SMTP Enumeration

262

SMTP ( Simple Mail Transfer Protocol ) enumeration is a process used to gather information about a mail server, such as the types of email accounts and users that exist on it. It’s often used by security professionals to assess the security of a mail server, but it can also be used maliciously to find potential targets for spam or phishing attacks. it is part of the Ethical hacking Enumeration Topic.

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol. It’s the protocol used to send emails across the Internet. When you send an email, your email client communicates with an SMTP server to deliver your message. Mail systems commonly use SMTP with POP3 and IMAP, which enable users to save messages on the server. SMTP uses mail exchange (MX) servers to direct mail via DNS.

What is SMTP Enumeration?

SMTP enumeration involves connecting to an SMTP server and using various commands to extract information about the server and the email accounts it manages. The main goal is to identify valid email addresses or user accounts on the server. SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users, based on which we can determine valid users on the SMTP server. it is a part of the Enumeration phase in Ethical Hacking.

how to find smtp server

Finding an SMTP server can be done in several ways, depending on your needs and available information. Here are some common methods:

1. DNS MX Records: Use DNS tools to find the Mail Exchange (MX) records for a domain. MX records indicate the mail servers responsible for receiving email for that domain. Tools: nslookup, dig

nslookup -type=mx example.com

or

dig mx example.com

2. Web Tools: Use online tools like MXToolbox to look up MX records for a domain.
3. Using NMAP: Use Nmap to scan a target for the common SMTP ports.

nmap -p 25,587,465 -T4 -sV <target>

How to Work SMTP?

1. Connecting to the SMTP Server:
   • You start by connecting to the SMTP server using a terminal or a tool designed for SMTP enumeration. The connection is typically made on PORT 25(TCP), 587(SSL), or 465(SSL).
2. HELO/EHLO Command:
   • This command is used to introduce the client to the server. It’s like saying “hello” to the server. The server responds with a greeting.
3. VRFY Command:
   • The VRFY (verify) command is used to check if a specific email address exists on the server. For example, sending VRFY [email protected] will make the server respond to whether the user exists.
4. EXPN Command:
   • The EXPN (expand) command is used to reveal the members of a mailing list. For example, sending EXPN listname will list all the users in that mailing list if the server allows it.
5. RCPT TO Command:
   • The RCPT TO (recipient) command is used during the process of sending an email to specify the recipient’s email address. Some servers will respond differently if the address is valid or invalid, thus revealing whether the address exists.

Example Steps:

Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server.

1. Open a terminal:

   telnet smtp.example.com 25

2. Send EHLO:

   EHLO yourdomain.com

3. Verify a user:

   VRFY [email protected]

4. Expand a mailing list:

   EXPN listname

SMTP Commands

Here is the information formatted as a table:

Command	Meaning	Example
HELO	Specify your domain name so that the mail server knows who you are.	HELO example.com
MAIL	Specify the sender email.	MAIL FROM: [email protected]
RCPT	Specify the recipient. Issue this command multiple times if you have more than one recipient.	RCPT TO: [email protected]
DATA	Specify the sender’s email.
QUIT	Terminates the conversation with the server.
EXPN	Specify that your recipient is a mailing list.
HELP	Asks for help from the mail server.
NOOP	Does nothing except to get a response from the server.
RSET	Aborts the current conversation and starts a new conversation.
SEND	Sends a message to a user’s terminal instead of a mailbox.
SAML	Sends a message to a user’s terminal and to a user’s mailbox.
SOML	Sends a message to a user’s terminal if they are logged on; otherwise, sends the message to the user’s mailbox.
TURN	Reverses the role of client and server. This might be useful if the client program can also act as a server and needs to receive mail from the remote computer.
VRFY	Verifies that a particular user name of a given mail address exists. Not supported by all mail servers.

SMTP Response:

When you send a VRFY command, you might get responses like:

• 250 [email protected] (indicating the user exists)
• 550 No such user here (indicating the user does not exist)

Here’s the table with the return codes in ascending order:

Return Code	Meaning
211	System status or system help response
214	Help information
220	Service ready
221	Service closes the transport channel
235	User verification successful
250	The requested mail action was completed
251	If the user is not local, the response
334	Waiting for the user to enter verification information
354	Format error, command is unrecognizable (this error also includes the command line being too long)
421	If the service is not ready, close the transmission channel (this reply can be used as a response to any command)
450	The requested mail operation was not completed and the mailbox is unavailable (e.g., the mailbox is busy)
451	The requested operation was aborted; an error occurred during processing
452	Insufficient system storage, the requested operation was not performed
500	Format error, command is unrecognizable (this error also includes command line being too long)
501	Parameter format error
502	Command not implementable
503	Wrong command sequence
504	Command parameter is not implementable
535	User authentication failed
550	The requested mail operation was not completed and the mailbox is unavailable (e.g., the mailbox was not found or is not accessible)
551	The user is not local, please try another method
552	Start email input and end with.
553	The mailbox name is not available and the requested operation was not performed (e.g., the mailbox format is incorrect)
554	Operation failed

SMTP Enumeration Tools

Administrators and pen testers can perform SMTP enumeration using command-line utilities. There are various tool available to perform enumeration on Linux systems.

