When performing a penetration or security test on a system, there is a popular phase known as enumeration. That is the process of gathering useful information on the target system. These details include user names, machine/ OS names, network resources, shares, and running services. One of the most common types of enumeration is SMTP Enumeration.
The SMTP Protocol
SMTP stands for Simple Mail Transfer Protocol. It’s a network protocol used only for sending E-mails over a TCP/IP network via port 25. Here, we are using the word “only” because we have other protocols like POP3 and IMAP that can do both - send and receive E-mails. SMTP is quite popular, and there is always a high possibility that you will run into this service when performing a penetration test or solving a CTF (Capture The Flag) challenge.
Why Do We Perform an SMTP Enumeration?
The default port for SMTP service is port 25. However, some network administrators might decide to configure a different port to run the SMTP service. Suppose there is any misconfiguration with the SMTP service or a vulnerability on the server. In that case, there are various things we can achieve:
- We can enumerate and gather user accounts
- We can bypass authentication and send emails if we have an open relay.
If you are lucky to find any user accounts on the target system, you can now use them to perform other tasks like SSH login, web login, and so on.
Prerequisites
Do not carry out any instructions described on this post on any system without permission. We highly encourage Setting up a Virtual Penetration Testing Lab where you can practice the commands and tools. Alternatively, you can download and set up a vulnerable machine like Metasploitable, which you can use to practice your skills.
SMTP Commands
You can use several commands with the SMTP service. However, when performing an enumeration, we use three main commands.
- VRFY: This command is used to validate and check the existence of users (mailboxes)
- EXPN: This command reveals the delivery address of aliases and a list of emails.
- RCPT TO: This command defines the recipient of the message.
Tools and Scripts for Performing SMTP Enumeration
This post will give you a step-by-step guide on using the following tools to carry out SMTP user enumeration.
Let’s get started.
SMTP Enumeration - smtp-user-enum Command
It is one of the most popular tools for performing SMTP user enumeration on a target. This utility uses three main commands to perform user enumeration:
- VRFY
- EXPN
- RCPT TO.
This post will give you a detailed guide on all these commands. Additionally, you can perform a single user enumeration or multiple user enumeration where you will need to provide a wordlist of usernames. Use the command below to install smtp-user-enum
on Kali Linux.
sudo apt install smtp-user-enum
After a successful install, you can run the smtp-user-enum -h
command to view all the available options.
smtp-user-enum -h
The general syntax for the smtp-user-enum command is:
smtp-user-enum [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )
Single User Enumeration with smtp-user-enum Command
If you want to check a particular user exists on the system with the VRFY command, you can use the -u
parameter as shown below. Let’s check whether the user ‘msfadmin’ exists.
sudo smtp-user-enum -M VRFY -u msfadmin -t 192.168.1.58
The image above shows that the ‘msfadmin’ user exists on the system. You can use this method to verify other usernames you might have.
Multiple User Enumeration with smtp-user-enum
If you want to check for all users who might be available on the system, you will need to use a wordlist. Below is the general syntax that we will need.
sudo smtp-user-enum -M [method] -U [wordlist-path] -t [target-system-IP]
For this post, we will use the wordlists that come with Kali Linux in the /usr/share/wordlist
directory.
sudo smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/common_roots.txt -t 192.168.1.58
Interesting! From the image above, you can see we were able to retrieve quite a long list of usernames.
Enumerate Valid Email Addresses - smtp-user-enum
Alternatively, you can decide to check for valid mail addresses instead of usernames using the -D
parameter. Use the syntax below.
sudo smtp-user-enum -M [method] -D [mail-server] -U [wordlist-path] -t [target-IP]
Let’s scan for mail addresses using the “metasploitable.localdomain” mail server.
sudo smtp-user-enum -M VRFY -D metasploitable.localdomain -U /usr/share/wordlists/metasploit/common_roots.txt -t 192.168.1.58
Below is a list of all mail addresses that we were able to enumerate on the system.
SMTP Enumeration with NMAP
NMAP is an opensource network scanner that you can use to scan for ports and services running on a system. Additionally, it comes with various scripts that you can use to enumerate or scan for vulnerabilities on a target system. Let’s look at the NMAP scripts used with SMTP service.
To list the available NMAP scripts for SMTP, execute the commands below.
ls -al /usr/share/nmap/scripts/ | grep -e "smtp"
You can see there are several scripts that you can use to exploit the SMTP service. We even have scripts that scan for specific vulnerabilities. We will use the smtp-enum-users.nse
scripts that scans for SMTP users on our target system.
Unfortunately, we were not lucky to gather any users using NMAP. Let’s look at how we can perform SMTP enumeration with Metasploit.
SMTP Enumeration with Metasploit
Metapsloit is one of the most popular penetratin testing framework you will come across in the security field. It enables you to perform penetration testing on a target system and also develop custom exploits that you can deploy on vulnerable targets.
Metasploit comes with many security modules meant to perform a variety of tasks. In this post we will use the smtp_enum
module used to perform SMTP enumeration on SMTP services.
First, launch Metasploit by running the command below.
sudo msfconsole
When you have access to the msfconsole shell, execute the command below to specify the module that we want to use.
use auxiliary/scanner/smtp/smtp_enum
Next, enter the IP of the target system using the command below.
set RHOST [target-IP] E.g., set RHOST 192.168.1.58
When done, type run
to start user enumeration.
Below, we can see Metasploit was able to successfully enumerate users and mailboxes available on our target system.
Wrapping Up
This post has given you a detailed guide on using NMAP, Metasploit and Smtp-User-Enum to enumerate users on the SMTP service. Of the three methods, smtp-user-enum and metasploit proved to be more reliable. The results you get from these scans can be used to perform more attacks on the system especially on authentication and authorization.
Administrators are highly advised to properly configure mail servers by disabling execution of EXPN, VRFY and RCPT commands to avoid SMTP-Service details’ leakage.
Related Keywords: smtp enumeration oscp, smtp enumeration cheat sheet, smtp enumeration kali, smtp enumeration hacktricks, smtp enumeration nmap, smtp enumeration tools, smtp enumeration metasploit, smtp enumeration github, smtp enumeration telnet, nmap smtp enumeration, port 25 smtp enumeration, python smtp enumeration, prevent smtp enumeration, smtp user enumeration, smtp version enumeration, smtp vrfy enumeration, smtp user enumeration nmap, smtp user enumeration metasploit, smtp etrn enumeration, smtp username enumeration mitigation