SMTP (25/465/587)
User enumeration (VRFY)
Verify valid usernames — Build username list for other services
smtp-user-enum -M VRFY -U users.txt -t $IP
Example Output
smtp-user-enum -M VRFY -U users.txt -t 10.10.10.5
250 2.1.5 admin
250 2.1.5 john
550 5.1.1 <fakeuser>: Recipient not found
User enumeration (RCPT TO)
Alternative method — If VRFY is disabled
smtp-user-enum -M RCPT -U users.txt -t $IP
Example Output
smtp-user-enum -M RCPT -U users.txt -t 10.10.10.5
10.10.10.5: admin exists
10.10.10.5: john exists
10.10.10.5: postmaster exists
User enumeration (EXPN)
Expand mailing lists — May reveal users
smtp-user-enum -M EXPN -U users.txt -t $IP
Example Output
smtp-user-enum -M EXPN -U users.txt -t 10.10.10.5
10.10.10.5: admin <admin@corp.local>
10.10.10.5: all-staff <john@corp.local, jane@corp.local>
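Detection side of the VRFY, RCPT TO and EXPN enumeration shown above, as an added example that is not part of the original cheat sheet: it flags a client that probes many distinct names and collects unknown-user rejects or uses VRFY/EXPN. The log format, sample lines, client addresses and thresholds are constructed assumptions; adapt the regex to your MTA's real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "client command argument -> reply"
# format (an assumption, not a real MTA log format).
SAMPLE_LOG = """\
10.10.14.3 VRFY admin -> 250 2.1.5 admin
10.10.14.3 VRFY john -> 250 2.1.5 john
10.10.14.3 VRFY fakeuser -> 550 5.1.1 <fakeuser>: Recipient not found
10.10.14.3 EXPN all-staff -> 250 2.1.5 all-staff
10.10.14.3 RCPT postmaster -> 250 2.1.5 Ok
10.10.14.3 RCPT backup -> 550 5.1.1 <backup>: Recipient not found
192.168.1.20 RCPT jane@corp.local -> 250 2.1.5 Ok
192.168.1.20 RCPT jhon@corp.local -> 550 5.1.1 <jhon@corp.local>: Recipient not found
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<cmd>VRFY|EXPN|RCPT) (?P<arg>\S+) -> (?P<code>\d{3}) ")

def find_enumeration(log_text, min_names=5, min_unknown=2):
    """Return {client: stats} for clients whose probing looks like user enumeration."""
    stats = defaultdict(lambda: {"names": set(), "unknown": 0, "vrfy_expn": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not recipient-probing commands
        s = stats[m["client"]]
        s["names"].add(m["arg"].lower())
        if m["cmd"] in ("VRFY", "EXPN"):
            s["vrfy_expn"] += 1  # rarely sent by legitimate mail clients
        if m["code"] == "550":
            s["unknown"] += 1    # rejected recipient, e.g. 550 5.1.1
    flagged = {}
    for client, s in stats.items():
        # Many distinct names, plus repeated rejects or any VRFY/EXPN use.
        if len(s["names"]) >= min_names and (
                s["unknown"] >= min_unknown or s["vrfy_expn"] > 0):
            flagged[client] = {"names": len(s["names"]),
                               "unknown": s["unknown"],
                               "vrfy_expn": s["vrfy_expn"]}
    return flagged

if __name__ == "__main__":
    for client, info in find_enumeration(SAMPLE_LOG).items():
        print(client, info)
```

A single mistyped recipient (the second client in the sample) stays below the thresholds, which is the false-positive case the distinct-name count is there to avoid.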
Nmap SMTP scripts
All SMTP nmap scripts — Enum, open relay, vulns
nmap --script "smtp-*" -p 25 $IP
Example Output
nmap --script "smtp-*" -p 25 10.10.10.5
|_smtp-open-relay: Server is an open relay
| smtp-enum-users:
| root, admin, postmaster
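(Open relay = the server accepts and forwards mail from unauthenticated clients to recipients outside its own domains, so anyone can send through it under any sender address)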
Send test email
Test for open relay — Can send phishing emails
swaks --to user@domain --from test@test.com --server $IP
Example Output
swaks --to admin@corp.local --from ceo@corp.local --server 10.10.10.5 --body 'Test'
=== Connected to 10.10.10.5
<- 250 2.0.0 Ok: queued
(Open relay confirmed - phishing possible)