Thread: SMTP enumeration

  1. #1
    Junior Member mRM3e's Avatar
    Join Date
    Oct 2008
    Posts
    28

    Default SMTP enumeration

    OK guys, I am a little nervous, but here is my first real tutorial. I'm sorry if it seems a little simple; also, if there are any mistakes please correct me, as I am still learning!

    For this tutorial it is assumed that the SMTP server is listening on port 25 and that you replace your target IP where you see XX.XX.XX.XX.

    1. Ensure that your target server has port 25 listening for SMTP traffic. This can be done by banner grabbing with netcat:

    Code:
    nc -v XX.XX.XX.XX 25
    or scanning

    Code:
    nmap -p 25 XX.XX.XX.XX
    2. Once connected, use the VRFY or EXPN commands to verify valid users or expand a mailing list. Save this file as vrfy-smtp.py

    Code:
    #!/usr/bin/env python3
    # This was written for educational and learning purposes only.
    # The author will be not responsible for any damage!
    # SMTP VRFY Scanner muhahhahahaha :)

    import socket, sys, re, time
    from optparse import OptionParser

    usage = "./%prog -t <target> -p <port> -f <inputfile>\nExample: ./%prog -t 74.52.252.187 -p 25 -f names.txt"
    parser = OptionParser(usage=usage)
    parser.add_option("-t", type="string",
                      action="store", dest="target",
                      help="Target Host")
    parser.add_option("-p", type="int",
                      action="store", dest="port",
                      help="Target Port")
    parser.add_option("-f", action="store",
                      dest="filename", help="Inputfile")
    (options, args) = parser.parse_args()

    host = options.target
    port = options.port
    inputfile = options.filename

    # All three options are required
    if not (host and port and inputfile):
        print("\n|---------------------------------------------------------------|")
        print("|             SMTP vrfy enumeration scanner v0.5                |")
        print("|                      by MrMe 07/2009                          |")
        print("|                    Special Greetz: krma                       |")
        print("|---------------------------------------------------------------|\n")
        parser.print_help()
        sys.exit()
    try:
        names = open(inputfile, "r")
    except IOError:
        print("Error: Check your wordlist path\n")
        sys.exit(1)

    counter = 0

    def timer():
        now = time.localtime(time.time())
        return time.asctime(now)

    def connect():
        # Open a fresh TCP connection to the SMTP server and read its banner
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        try:
            sock.connect((host, port))
        except socket.timeout:
            print("\n[-] Server timed out")
            sys.exit(1)
        except socket.error:
            print("\n[-] There was an error with the server")
            sys.exit(1)
        print("[+] Connected on " + timer())
        print("[+] Waiting for SMTP banner")
        banner = sock.recv(1024).decode(errors="replace")
        print(banner)
        return sock

    print("[+] Connecting to server")
    s = connect()

    for line in names:
        name = line.strip()
        if not name:
            continue
        # SMTP commands are terminated by CRLF
        s.send(("VRFY " + name + "\r\n").encode())
        result = s.recv(1024).decode(errors="replace")
        bad = re.match("502", result)                 # command disabled / not implemented
        bad1 = re.search("send some mail", result)    # server accepts any name: no information
        found = re.match("25[02]", result)            # 250 or 252: user exists
        notfound = re.match("550", result)
        if bad or bad1:
            print("[-] This server is not vulnerable!")
            sys.exit(1)
        elif notfound:
            print("[-] Not found " + name)
        elif found:
            print("[+] Found! " + name)
        # Many servers stop answering VRFY after a while, so reconnect every 20 attempts
        if counter == 20:
            s.close()
            print("[+] Resetting connection")
            s = connect()
            counter = 0
        counter += 1

    names.close()
    s.close()
    3. Make or find a file with a list of names, one per line, that you can authenticate with against the SMTP server, e.g.:

    Code:
    bob
    jane
    jilly
    root
    mat
    steve
    eddie
    simon
    4. Run the script

    Code:
    ./smtp-vrfy.py -t www.smtp-vun.com -p 25 -f names.txt
    5. Hopefully you get some usernames!

    This is my first Python script, and if anyone can help me rewrite the script to accept a single user to VRFY as well as a file, it would be greatly appreciated.
    I feel sorry for them - those who take authority as the truth and not truth as the authority -- Zeitgeist

  2. #2
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    15

    Default

    Hey mRM3e,

    I rewrote your script in Perl (I like Perl better). I'll attach my code in the message later. When I tested my script and yours with bigger user lists, I came to the conclusion that the SMTP server didn't accept a lot of VRFY messages. You should extend your script with a function that resets the connection after some attempts. I tried 20 and reset after a found one. More information about VRFY and SMTP: http://www.ietf.org/rfc/rfc0821.txt

    my code:

    Code:
    # This script searches for commonly used aliases like all and people etc.
    use strict;
    use warnings;
    use Net::SMTP;

    if (@ARGV && $ARGV[0] ne "")
    {
    	my $host = $ARGV[0];
    	my $smtp = Net::SMTP->new($host, Hello => '', Timeout => 6000)
    		|| die "Could not connect to $host";
    	my $counter = 0;
    	open (DIRS, "common_aliases.txt") || die "Bestand common_aliases.txt kan niet ingeladen worden";
    	while (my $address = <DIRS>)
    	{
    		chomp $address;    # strip the newline before it goes into the VRFY command
    		if ($counter == 20)
    		{
    			# reopen the session every 20 attempts; the server stopped answering VRFY otherwise
    			$smtp->quit;
    			$smtp = Net::SMTP->new($host, Hello => '', Timeout => 6000)
    				|| die "Could not reconnect to $host";
    			$counter = 0;
    		}
    		my $vrfy = $smtp->verify($address);
    		if ($vrfy)
    		{
    			print "Found: $address\n";
    			$smtp->quit;
    			$smtp = Net::SMTP->new($host, Hello => '', Timeout => 6000)
    				|| die "Could not reconnect to $host";
    		}
    		else
    		{
    			# debug purpose: show the SMTP reply code the server gave
    			print "Not found: $address errorcode: " . $smtp->code . "\n";
    		}
    		$counter++;
    	}
    	close(DIRS);
    	$smtp->quit;
    }
    else
    {
    	print "This script tries to find commonly used mail addresses\n";
    	print "Example: smtpenum <hostname>\n";
    }
    Two things are infinite: the universe and human stupidity;

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    42

    Default

    Nice start mRM3e. Keep the spirits high!!!

  4. #4

    Default

    Nice script mRM3e,

    Don't forget though, most SMTP servers have the VRFY and EXPN commands disabled by default. You will get hit by the server with an error code 502, either disabled or not implemented.

    Still, thanks for contributing to the community, it is a nice SMTP enumeration process.

  5. #5
    Junior Member mRM3e's Avatar
    Join Date
    Oct 2008
    Posts
    28

    Default

    Thanks guys yep still playing with it. Many more and better scripts to come!

  6. #6
    Just burned his ISO
    Join Date
    Mar 2009
    Posts
    10

    Default

    Great tutorial

  7. #7
    Junior Member mRM3e's Avatar
    Join Date
    Oct 2008
    Posts
    28

    Default

    Quote Originally Posted by shad0w_crash View Post
    Hey mRM3e,

    I rewrote your script in Perl (I like Perl better). I'll attach my code in the message later. When I tested my script and yours with bigger user lists, I came to the conclusion that the SMTP server didn't accept a lot of VRFY messages. You should extend your script with a function that resets the connection after some attempts. I tried 20 and reset after a found one. More information about VRFY and SMTP: http://www.ietf.org/rfc/rfc0821.txt
    Thanks mate, I finally found some time so I fixed it up some more. Still working on it.

  8. #8
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by Anti-NewWorldOrder View Post
    Nice script mRM3e,

    Don't forget though, most SMTP servers have the VRFY and EXPN commands disabled by default. You will get hit by the server with an error code 502, either disabled or not implemented.

    Still, thanks for contributing to the community, it is a nice SMTP enumeration process.
    I still see Nessus pop VRFY and EXPN as a vulnerability for SMTP servers regularly; now I have an easy way to validate with these scripts.

    Hmmm maybe I should submit a modified nasl to Tenable that actually includes the ability to list some users (IIRC the Nessus plugin only looks for root).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
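Following up on #4 (VRFY normally answers 502) and #8 (wanting a quick way to validate a scanner's VRFY finding), here is an added example that is not part of this thread or anyone's script above. It parses RFC 821 replies, including multi-line ones, and compares the reply for postmaster (which RFC 821 requires every server to accept) with the reply for a made-up name, so an administrator can tell a disabled VRFY from a uniform 252 "send some mail" answer and from a real account oracle. All sample replies are constructed; the hostnames and reply texts are placeholders.

```python
import re

# RFC 821 reply syntax: a 3-digit code, then "-" on continuation lines and " " on the final line
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw):
    """Parse a raw (possibly multi-line) SMTP reply into (code, [text lines])."""
    lines = raw.replace("\r\n", "\n").rstrip("\n").split("\n")
    code, texts = None, []
    for idx, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = int(m.group(1))
        elif int(m.group(1)) != code:
            raise ValueError("reply code changed inside one reply")
        is_last = idx == len(lines) - 1
        if (m.group(2) == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3))
    return code, texts


def vrfy_oracle(reply_known, reply_bogus):
    """Compare the reply for an account that must exist (postmaster) with the
    reply for a made-up name and report what the server gives away."""
    code_known, _ = parse_reply(reply_known)
    code_bogus, _ = parse_reply(reply_bogus)
    if code_known in (500, 502) and code_bogus in (500, 502):
        return "disabled"     # VRFY not implemented or switched off: the hardened state
    if code_known == code_bogus:
        return "no-oracle"    # same answer for real and fake names (e.g. 252 "send some mail")
    return "oracle"           # different codes: the server confirms which accounts exist


# Constructed sample replies (not captured from any real server)
DISABLED = "502 5.5.1 VRFY command is disabled\r\n"
ACCEPT_ANY = "252 2.5.2 Send some mail, I'll try my best\r\n"
USER_OK = "250-Postmaster <postmaster@example.test>\r\n250 OK\r\n"
USER_UNKNOWN = "550 5.1.1 <nobody.xq7@example.test>: User unknown\r\n"

if __name__ == "__main__":
    print(vrfy_oracle(DISABLED, DISABLED))          # disabled
    print(vrfy_oracle(ACCEPT_ANY, ACCEPT_ANY))      # no-oracle
    print(vrfy_oracle(USER_OK, USER_UNKNOWN))       # oracle
```

Only "disabled" means the 502 described in #4; "oracle" is the condition the tutorial's script exploits and the one worth reporting as a finding, while "no-oracle" is a server that answers but reveals nothing.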

  9. #9
    Junior Member mRM3e's Avatar
    Join Date
    Oct 2008
    Posts
    28

    Default

    lol, updated for the last time, I promise!
