An essential component of a security audit is SMTP enumeration, which identifies valid email addresses and helps find weaknesses in email servers and their configuration. The following describes how to use SMTP enumeration efficiently to find legitimate email addresses without overloading the server:
Tools and Techniques for SMTP Enumeration
1. Nmap
Nmap is a versatile network scanning tool that includes an NSE (Nmap Scripting Engine) script specifically for enumerating email addresses through SMTP. This script is very useful for automated email enumeration.
Using the Nmap Script (smtp-enum-users)
Nmap’s smtp-enum-users NSE script is designed to interact with an SMTP server and attempt to determine valid email addresses by simulating email transactions.
nmap -p 25 --script smtp-enum-users <target-IP>
This command attempts to discover valid email addresses by connecting to the SMTP service on port 25 and issuing RCPT TO commands, using the server's reply to decide whether each candidate address is accepted.
Advanced Usage: To customize the script further, you can set the --script-args option to specify user lists, verbosity, or even set limits on how many users to test:
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.userdb=userlist.txt,smtp-enum-users.suppress-vrfy-err,smtp-enum-users.max-users=10 <target-IP>
Here, userlist.txt contains usernames you want to test, suppress-vrfy-err suppresses error messages related to users not found, and max-users=10 limits the number of user attempts.
2. MailSniper
MailSniper is another tool that automates email enumeration against an SMTP server. It can perform brute-force username and domain enumeration.
MailSniper can use lists of usernames and domains to check which ones are valid by sending RCPT TO commands.
mailsniper -t <target-IP> -u userlist.txt -d domainlist.txt
-t specifies the target IP, -u is the file containing usernames, and -d is the file containing domains.
Configuration Options: You can configure MailSniper to handle errors more gracefully or set limits on the number of attempts:
mailsniper -t <target-IP> -u userlist.txt -d domainlist.txt -v -l 50
The -v option increases verbosity, and -l 50 sets the maximum number of username attempts to 50.
3. Metasploit Framework
The Metasploit Framework includes auxiliary modules for SMTP enumeration which can be used to identify valid email addresses.
Auxiliary Module:
use auxiliary/scanner/smtp/smtp_enum_users
After selecting this module, configure it with the target IP address and start the enumeration:
set RHOSTS <target-IP>
run
This module checks for valid email addresses by connecting to the SMTP server and issuing RCPT TO commands.
4. Custom Scripts
You can also write your own custom scripts using Python or another scripting language. For example, using Python’s smtplib library allows you to connect to the SMTP server and manually enumerate valid email addresses:
```python
import smtplib


def check_email(server, port, domain, user):
    """Return True when the server answers RCPT TO for user@domain with code 250."""
    try:
        # timeout keeps a slow or silent server from hanging the whole loop
        with smtplib.SMTP(server, port, timeout=10) as smtp:
            smtp.helo()
            smtp.mail('test@example.com')
            code, message = smtp.rcpt(user + '@' + domain)
            return code == 250
    except Exception as e:
        print(f"Error connecting to SMTP server: {e}")
        return False


server = 'smtp.example.com'
port = 25
domain = 'example.com'
user_list = ['user1', 'user2', 'user3']

for user in user_list:
    if check_email(server, port, domain, user):
        print(f"{user}@{domain} is a valid email address")
    else:
        print(f"{user}@{domain} is not a valid email address")
```
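The defensive counterpart to the probing described above, as an added example that is not part of the original page: a detector that reads Postfix-style smtpd rejection lines and flags any client that gets many distinct unknown recipients rejected within a short window, which is what a wordlist walk over RCPT TO looks like from the server side. The sample log lines, the client addresses, the `REJECT_RE` pattern and the year used to complete the syslog timestamps are all constructed assumptions here, not real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a Postfix-style "unknown recipient" rejection logged by smtpd.
# The layout mirrors real Postfix output, but every sample line below is constructed.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?to=<(?P<rcpt>[^>]+)>"
)


def _reject_line(ts, ip, rcpt):
    """Build one constructed rejection line (used only to create the sample data)."""
    return (f"{ts} mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<test@example.com> to=<{rcpt}> proto=ESMTP helo=<probe>")


# Constructed sample: one client walks a wordlist (six distinct local parts in
# ten seconds); another retries the same bad address once a minute for eight
# minutes, which is what a misconfigured legitimate sender looks like.
SAMPLE_LOG = [
    _reject_line(f"Jun  1 10:00:{1 + 2 * i:02d}", "203.0.113.5", f"user{i + 1}@example.com")
    for i in range(6)
] + [
    _reject_line(f"Jun  1 10:{5 + i:02d}:00", "198.51.100.7", "accounts@example.com")
    for i in range(8)
] + [
    # Unrelated queue-manager line: the parser must ignore it.
    "Jun  1 10:00:20 mx postfix/qmgr[999]: 4F2A1: from=<alice@example.org>, size=1024, nrcpt=1 (queue active)",
]


def parse_reject(line, year=2024):
    """Return (timestamp, client_ip, recipient) for a rejection line, else None.

    Syslog timestamps carry no year, so one is supplied as an assumption."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()


def find_enumerators(lines, window_seconds=60, threshold=5):
    """Flag client IPs with >= threshold *distinct* rejected recipients inside
    any window of window_seconds.

    Counting distinct recipients rather than raw rejections separates a
    wordlist walk from a legitimate sender retrying one mistyped address."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_reject(line)
        if parsed:
            ts, ip, rcpt = parsed
            events[ip].append((ts, rcpt))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        left, peak = 0, 0
        for right in range(len(evs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, len({r for _, r in evs[left:right + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct unknown recipients rejected within 60s")
```

Run as-is it reports only 203.0.113.5; the retrying client produces eight rejections but a single recipient, so it stays below the threshold. Tune `window_seconds` and `threshold` to the server's normal bounce volume before alerting on real logs. On Postfix the probing itself can also be damped at the source with the documented `disable_vrfy_command = yes` and `smtpd_hard_error_limit` parameters, which make VRFY unavailable and cut off clients that accumulate errors.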