# SMTP Enumeration (Port 25)

## Quick Intro

* Used to send, receive, and relay outgoing emails
* Used port 25
* Main attacks are user enumeration and using an open relay to send spam

## NSE

```
nmap 192.168.1.101 --script=smtp* -p 25

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
```

## User Enumeration

```
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers
# For multiple servers
```

## Connection 

```
telnet $ip 25
```

### Command to check if a user exists

```
VRFY root
```

### Command to ask the server if a user belongs to a mailing list

```
EXPN root
```

## Brute Force 

```
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
```

## Send email using netcat

<http://www.microhowto.info/howto/send_an_email_using_netcat.html>