h: Shows a help screen that tells you how to use the command. 

Additional Options: 

  • -m n: Sets the highest number of processes running at once (default is 5). 
  • -M mode: Selects the SMTP command to guess usernames (EXPN, VRFY, or RCPT TO; default is VRFY). 
  • -u user: Checks if a specific user exists on the remote system you are checking. 
  • -f addr: Specifies the email address used with the “RCPT TO” command (user@example.com is the default). 

  2. SMTP Enumeration using Metasploit Framework 

Metasploit offers two SMTP auxiliary modules, smtp_enum and smtp_version, designed to assist in the enumeration of SMTP servers by providing detailed information. 

Search for SMTP Modules 

To find SMTP-related modules in Metasploit, use the search command: 

search smtp 

This command will display a list of SMTP modules. Two useful modules for enumeration are: 

  • auxiliary/scanner/smtp/smtp_version 
  • auxiliary/scanner/smtp/smtp_enum 

A) smtp_enum 

Use SMTP Enumeration Module: To enumerate valid email addresses: 

  1. Use the smtp_enum module. 

use auxiliary/scanner/smtp/smtp_enum 

  2. Set the target address. 

set RHOSTS <target_ip> 

  3. Set the user file containing a list of usernames to enumerate. 

set USER_FILE /path/to/usernames.txt 

  4. Run the module. 

run 

The module will attempt to enumerate valid email addresses based on the list provided. 

B) smtp_version 

Use the SMTP Version Scanner 

To identify the SMTP server version: 

  1. Use the smtp_version module. 
    use auxiliary/scanner/smtp/smtp_version 
  2. Set the target address: 
    set RHOSTS <target_ip> 
  3. Run the module: 
    run 

This will provide information about the SMTP server version. 

3. SMTP Enumeration using iSMTP (Interactive SMTP) 

iSMTP is a tool that helps you verify whether certain email addresses exist on a server by “asking” the server, much like inquiring about people at a front desk. 

It is performed by sending different commands to the server to check if specific email addresses exist. 

ismtp -h 192.168.162.129:25 -e /home/kali/emails.txt 

  • -h (host): The target's IP address and port number (IP:Port). 
  • -e (file): Flag to specify the file containing the email addresses or usernames to check. 
  • /home/kali/emails.txt: The path to the file that contains the list of email addresses to be tested against the SMTP server. 
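Whichever of the three tools above is used in RCPT TO mode, the mail server sees the same thing: one client trying many recipients that do not exist, usually with a fixed MAIL FROM (smtp-user-enum's default is user@example.com, as listed earlier). The following detection script is an added example, not part of the article or of any of the tools; it runs over constructed log lines written in the style of Postfix's smtpd "NOQUEUE: reject" messages (the hosts, addresses and timestamps are made up) and flags clients that exceed a threshold of distinct unknown recipients or that use a known tool default as sender.

```python
import re
from collections import defaultdict

# Constructed sample log in the style of Postfix smtpd "NOQUEUE: reject" lines.
# Not captured from a real server; IPs, hosts and addresses are documentation values.
SAMPLE_LOG = """\
May  1 10:00:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <adm@example.org>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<adm@example.org> proto=ESMTP helo=<scanner>
May  1 10:00:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <backup@example.org>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<backup@example.org> proto=ESMTP helo=<scanner>
May  1 10:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <games@example.org>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<games@example.org> proto=ESMTP helo=<scanner>
May  1 10:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <lp@example.org>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<lp@example.org> proto=ESMTP helo=<scanner>
May  1 10:00:03 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <sync@example.org>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<sync@example.org> proto=ESMTP helo=<scanner>
May  1 10:00:03 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <operator@example.org>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<operator@example.org> proto=ESMTP helo=<scanner>
May  1 10:00:05 mail postfix/smtpd[1240]: 7F3A2B1C9D: client=relay.partner.example[198.51.100.9]
May  1 10:00:06 mail postfix/smtpd[1241]: NOQUEUE: reject: RCPT from relay.partner.example[198.51.100.9]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<jane@partner.example> to=<typo@example.org> proto=ESMTP helo=<relay.partner.example>
"""

# Matches the reject line and captures the client IP, reply code, rejected
# recipient and MAIL FROM address. Ordinary delivery lines do not match.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected.*?from=<(?P<sender>[^>]*)>"
)

# Sender addresses that enumeration tooling uses by default; the first is the
# smtp-user-enum default described in the article.
TOOL_DEFAULT_SENDERS = {"user@example.com"}


def summarize_rejects(log_text):
    """Per client IP, collect the distinct unknown recipients tried and senders used."""
    stats = defaultdict(lambda: {"unknown_rcpts": set(), "senders": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("code") != "550":
            continue
        entry = stats[m.group("ip")]
        entry["unknown_rcpts"].add(m.group("rcpt").lower())
        entry["senders"].add(m.group("sender").lower())
    return dict(stats)


def flag_enumerators(stats, threshold=5):
    """Return {ip: [reasons]} for clients that look like recipient enumeration."""
    flagged = {}
    for ip, entry in stats.items():
        reasons = []
        if len(entry["unknown_rcpts"]) >= threshold:
            reasons.append(f"{len(entry['unknown_rcpts'])} distinct unknown recipients")
        if entry["senders"] & TOOL_DEFAULT_SENDERS:
            reasons.append("MAIL FROM matches an enumeration tool default")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_enumerators(summarize_rejects(SAMPLE_LOG)).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

The threshold is deliberately per distinct recipient rather than per line, so a legitimate relay that retries one mistyped address is not flagged, while the scanner that walks a username list is. On a production Postfix host the same signal can be rate-limited before it reaches the log with `smtpd_client_recipient_rate_limit` and `smtpd_hard_error_limit`, so that a client that keeps tripping 550 replies is disconnected after a few attempts.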
