SMTP (25/465/587)

User enumeration (VRFY)

Verify valid usernames — Build username list for other services

smtp-user-enum -M VRFY -U users.txt -t $IP
Example Output
smtp-user-enum -M VRFY -U users.txt -t 10.10.10.5
250 2.1.5 admin
250 2.1.5 john
550 5.1.1 <fakeuser>: Recipient not found

User enumeration (RCPT TO)

Alternative method — If VRFY is disabled

smtp-user-enum -M RCPT -U users.txt -t $IP
Example Output
smtp-user-enum -M RCPT -U users.txt -t 10.10.10.5
10.10.10.5: admin exists
10.10.10.5: john exists
10.10.10.5: postmaster exists

User enumeration (EXPN)

Expand mailing lists — May reveal users

smtp-user-enum -M EXPN -U users.txt -t $IP
Example Output
smtp-user-enum -M EXPN -U users.txt -t 10.10.10.5
10.10.10.5: admin <admin@corp.local>
10.10.10.5: all-staff <john@corp.local, jane@corp.local>
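
Detection side of the three enumeration methods above, as an added example that is not part of the original page: the script counts how many distinct names each client probes with VRFY, EXPN or RCPT TO without ever sending DATA, and lists the names the server confirmed. The trace format, the sample lines and the min_targets threshold are assumptions made for the example, not output from a real server.

```python
import re
from collections import defaultdict

# Constructed trace in an assumed format: "<client-ip> <C|S>: <SMTP line>"
SAMPLE_TRACE = """\
198.51.100.7 C: VRFY admin
198.51.100.7 S: 250 2.1.5 admin
198.51.100.7 C: VRFY john
198.51.100.7 S: 250 2.1.5 john
198.51.100.7 C: VRFY fakeuser
198.51.100.7 S: 550 5.1.1 <fakeuser>: Recipient not found
198.51.100.7 C: EXPN all-staff
198.51.100.7 S: 250 2.1.5 all-staff
192.0.2.20 C: RCPT TO:<john@corp.local>
192.0.2.20 S: 250 2.1.5 Ok
192.0.2.20 C: DATA
"""

LINE = re.compile(r"^(\S+) ([CS]): (.*)$")
PROBE = re.compile(r"^(?:VRFY|EXPN|RCPT TO:)\s*<?([^>\s]+)>?", re.IGNORECASE)

def summarize(trace):
    """Per client: names probed, names confirmed (2xx), 5xx count, DATA seen."""
    stats = defaultdict(lambda: {"targets": set(), "valid": set(),
                                 "rejected": 0, "sent_data": False})
    pending = {}  # client -> probed name still waiting for the server reply
    for m in filter(None, map(LINE.match, trace.splitlines())):
        client, side, text = m.groups()
        s = stats[client]
        if side == "C":
            probe = PROBE.match(text)
            pending.pop(client, None)
            if probe:
                pending[client] = probe.group(1).lower()
                s["targets"].add(pending[client])
            elif text.strip().upper() == "DATA":
                s["sent_data"] = True
        elif client in pending:
            target = pending.pop(client)
            if text.startswith("2"):
                s["valid"].add(target)
            elif text.startswith("5"):
                s["rejected"] += 1
    return stats

def flag_enumeration(trace, min_targets=3):
    """Clients that probed >= min_targets names and never sent a message."""
    return {c: sorted(s["valid"]) for c, s in summarize(trace).items()
            if len(s["targets"]) >= min_targets and not s["sent_data"]}
```

The names returned for a flagged client are the accounts the server disclosed to it, which is the list to review for password resets or lockout monitoring.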

Nmap SMTP scripts

All SMTP nmap scripts — Enum, open relay, vulns

nmap --script "smtp-*" -p 25 $IP
Example Output
nmap --script "smtp-*" -p 25 10.10.10.5
|_smtp-open-relay: Server is an open relay
| smtp-enum-users:
|   root, admin, postmaster
(OPEN RELAY = can send emails as anyone)

Send test email

Test for open relay — Can send phishing emails

swaks --to user@domain --from test@test.com --server $IP
Example Output
swaks --to admin@corp.local --from ceo@corp.local --server 10.10.10.5 --body 'Test'
=== Connected to 10.10.10.5
<-  250 2.0.0 Ok: queued
(Open relay confirmed - phishing possible)