SMTP User Enumeration

SMTP user enumeration is a technique used to discover valid email addresses or usernames on a target mail server, providing valuable information for subsequent attacks.

Attack Summary: Exploiting SMTP commands and responses to identify valid email addresses and usernames on a target mail server, which can be used for phishing, password spraying, or other attacks.

Background: SMTP Commands for User Verification

Several SMTP commands can be used to verify whether a specific email address or username exists on a mail server:

VRFY (Verify): Confirms whether a specific username exists on the server
EXPN (Expand): Returns the membership of a mailing list
RCPT TO: Specifies the recipient of an email during the SMTP transaction

In a properly secured environment, these commands should be restricted or should not reveal detailed information about valid users. However, many mail servers are misconfigured and provide different responses for valid versus invalid users, allowing attackers to enumerate valid accounts.

Attack Methodology

SMTP user enumeration involves using various SMTP commands to determine whether specific email addresses or usernames exist on a target mail server.

VRFY Command Enumeration

Using the VRFY command to verify usernames

The VRFY command is designed to verify whether a specific username exists on the server. When used with a valid username, the server typically returns a positive response.

VRFY Command Example

Using VRFY to check if usernames exist

# Connect to the target SMTP server telnet mail.example.com 25 # Initiate SMTP conversation HELO attacker.com # Try to verify a username VRFY john 250 2.1.5 <john@example.com> # Try an invalid username VRFY nonexistent 550 5.1.1 User unknown

Explanation: In this example, the attacker uses the VRFY command to check if the username 'john' exists on the server. The server responds with a '250' code, indicating that the user exists, and even provides the full email address. When trying a non-existent username, the server responds with a '550' error code. By comparing these responses, the attacker can determine which usernames are valid.

VRFY Response Codes

Different response codes indicate different status:

250: User exists (positive response)
550: User does not exist (negative response)
551: User not local, forwarding address given
252: Cannot verify user, but will accept message and attempt delivery
502: Command not implemented (VRFY disabled)
503: Bad sequence of commands

EXPN Command Enumeration

Using the EXPN command to expand mailing lists

The EXPN command is designed to expand a mailing list and show all the recipients. This can reveal multiple valid email addresses in a single query.

EXPN Command Example

Using EXPN to expand mailing lists

# Connect to the target SMTP server telnet mail.example.com 25 # Initiate SMTP conversation HELO attacker.com # Try to expand a mailing list EXPN sales 250 2.1.5 <john@example.com> 250 2.1.5 <mary@example.com> 250 2.1.5 <bob@example.com> # Try an invalid list EXPN nonexistent 550 5.1.1 Unknown list

Explanation: In this example, the attacker uses the EXPN command to expand the 'sales' mailing list. The server responds with multiple '250' codes, each containing a valid email address that is part of the list. When trying a non-existent list, the server responds with a '550' error code. This technique can reveal multiple valid email addresses with a single query.

EXPN Security Implications

The EXPN command can reveal sensitive information:

Multiple users: Reveals all members of a mailing list
Organizational structure: Can reveal department structures and hierarchies
Naming conventions: Helps identify username patterns
External forwarding: May reveal external email addresses

Due to these security concerns, many modern mail servers disable the EXPN command by default.

RCPT TO Enumeration

Using the RCPT TO command to verify recipients

The RCPT TO command is used during the SMTP transaction to specify the recipient of an email. Even when VRFY and EXPN are disabled, the RCPT TO command often provides different responses for valid versus invalid recipients.

RCPT TO Command Example

Using RCPT TO to verify recipients

# Connect to the target SMTP server telnet mail.example.com 25 # Initiate SMTP conversation HELO attacker.com MAIL FROM: <attacker@attacker.com> # Try a valid recipient RCPT TO: <john@example.com> 250 2.1.5 Recipient ok # Try an invalid recipient RCPT TO: <nonexistent@example.com> 550 5.1.1 User unknown

Explanation: In this example, the attacker initiates an SMTP transaction with the HELO and MAIL FROM commands, then uses the RCPT TO command to specify recipients. The server responds with a '250' code for a valid recipient and a '550' error code for an invalid recipient. By comparing these responses, the attacker can determine which email addresses are valid, even if VRFY and EXPN are disabled.

RCPT TO vs. VRFY/EXPN

RCPT TO enumeration has several advantages over VRFY/EXPN:

More reliable: RCPT TO is rarely disabled as it's essential for mail delivery
More stealthy: Looks like a normal mail transaction
Works with restrictions: Often works even when VRFY/EXPN are disabled
Can test full addresses: Tests complete email addresses, not just usernames

However, it requires more commands per test and may be rate-limited or logged more extensively.

Automated Enumeration Tools

Several tools can automate the process of SMTP user enumeration:

smtp-user-enum: A dedicated Perl script for SMTP user enumeration that supports VRFY, EXPN, and RCPT TO methods
Metasploit: Contains several modules for SMTP enumeration, including auxiliary/scanner/smtp/smtp_enum
Nmap: Includes NSE scripts like smtp-enum-users.nse for SMTP user enumeration
THC-Hydra: Can be used for SMTP user enumeration in addition to brute-force attacks

Example: Using smtp-user-enum

# VRFY enumeration
smtp-user-enum -M VRFY -U users.txt -t mail.example.com

# EXPN enumeration
smtp-user-enum -M EXPN -U lists.txt -t mail.example.com

# RCPT TO enumeration
smtp-user-enum -M RCPT -U users.txt -t mail.example.com -f sender@example.com

This tool automates the process of testing multiple usernames against a target mail server using different methods.

Impact

SMTP user enumeration can have significant impacts:

Identification of valid email addresses for phishing campaigns
Discovery of username patterns for password guessing or brute-force attacks
Mapping of organizational structure and hierarchy
Preparation for more targeted attacks against specific users
Information gathering for social engineering attacks

Detection

Organizations can detect SMTP user enumeration attempts by:

Monitoring mail server logs for multiple VRFY, EXPN, or failed RCPT TO commands
Implementing intrusion detection systems that recognize patterns of SMTP enumeration
Setting up honeypot accounts to detect enumeration attempts
Monitoring for unusual SMTP traffic patterns or volumes
Implementing rate limiting for SMTP commands

Mitigation

To protect against SMTP user enumeration, organizations should:

Disable VRFY and EXPN: Configure the mail server to disable or restrict these commands
Standardize error messages: Configure the mail server to return the same error message for both valid and invalid recipients
Implement rate limiting: Limit the number of SMTP commands that can be issued from a single IP address
Use a mail gateway: Place a mail gateway in front of the internal mail server to filter enumeration attempts
Monitor logs: Regularly review mail server logs for enumeration attempts
Implement authentication: Require authentication before accepting SMTP commands
Use delayed responses: Implement tarpitting to slow down enumeration attempts

Testing

Security professionals can test for SMTP user enumeration vulnerabilities using the following approach:

Identify mail servers using port scanning (port 25, 465, 587)
Test VRFY, EXPN, and RCPT TO commands with known valid and invalid usernames
Compare responses to determine if the server leaks information about valid users
Use automated tools to test multiple usernames efficiently
Document findings and recommend appropriate mitigations

References

RFC 5321: "Simple Mail Transfer Protocol." https://tools.ietf.org/html/rfc5321
OWASP: "Testing for SMTP." https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism
smtp-user-enum: "SMTP User Enumeration Tool." https://github.com/pentestmonkey/smtp-user-enum
Nmap NSE Documentation: "smtp-enum-users." https://nmap.org/nsedoc/scripts/smtp-enum-users.html

Previous: STARTTLS Downgrade Attacks Next: SMTP Command Injection