HOWTO use NMAP for SMTP Enumeration

Run the command nc -nv 10.11.1.215 25 to check the mail server.

[Image: 20160721.SMTP.Enumeration1]

VRFY bob returns the SMTP success code 250, while a failed lookup returns SMTP code 550. We will use the success code 250 in a script in the next example.

This is a sample of SMTP enumeration using a users.txt list that you collected through passive gathering. The command is:

for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 10.11.1.215 25 2>/dev/null | grep '^250'; done

For each name in users.txt, the loop echoes a VRFY command with that user name and pipes it to netcat, which connects to the mail server on port 25. Any error messages are redirected to /dev/null, and grep keeps only the lines of the remaining output that begin with 250, the SMTP code for a successful result. The loop then completes; see the results below.

[Image: 20160721.SMTP.Enumeration]

How about using a Python script? Here’s an example vrfy.py file.

[Image: 20160721.SMTP.Enumeration.Using.PythonScript]

The script imports the Python modules socket and sys, then checks its parameters to make sure the syntax is used correctly. It connects to the SMTP server 192.168.31.215 on port 25, receives the banner and prints it.

Once printed, the script will send the VRFY command together with the username, then print the result and close the socket.

Run the script to verify the username bob.

# ./vrfy.py bob [enter]; you will see the result 250 2.1.5 <bob@test.king.net>

And for an unknown user:

#./vrfy.py idontexist [enter]; result 550 5.1.1 idontexist … User unknown
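
A defender-side check built on the same 250/550 difference, as an added example that is not part of the original article: it sends VRFY for one known mailbox and one made-up name to a mail server you administer and reports whether the replies distinguish them. The function names, the nouser- prefix and the second and third sample replies are assumptions constructed for illustration.

```python
import smtplib
import sys
import uuid

# RFC 5321 reply codes a server may give to VRFY.
CONFIRMS = {250, 251}      # mailbox recognised (251: will be forwarded)
REJECTS = {550, 551, 553}  # mailbox not recognised or not local


def reply_code(line: str) -> int:
    """Return the three-digit code that starts an SMTP reply line."""
    return int(line[:3])


def assess(code_known: int, code_bogus: int) -> str:
    """Compare the VRFY reply for a real mailbox with one for a made-up name."""
    if code_known == code_bogus:
        return "no-disclosure"    # same answer either way (e.g. 252 or 502)
    if code_known in CONFIRMS and code_bogus in REJECTS:
        return "discloses-users"  # the 250/550 split that grep '^250' relies on
    return "review"               # mixed replies (e.g. a 4xx throttle): check by hand


def audit_vrfy(host: str, known_user: str, port: int = 25) -> str:
    """Send two VRFY commands to a server you administer and classify it."""
    bogus = "nouser-" + uuid.uuid4().hex[:12]  # constructed name, should not exist
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        code_known, _ = smtp.verify(known_user)
        code_bogus, _ = smtp.verify(bogus)
    return assess(code_known, code_bogus)


# Reply pairs: the first is the article's own output, the others are constructed.
SAMPLES = [
    ("250 2.1.5 <bob@test.king.net>", "550 5.1.1 idontexist … User unknown"),
    ("252 2.0.0 Cannot VRFY user", "252 2.0.0 Cannot VRFY user"),
    ("502 5.5.1 VRFY command is disabled", "502 5.5.1 VRFY command is disabled"),
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: vrfy_audit.py <host> <known-user>
        print(audit_vrfy(sys.argv[1], sys.argv[2]))
    else:
        for known, bogus in SAMPLES:
            print(assess(reply_code(known), reply_code(bogus)), "<-", known)
```

A result of discloses-users means the server answers VRFY differently for real and unknown mailboxes, which is what the loop above depends on; a server that answers 252 or 502 to both gives the loop nothing to grep.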


Support @QUE.COM
