Table of Contents

  1. Introduction to SMTP Enumeration
  2. Understanding SMTP
  3. Connecting to the Target with SMTP Open
  4. Enumerating SMTP Users
    1. Using VRFY Command
    2. Using EXPN Command
    3. Using RCPT TO Command
  5. SMTP Enumeration Tools
  6. Practical Examples
  7. Defense and Mitigation
  8. References

Introduction to SMTP Enumeration

SMTP (Simple Mail Transfer Protocol) is primarily used for email exchange, typically on port 25. Penetration testers exploit SMTP to conduct user enumeration by querying the server to verify if certain users exist. This enumeration helps in identifying potential email addresses or valid accounts for further attacks, such as phishing or brute-forcing.

Understanding SMTP

SMTP includes commands for email exchange and server communication. Commands used for enumeration—VRFY, EXPN, and RCPT TO—allow different levels of interaction depending on server configuration and security settings.

SMTP Command Overview

  • VRFY: Checks if a specified username exists on the server.
  • EXPN: Expands aliases or mailing lists to reveal individual addresses.
  • RCPT TO: Used during email transmission to specify recipients, often used to verify users.

Some servers may disable these commands to prevent enumeration, especially those hardened against such techniques.

Connecting to the Target with SMTP Open

After identifying systems with port 25 open, connect to them using Netcat (or Telnet) to interact directly with the SMTP service and test for user enumeration.

Connect to SMTP with Netcat

Use Netcat to establish a connection to the target SMTP server:

nc TARGET_IP 25

Replace TARGET_IP with the IP address of the server that has SMTP open. Once connected, the server may respond with an SMTP banner, indicating that it’s ready to receive commands.

Enumerating SMTP Users

Once connected, you can use commands like VRFY, EXPN, and RCPT TO to enumerate users.

1. Using VRFY Command

The VRFY command checks if a user exists on the SMTP server.

Syntax and Example

VRFY <username>

Practical Usage

nc TARGET_IP 25
VRFY johndoe

Expected Responses:

  • 250 OK - User johndoe exists (valid user)
  • 550 No such user here (user does not exist)

Note: VRFY may also return details like the full name or email address, but many servers disable this command to prevent enumeration.

2. Using EXPN Command

The EXPN command expands a mailing list to show individual addresses.

Syntax and Example

EXPN <group-alias>

Practical Usage

nc TARGET_IP 25
EXPN support_team

Expected Responses:

  • 250 OK - List expanded (with user list if valid)
  • 550 Requested action not taken: mailbox unavailable (alias does not exist or is protected)

3. Using RCPT TO Command

Typically used in email sending, the RCPT TO command can verify email addresses for enumeration.

Syntax and Example

RCPT TO:<user@domain>

Practical Usage

nc TARGET_IP 25
MAIL FROM:<tester@domain>
RCPT TO:<johndoe@domain>

Expected Responses:

  • 250 OK - Recipient exists (user exists)
  • 550 No such user here (user does not exist)

This command is often effective since many servers don’t explicitly block it.

SMTP Enumeration Tools

Several tools automate SMTP enumeration:

  • Metasploit Framework: Includes auxiliary modules for SMTP enumeration.

    use auxiliary/scanner/smtp/smtp_enum
set RHOSTS target_ip
set USER_FILE /path/to/userlist.txt
run

  • Nmap NSE Scripts: Nmap’s smtp-enum-users script enumerates users.

    nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.userdb=userlist.txt target_ip

  • Telnet: Basic enumeration can also be done using Telnet.

  • Python Scripts: Custom scripts allow flexibility and can be tailored for specific SMTP commands.

Practical Examples

Example 1: Enumerating Users with Metasploit

Using Metasploit’s smtp_enum module for SMTP enumeration:

use auxiliary/scanner/smtp/smtp_enum
set RHOSTS 192.168.1.10
set USER_FILE /path/to/usernames.txt
run

Example 2: Nmap Enumeration Script

Using Nmap’s smtp-enum-users NSE script for user enumeration:

nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.userdb=userlist.txt 192.168.1.10

Example 3: Connecting with Netcat for Basic Enumeration

  1. Establish a connection to SMTP with Netcat:

    nc 192.168.1.10 25

  2. Use VRFY and EXPN commands to verify users:

    VRFY admin
EXPN sales_team

Defense and Mitigation

To mitigate SMTP enumeration:

  1. Disable VRFY and EXPN: Configure the SMTP server to disable these commands.
  2. Use Firewalls: Restrict SMTP access to trusted IPs only.
  3. Logging and Monitoring: Regularly monitor SMTP traffic for unusual activity.
  4. Rate Limiting: Set limits to prevent brute-force or repeated enumeration attempts.

References