SMTP Enumeration using Nmap

Attackers use Nmap to enumerate information from the target SMTP server. They enumerate the target SMTP server using various SMTP commands available with Nmap Scripting Engine (NSE) scripts.

The following command, when executed, lists all the SMTP commands available in the Nmap directory: command structure.

nmap -p 25, 365, 587 -script=smtp-commands <Target IP Address > 

Some Example:

1. Run the following command to identify SMTP open relays:

nmap -p 25 -script=smtp-open-relay <Target IP Address> 

2. Run the following command to enumerate all the mail users on the SMTP server:

nmap -p 25 -script=smtp-enum-users <Target IP Address> 

SMTP Enumeration using Metasploit

Attackers use the Metasploit framework to enumerate SMTP users. The SMTP server uses its inbuilt method VRFY to validate the usernames in the wordlist file with the users present on the server and displays the matched list of users.

Steps to Enumerate SMTP Users Using Metasploit

1. Launch Metasploit msfconsole and switch to the relevant auxiliary scanner to initiate the process: auxiliary/scanner/smtp/smtp_enum.

msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) > 

2. Use the command show options to view the entire list of options required to perform this task. Alternatively, the command show evasion can be used to view the list of options to evade security solutions.

msf auxiliary(smtp_enum) > show options

3. Use the option set RHOST to set the target SMTP server’s IP address or a range of IP addresses.

msf auxiliary(smtp_enum) > set RHOSTS <target ip address>

4. By default, the Metasploit framework uses default wordlists located at /usr/share/64etasploit-framework/data/wordlists/unix_users.txt to enumerate SMTP users. The USER _ FILE option can be set to use custom wordlist.

msf auxiliary(smtp_enum) > set USER_FILE <location of wordlists file> 

5. Use the command show advanced to view the complete list of available options in the SMTP user enumeration module.

msf auxiliary(smtp_enum) > show advanced 

6. Execute the run command to begin the enumeration process. It scans the given wordlists with the SMTP server users and lists all the matched usernames.

msf auxiliary(smtp_enum) > run

attackers obtain a list of valid SMTP users from the target SMTP server and can use this information to initiate targeted attacks.

SMTP Enumeration using smtp-user-enum

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands. smtp-user-enum needs to be passed on to a list of users and at least one target running an SMTP service. The syntax for using smtp-user-enum is as follows:

smtp-user-enum [options] (-u username|-U file-of-usernames) (- 
t host|-T file-of-targets) 

smtp-user-enum has the following options:

• -m n: Maximum number of processes (default: 5)
• -M mode: Specify the SMTP command to use for username guessing from among EXPN, VRFY, and RCPT TO (default: VRFY)
• -u user: Check if a user exists on the remote system
• -f addr: Specify the from email address to use for “RCPT TO” guessing (default: [email protected])
• -D dom: Specify the domain to append to the supplied user list to create email addresses (default: none)
• -U file: Select the file containing usernames to check via the SMTP service
• -t host: Specify the server host running the SMTP service
• -T file: Select the file containing hostnames running the SMTP service
• -p port: Specify the TCP port on which the SMTP service runs (default: 25)
• -d: Debugging output
• -t n: Wait for a maximum of n seconds for the reply (default: 5)
• -v: Verbose
• -h: Help message

Example of uses

$smtp-user-enum -M VRFY -u administrator -t <target ip address>

SMTP Enumeration using NetScanTools Pro

NetScanTools Pro’s SMTP Email Generator tool tests sending an email through an SMTP server. it is a Windows-based application. Attackers use it for SMTP enumeration to extract email header parameters, including confirm/urgent flags. They can also record the email session in a log file to view communications between NetScanTools Pro and the SMTP server.

Security Implications:

SMTP enumeration can be used by attackers to:

• Discover valid email addresses for phishing attacks.
• Identify user accounts for potential brute-force attacks.

How to Protect Against SMTP Enumeration:

1. Disable VRFY and EXPN Commands: Most modern mail servers disable these commands to prevent enumeration.
2. Implement Rate Limiting: Limit the number of requests that can be made to the SMTP server in a short period.
3. Use Authentication: Require authentication to connect to the SMTP server.
4. Monitor Logs: Keep an eye on your server logs for unusual activity.
5. Prevent Bruit-force: Limit the number of accepted connections from a source to prevent brute-force attacks.
6. Do not share internal IP/host information or mail relay system information.
7. Identify spammers through machine learning (ML) solutions.

Conclusion

SMTP enumeration is a powerful tool for both security assessment and malicious activities, responsible usage, and robust security measures are key to protecting email servers from exploitation.

FAQs