smtp-enum

VRFY commander@openmailbox.xyz
	550 5.1.1 <commander@openmailbox.xyz>: Recipient address rejected: User unknown in local recipient table

# No, the user "commander" doesn't exist
1

Check supported commands / capabilities using telnet

telnet 192.63.243.3 25
HELO attacker.xyz
	250 openmailbox.xyz
EHLO attacker.xyz
    250-openmailbox.xyz
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8

📌 Supported commands/capabilities are shown in the EHLO response above.

Relevant links:

  • https://kabi.gitbook.io/kabi/ine/ejpt/assessment-methodologies/3-enumeration/smtp-enum#smtp-user-enum

  • https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum

2

Use smtp-user-enum to find common usernames from a wordlist

  • Tool: smtp-user-enum — tool for enumerating OS-level user accounts via the SMTP service

  • Example command:

smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t 192.63.243.3

Result (from the provided wordlist):

  • admin

  • administrator

  • mail

  • postmaster

  • root

  • sales

  • support

  • www-data

3

Use msfconsole to find common usernames from a wordlist

Example workflow:

service postgresql start && msfconsole -q
search type:auxiliary name:smtp
use auxiliary/scanner/smtp/smtp_enum
options
set RHOSTS 192.63.243.3
exploit

Example output:

[+] 192.63.243.3:25 - 192.63.243.3:25 Users found: , admin, administrator, backup, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, postmaster, proxy, sync, sys, uucp, www-data

Note: This result used the /usr/share/metasploit-framework/data/wordlists/unix_users.txt wordlist and found 20 users.
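
Detection side of the enumeration in steps 2 and 3, as an added example that is not part of the original notes: wordlist probing leaves a burst of "User unknown" rejects from one client in the mail log. The log line shape (modeled on Postfix smtpd reject lines), the sample IPs and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log shape: a Postfix-style smtpd reject line carrying the same
# "550 5.1.1 ... User unknown" reply the VRFY probe above received.
REJECT = re.compile(
    r"reject: (?P<cmd>VRFY|RCPT) from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

def _line(cmd, ip, rcpt):
    # Builds one constructed sample line (not a real log entry).
    return (f"Jan 10 09:00:01 mx postfix/smtpd[811]: NOQUEUE: reject: {cmd} "
            f"from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
            f"rejected: User unknown in local recipient table; to=<{rcpt}> "
            f"proto=SMTP helo=<client.example>")

# Constructed sample: one client guessing names, one sender with a typo.
SAMPLE_LOG = "\n".join([
    "Jan 10 09:00:00 mx postfix/smtpd[811]: connect from unknown[203.0.113.7]",
    _line("VRFY", "203.0.113.7", "commander@openmailbox.xyz"),
    _line("VRFY", "203.0.113.7", "alice@openmailbox.xyz"),
    _line("VRFY", "203.0.113.7", "Commander@openmailbox.xyz"),
    _line("VRFY", "203.0.113.7", "bob@openmailbox.xyz"),
    _line("RCPT", "198.51.100.20", "rooot@openmailbox.xyz"),
    _line("RCPT", "198.51.100.20", "rooot@openmailbox.xyz"),
])

def find_enumeration(log_text, min_unknown=3):
    """Map client IP -> probe summary for clients rejected on at least
    min_unknown distinct nonexistent recipients (case-insensitive)."""
    unknown = defaultdict(set)
    commands = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # connects, deliveries, other reject reasons
        unknown[m["ip"]].add(m["rcpt"].lower())
        commands[m["ip"]].add(m["cmd"])
    return {
        ip: {"unknown": sorted(names), "commands": sorted(commands[ip])}
        for ip, names in unknown.items()
        if len(names) >= min_unknown
    }

if __name__ == "__main__":
    for ip, hit in find_enumeration(SAMPLE_LOG).items():
        print(ip, hit["commands"], len(hit["unknown"]), "unknown recipients")
```

On Postfix, setting `disable_vrfy_command = yes` removes the VRFY capability seen in the EHLO response; RCPT-based guessing still shows up in this check, which is why both commands are matched.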

4

Connect to SMTP via telnet and send a fake mail to root

telnet 192.63.243.3 25

Example SMTP session to send a message:

HELO attacker.xyz
mail from: admin@attacker.xyz
rcpt to: root@openmailbox.xyz
data
Subject: Hello Root
Hello,
This is a fake mail sent using telnet command.
From admin
.

5

Send a fake mail using sendemail (sendmail wrapper)

Relevant docs:

  • https://kabi.gitbook.io/kabi/ine/ejpt/assessment-methodologies/3-enumeration/smtp-enum#sendmail

  • https://www.postfix.org/sendmail.1.html

Example command:

sendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s 192.63.243.3 -u Fakemail -m "Hi root, a fake mail from admin" -o tls=no
