
16. Nmap SMTP Enumeration

1. SMTP Command Enumeration

Command:

nmap -p 25 --script smtp-commands 192.168.1.1

Explanation:

  • -p 25: Specifies port 25, the default SMTP port. Submission listeners on 587 speak the same protocol; include them with -p 25,587 when they are open.
  • --script smtp-commands: Runs the smtp-commands NSE script to enumerate supported SMTP commands.
  • 192.168.1.1: Target IP address.

Purpose:

  • Sends EHLO and then HELP and reports both replies: the EHLO reply lists the extensions the server advertises (VRFY, STARTTLS, AUTH, SIZE and so on), the HELP reply lists the commands it accepts.
  • Useful for understanding the capabilities and configuration of the SMTP server before choosing further checks.

Example Output:

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-commands: 
|   192.168.1.1 Hello
|   Supported commands:
|     HELO
|     MAIL
|     RCPT
|     DATA
|     RSET
|     NOOP
|     QUIT
|     VRFY
|     EXPN
|     AUTH
|_    STARTTLS

Key Findings:

  • Lists standard SMTP commands like HELO, MAIL, RCPT, which every server supports and which say little on their own.
  • Indicates support for VRFY (verify a mailbox) and EXPN (expand a mailing list), which make user enumeration possible; AUTH, which is a target for password guessing and, if offered before STARTTLS, exposes credentials on the wire; and STARTTLS, which only means the server can upgrade the session to TLS, not that it requires it.

2. Enumerating SMTP Users

Command:

nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} 192.168.1.1

Explanation:

  • -p 25: Specifies port 25 for SMTP.
  • --script smtp-enum-users: Runs the smtp-enum-users NSE script to enumerate users.
  • --script-args smtp-enum-users.methods={VRFY}: Restricts the enumeration method. Without this argument the script tries all of its methods in turn:
    • VRFY (verify a mailbox).
    • EXPN (expand a mailing list).
    • RCPT (issue MAIL FROM and RCPT TO and see whether the recipient is accepted; works even when VRFY and EXPN are disabled).
    Several methods can be listed inside the braces separated by commas; quote the whole argument, because bash brace-expands {VRFY,EXPN} into two words before nmap sees it. Candidate names come from Nmap's built-in username list unless userdb=<file> is also passed, and smtp-enum-users.domain sets the domain appended to each name.
  • 192.168.1.1: Target IP address.

Purpose:

  • Enumerates valid usernames by watching how the server answers each candidate: 250 or 251 means the mailbox exists, 550 (or 551/553) means it does not, 252 means the server will not confirm either way, and 500/502 means the command is disabled.
  • RCPT-based enumeration produces false positives against servers that accept every recipient (catch-all domains) or only reject unknown users after DATA; confirm a few names by hand before relying on the list.

Example Output:

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users:
|   admin@example.com
|   user1@example.com
|   support@example.com
|_  guest@example.com

Key Findings:

  • Reveals valid email addresses or usernames on the target system.
  • Useful for building a target list for password spraying against AUTH or other services, and for phishing.

3. Testing for SMTP Open Relay

Command:

nmap -p 25 --script smtp-open-relay 192.168.1.1

Explanation:

  • -p 25: Specifies port 25 for SMTP.
  • --script smtp-open-relay: Runs the smtp-open-relay NSE script to check if the SMTP server is misconfigured to allow unauthorized relaying of emails.
  • 192.168.1.1: Target IP address.

Purpose:

  • Detects whether the server accepts mail from an outside sender to an outside recipient, i.e. whether it can be used as an open relay. The script runs a fixed set of sender/recipient combinations (16 in current versions) and reports how many the server accepted.
  • Open relays are abused by spammers and phishers, get the server blacklisted, and let an attacker send mail that appears to originate from the organisation.
  • The addresses used in the tests can be controlled with smtp-open-relay.domain, smtp-open-relay.from and smtp-open-relay.to, so that any mail that does get through lands in a mailbox you control.

Example Output:

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

or, if misconfigured:

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server is an open relay (16/16 tests)

Key Findings:

  • Secure Server: "Server doesn't seem to be an open relay, all tests failed."
  • Vulnerable Server: "Server is an open relay (N/16 tests)". Even one accepted combination is a significant issue. The verdict is based on the reply to RCPT TO; a server that accepts the recipient but discards or bounces the message later will also be flagged, so confirm with a manual relay attempt to a mailbox you control before reporting.
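The checks in sections 1 to 3 are all short SMTP dialogues judged by reply code. The following is an added example, not Nmap's own NSE code, that implements the same three probes in Python against a toy SMTP server running in-process, so it works offline and the server's replies can be read side by side with the client's decisions. The server, the domain example.test, the user list and the sender/recipient addresses are constructed for the demo.

```python
# Added example (not Nmap code): the probes behind smtp-commands, smtp-enum-users and smtp-open-relay.
import socket
import threading

LOCAL_DOMAIN = "example.test"        # constructed: the domain the toy server accepts mail for
KNOWN_USERS = {"admin", "support"}   # constructed: accounts the toy server knows about

def _serve(conn, relay):
    """Toy SMTP responder; handles only the verbs the probes send."""
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        for raw in rd:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                reply = b"250-mail.example.test Hello\r\n250-VRFY\r\n250 STARTTLS\r\n"
            elif verb == "VRFY":    # 250 = known user, 550 = no such user
                reply = b"250 " + arg.encode() + b"\r\n" if arg in KNOWN_USERS else b"550 5.1.1 User unknown\r\n"
            elif verb == "EXPN":    # disabled on this server
                reply = b"502 5.5.1 Command not implemented\r\n"
            elif verb == "RCPT":    # arg looks like TO:<user@domain>
                user, _, domain = arg[arg.find("<") + 1:arg.find(">")].partition("@")
                if domain != LOCAL_DOMAIN:   # a foreign recipient means relaying
                    reply = b"250 2.1.5 Ok\r\n" if relay else b"554 5.7.1 Relay access denied\r\n"
                else:
                    reply = b"250 2.1.5 Ok\r\n" if user in KNOWN_USERS else b"550 5.1.1 User unknown\r\n"
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:                   # MAIL, RSET, NOOP: accepted blindly
                reply = b"250 2.0.0 Ok\r\n"
            conn.sendall(reply)

def start_server(relay=False):
    """Listen on an ephemeral loopback port and return the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve, args=(conn, relay), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

class SMTPProbe:
    """Minimal client: send one command, parse the (possibly multi-line) reply."""
    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.rd = self.sock.makefile("rb")
        self.reply()                 # consume the 220 banner
    def reply(self):
        lines = []
        while True:
            line = self.rd.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends
                break
        return (int(line[:3]) if line[:3].isdigit() else 0), lines
    def cmd(self, text):
        self.sock.sendall(text.encode() + b"\r\n")
        return self.reply()
    def close(self):
        self.cmd("QUIT")
        self.sock.close()

def capabilities(host, port):
    """What smtp-commands reads from EHLO: the extension keywords the server advertises."""
    p = SMTPProbe(host, port)
    code, lines = p.cmd("EHLO scanner.example.test")
    p.close()
    return [l[4:].split()[0] for l in lines[1:] if l[4:].split()] if code == 250 else []

def enum_users(host, port, names, domain=LOCAL_DOMAIN, method="VRFY"):
    """smtp-enum-users logic -> (status, valid_names). status is "ok", "unsupported"
    (500/502: verb disabled) or "ambiguous" (252: server refuses to confirm anything)."""
    p = SMTPProbe(host, port)
    p.cmd("EHLO scanner.example.test")
    found, status = [], "ok"
    for name in names:
        if method == "RCPT":         # still works when VRFY/EXPN are disabled
            p.cmd("MAIL FROM:<probe@scanner.example.test>")
            code, _ = p.cmd(f"RCPT TO:<{name}@{domain}>")
            p.cmd("RSET")            # abort the transaction before the next name
        else:
            code, _ = p.cmd(f"{method} {name}")
        if code in (250, 251):
            found.append(name)
        elif code == 252 or code in (500, 502):
            status = "ambiguous" if code == 252 else "unsupported"
            break
    p.close()
    return status, found

def is_open_relay(host, port):
    """smtp-open-relay's core test: outside sender, outside recipient, is RCPT accepted?"""
    p = SMTPProbe(host, port)
    p.cmd("EHLO scanner.example.test")
    p.cmd("MAIL FROM:<relaytest@attacker.example.net>")
    code, _ = p.cmd("RCPT TO:<victim@external.example.org>")
    p.close()
    return code == 250
```

Run start_server() to get a port, then point capabilities, enum_users and is_open_relay at 127.0.0.1 and that port. The toy server answers VRFY honestly and rejects EXPN, so VRFY and RCPT enumeration both find admin and support while EXPN reports "unsupported"; starting a second server with relay=True flips is_open_relay from False to True. Against a real target the same code would need STARTTLS handling and, as the NSE script does, many more sender/recipient combinations in the relay test.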

Summary of Commands

Command           Purpose                                          Key Findings
smtp-commands     Enumerates supported SMTP commands.              Lists commands like HELO, MAIL, AUTH, STARTTLS.
smtp-enum-users   Enumerates valid email addresses or usernames.   Reveals valid accounts on the SMTP server.
smtp-open-relay   Checks if the SMTP server is an open relay.      Identifies misconfigured servers vulnerable to abuse.

Usage Notes

  • Ethical Use: Ensure you have proper authorization before scanning SMTP servers. Unauthorized scanning may be illegal, and the open-relay test generates real delivery attempts that the target's operators will see in their logs.
  • Remediation:
    • Disable VRFY and EXPN (Postfix: disable_vrfy_command = yes; Sendmail: PrivacyOptions=novrfy,noexpn, or goaway for the strictest set), then re-run smtp-enum-users with the RCPT method to see what can still be learned.
    • Relay only for trusted networks and authenticated users (Postfix: smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) and re-run smtp-open-relay after the change.
    • Offer AUTH only after STARTTLS (Postfix: smtpd_tls_auth_only = yes) so credentials never cross the network in the clear.
  • Context: These scripts are valuable for penetration testing, vulnerability assessments, and identifying security misconfigurations in mail servers.