SMTP Pentest Guide
SMTP User Enumeration

Techniques to discover valid email addresses and user accounts through SMTP server interactions.

Legal Warning

This information is provided for educational purposes only. Always obtain proper authorization before performing any security testing. Unauthorized testing or attacks against email systems is illegal and unethical.

What is SMTP User Enumeration?

SMTP User Enumeration is a technique used during the reconnaissance phase of a penetration test to identify valid email addresses and user accounts on a target organization. By interacting with SMTP servers and analyzing their responses, penetration testers can determine which email addresses exist on the server.

This information is valuable for several reasons:

  • It provides a list of potential targets for phishing campaigns
  • It can reveal naming conventions used by the organization
  • It may expose technical or administrative accounts
  • It can be used as a starting point for password attacks

Security Impact

While SMTP User Enumeration itself doesn't directly compromise systems, it provides attackers with valuable information that can be used in subsequent attacks:

  • Targeted phishing attacks against confirmed email addresses
  • Password spraying or brute force attacks against identified accounts
  • Social engineering attacks using information about organizational structure
  • Identifying potential high-value targets (executives, IT administrators, etc.)

SMTP Enumeration Methods

There are several methods to perform SMTP enumeration. Each method exploits different aspects of the SMTP protocol to verify the existence of email addresses.

Method 1: VRFY Command

The VRFY (verify) command is used to verify if a specific username exists on the mail server. Many mail servers have this command enabled by default, though it's often disabled in modern configurations for security reasons.

$ nc -v mail.example.com 25

# Once connected, you should see a banner like:
220 mail.example.com ESMTP Postfix

HELO test.com

250 mail.example.com

VRFY admin

# Possible responses:
# 250 admin <admin@example.com> (User exists)
# 550 admin... User unknown (User doesn't exist)
# 502 VRFY disallowed (Command disabled)

Success Indicator: If you receive a "250" response code, the username exists on the server. This confirms a valid email account.

VRFY Automation Script

Python script to automate VRFY enumeration

#!/usr/bin/python3
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: smtp_vrfy.py <server> <userlist>")
    sys.exit(0)

server = sys.argv[1]
userlist = sys.argv[2]

# Create a socket and connect to the server on port 25
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, 25))

# Receive the banner
banner = s.recv(1024)
print(banner.decode())

# Send HELO
s.send(b'HELO test.com\r\n')
result = s.recv(1024)
print(result.decode())

# Open userlist file and send one VRFY per username
with open(userlist, 'r') as f:
    for user in f:
        user = user.strip()
        if not user:
            continue  # skip blank lines in the wordlist
        # VRFY command
        s.send(('VRFY ' + user + '\r\n').encode())
        result = s.recv(1024)
        print(user + ': ' + result.decode().strip())

# End the session cleanly and close the socket
s.send(b'QUIT\r\n')
s.close()
Explanation: This Python script automates the VRFY enumeration process. It takes a server address and a file containing a list of usernames as input, then attempts to verify each username using the VRFY command.

Method 2: EXPN Command

The EXPN (expand) command is used to expand a mailing list and reveal the users within it. This can provide valuable information about groups and users.

$ nc -v mail.example.com 25

# Once connected, you should see a banner like:
220 mail.example.com ESMTP Postfix

HELO test.com

250 mail.example.com

EXPN support

# Possible responses:
# 250-john@example.com
# 250-jane@example.com
# 250 mark@example.com
# (This reveals all members of the 'support' mailing list)
# 550 Access denied (Command disabled)

Success Indicator: If you receive a "250" response code with email addresses, you've successfully expanded a mailing list and identified multiple users at once.

Method 3: RCPT TO Command

The RCPT TO command is used during the mail delivery process to specify recipients. This method works even when VRFY and EXPN are disabled, making it the most reliable method for user enumeration.

$ nc -v mail.example.com 25

# Once connected, you should see a banner like:
220 mail.example.com ESMTP Postfix

HELO test.com

250 mail.example.com

MAIL FROM:<test@test.com>

250 2.1.0 Ok

RCPT TO:<admin@example.com>

# Possible responses:
# 250 2.1.5 Ok (User exists)
# 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown (User doesn't exist)

QUIT

Success Indicator: If you receive a "250" response code, the email address exists. This method is often more reliable as it's testing the actual mail delivery process.
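The replies in the EXPN and RCPT TO transcripts above show two things a script has to handle: a reply may span several lines ("250-" continuation lines followed by a final "250 " line), and the reply code sits at the start of each line, so checking whether "250" appears anywhere in the buffer can misread a rejection. The following is an added example, not code from the original guide, that parses one complete reply and classifies it; the function names are mine and the sample replies are constructed from the transcripts on this page.

```python
import re

# Added example, not part of the original guide. An SMTP reply can span
# several lines ("250-..." continuation lines, then a final "250 ..." line),
# so searching for the substring "250" anywhere in the buffer is unreliable;
# parse the reply, then act on its code.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_reply(raw):
    """Return (code, [text lines]) for one complete reply; raise on garbage."""
    code, texts = None, []
    for line in raw.decode("utf-8", "replace").splitlines():
        m = REPLY_LINE.match(line)
        if not m or (code is not None and int(m.group(1)) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(m.group(1))
        texts.append(m.group(3))
        if m.group(2) == " ":            # space after the code = last line
            return code, texts
    raise ValueError("incomplete reply: no terminating line")


def classify(raw):
    """Map a VRFY/EXPN/RCPT TO reply to what it says about the address."""
    code, _ = parse_reply(raw)
    if code == 250:
        return "exists"
    if code == 252:                      # RFC 5321: will accept, won't verify
        return "inconclusive"
    if code in (500, 502):               # command unknown or disabled
        return "disabled"
    if 400 <= code < 500:                # greylisting, rate limits: retry later
        return "temporary-failure"
    if code == 550:
        return "unknown"
    return "rejected" if code >= 500 else "other"


def expn_members(raw):
    """Addresses listed in a successful EXPN reply (empty unless code 250)."""
    code, texts = parse_reply(raw)
    return ADDRESS.findall(" ".join(texts)) if code == 250 else []


# Constructed replies, taken from the transcripts in this guide
EXPN_REPLY = b"250-john@example.com\r\n250-jane@example.com\r\n250 mark@example.com\r\n"
RCPT_REJECT = b"550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown\r\n"
VRFY_OFF = b"502 VRFY disallowed\r\n"
```

The same parser is what a defender needs when checking whether their own server answers VRFY, EXPN or RCPT TO differently for existing and non-existing addresses.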

RCPT TO Automation Script

Python script to automate RCPT TO enumeration

#!/usr/bin/python3
import socket
import sys

if len(sys.argv) != 3:
    print("Usage: smtp_rcpt.py <server> <userlist>")
    sys.exit(0)

server = sys.argv[1]
userlist = sys.argv[2]
domain = server  # You might want to customize this (the mail domain, not the host name)


def check_user(user):
    """Open a fresh connection for each address to avoid timeouts and
    per-session recipient limits; return True if RCPT TO is accepted."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((server, 25))
    s.recv(1024)  # Banner
    # Send HELO
    s.send(b'HELO test.com\r\n')
    s.recv(1024)
    # Send MAIL FROM
    s.send(b'MAIL FROM:<test@test.com>\r\n')
    s.recv(1024)
    # RCPT TO command
    s.send(('RCPT TO:<' + user + '@' + domain + '>\r\n').encode())
    result = s.recv(1024)
    # Close the session and the socket for every user, not just the last one
    s.send(b'QUIT\r\n')
    s.close()
    # The reply code is at the start of the line; "250" elsewhere in the text is not a match
    return result.startswith(b'250')


# Open userlist file
with open(userlist, 'r') as f:
    for user in f:
        user = user.strip()
        if not user:
            continue  # skip blank lines in the wordlist
        if check_user(user):
            print(f"[+] {user}@{domain}: VALID")
        else:
            print(f"[-] {user}@{domain}: INVALID")
Explanation: This Python script automates the RCPT TO enumeration process. It takes a server address and a file containing a list of usernames as input, then attempts to verify each email address using the RCPT TO command.

Method 4: Using Automated Tools

Several tools can automate the SMTP enumeration process, making it more efficient for penetration testers.

Option 1: Using Metasploit

$ msfconsole

msf6 > use auxiliary/scanner/smtp/smtp_enum

msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS mail.example.com

msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt

msf6 auxiliary(scanner/smtp/smtp_enum) > run

Option 2: Using smtp-user-enum

$ smtp-user-enum -M VRFY -U /path/to/userlist.txt -t mail.example.com

# For EXPN method:

$ smtp-user-enum -M EXPN -U /path/to/userlist.txt -t mail.example.com

# For RCPT method:

$ smtp-user-enum -M RCPT -U /path/to/userlist.txt -t mail.example.com

Option 3: Using Nmap

$ nmap --script smtp-enum-users.nse -p 25 mail.example.com

Protecting Against SMTP Enumeration

Organizations can implement several measures to protect against SMTP enumeration:

  • Disable unnecessary SMTP commands (VRFY, EXPN) if not required
  • Implement rate limiting to prevent brute force enumeration attempts
  • Configure proper error messages that don't reveal whether a user exists
  • Use a mail gateway or proxy to filter direct access to mail servers
  • Implement proper logging and monitoring to detect enumeration attempts
  • Consider using catch-all email addresses to make enumeration more difficult
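The logging and monitoring point above needs something concrete to look for: an enumeration run against a server that rejects unknown recipients looks like one client collecting "550 5.1.1 ... User unknown" rejections for many different recipients in a short time, while a real sender mistyping an address produces one. The following is an added example, not code from the original guide, that flags such clients in Postfix-style smtpd rejection logs; the log lines, the threshold, the time window and the year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not part of the original guide: spot RCPT TO enumeration in
# mail logs as one client racking up "User unknown" rejections for many
# distinct recipients. THRESHOLD, WINDOW and YEAR are assumptions.
THRESHOLD = 5                    # distinct unknown recipients ...
WINDOW = timedelta(minutes=10)   # ... within this span flags the client
YEAR = 2024                      # syslog timestamps carry no year

REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown")


def find_enumerators(log_lines):
    """Return {client_ip: peak distinct unknown recipients within WINDOW} for
    every client that reached THRESHOLD. Lines must be in time order."""
    recent = defaultdict(deque)          # ip -> deque of (time, recipient)
    flagged = {}
    for line in log_lines:
        m = REJECT.match(line)
        if not m:
            continue                     # not a user-unknown RCPT rejection
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while ts - q[0][0] > WINDOW:     # expire events outside the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct >= THRESHOLD:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged


# Constructed Postfix-style lines: 203.0.113.5 walks a wordlist, while
# 198.51.100.9 is a legitimate sender that mistyped one recipient.
SAMPLE_LOG = [
    f"Mar  5 10:00:{i:02d} mail postfix/smtpd[2314]: NOQUEUE: reject: RCPT from "
    f"unknown[203.0.113.5]: 550 5.1.1 <{u}@example.com>: Recipient address "
    f"rejected: User unknown in local recipient table; from=<test@test.com> "
    f"to=<{u}@example.com> proto=SMTP helo=<test.com>"
    for i, u in enumerate(["root", "admin", "info", "sales", "hr", "dev"])
] + [
    "Mar  5 10:03:12 mail postfix/smtpd[2320]: NOQUEUE: reject: RCPT from "
    "mx1.partner.test[198.51.100.9]: 550 5.1.1 <jonh@example.com>: Recipient "
    "address rejected: User unknown in local recipient table; "
    "from=<alice@partner.test> to=<jonh@example.com> proto=ESMTP helo=<mx1.partner.test>",
]
```

Run it over a day of smtpd logs in the same format; a client that trips the threshold is a candidate for rate limiting or blocking at the gateway, and the same counter can be moved to a VRFY or EXPN rejection pattern where those commands are still enabled.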

Conclusion

SMTP User Enumeration is a valuable technique for penetration testers to gather information about email infrastructure and valid user accounts. By understanding these techniques, security professionals can both test for vulnerabilities and implement appropriate protections.

Remember to always obtain proper authorization before performing any security testing, and follow responsible disclosure practices if vulnerabilities are identified.