Port 25 – SMTP

How to enumerate port 25 (SMTP)


SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. It normally works together with one of two other protocols, POP3 or IMAP, which let the user keep messages in a server mailbox and download them regularly from the server. In other words, users typically run a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving it.

The SMTP server has a database of all the email addresses that can send or receive mail. We can use SMTP to query that database for potential email addresses.

Nmap scripts:

nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 <target>

Users enumeration:

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands.

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t <target>


msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS                                                                    yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.
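
On the mail server's side, the VRFY, EXPN and RCPT TO probing described above shows up as one client guessing many distinct names. The following is an added example, not part of the original post or of the tools shown, that flags such clients in SMTP logs. The log format, the sample lines, the `find_enumeration` name and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, hypothetical log format:
#   <time> <client-ip> <SMTP command> -> <reply code>
SAMPLE_LOG = """\
10:00:01 203.0.113.7 VRFY root -> 250
10:00:01 203.0.113.7 VRFY admin -> 550
10:00:02 203.0.113.7 VRFY backup -> 550
10:00:02 203.0.113.7 EXPN staff -> 550
10:00:03 203.0.113.7 RCPT TO:<oracle@example.test> -> 550
10:00:03 203.0.113.7 RCPT TO:<www-data@example.test> -> 550
10:05:10 198.51.100.20 RCPT TO:<alice@example.test> -> 250
10:05:11 198.51.100.20 RCPT TO:<bobb@example.test> -> 550
10:07:30 192.0.2.44 VRFY postmaster -> 252
"""

LINE = re.compile(
    r"^\S+ (?P<ip>\S+) (?P<cmd>VRFY|EXPN|RCPT TO:)\s*<?(?P<name>[^>\s]+)>?"
    r" -> (?P<code>\d{3})$", re.I)

def find_enumeration(log_text, threshold=5):
    """Return clients that guessed at least `threshold` distinct names."""
    probed = defaultdict(set)     # ip -> distinct names guessed
    confirmed = defaultdict(set)  # ip -> names the server confirmed
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, cmd, code = m["ip"], m["cmd"].upper(), m["code"]
        name = m["name"].lower()
        is_rcpt = cmd.startswith("RCPT")
        # Legitimate mail also uses RCPT TO, so only rejected
        # recipients (5xx) are counted as guesses for that command.
        if not is_rcpt or code.startswith("5"):
            probed[ip].add(name)
        # 250/251 to VRFY/EXPN confirms an account; 252 does not.
        if not is_rcpt and code in ("250", "251"):
            confirmed[ip].add(name)
    return {ip: {"probed": len(names), "confirmed": sorted(confirmed[ip])}
            for ip, names in probed.items() if len(names) >= threshold}

if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty `confirmed` list means the server is answering VRFY/EXPN with 250/251 and is disclosing valid accounts; replying 252 or disabling those commands removes that signal.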

Connect to mail server through Evolution:

apt-get install evolution

