Open In App

SMTP Enumeration

Last Updated : 16 Sep, 2022
Improve
Improve
Like Article
Like
Save
Share
Report

SMTP (Simple Mail Transfer Protocol) is a set of communication guidelines that allow web applications to perform communication tasks over the internet, including emails. It is a part of the TCP/IP protocol and works on moving emails across the network. SMTP enumeration allows us to identify valid users on the SMTP server. This is done with the built-in SMTP commands using them. VRFY – This command is used to authenticate the user. EXPN – This command displays the actual mailing address for aliases and mailing lists. RCPT TO – It identifies the recipient of the message. SMTP enumeration is a technique used to enumerate the SMTP service that is running on the target server.

Pre-Defined Commands:

  • VRFY: It is used to validate the user on the server.
  • EXPN: It is used to find the delivery address of mail aliases
  • RCPT TO: It points to the recipient’s address.

Test for SMTP Enumeration:

SMTP enumeration can be performed by using different tools and scripts like telnet, Nmap, and smtp-user-enum.

1. Using Telnet for SMTP enumeration:

 Telnet comes in handy in SMTP enumeration as it provides a communication channel with the host. 

$ telnet <domain name/ip> <port no.>

Example:

Telnet scan

 

later you can use EXPN, MAIL FROM, and RCPT TO after connecting to the target host.

2. Using Nmap for SMTP enumeration:

 Nmap is a powerful tool and is used in different enumeration phases. Nmap provides special scripts for SMTP enumeration. smtp-enum-users is one of the scripts that is provided by Nmap.

 $sudo nmap -p 25 --script = 
 smtp-enum-users <target Domain/IP>

Example:

Nmap Scan

SMTP enumeration using Nmap

3. Using Metasploit for SMTP Enumeration:

Metasploit provides two SMTP auxiliary Modules i.e., smtp_enum and smtp_version. Both are used for SMTP enumeration and provide adequate information about the SMTP server. 

smtp_enum:

msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) set RHOSTS <IP address/target>
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) set USER_FILE <address of file>
msf auxiliary(smtp_enum) run

Example:

metasploit framework

 

smtp_version:

msf > use auxiliary/scanner/smtp/smtp_version
msf auxiliary(smtp_version) >
set RHOSTS <IP address of target>
msf auxiliary(smtp_version) > 
set threads 250
msf auxiliary(smtp_version) > 
run

Example:

metasploit auxiliary

 


Like Article
Suggest improvement
Previous
What is DNS Enumeration?
Next
LDAP Enumeration
Share your thoughts in the comments

Similar Reads

What is SMTP Header Injection?
SMTP Injection
Testing For IMAP SMTP Injection
SMB Enumeration
User Enumeration in Ethical Hacking
What is RPC Enumeration?
What is Security Testing in Enumeration?
What is NTP Enumeration?
What is IPsec Enumeration?
What is DNS Enumeration?
author
0xshivam
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox