OK guys, I am a little nervous, but here is my first real tutorial. I'm sorry if it seems a little simple; also, if there are any mistakes, please correct me, as I am still learning!
For this tutorial it is assumed that the SMTP server is listening on port 25 and that you replace your target IP where you see XX.XX.XX.XX.
1. Ensure that your target server has port 25 listening for SMTP traffic. This can be done by banner grabbing with netcat
Code:
nc -v XX.XX.XX.XX 25
or scanning
Code:
nmap -p 25 XX.XX.XX.XX
2. Once connected, use the VRFY or EXPN commands to verify valid users or expand a mailing list. Save this file as vrfy-smtp.py
Code:
#!/usr/bin/python
# This was written for educational and learning purposes only.
# The author will not be responsible for any damage!
# SMTP VRFY Scanner muhahhahahaha :)
import socket, sys, fileinput, re, time
from optparse import OptionParser

usage = "./%prog -t <target> -p <port> -f <inputfile>\nExample: ./%prog -t 74.52.252.187 -p 25 -f names.txt"
parser = OptionParser(usage=usage)
parser.add_option("-t", type="string",
                  action="store", dest="target",
                  help="Target Host")
parser.add_option("-p", type="int",
                  action="store", dest="port",
                  help="Target Port")
parser.add_option("-f", action="store",
                  dest="filename", help="Inputfile")
(options, args) = parser.parse_args()
host = options.target
port = options.port
inputfile = options.filename

# All three options (flag + value each) are required
if len(sys.argv) != 7:
    print "\n|---------------------------------------------------------------|"
    print "| SMTP vrfy enumeration scanner v0.5 |"
    print "| by MrMe 07/2009 |"
    print "| Special Greetz: krma |"
    print "|---------------------------------------------------------------|\n"
    parser.print_help()
    sys.exit()

try:
    # Use the parsed -f value rather than a fixed argv position
    names = open(inputfile, "r")
except(IOError):
    print "Error: Check your wordlist path\n"
    sys.exit(1)

counter = 0
print "[+] Connecting to server"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

def connect():
    # Connects the module-level socket s and prints the SMTP banner
    try:
        connect = s.connect((host, port))
    except socket.timeout:
        print "\n[-] Server timed out"
        sys.exit(1)
    except socket.error:
        print "\n[-] There was an error with the server"
        sys.exit(1)
    print "[+] Connected on " + timer()
    print "[+] Waiting for SMTP banner"
    banner = s.recv(1024)
    print banner

def timer():
    now = time.localtime(time.time())
    return time.asctime(now)

connect()

for line in names:
    s.send('VRFY ' + line)
    result = s.recv(1024)
    bad = re.match("502", result)
    bad1 = re.search("send some mail", result)
    found = re.search("252", result)
    notfound = re.match("550", result)
    if bad or bad1:
        print "[-] This server is not vulnerable!"
        sys.exit(1)
    elif notfound:
        print "[-] Not found " + line
    elif found:
        print "[+] Found! " + line
    # Reconnect after every 20 commands
    if counter == 20:
        s.close()
        print "[+] Resetting connection"
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect()
        counter = 0
    counter += 1

s.close()
3. Make or find a file with a list of names, one per line, that you can authenticate with against the SMTP server, e.g.:
Code:
bob
jane
jilly
root
mat
steve
eddie
simon
4. Run the script
Code:
./smtp-vrfy.py -t www.smtp-vun.com -p 25 -f names.txt
5. Hopefully you get some usernames!
This is my first Python script, and if anyone can help me rewrite the script to input a single user vrfy as well as a file, it would be greatly appreciated.
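
Seen from the mail server's side, the traffic this tutorial generates is a burst of VRFY commands from one address. The following is an added example, not part of the original post: a Python 3 detector that counts VRFY/EXPN commands per source IP, so the reconnect after every 20 commands in the script above does not hide the burst. The log format, the sample lines and the names `parse` and `find_enumeration` are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not a real MTA's):
# "<ISO timestamp> <client IP> <SMTP verb> <argument> <reply code>"
SAMPLE_LOG = """\
2009-07-01T10:00:00 203.0.113.5 VRFY bob 550
2009-07-01T10:00:02 203.0.113.5 VRFY jane 250
2009-07-01T10:00:04 203.0.113.5 VRFY jilly 550
2009-07-01T10:00:06 203.0.113.5 VRFY root 250
2009-07-01T10:00:08 203.0.113.5 VRFY mat 550
2009-07-01T10:00:10 203.0.113.5 VRFY steve 252
2009-07-01T10:00:20 198.51.100.7 VRFY postmaster 250
2009-07-01T10:00:21 198.51.100.7 MAIL <a@example.org> 250
"""

PROBE_VERBS = {"VRFY", "EXPN"}
CONFIRMING = {"250", "251"}  # RFC 5321: address confirmed (252 = declined to verify)

def parse(log_text):
    """Yield (time, ip, verb, argument, code); skip malformed lines."""
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].upper(), parts[3], parts[4]

def find_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each IP sending >= threshold VRFY/EXPN within `window` to its findings."""
    by_ip = defaultdict(list)  # keyed by source IP, so reconnects do not reset the count
    for ts, ip, verb, arg, code in parse(log_text):
        if verb in PROBE_VERBS:
            by_ip[ip].append((ts, arg, code))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                confirmed = sorted({a for _, a, c in events if c in CONFIRMING})
                alerts[ip] = {"probes": len(events), "confirmed": confirmed}
                break
    return alerts
```

Calling `find_enumeration(SAMPLE_LOG)` flags only 203.0.113.5 and lists the names the server confirmed to it, which are the accounts to treat as disclosed. Where VRFY and EXPN are not needed, turning them off (for example `disable_vrfy_command = yes` in Postfix) makes the server refuse these probes.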