SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used for sending and receiving e-mail. It normally works together with one of two other protocols, POP3 or IMAP, which let the user keep messages in a server mailbox and download them regularly from the server. In other words, users typically run a mail program that uses SMTP to send e-mail and either POP3 or IMAP to receive it.
The SMTP server has a database of all the e-mail addresses that can receive or send mail. We can use SMTP to query that database for potential e-mail addresses.
Nmap scripts:
nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 192.168.1.101
User enumeration:
smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands.
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.1.101
Metasploit:
msf > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS                                                                    yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.
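Enumeration through VRFY and RCPT TO, as described above, shows up in the mail log as one client collecting "user unknown" rejections for many different names. The following is an added example, not part of the original page: a detector for that pattern, assuming Postfix-style smtpd reject lines. The log lines, the threshold and the name find_enumeration are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log shape: Postfix smtpd reject lines; adapt the regex for other MTAs.
REJECT = re.compile(
    r"reject: (?:RCPT|VRFY) from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"55\d [\d.]+ <(?P<rcpt>[^>]*)>: .*User unknown"
)

# Constructed sample data (not taken from a real server).
TEMPLATE = (
    "Jan 10 09:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: {cmd} from unknown[{ip}]: "
    "550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient table"
)
EVENTS = [
    ("VRFY", "192.168.1.50", "admin"),
    ("VRFY", "192.168.1.50", "oracle"),
    ("RCPT", "192.168.1.50", "test"),
    ("RCPT", "192.168.1.50", "backup"),
    # A legitimate sender retrying one mistyped address: many rejects, one name.
    ("RCPT", "10.0.0.7", "jsmiht@example.test"),
    ("RCPT", "10.0.0.7", "jsmiht@example.test"),
    ("RCPT", "10.0.0.7", "jsmiht@example.test"),
]
SAMPLE_LOG = [TEMPLATE.format(cmd=c, ip=i, rcpt=r) for c, i, r in EVENTS]
SAMPLE_LOG.append("Jan 10 09:00:02 mail postfix/smtpd[2101]: connect from unknown[10.0.0.7]")


def find_enumeration(lines, threshold=3):
    """Return {client_ip: sorted unknown names} for clients that were rejected
    for at least `threshold` distinct nonexistent recipients."""
    probes = defaultdict(set)
    for line in lines:
        m = REJECT.search(line)
        if m:
            # Count distinct names, so retries of one bad address do not trip the alert.
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(names) for ip, names in probes.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unknown recipients probed: {', '.join(names)}")
```

Counting distinct names rather than raw rejections keeps a sender who retries a single mistyped address below the threshold.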
Connect to the mail server through Evolution:
apt-get install evolution