# SMTP Enumeration (Port 25)

## Quick Intro <a href="#quick-intro" id="quick-intro"></a>

* Used to send, receive, and relay outgoing emails
* Uses port 25
* Main attacks are user enumeration and using an open relay to send spam

## NSE

```
nmap 192.168.1.101 --script="smtp*" -p 25

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
```

## User Enumeration <a href="#user-enumeration" id="user-enumeration"></a>

```
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

# For multiple servers
for server in $(cat smtpmachines); do
  echo "****************** $server *****************"
  smtp-user-enum -M VRFY -U userlist.txt -t "$server"
done
```

## Connection

```
telnet $ip 25
```

### Command to check if a user exists <a href="#command-to-check-if-a-user-exists" id="command-to-check-if-a-user-exists"></a>

```
VRFY root
```

### Command to ask the server if a user belongs to a mailing list <a href="#command-to-ask-the-server-if-a-user-belongs-to-a-mailing-list" id="command-to-ask-the-server-if-a-user-belongs-to-a-mailing-list"></a>

```
EXPN root
```
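
Seen from the mail server's side, the VRFY/EXPN probing above shows up as one client asking about many distinct names in a short time. The following is an added example, not part of the original page: it flags such clients in a command log and lists which names the server confirmed. The log layout, the sample lines, and the names `parse`, `find_enumeration`, `window` and `min_names` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log, one SMTP command per line:
#   <epoch seconds> <client ip> <verb> <argument> <reply code>
# This layout is an assumption; adapt parse() to your MTA or proxy log.
SAMPLE_LOG = """\
1700000000 198.51.100.7 VRFY root 252
1700000001 203.0.113.9 VRFY root 250
1700000002 203.0.113.9 VRFY admin 550
1700000003 203.0.113.9 vrfy backup 550
1700000004 203.0.113.9 EXPN staff 250
1700000005 203.0.113.9 VRFY www-data 250
1700000300 198.51.100.7 VRFY postmaster 252
"""

PROBE_VERBS = {"VRFY", "EXPN"}
# RFC 5321 replies: 250/251 confirm the name; 252 and 502 reveal nothing.
CONFIRMING = {"250", "251"}


def parse(log):
    """Yield (ts, ip, name, code) for well-formed VRFY/EXPN lines only."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[2].upper() in PROBE_VERBS:
            yield int(parts[0]), parts[1], parts[3].lower(), parts[4]


def find_enumeration(log, window=60, min_names=3):
    """Flag clients probing >= min_names distinct names within `window` s;
    "confirmed" lists the names the server acknowledged (what was learned)."""
    by_ip = defaultdict(list)
    for ts, ip, name, code in parse(log):
        by_ip[ip].append((ts, name, code))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink until the span fits the window
            if len({n for _, n, _ in events[start:end + 1]}) >= min_names:
                findings[ip] = {
                    "names": sorted({n for _, n, _ in events}),
                    "confirmed": sorted({n for _, n, c in events if c in CONFIRMING}),
                }
                break
    return findings
```

A non-empty `confirmed` list means the server answers VRFY/EXPN differently for valid and invalid names; a server that replies 252 or 502 to every probe leaves it empty.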

## Brute Force <a href="#brute-force" id="brute-force"></a>

```
hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
```

## Send email using netcat <a href="#send-email-using-netcat" id="send-email-using-netcat"></a>

{% embed url="<http://www.microhowto.info/howto/send_an_email_using_netcat.html>" %}
