## 🛡️ Methodology Checklist

- Banner grab: `nc [TARGET] 25`
- EHLO/HELO handshake: `telnet [TARGET] 25` → `EHLO [DOMAIN]`
- User enumeration (VRFY): `VRFY [USER]` → check 250/252 vs 550 responses
- RCPT TO enumeration: `MAIL FROM:<a@test.com>` then `RCPT TO:<[USER]>`
- Brute-force: `hydra -L users.txt -P pass.txt smtp://[TARGET]`
- Check for open relay: attempt relaying email through target
- Enumerate STARTTLS support: `STARTTLS` after `EHLO`
- Review mail server version for known CVEs
## 🎯 Operational Context

**Think Dumber First:** VRFY/RCPT TO user enumeration requires no authentication and reveals valid AD usernames without lockout risk. Try it before any brute-force. Then check for open relay:

`MAIL FROM:<a@test.com>` → `RCPT TO:<external@gmail.com>` → if RCPT accepted, open relay = Critical finding immediately.

**When you land here:** Port 25 open. Banner grab. Try `VRFY root`, `VRFY admin`. If VRFY disabled, switch to RCPT TO method. Enumerate users from LinkedIn list. Then check relay. If credentials obtained elsewhere, try SMTP `AUTH LOGIN`.
## ⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -p25 -sC -sV` | Nmap scan → version, capabilities, relay check |
| `sudo nmap [TARGET_IP] -p25 --script smtp-open-relay -v` | Test for open relay (16 tests) |
| `telnet [TARGET_IP] 25` | Manual banner grab and SMTP interaction |
| `smtp-user-enum -M VRFY -U [WORDLIST] -t [TARGET_IP] -w 20` | Enumerate valid users via VRFY |
| `smtp-user-enum -M RCPT -U [WORDLIST] -t [TARGET_IP] -w 20` | Enumerate via RCPT (fallback if VRFY blocked) |
| `smtp-user-enum -M EXPN -U [WORDLIST] -t [TARGET_IP] -w 20` | Enumerate via EXPN (mailing list expansion) |
| `nc -nv [TARGET_IP] 25` → `VRFY [username]` | Manual user verify → 252 = exists, 550 = unknown |
## 🔬 Deep Dive & Workflow

### Initial Enumeration

- Nmap: `sudo nmap [TARGET_IP] -p25 -sC -sV`
- Note server software (Postfix, Sendmail, Exim) and version from banner
- Check EHLO response for supported extensions (STARTTLS, AUTH, VRFY)
- Test VRFY-based user enum: `smtp-user-enum -M VRFY -U [WORDLIST] -t [TARGET_IP] -w 20`
- If VRFY returns 252 for all → server is hardened, try RCPT method
- Check for open relay: `sudo nmap [TARGET_IP] -p25 --script smtp-open-relay -v`

### Attacks

- User enumeration → build valid username list for password spraying
- Email spoofing if open relay exists (check `mynetworks = 0.0.0.0/0` in Postfix config)
- Manual email injection via Telnet to test internal delivery or phishing
- STARTTLS downgrade if 587 available without enforced TLS
### Ports & Encryption

| Port | Usage | Encryption |
|---|---|---|
| 25 | Default server-to-server relay | Often cleartext |
| 587 | Client submission | STARTTLS (upgrades connection) |
| 465 | Legacy SMTPS | SSL/TLS from start |
### SMTP Architecture

Client (MUA) → Submission Agent (MSA) → Relay (MTA) → Delivery Agent (MDA) → Mailbox

### SMTP Command Reference

| Command | Description |
|---|---|
| `HELO` | Basic client identification |
| `EHLO` | Extended SMTP → lists extensions (STARTTLS, AUTH) |
| `MAIL FROM` | Specify sender |
| `RCPT TO` | Specify recipient |
| `DATA` | Begin email body (end with single `.` on new line) |
| `VRFY` | Verify if user exists (252 = exists, 550 = unknown) |
| `EXPN` | Expand mailing list/alias |
| `RSET` | Reset transaction without dropping connection |
| `NOOP` | Keep connection alive |
| `QUIT` | Close connection |
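The EHLO and VRFY rows above depend on reading SMTP replies correctly: a multi-line reply (the EHLO extension list) uses `CODE-text` on every line but the last, which uses `CODE text`, and a VRFY reply of 252 means "cannot verify, but would accept and attempt delivery" (RFC 5321), so 252 for a real name and a nonsense name alike tells you nothing. The following parser is an added example, not code from the original page; the session it reads is constructed, and the `assess` summary fields are this example's own names.

```python
"""Interpret a captured SMTP session: EHLO extensions and VRFY replies.

Added example (not from the page).  Parses RFC 5321 reply lines and pairs
each server reply with the client command that preceded it.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript: server replies interleaved with the client's commands.
SAMPLE_TRANSCRIPT = """\
220 mail.example.test ESMTP Postfix
EHLO assessor.example.test
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
VRFY root
252 2.0.0 root
VRFY zzqx-not-a-user
252 2.0.0 zzqx-not-a-user
QUIT
221 2.0.0 Bye
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
Exchange = List[Tuple[Optional[str], int, List[str]]]


def parse_exchange(transcript: str) -> Exchange:
    """Return (command, code, text_lines) per reply; the 220 greeting has no command.

    Raises ValueError if the code changes between continuation lines or the
    transcript ends inside a multi-line reply.
    """
    exchange: Exchange = []
    command: Optional[str] = None
    code: Optional[int] = None
    lines: List[str] = []
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m is None:  # not a reply, so it is the client's next command
            if code is not None:
                raise ValueError(f"command {line!r} sent inside a multi-line reply")
            command = line
            continue
        this_code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code is not None and this_code != code:
            raise ValueError(f"reply code changed mid-reply: {code} -> {this_code}")
        code = this_code
        lines.append(text)
        if sep == " ":  # a space after the code marks the final line
            exchange.append((command, code, lines))
            command, code, lines = None, None, []
    if code is not None:
        raise ValueError("transcript ends inside a multi-line reply")
    return exchange


def ehlo_extensions(reply_lines: List[str]) -> Dict[str, str]:
    """EHLO reply: first line is the greeting, the rest are 'KEYWORD [params]'."""
    exts: Dict[str, str] = {}
    for line in reply_lines[1:]:
        keyword, _, params = line.partition(" ")
        exts[keyword.upper()] = params
    return exts


def classify_vrfy(code: int) -> str:
    """What a VRFY reply code actually tells you (RFC 5321 section 3.5)."""
    return {
        250: "exists",         # server confirms the mailbox
        252: "indeterminate",  # cannot VRFY, but would accept and attempt delivery
        550: "unknown",        # no such user
        502: "disabled",       # command not implemented / switched off
    }.get(code, "other")


def assess(transcript: str) -> dict:
    """Summarise a session: banner, extensions, and whether VRFY gives an oracle."""
    result: dict = {"banner": "", "extensions": {}, "vrfy": {}}
    for command, code, lines in parse_exchange(transcript):
        verb = command.split(None, 1)[0].upper() if command else ""
        if command is None and code == 220:
            result["banner"] = lines[0]
        elif verb == "EHLO" and code == 250:
            result["extensions"] = ehlo_extensions(lines)
        elif verb == "VRFY":
            argument = command.split(None, 1)[1] if " " in command else ""
            result["vrfy"][argument] = classify_vrfy(code)
    result["starttls"] = "STARTTLS" in result["extensions"]
    result["auth_mechanisms"] = result["extensions"].get("AUTH", "").split()
    # VRFY only leaks anything if different inputs get different answers.
    result["vrfy_informative"] = len(set(result["vrfy"].values())) > 1
    return result


if __name__ == "__main__":
    for key, value in assess(SAMPLE_TRANSCRIPT).items():
        print(f"{key}: {value}")
```

On the constructed session the server advertises STARTTLS and `AUTH PLAIN LOGIN`, and both VRFY probes come back 252, so `vrfy_informative` is false: that is the hardened case the workflow section describes, not a finding.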
### Manual Email Injection (Telnet)

```
telnet [TARGET_IP] 25
EHLO myhost.htb
MAIL FROM: <attacker@spoofed.com>
RCPT TO: <victim@target.com>
DATA
From: <attacker@spoofed.com>
To: <victim@target.com>
Subject: Test
Body here.
.
QUIT
```
### Open Relay Misconfiguration (Postfix)

```
# /etc/postfix/main.cf
mynetworks = 0.0.0.0/0 # Allows any IP to relay → critical risk
```
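For comparison, here is the weak setting above beside the hardened equivalents a remediation would ask for. This is an added example, not configuration from the page or from any real host; the network ranges are documentation-range placeholders to be replaced with the real internal nets, and Postfix only treats `#` as a comment at the start of a line, so every comment below sits on its own line.

```conf
# /etc/postfix/main.cf -- added example, not the page's own config.
# Network ranges are placeholders (RFC 5737 documentation space).

# --- Weak (the misconfiguration above) ---
# mynetworks = 0.0.0.0/0
#     every client is "trusted", so permit_mynetworks lets anyone relay
# disable_vrfy_command = no
#     the default; VRFY answers per user, an unauthenticated enumeration oracle
# (no relay restriction configured)
#     nothing rejects RCPT TO for domains this host does not serve

# --- Hardened ---
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
disable_vrfy_command = yes
# Postfix 2.10+ evaluates relay policy in smtpd_relay_restrictions; older
# releases only have smtpd_recipient_restrictions, so set both the same way.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Offer STARTTLS on port 25 (opportunistic; mandatory TLS there breaks peers
# that cannot negotiate it) and never accept AUTH over a cleartext session.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# /etc/postfix/master.cf -- submission stanza (port 587): TLS required, then AUTH
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -n` shows the effective non-default values, and the page's own checks confirm the result from the outside: `VRFY` now answers 502 for every input, `RCPT TO` an external domain on port 25 gets "Relay access denied", and `openssl s_client -connect [TARGET]:587 -starttls smtp` must succeed before `AUTH` is offered.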
### smtp-user-enum Tips

- `-w 20` is critical for slow/throttled servers → default 5s causes false negatives.
- If tool finds 0 users but server seems valid, increase `-w` value.
- Manually verify with `nc -nv [TARGET_IP] 25` → `VRFY [username]`.
## 🛠️ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| VRFY returns "252 Cannot VRFY user" for all inputs | VRFY disabled (common hardening) | Switch to RCPT TO: `MAIL FROM:<a@a.com>`, then `RCPT TO:<[USER]@[DOMAIN]>` → 250 = valid, 550 = invalid |
| Telnet session drops immediately after banner | Server requires STARTTLS before commands | Send `EHLO [DOMAIN]` then `STARTTLS`; continue with `openssl s_client -connect [TARGET]:25 -starttls smtp` |
| Hydra SMTP brute returns all "login failed" | Rate limiting or connection resets | Reduce threads: `-t 2 -W 5`; verify correct syntax: `hydra -l [USER] -P [PASS] -f [TARGET] smtp` |
| smtp-user-enum script returns false negatives | Script uses VRFY only | Add methods: `smtp-user-enum -M RCPT -U users.txt -D [DOMAIN] -t [TARGET]` |
| Port 25 refused from attack host | ISP blocks port 25 outbound | Use VPN; try port 587 (submission) with `AUTH LOGIN`; test via: `telnet [TARGET] 587` |
## 📝 Reporting Trigger

**Finding Title:** SMTP User Enumeration Enabled / Open SMTP Relay Misconfiguration

**Impact:** Valid domain account enumeration enables targeted password spraying. Open relay enables sending spoofed email from the target domain → phishing and spam vector.

**Root Cause:** VRFY/EXPN commands not disabled. No `smtpd_recipient_restrictions` configured (Postfix) allowing relay to external domains.

**Recommendation:** Disable VRFY/EXPN (`disable_vrfy_command = yes` in Postfix). Configure relay restrictions. Implement SPF, DKIM, and DMARC records. Enable STARTTLS enforcement. Monitor for anomalous SMTP connection patterns.
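The last recommendation, monitoring for anomalous SMTP connection patterns, is concrete enough to show. The enumeration and relay checks described on this page leave a recognisable trace in a Postfix `smtpd` log: a run of `550 ... User unknown` rejects for distinct recipients from one client, a `Relay access denied` reject for a domain the host does not serve, and a `disconnect` summary whose `rcpt=accepted/total` ratio is almost all rejections. The following detector is an added example, not code from the page; its log lines are constructed in the shape of Postfix's reject and disconnect messages, and the thresholds are assumed tuning values.

```python
"""Flag SMTP user enumeration and relay probing in Postfix smtpd logs.

Added example, not code from the original page.  The log lines below are
constructed in the shape of Postfix's 'NOQUEUE: reject:' and 'disconnect from'
messages; they were not taken from any real system.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one probing client (203.0.113.5) and one normal peer.
SAMPLE_LOG = """\
Mar  3 10:14:01 mx1 postfix/smtpd[2210]: connect from unknown[203.0.113.5]
Mar  3 10:14:02 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.test>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<alice@example.test> proto=ESMTP helo=<x>
Mar  3 10:14:02 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.test>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<bob@example.test> proto=ESMTP helo=<x>
Mar  3 10:14:03 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.test>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<carol@example.test> proto=ESMTP helo=<x>
Mar  3 10:14:03 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dave@example.test>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<dave@example.test> proto=ESMTP helo=<x>
Mar  3 10:14:04 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <erin@example.test>: Recipient address rejected: User unknown in local recipient table; from=<a@a.com> to=<erin@example.test> proto=ESMTP helo=<x>
Mar  3 10:14:04 mx1 postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <someone@example.org>: Relay access denied; from=<a@a.com> to=<someone@example.org> proto=ESMTP helo=<x>
Mar  3 10:14:05 mx1 postfix/smtpd[2212]: connect from mail.partner.test[198.51.100.9]
Mar  3 10:14:05 mx1 postfix/smtpd[2212]: 5D8C1A0F3: client=mail.partner.test[198.51.100.9]
Mar  3 10:14:05 mx1 postfix/smtpd[2212]: disconnect from mail.partner.test[198.51.100.9] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  3 10:14:06 mx1 postfix/smtpd[2210]: disconnect from unknown[203.0.113.5] ehlo=1 mail=1 rcpt=0/6 quit=1 commands=3/9
"""

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*);"
)
# Session summary; Postfix writes 'rcpt=accepted/total' only when some were rejected.
DISCONNECT_RE = re.compile(
    r"disconnect from \S+\[(?P<ip>[^\]]+)\].*?\brcpt=(?P<ok>\d+)(?:/(?P<total>\d+))?"
)

ENUM_THRESHOLD = 5   # distinct unknown recipients from one client (assumed tuning)
MIN_RCPT_SAMPLE = 5  # sessions smaller than this are not judged by rejection ratio


def new_client() -> dict:
    return {"unknown_users": set(), "relay_probes": [], "rcpt_ok": 0, "rcpt_total": 0}


def analyze(log_text: str) -> Dict[str, dict]:
    """Aggregate reject and disconnect evidence per client IP."""
    clients: Dict[str, dict] = defaultdict(new_client)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            c = clients[m.group("ip")]
            if "User unknown" in m.group("reason"):
                c["unknown_users"].add(m.group("rcpt"))
            elif "Relay access denied" in m.group("reason"):
                c["relay_probes"].append(m.group("rcpt"))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            c = clients[m.group("ip")]
            ok = int(m.group("ok"))
            total = int(m.group("total")) if m.group("total") else ok
            c["rcpt_ok"] += ok
            c["rcpt_total"] += total
    return dict(clients)


def rejection_ratio(client: dict) -> float:
    """Share of RCPT TO commands the server rejected for this client."""
    if client["rcpt_total"] == 0:
        return 0.0
    return 1.0 - client["rcpt_ok"] / client["rcpt_total"]


def alerts(clients: Dict[str, dict], enum_threshold: int = ENUM_THRESHOLD) -> List[str]:
    """One finding line per triggered signal per client, in IP order."""
    out: List[str] = []
    for ip, c in sorted(clients.items()):
        if len(c["unknown_users"]) >= enum_threshold:
            out.append(f"{ip}: possible user enumeration, "
                       f"{len(c['unknown_users'])} distinct unknown recipients")
        if c["relay_probes"]:
            out.append(f"{ip}: relay probe for {', '.join(c['relay_probes'])}")
        if c["rcpt_total"] >= MIN_RCPT_SAMPLE and rejection_ratio(c) >= 0.8:
            out.append(f"{ip}: {rejection_ratio(c):.0%} of RCPT commands rejected")
    return out


if __name__ == "__main__":
    for finding in alerts(analyze(SAMPLE_LOG)):
        print(finding)
```

The unknown-user signal counts distinct recipients rather than raw rejects so that one legitimate sender retrying a typo does not trip it, and the ratio signal is deliberately gated on a minimum session size; the normal peer in the sample, with one accepted recipient, produces no finding at all.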