<h1>smtp-user-enum</h1>
<p>Posted 21 January 2007, last modified 31 August 2011. Source: https://pentestmonkey.net/tools/user-enumeration/smtp-user-enum</p>

<p>Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY or RCPT TO. Recent changes are detailed in the CHANGELOG.</p>

<p>Download smtp-user-enum v1.2 here.</p>

<p>MD5 and SHA1 checksums are available from where the packages can be downloaded. They’re based on the package name (below v.v represents the version, e.g. 1.1):</p>
<pre>
http://pentestmonkey.net/tools/smtp-user-enum/smtp-user-enum-v.v-beta.tar.gz.md5
http://pentestmonkey.net/tools/smtp-user-enum/smtp-user-enum-v.v-beta.tar.gz.sha1
</pre>

<p>User documentation is also available in PDF format.</p>

<h1>smtp-user-enum User Documentation</h1>

<h1>Overview</h1>

<p>smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.</p>

<h1>Installation</h1>

<p>smtp-user-enum is just a stand-alone PERL script, so installation is as simple as copying it to your path (e.g. /usr/local/bin). It has only been tested under Linux so far.</p>

<p>It depends on PERL modules (such as Getopt::Std) which you may need to install first. If you have PERL installed, you should be able to install the modules from CPAN:</p>
<pre>
# perl -MCPAN -e shell
cpan> install Getopt::Std
</pre>

<h1>Usage</h1>

<p>smtp-user-enum simply needs to be passed a list of users and at least one target running an SMTP service.</p>
<pre>
smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )

Usage: smtp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)

options are:
        -m n     Maximum number of processes (default: 5)
        -M mode  Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
        -u user  Check if user exists on remote system
        -f addr  From email address to use for "RCPT TO" guessing (default: user@example.com)
        -D dom   Domain to append to supplied user list to make email addresses (Default: none)
                 Use this option when you want to guess valid email addresses instead of just usernames
                 e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc. Instead of
                 simply the usernames foo and bar.
        -U file  File of usernames to check via smtp service
        -t host  Server host running smtp service
        -T file  File of hostnames running the smtp service
        -p port  TCP port on which smtp service runs (default: 25)
        -d       Debugging output
        -t n     Wait a maximum of n seconds for reply (default: 5)
        -v       Verbose
        -h       This help message
</pre>

<h1>Some Examples</h1>

<p>For all of the examples below we need a list of potential usernames. The following output demonstrates the format for this list:</p>
<pre>
$ head users.txt
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
</pre>

<h2>Using the SMTP VRFY Command</h2>

<p>The output below shows how the SMTP server responds differently to VRFY requests for valid and invalid users. It is recommended that a manual check like the following is carried out before running smtp-user-enum. Obviously the tool won’t work if the server doesn’t respond differently to requests for valid and invalid users.</p>
<pre>
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
VRFY root
250 Super-User <root@myhost>
VRFY blah
550 blah... User unknown
</pre>

<p>To use smtp-user-enum to enumerate valid usernames using the VRFY command, first prepare a list of usernames (users.txt) and run the tool as follows:</p>
<pre>
$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                       Scan Information                   |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Jan 21 18:01:50 2007 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2007 #########
9 results.

47 queries in 1 seconds (47.0 queries / sec)
</pre>

<p>It’s worth noting that postmaster is not actually a valid OS-level user account – it’s a mail alias.</p>

<h2>Using the SMTP EXPN Command</h2>

<p>The output below shows how the SMTP server responds differently to EXPN requests for valid and invalid users.</p>
<pre>
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
EXPN root
250 Super-User <root@myhost>
EXPN blah
550 blah... User unknown
</pre>

<p>To use smtp-user-enum to enumerate valid usernames using the EXPN command, first prepare a list of usernames (users.txt) and run the tool as follows (unsurprisingly, we get the same results as above):</p>
<pre>
$ smtp-user-enum.pl -M EXPN -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                       Scan Information                   |
 ----------------------------------------------------------

Mode ..................... EXPN
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Jan 21 18:01:50 2007 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2007 #########
9 results.

47 queries in 1 seconds (47.0 queries / sec)
</pre>

<h2>Using the SMTP RCPT TO Command</h2>

<p>The output below shows how the SMTP server responds differently to RCPT TO requests for valid and invalid users. This is often the most useful technique, as VRFY and EXPN are often disabled to prevent username enumeration.</p>
<pre>
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:root
250 root... Sender ok
RCPT TO:root
250 root... Recipient ok
RCPT TO: blah
550 blah... User unknown
</pre>

<p>To use smtp-user-enum to enumerate valid usernames using the RCPT TO command, first prepare a list of usernames (users.txt) and run the tool as follows (again, the results are the same as above):</p>
<pre>
$ smtp-user-enum.pl -M RCPT -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                       Scan Information                   |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Jan 21 18:01:50 2007 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2007 #########
9 results.

47 queries in 1 seconds (47.0 queries / sec)
</pre>

<h2>Enumerating Email Addresses Instead of Usernames</h2>

<p>Version 1.1 adds support for optionally appending a domain name to the end of each username:</p>
<pre>
$ ./smtp-user-enum.pl -D example.com -M RCPT -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.1 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                       Scan Information                   |
 ----------------------------------------------------------

Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ example.com

######## Scan started at Wed Jan 16 20:43:58 2008 #########
10.0.0.1: bin@example.com exists
10.0.0.1: daemon@example.com exists
10.0.0.1: root@example.com exists
10.0.0.1: postmaster@example.com exists
######## Scan completed at Wed Jan 16 20:43:58 2008 #########
4 results.

7 queries in 1 seconds (47.0 queries / sec)
</pre>

<h1>License</h1>

<p>This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.</p>

<p>In all other respects the GPL version 2 applies:</p>
<pre>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
</pre>