# smtp-user-enum

| Field        | Value |
|--------------|-------|
| Name         | smtp-user-enum |
| Version      | 0.7.0 |
| Home page    | https://github.com/cytopia/smtp-user-enum |
| Summary      | SMTP user enumeration tool with clever timeout, retry and reconnect functionality. |
| Upload time  | 2023-04-03 10:42:08 |
| Author       | cytopia |
| License      | MIT |
| Requirements | No requirements were recorded. |

SMTP user enumeration via `VRFY`, `EXPN` and `RCPT` with clever timeout, retry and reconnect functionality.

Some SMTP servers take a long time for the initial communication (banner and greeting) and then
handle subsequent commands quite fast, only to randomly slow down again later.

This implementation of SMTP user enumeration counteracts that with granular timeout, retry and
reconnect options that can be set separately for the initial communication and for enumeration.
The defaults should work fine; if you encounter slow enumeration, adjust the settings
according to your needs.

Additionally, if it encounters a response such as `421 Too many errors on this connection`, it will
automatically and transparently reconnect and continue from where it left off.


> Inspired by [smtp-user-enum](http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum) Perl script and rewritten in Python with full Python2 and Python3 support.

**Table of contents**

1. [Installation](#tada-installation)
2. [Features](#star-features)
3. [Usage](#computer-usage)
4. [VRFY mode (default)](#smiling_imp-vrfy-mode-default)
    1. [How does VRFY work](#how-does-vrfy-work)
    2. [Successful VRFY enumeration](#successful-vrfy-enumeration)
    3. [Failed VRFY enumeration](#failed-vrfy-enumeration)
5. [EXPN mode](#smiling_imp-expn-mode)
    1. [How does EXPN work](#how-does-expn-work)
    2. [Successful EXPN enumeration](#successful-expn-enumeration)
    3. [Failed EXPN enumeration](#failed-expn-enumeration)
6. [RCPT mode](#smiling_imp-rcpt-mode)
    1. [How does RCPT work](#how-does-rcpt-work)
    2. [Successful RCPT enumeration](#successful-rcpt-enumeration)
    3. [Troubleshooting EXPN enumeration](#troubleshooting-expn-enumeration)
        1. [550 A valid address is required](#550-a-valid-address-is-required)
        2. [450 Relaying temporarily denied](#450-relaying-temporarily-denied)
        3. [False positives](#false-positives)
        4. [Investigating timeouts](#investigating-timeouts)
7. [Mitigation](#cop-mitigation)
    1. [VRFY and EXPN](#vrfy-and-expn)
        1. [Postfix](#postfix)
        2. [Sendmail](#sendmail)
        3. [Exim](#exim)
    2. [RCPT TO](#rcpt-to)
8. [cytopia sec tools](#lock-cytopia-sec-tools)
9. [Contributing](#octocat-contributing)
10. [Disclaimer](#exclamation-disclaimer)
11. [License](#page_facing_up-license)


## :tada: Installation
```bash
pip install smtp-user-enum
```


## :star: Features

* Enumerate users via `VRFY`, `EXPN` or `RCPT`
* Find out which users are aliases via `RCPT`
* Fully customizable `MAIL FROM` address for `RCPT` mode
* Append domains to usernames
* Wrap usernames or emails in `<` and `>`
* Very verbose mode
* Very granular timing, retry and reconnect options for all phases
* Works with Python2 and Python3

See the troubleshooting section for examples of how to use the different options.


## :computer: Usage

```bash
$ smtp-user-enum --help

usage: smtp-user-enum [options] -u/-U host port
       smtp-user-enum --help
       smtp-user-enum --version

SMTP user enumeration tool with clever timeout, retry and reconnect functionality.

Some SMTP server take a long time for initial communication (banner and greeting) and then
handle subsequent commands quite fast. Then again they randomly start to get slow again.

This implementation of SMTP user enumeration counteracts with granular timeout, retry and
reconnect options for initial communication and enumeration separately.
The defaults should work fine, however if you encounter slow enumeration, adjust the settings
according to your needs.

Additionally if it encounters anything like '421 Too many errors on this connection' it will
automatically and transparently reconnect and continue from where it left off.

positional arguments:
  host                  IP or hostname to connect to.
  port                  Port to connect to.

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         Show version information,
  -m mode, --mode mode  Mode to enumerate SMTP users.
                        Supported modes: VRFY, EXPN, RCPT
                        Default: VRFY
  -d addr, --domain addr
                        Domain to append to users to convert into email addresses.
                        Useful if you see this response: '550 A valid address is required'
                        Default: Nothing appended
  -w, --wrap            Wrap the username or email address in '<' and '>' characters.
                        Usefule if you see this response: '501 5.5.2 Syntax error in parameters or arguments'.
                        Makes sense to combine with -d/--domain option.
                        Default: Nothing wrapped
  -f addr, --from-mail addr
                        MAIL FROM email address. Only used in RCPT mode
                        Default: user@example.com
  -l addr, --helo addr  Domain name of sending host used in HELO command.
  -u user, --user user  Username to test.
  -U file, --file file  Newline separated wordlist of users to test.
  -V, --verbose         Show verbose output. Useful to adjust your timing and retry settings.
  --timeout-init sec    Timeout for initial communication (connect, banner and greeting).
                        Default: 25
  --timeout-enum sec    Timeout for user enumeration.
                        Default: 10
  --retry-init int      Number of retries for initial communication (connect, banner and greeting).
                        Default: 4
  --retry-enum int      Number of retries for user enumeration.
                        Default: 5
  --reconnect int       Number of reconnects during user enumeration after retries have exceeded.
                        Default: 3
```


## :smiling_imp: VRFY mode (default)

> The SMTP "VRFY" command allows you to verify whether the system can deliver mail to a particular user.
>
> Source: https://www.rapid7.com/db/vulnerabilities/smtp-general-vrfy

### How does VRFY work

The `VRFY` mode can easily be tested with `nc` or `telnet` as shown below:
```bash
$ nc mail.example.tld 25
```
```
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Thu, 23 Jan 2020 16:03:22 +0200
HELO changeme
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
VRFY someuser
550 5.1.1 someuser... User unknown
VRFY bob
250 2.1.5 <bob@mail.example.tld>
```

As can be seen, the `550` reply to `VRFY someuser` tells us that this user does not exist, whereas `VRFY bob` yields a positive `250` result.

### Successful VRFY enumeration

```bash
$ smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
Start enumerating users with VRFY mode ...
[----] admin             550 5.1.1 admin... User unknown
[----] OutOfBox          550 5.1.1 OutOfBox... User unknown
[SUCC] root              250 2.1.5 root <root@mail.example.tld>
[SUCC] adm               250 2.1.5 <adm@mail.example.tld>
[----] avahi-autoipd     550 5.1.1 avahi-autoipd... User unknown
[----] backup            550 5.1.1 backup... User unknown
[TEST] bin ...
```

### Failed VRFY enumeration

In case the VRFY mode is not successful as shown below, you will need to try out a different mode.

```bash
$ smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
Start enumerating users with VRFY mode ...
[----] 4Dgifts           502 VRFY disallowed.
[----] EZsetup           502 VRFY disallowed.
[----] OutOfBox          502 VRFY disallowed.
[----] root              502 VRFY disallowed.
[----] adm               502 VRFY disallowed.
[----] admin             502 VRFY disallowed.
[----] administrator     502 VRFY disallowed.
[----] anon              502 VRFY disallowed.
```


## :smiling_imp: EXPN mode

> The SMTP "EXPN" command allows you to expand a mailing list or alias, to see where mail addressed to the alias actually goes. For example, many organizations alias postmaster to root, so that mail addressed to postmaster will get delivered to the system administrator. Issuing "EXPN postmaster" via SMTP would reveal that postmaster is aliased to root.
>
> The "EXPN" command can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list -- subscription lists are generally considered to be sensitive information.
>
> Source: https://www.rapid7.com/db/vulnerabilities/smtp-general-expn

### How does EXPN work

The `EXPN` mode can easily be tested with `nc` or `telnet` as shown below:
```bash
$ nc mail.example.tld 25
```
```
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Thu, 23 Jan 2020 16:03:22 +0200
HELO changeme
250 mail.example.tld [10.0.0.1], pleased to meet you
EXPN someuser
550 5.1.1 someuser... User unknown
EXPN bob
250 2.1.5 <bob@mail.example.tld>
EXPN bin
250 2.1.5 root <root@mail.example.tld>
```

As can be seen, the `550` reply to `EXPN someuser` tells us that this user does not exist, whereas `EXPN bob` and `EXPN bin` yield positive results. You can also see from the output that `bob` is a real user on the system, whereas `bin` is just an alias pointing to `root`.

### Successful EXPN enumeration

```bash
$ smtp-user-enum -m EXPN -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
Start enumerating users with EXPN mode ...
[----] 4Dgifts           550 5.1.1 4Dgifts... User unknown
[----] EZsetup           550 5.1.1 EZsetup... User unknown
[----] OutOfBox          550 5.1.1 OutOfBox... User unknown
[SUCC] root              250 2.1.5 root <root@barry>
[SUCC] adm               250 2.1.5 root <root@barry>
[----] admin             550 5.1.1 admin... User unknown
[----] administrator     550 5.1.1 administrator... User unknown
[----] anon              550 5.1.1 anon... User unknown
[----] auditor           550 5.1.1 auditor... User unknown
```

**Note:** the right-hand side shows the mailbox to which mail for the alias will be forwarded.

### Failed EXPN enumeration

In case the EXPN mode is not successful as shown below, you will need to try out a different mode.

```bash
$ smtp-user-enum -m EXPN -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
Start enumerating users with EXPN mode ...
[----] adm               502 Unimplemented command.
[----] admin             502 Unimplemented command.
[----] administrator     502 Unimplemented command.
[----] anon              502 Unimplemented command.
[----] auditor           502 Unimplemented command.
[----] avahi             502 Unimplemented command.
[----] avahi-autoipd     502 Unimplemented command.
[----] bbs               502 Unimplemented command.
[----] bin               502 Unimplemented command.
```

## :smiling_imp: RCPT mode

This is usually the most useful command to fish for usernames as `VRFY` and `EXPN` are often disabled.

### How does RCPT work

The `RCPT` mode can easily be tested with `nc` or `telnet` as shown below:
```bash
$ nc mail.example.tld 25
```
```
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Thu, 23 Jan 2020 16:03:22 +0200
HELO changeme
250 mail.example.tld [10.0.0.1], pleased to meet you
MAIL FROM:user@example.com
250 2.1.0 user@example.com... Sender ok
RCPT TO:someuser
550 5.1.1 someuser... User unknown
RCPT TO:bob
250 2.1.5 bob... Recipient ok
```

As can be seen, the `550` reply to `RCPT TO:someuser` tells us that this user does not exist, whereas `RCPT TO:bob` yields a positive `250` result.


### Successful RCPT enumeration

```bash
$ smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 user@example.com... Sender ok
Start enumerating users with RCPT mode ...
[----] OutOfBox          550 5.1.1 OutOfBox... User unknown
[SUCC] root              250 2.1.5 root... Recipient ok
[SUCC] adm               250 2.1.5 adm... Recipient ok
[----] admin             550 5.1.1 admin... User unknown
[----] administrator     550 5.1.1 administrator... User unknown
[----] backup            550 5.1.1 backup... User unknown
[----] bbs               550 5.1.1 bbs... User unknown
[SUCC] bin               250 2.1.5 bin... Recipient ok
[----] checkfs           550 5.1.1 checkfs... User unknown
[----] checksys          550 5.1.1 checksys... User unknown
```

### Troubleshooting EXPN enumeration

#### 550 A valid address is required
```bash
$ smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 user@example.com... Sender ok
Start enumerating users with RCPT mode ...
[----] 4Dgifts           550 A valid address is required.
[----] EZsetup           550 A valid address is required.
[----] OutOfBox          550 A valid address is required.
[----] root              550 A valid address is required.
[----] adm               550 A valid address is required.
```

The output above shows that this server does not accept bare usernames.
This can be counteracted with the `-d` option, which appends a domain to each username during enumeration:

#### 450 Relaying temporarily denied
```bash
$ smtp-user-enum -m RCPT -d 'example.com' -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 user@example.com... Sender ok
Start enumerating users with RCPT mode ...
[----] 4Dgifts           450 4.7.1 4Dgifts@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
[----] EZsetup           450 4.7.1 EZsetup@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
[----] OutOfBox          450 4.7.1 OutOfBox@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
[----] root              450 4.7.1 root@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
[----] adm               450 4.7.1 adm@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
```

It looks like the server is also hardened against relaying. To circumvent this, you could try to specify the server's hostname (it can be seen in the banner or greeting) or use `127.0.0.1` as the domain for users:

#### False positives
```bash
$ smtp-user-enum -m RCPT -d '127.0.0.1' -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 user@example.com... Sender ok
Start enumerating users with RCPT mode ...
[SUCC] 4Dgifts           250 2.1.5 4Dgifts@127.0.0.1... Recipient ok (will queue)
[SUCC] EZsetup           250 2.1.5 EZsetup@127.0.0.1... Recipient ok (will queue)
[SUCC] OutOfBox          250 2.1.5 OutOfBox@127.0.0.1... Recipient ok (will queue)
[SUCC] root              250 2.1.5 root@127.0.0.1... Recipient ok (will queue)
[SUCC] adm               250 2.1.5 adm@127.0.0.1... Recipient ok (will queue)
[SUCC] admin             250 2.1.5 admin@127.0.0.1... Recipient ok (will queue)
[SUCC] administrator     250 2.1.5 administrator@127.0.0.1... Recipient ok (will queue)
[SUCC] anon              250 2.1.5 anon@127.0.0.1... Recipient ok (will queue)
[SUCC] auditor           250 2.1.5 auditor@127.0.0.1... Recipient ok (will queue)
[SUCC] backup            250 2.1.5 backup@127.0.0.1... Recipient ok (will queue)
```

It looks like using `127.0.0.1` as the user's domain leads to false positives, so let's try the exact domain specified in the banner, `mail.example.tld`:

```bash
$ smtp-user-enum -m RCPT -d 'mail.example.tld' -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 user@example.com... Sender ok
Start enumerating users with RCPT mode ...
[----] 4Dgifts           550 5.1.1 4Dgifts@mail.example.tld... User unknown
[----] EZsetup           550 5.1.1 EZsetup@mail.example.tld... User unknown
[----] OutOfBox          550 5.1.1 OutOfBox@mail.example.tld... User unknown
[SUCC] ROOT              250 2.1.5 ROOT@mail.example.tld... Recipient ok
[SUCC] adm               250 2.1.5 adm@mail.example.tld... Recipient ok
[----] admin             550 5.1.1 admin@mail.example.tld... User unknown
[----] administrator     550 5.1.1 administrator@mail.example.tld... User unknown
[----] anon              550 5.1.1 anon@mail.example.tld... User unknown
[----] auditor           550 5.1.1 auditor@mail.example.tld... User unknown
[----] avahi             550 5.1.1 avahi@mail.example.tld... User unknown
[----] avahi-autoipd     550 5.1.1 avahi-autoipd@mail.example.tld... User unknown
[----] backup            550 5.1.1 backup@mail.example.tld... User unknown
[----] bbs               550 5.1.1 bbs@mail.example.tld... User unknown
[SUCC] bin               250 2.1.5 bin@mail.example.tld... Recipient ok
[----] checkfs           550 5.1.1 checkfs@mail.example.tld... User unknown
```

#### Investigating timeouts
```bash
$ smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
timed out
```

Let's add the `-V` option to get verbose output:

```bash
$ smtp-user-enum -V -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt -l mydomain.com mail.example.tld 25
Connecting to mail.example.tld 25 ...
[1/4] Connecting to mail.example.tld:25 ...
[1/4] Waiting for banner ...
220 beta SMTP Server (JAMES SMTP Server 2.3.2) ready Wed, 22 Jan 2020 16:10:10 -0500 (EST)
[1/4] Sending greeting: HELO mydomain.com
[1/4] Waiting for greeting reply ...
250 beta Hello test (10.0.0.1 [10.0.0.1])
[1/4] Sending: MAIL FROM: user@example.com
[1/4] Waiting for MAIL FROM reply ...
501 5.1.7 Syntax error in MAIL command
[2/4] Waiting for MAIL FROM reply ...
[3/4] Waiting for MAIL FROM reply ...
[4/4] Waiting for MAIL FROM reply ...
timed out
```

So apparently the mail server does not like our command `MAIL FROM: user@example.com` and answers it with a `501` syntax error.
To circumvent this, let's put the from address in angle brackets, like so: `MAIL FROM: <user@example.com>`, via the `-f` argument:


```bash
$ smtp-user-enum -f '<user@example.com>' -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 Sender <user@example.com> OK
Start enumerating users with RCPT mode ...
[----] 4Dgifts           501 5.5.2 Syntax error in parameters or arguments
[----] EZsetup           501 5.5.2 Syntax error in parameters or arguments
[----] OutOfBox          501 5.5.2 Syntax error in parameters or arguments
[----] root              501 5.5.2 Syntax error in parameters or arguments
```

Looks like the usernames also need to be wrapped in `<` and `>` to satisfy this specific mailserver. To do this, simply add the `-w` option:

```bash
$ smtp-user-enum -w -f '<user@example.com>' -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25

Connecting to mail.example.tld 25 ...
220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200
250 mail.example.tld Hello [10.0.0.1], pleased to meet you
250 2.1.0 Sender <user@example.com> OK
Start enumerating users with RCPT mode ...
[SUCC] 4Dgifts           250 2.1.5 Recipient <4Dgifts@localhost> OK
[SUCC] EZsetup           250 2.1.5 Recipient <EZsetup@localhost> OK
[SUCC] OutOfBox          250 2.1.5 Recipient <OutOfBox@localhost> OK
[SUCC] root              250 2.1.5 Recipient <root@localhost> OK
[SUCC] adm               250 2.1.5 Recipient <adm@localhost> OK
[SUCC] admin             250 2.1.5 Recipient <admin@localhost> OK
[SUCC] administrator     250 2.1.5 Recipient <administrator@localhost> OK
[SUCC] anon              250 2.1.5 Recipient <anon@localhost> OK
[SUCC] auditor           250 2.1.5 Recipient <auditor@localhost> OK
```

Unfortunately this leads to false positives again, as the server seems to be an open relay.
The lesson learned, however, is to use the `-V` option to troubleshoot what is going on whenever you run into issues.
Maybe the open relay is another vector to hunt down.
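The failure modes walked through above (uniform `502`, uniform `450`, and the all-`250` false positives) can be told apart mechanically when auditing your own server. The following is an added example, not part of smtp-user-enum: it parses result lines in the format shown above, and the verdict labels and the `canary` parameter are assumptions made for illustration.

```python
import re
from collections import Counter

# Result lines in the format printed above, e.g.
# "[SUCC] root              250 2.1.5 root... Recipient ok"
RESULT_RE = re.compile(r"^\[(?:SUCC|----)\]\s+(\S+)\s+(\d{3})\b\s*(.*)$")

# Sample lines copied from the outputs shown in the sections above.
LEAKY = """\
[----] OutOfBox          550 5.1.1 OutOfBox... User unknown
[SUCC] root              250 2.1.5 root... Recipient ok
[SUCC] adm               250 2.1.5 adm... Recipient ok
[----] admin             550 5.1.1 admin... User unknown
"""
CATCH_ALL = """\
[SUCC] 4Dgifts           250 2.1.5 4Dgifts@127.0.0.1... Recipient ok (will queue)
[SUCC] EZsetup           250 2.1.5 EZsetup@127.0.0.1... Recipient ok (will queue)
[SUCC] root              250 2.1.5 root@127.0.0.1... Recipient ok (will queue)
"""
DISABLED = """\
[----] 4Dgifts           502 VRFY disallowed.
[----] root              502 VRFY disallowed.
"""
RELAY_DENIED = """\
[----] root              450 4.7.1 root@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
[----] adm               450 4.7.1 adm@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1
"""


def parse_results(output):
    """Return (user, code, text) tuples; banner and status lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = RESULT_RE.match(line.strip())
        if match:
            rows.append((match.group(1), int(match.group(2)), match.group(3)))
    return rows


def assess(output, canary=None):
    """Classify one run against your own server.

    canary (hypothetical parameter): a username you know does NOT exist.
    If the server accepts it, every "success" in the run is meaningless.
    """
    rows = parse_results(output)
    if not rows:
        return "no-results"
    # 250/251 mean the address was accepted. 252 (RFC 5321) means
    # "cannot verify" and is deliberately not counted as a confirmation.
    accepted = {user for user, code, _ in rows if code in (250, 251)}
    codes = Counter(code for _, code, _ in rows)
    if canary is not None and canary in accepted:
        return "accepts-everything"
    if len(codes) == 1:
        code = next(iter(codes))
        if code in (250, 251):
            return "accepts-everything"      # catch-all or relay: no signal
        if code in (252, 500, 502):
            return "command-disabled"        # the hardened state for VRFY/EXPN
        if 400 <= code < 500:
            return "temporarily-refused"     # e.g. relaying denied
        return "uniform-reject"              # e.g. "A valid address is required"
    if accepted and any(code >= 500 for code in codes):
        return "leaks-user-existence"        # replies differ per user
    return "inconclusive"


if __name__ == "__main__":
    for name, sample in [("LEAKY", LEAKY), ("CATCH_ALL", CATCH_ALL),
                         ("DISABLED", DISABLED), ("RELAY_DENIED", RELAY_DENIED)]:
        print(name, "->", assess(sample))
```

Only the `leaks-user-existence` verdict means the server tells valid and invalid recipients apart; that is the case the mitigation section below addresses.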


## :cop: Mitigation

Now that you've seen how easy it could be to enumerate usernames on systems, you should ensure that your servers are hardened against this technique.

### VRFY and EXPN

#### Postfix

On Postfix, `VRFY` does not appear to be disabled by default, as shown by [their documentation](http://www.postfix.org/postconf.5.html#disable_vrfy_command). It also looks like Postfix does not implement the `EXPN` command, so only `VRFY` needs to be disabled.

`main.cf`:
```ini
disable_vrfy_command = yes
```

#### Sendmail

On Sendmail you will have to adjust the privacy settings and reload its configuration afterwards in order to disable `VRFY` and `EXPN`.

`sendmail.cf`:
```diff
- O PrivacyOptions=
+ O PrivacyOptions=noexpn novrfy
```
or
```diff
- O PrivacyOptions=
+ O PrivacyOptions=goaway
```

#### Exim

On Exim, check whether these settings have already been disabled and, if not, disable them accordingly. For the `EXPN` directive, make sure to either comment it out or restrict it to `localhost` only.

`exim.conf`:
```diff
- smtp_verify = true
+ smtp_verify = false

- smtp_expn_hosts = ...
+ smtp_expn_hosts = localhost
```

### RCPT TO

The `RCPT TO` command cannot be disabled without breaking a mail server. What you should do instead is to require authentication:

* [Postfix SASL](http://www.postfix.org/SASL_README.html)
* [Sendmail SASL](https://www.sendmail.org/~ca/email/auth.html)
* [Exim SASL](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_cyrussasl_authenticator.html)
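
Because `RCPT TO` has to stay enabled, enumeration attempts are also worth detecting in the mail log. The following added example (not code from this project) flags clients that trigger many distinct `User unknown` rejections within a short window; the Postfix-style log lines are constructed, and the threshold, window and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd rejection of an unknown local recipient (syslog format, no year).
REJECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[([^\]]+)\]: 550 5\.1\.1 <([^>]*)>: .*User unknown"
)


def make_reject_line(timestamp, client_ip, user):
    """Build one constructed log line for the sample below."""
    return (
        f"{timestamp} mail postfix/smtpd[2143]: NOQUEUE: reject: "
        f"RCPT from unknown[{client_ip}]: 550 5.1.1 <{user}@mail.example.tld>: "
        f"Recipient address rejected: User unknown in local recipient table; "
        f"from=<user@example.com> to=<{user}@mail.example.tld> "
        f"proto=SMTP helo=<changeme>"
    )


# Constructed sample: 10.0.0.1 walks a wordlist within seconds, while
# 192.0.2.10 is a sender repeating a single mistyped address an hour apart.
SAMPLE_LOG = "\n".join(
    [
        make_reject_line(f"Jan 22 19:33:{7 + i:02d}", "10.0.0.1", user)
        for i, user in enumerate(
            ["4Dgifts", "EZsetup", "OutOfBox", "admin", "administrator", "anon"]
        )
    ]
    + [
        make_reject_line("Jan 22 09:15:02", "192.0.2.10", "jon.smith"),
        make_reject_line("Jan 22 10:20:41", "192.0.2.10", "jon.smith"),
        "Jan 22 19:33:20 mail postfix/smtpd[2143]: disconnect from unknown[10.0.0.1]",
    ]
)


def find_enumerators(log_text, threshold=5, window_seconds=60, year=2020):
    """Return {client_ip: max distinct unknown recipients seen in any window}.

    Only clients reaching `threshold` distinct rejected recipients within
    `window_seconds` are returned. `year` is needed because classic syslog
    timestamps do not carry one.
    """
    events = defaultdict(list)  # client_ip -> [(time, recipient)]
    for line in log_text.splitlines():
        match = REJECT_RE.match(line)
        if not match:
            continue
        when = datetime.strptime(f"{year} {match.group(1)}", "%Y %b %d %H:%M:%S")
        events[match.group(2)].append((when, match.group(3).lower()))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client_ip, hits in events.items():
        hits.sort()
        start = 0
        best = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({rcpt for _, rcpt in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[client_ip] = best
    return flagged


if __name__ == "__main__":
    for client_ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{client_ip}: {count} distinct unknown recipients within 60s")
```

Counting distinct recipients rather than raw rejections keeps a sender who retries one mistyped address from being flagged.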


## :lock: [cytopia](https://github.com/cytopia) sec tools

Below is a list of sec tools and docs I am maintaining.

| Name                 | Category             | Language   | Description |
|----------------------|----------------------|------------|-------------|
| **[offsec]**         | Documentation        | Markdown   | Offsec checklist, tools and examples |
| **[header-fuzz]**    | Enumeration          | Bash       | Fuzz HTTP headers |
| **[smtp-user-enum]** | Enumeration          | Python 2+3 | SMTP users enumerator |
| **[urlbuster]**      | Enumeration          | Python 2+3 | Mutable web directory fuzzer |
| **[pwncat]**         | Pivoting             | Python 2+3 | Cross-platform netcat on steroids |
| **[badchars]**       | Reverse Engineering  | Python 2+3 | Badchar generator |
| **[fuzza]**          | Reverse Engineering  | Python 2+3 | TCP fuzzing tool |

[offsec]: https://github.com/cytopia/offsec
[header-fuzz]: https://github.com/cytopia/header-fuzz
[smtp-user-enum]: https://github.com/cytopia/smtp-user-enum
[urlbuster]: https://github.com/cytopia/urlbuster
[pwncat]: https://github.com/cytopia/pwncat
[badchars]: https://github.com/cytopia/badchars
[fuzza]: https://github.com/cytopia/fuzza


## :octocat: Contributing

See the **[Contributing guidelines](CONTRIBUTING.md)** to help improve this project.


## :exclamation: Disclaimer

This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.


## :page_facing_up: License

**[MIT License](LICENSE.txt)**

Copyright (c) 2020 **[cytopia](https://github.com/cytopia)**



            

User unknown\n[----] administrator     550 5.1.1 administrator... User unknown\n[----] anon              550 5.1.1 anon... User unknown\n[----] auditor           550 5.1.1 auditor... User unknown\n```\n\n**Note:** the right side shows to what mailbox the email will be forwarded for the alias.\n\n### Failed EXPN enumeration\n\nIn case the EXPN mode is not successful as shown below, you will need to try out a different mode.\n\n```bash\n$ smtp-user-enum -m EXPN -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\nStart enumerating users with EXPN mode ...\n[----] adm               502 Unimplemented command.\n[----] admin             502 Unimplemented command.\n[----] administrator     502 Unimplemented command.\n[----] anon              502 Unimplemented command.\n[----] auditor           502 Unimplemented command.\n[----] avahi             502 Unimplemented command.\n[----] avahi-autoipd     502 Unimplemented command.\n[----] bbs               502 Unimplemented command.\n[----] bin               502 Unimplemented command.\n```\n\n## :smiling_imp: RCPT mode\n\nThis is usually the most useful command to fish for usernames as `VRFY` and `EXPN` are often disabled.\n\n### How does RCPT work\n\nThe `RCPT` mode can easily be tested with `nc` or `telnet` as shown below:\n```bash\n$ nc mail.example.tld 25\n```\n```\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Thu, 23 Jan 2020 16:03:22 +0200\nHELO changeme\n250 mail.example.tld [10.0.0.1], pleased to meet you\nMAIL FROM:user@example.com\n250 2.1.0 user@example.com... Sender ok\nRCPT TO:someuser\n550 5.1.1 someuser... User unknown\nRCPT TO:bob\n250 2.1.5 bob... 
Recipient ok\n```\n\nAs can be seen `RCPT TO: someuser` tells us it does not exist whereas `RCPT TO: bob` yields a positive result.\n\n\n### Successful RCPT enumeration\n\n```bash\n$ smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 user@example.com... Sender ok\nStart enumerating users with RCPT mode ...\n[----] OutOfBox          550 5.1.1 OutOfBox... User unknown\n[SUCC] root              250 2.1.5 root... Recipient ok\n[SUCC] adm               250 2.1.5 adm... Recipient ok\n[----] admin             550 5.1.1 admin... User unknown\n[----] administrator     550 5.1.1 administrator... User unknown\n[----] backup            550 5.1.1 backup... User unknown\n[----] bbs               550 5.1.1 bbs... User unknown\n[SUCC] bin               250 2.1.5 bin... Recipient ok\n[----] checkfs           550 5.1.1 checkfs... User unknown\n[----] checksys          550 5.1.1 checksys... User unknown\n```\n\n### Troubleshooting RCPT enumeration\n\n#### 550 A valid address is required\n```bash\n$ smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 user@example.com... 
Sender ok\nStart enumerating users with RCPT mode ...\n[----] 4Dgifts           550 A valid address is required.\n[----] EZsetup           550 A valid address is required.\n[----] OutOfBox          550 A valid address is required.\n[----] root              550 A valid address is required.\n[----] adm               550 A valid address is required.\n```\n\nBy the above output you can see that pure usernames are not allowed to be specified,\nthis can be counteracted with the `-d` command, to append a domain to each username during enumeration:\n\n#### 450 Relaying temporarily denied\n```bash\n$ smtp-user-enum -m RCPT -d 'example.com' -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 user@example.com... Sender ok\nStart enumerating users with RCPT mode ...\n[----] 4Dgifts           450 4.7.1 4Dgifts@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1\n[----] EZsetup           450 4.7.1 EZsetup@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1\n[----] OutOfBox          450 4.7.1 OutOfBox@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1\n[----] root              450 4.7.1 root@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1\n[----] adm               450 4.7.1 adm@example.com... Relaying temporarily denied. Cannot resolve PTR record for 10.0.0.1\n```\n\nLooks like the server is also hardened against relaying. 
To circumvent this, you could try to specify the server's hostname (can be seen in the banner or greeting) or use `127.0.0.1` as the domain for users:\n\n#### False positives\n```bash\n$ smtp-user-enum -m RCPT -d '127.0.0.1' -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 user@example.com... Sender ok\nStart enumerating users with RCPT mode ...\n[SUCC] 4Dgifts           250 2.1.5 4Dgifts@127.0.0.1... Recipient ok (will queue)\n[SUCC] EZsetup           250 2.1.5 EZsetup@127.0.0.1... Recipient ok (will queue)\n[SUCC] OutOfBox          250 2.1.5 OutOfBox@127.0.0.1... Recipient ok (will queue)\n[SUCC] root              250 2.1.5 root@127.0.0.1... Recipient ok (will queue)\n[SUCC] adm               250 2.1.5 adm@127.0.0.1... Recipient ok (will queue)\n[SUCC] admin             250 2.1.5 admin@127.0.0.1... Recipient ok (will queue)\n[SUCC] administrator     250 2.1.5 administrator@127.0.0.1... Recipient ok (will queue)\n[SUCC] anon              250 2.1.5 anon@127.0.0.1... Recipient ok (will queue)\n[SUCC] auditor           250 2.1.5 auditor@127.0.0.1... Recipient ok (will queue)\n[SUCC] backup            250 2.1.5 backup@127.0.0.1... Recipient ok (will queue)\n```\n\nLooks like `127.0.0.1` as the user's domain leads to false positives, let's try the exact domain specified in the banner `mail.example.tld`:\n\n```bash\n$ smtp-user-enum -m RCPT -d 'mail.example.tld' -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 user@example.com... Sender ok\nStart enumerating users with RCPT mode ...\n[----] 4Dgifts           550 5.1.1 4Dgifts@mail.example.tld... 
User unknown\n[----] EZsetup           550 5.1.1 EZsetup@mail.example.tld... User unknown\n[----] OutOfBox          550 5.1.1 OutOfBox@mail.example.tld... User unknown\n[SUCC] ROOT              250 2.1.5 ROOT@mail.example.tld... Recipient ok\n[SUCC] adm               250 2.1.5 adm@mail.example.tld... Recipient ok\n[----] admin             550 5.1.1 admin@mail.example.tld... User unknown\n[----] administrator     550 5.1.1 administrator@mail.example.tld... User unknown\n[----] anon              550 5.1.1 anon@mail.example.tld... User unknown\n[----] auditor           550 5.1.1 auditor@mail.example.tld... User unknown\n[----] avahi             550 5.1.1 avahi@mail.example.tld... User unknown\n[----] avahi-autoipd     550 5.1.1 avahi-autoipd@mail.example.tld... User unknown\n[----] backup            550 5.1.1 backup@mail.example.tld... User unknown\n[----] bbs               550 5.1.1 bbs@mail.example.tld... User unknown\n[SUCC] bin               250 2.1.5 bin@mail.example.tld... Recipient ok\n[----] checkfs           550 5.1.1 checkfs@mail.example.tld... 
User unknown\n```\n\n#### Investigating timeouts\n```bash\n$ smtp-user-enum -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\ntimed out\n```\n\nLet's add the `-V` to get some verbosity:\n\n```bash\n$ smtp-user-enum -V -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt -l mydomain.com mail.example.tld 25\nConnecting to mail.example.tld 25 ...\n[1/4] Connecting to mail.example.tld:25 ...\n[1/4] Waiting for banner ...\n220 beta SMTP Server (JAMES SMTP Server 2.3.2) ready Wed, 22 Jan 2020 16:10:10 -0500 (EST)\n[1/4] Sending greeting: HELO mydomain.com\n[1/4] Waiting for greeting reply ...\n250 beta Hello test (10.0.0.1 [10.0.0.1])\n[1/4] Sending: MAIL FROM: user@example.com\n[1/4] Waiting for MAIL FROM reply ...\n501 5.1.7 Syntax error in MAIL command\n[2/4] Waiting for MAIL FROM reply ...\n[3/4] Waiting for MAIL FROM reply ...\n[4/4] Waiting for MAIL FROM reply ...\ntimed out\n```\n\nSo apparently the mailserver does not like our command: `MAIL FROM: user@example.com`.\nTo circumvent this, let's put the from email in brackets like so: `MAIL FROM: <user@example.com>` via the `-f` argument:\n\n\n```bash\n$ smtp-user-enum -f '<user@example.com>' -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 Sender <user@example.com> OK\nStart enumerating users with RCPT mode ...\n[----] 4Dgifts           501 5.5.2 Syntax error in parameters or arguments\n[----] EZsetup           501 5.5.2 Syntax error in parameters or arguments\n[----] OutOfBox          501 5.5.2 Syntax error in parameters or arguments\n[----] root              501 5.5.2 Syntax 
error in parameters or arguments\n```\n\nLooks like the usernames also need to be wrapped in `<` and `>` to satisfy this specific mailserver. To do this, simply add the `-w` option:\n\n```bash\n$ smtp-user-enum -w -f '<user@example.com>' -m RCPT -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25\n\nConnecting to mail.example.tld 25 ...\n220 mail.example.tld ESMTP Sendmail 8.12.8/8.12.8; Wed, 22 Jan 2020 19:33:07 +0200\n250 mail.example.tld Hello [10.0.0.1], pleased to meet you\n250 2.1.0 Sender <user@example.com> OK\nStart enumerating users with RCPT mode ...\n[SUCC] 4Dgifts           250 2.1.5 Recipient <4Dgifts@localhost> OK\n[SUCC] EZsetup           250 2.1.5 Recipient <EZsetup@localhost> OK\n[SUCC] OutOfBox          250 2.1.5 Recipient <OutOfBox@localhost> OK\n[SUCC] root              250 2.1.5 Recipient <root@localhost> OK\n[SUCC] adm               250 2.1.5 Recipient <adm@localhost> OK\n[SUCC] admin             250 2.1.5 Recipient <admin@localhost> OK\n[SUCC] administrator     250 2.1.5 Recipient <administrator@localhost> OK\n[SUCC] anon              250 2.1.5 Recipient <anon@localhost> OK\n[SUCC] auditor           250 2.1.5 Recipient <auditor@localhost> OK\n```\n\nUnfortunately this yields false positives again as it seems to be an open relay.\nHowever, the lesson learned from this is to use the `-V` option in case of issues to troubleshoot what is going on.\nMaybe the open relay is another vector to hunt down.\n\n\n## :cop: Mitigation\n\nNow that you've seen how easy it could be to enumerate usernames on systems, you should ensure that your servers are hardened against this technique.\n\n### VRFY and EXPN\n\n#### Postfix\n\nOn Postfix, `VRFY` does not seem to be disabled by default, as shown by [their documentation](http://www.postfix.org/postconf.5.html#disable_vrfy_command). 
It also looks like Postfix did not implement the `EXPN` command, so only `VRFY` needs to be disabled.\n\n`main.cf`:\n```ini\ndisable_vrfy_command = yes\n```\n\n#### Sendmail\n\nOn Sendmail you will have to adjust the privacy settings and reload its configuration afterwards in order to disable `VRFY` and `EXPN`.\n\n`sendmail.cf`:\n```diff\n- O PrivacyOptions=\n+ O PrivacyOptions=noexpn novrfy\n```\nor\n```diff\n- O PrivacyOptions=\n+ O PrivacyOptions=goaway\n```\n\n#### Exim\n\nOn Exim you should check if those values have already been disabled and then disable them accordingly. For the `EXPN` directive, make sure to either comment it out or set it to `localhost` only.\n\n`exim.conf`:\n```diff\n- smtp_verify = true\n+ smtp_verify = false\n\n- smtp_expn_hosts = ...\n+ smtp_expn_hosts = localhost\n```\n\n### RCPT TO\n\nThe `RCPT TO` command cannot be disabled without breaking a mail server. What you should do instead is to require authentication:\n\n* [Postfix SASL](http://www.postfix.org/SASL_README.html)\n* [Sendmail SASL](https://www.sendmail.org/~ca/email/auth.html)\n* [Exim SASL](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_cyrussasl_authenticator.html)\n\n\n## :lock: [cytopia](https://github.com/cytopia) sec tools\n\nBelow is a list of sec tools and docs I am maintaining.\n\n| Name                 | Category             | Language   | Description |\n|----------------------|----------------------|------------|-------------|\n| **[offsec]**         | Documentation        | Markdown   | Offsec checklist, tools and examples |\n| **[header-fuzz]**    | Enumeration          | Bash       | Fuzz HTTP headers |\n| **[smtp-user-enum]** | Enumeration          | Python 2+3 | SMTP users enumerator |\n| **[urlbuster]**      | Enumeration          | Python 2+3 | Mutable web directory fuzzer |\n| **[pwncat]**         | Pivoting             | Python 2+3 | Cross-platform netcat on steroids |\n| **[badchars]**       | Reverse Engineering  | Python 2+3 | Badchar 
generator |\n| **[fuzza]**          | Reverse Engineering  | Python 2+3 | TCP fuzzing tool |\n\n[offsec]: https://github.com/cytopia/offsec\n[header-fuzz]: https://github.com/cytopia/header-fuzz\n[smtp-user-enum]: https://github.com/cytopia/smtp-user-enum\n[urlbuster]: https://github.com/cytopia/urlbuster\n[pwncat]: https://github.com/cytopia/pwncat\n[badchars]: https://github.com/cytopia/badchars\n[fuzza]: https://github.com/cytopia/fuzza\n\n\n## :octocat: Contributing\n\nSee **[Contributing guidelines](CONTRIBUTING.md)** to help to improve this project.\n\n\n## :exclamation: Disclaimer\n\nThis tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.\n\n\n## :page_facing_up: License\n\n**[MIT License](LICENSE.txt)**\n\nCopyright (c) 2020 **[cytopia](https://github.com/cytopia)**\n\n\n",
    "bugtrack_url": null,
    "license": "MIT",
    "summary": "SMTP user enumeration tool with clever timeout, retry and reconnect functionality.",
    "version": "0.7.0",
    "split_keywords": [],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "4369d1a7e00bd93452e1ab86978db09d676d5185b86b590d2236629642494ed1",
                "md5": "a525be73a5eff35957224f0b039e3e28",
                "sha256": "199cdc727257c306eed2c384bd4d3822d357f9faaf848a055a7498399e2a002a"
            },
            "downloads": -1,
            "filename": "smtp_user_enum-0.7.0-py2.py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "a525be73a5eff35957224f0b039e3e28",
            "packagetype": "bdist_wheel",
            "python_version": "py2.py3",
            "requires_python": null,
            "size": 12737,
            "upload_time": "2023-04-03T10:42:06",
            "upload_time_iso_8601": "2023-04-03T10:42:06.493634Z",
            "url": "https://files.pythonhosted.org/packages/43/69/d1a7e00bd93452e1ab86978db09d676d5185b86b590d2236629642494ed1/smtp_user_enum-0.7.0-py2.py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "a0164f1f7b9de45307529bf65aab990ee718344d9ee2cc645917c55bfd43ac56",
                "md5": "506ea60bcf11e3d3532c0e125a48f351",
                "sha256": "2ec1a05c4549d8ef5cb35ce8ff7ff9bef09619b7f8f4afe2d335d0baeb6b54d5"
            },
            "downloads": -1,
            "filename": "smtp-user-enum-0.7.0.tar.gz",
            "has_sig": false,
            "md5_digest": "506ea60bcf11e3d3532c0e125a48f351",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 16127,
            "upload_time": "2023-04-03T10:42:08",
            "upload_time_iso_8601": "2023-04-03T10:42:08.533273Z",
            "url": "https://files.pythonhosted.org/packages/a0/16/4f1f7b9de45307529bf65aab990ee718344d9ee2cc645917c55bfd43ac56/smtp-user-enum-0.7.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2023-04-03 10:42:08",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "github_user": "cytopia",
    "github_project": "smtp-user-enum",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "smtp-user-enum"
}
        