> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/initial-access/services/smtp.md).

# SMTP

In certain vulnerable configurations, mail servers can also be used to gather information about a host or network. SMTP39 supports several important commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which can later aid the attacker.\
\
**Check for enabled methods:**\
`nmap --script smtp-commands 172.16.80.27 -p25`\
\
//connect to a mail server\
`#nc -nv <ip> 25`\
//will reply with a banner and smtp shell\
`>VRFY root` //checks if bob is a user on the system\
//check bash script section for enumeration of this ^^\
\
We can utilize the response to brute force check users.

![](/files/-McqjxMpji2sk3V2f4_Q)

We can edit this slightly to add the ability to grab a text file of users and check many:

{% tabs %}
{% tab title="SMTP Leak Users (python)" %}

```python
#!/usr/bin/python
import socket
import sys
if len(sys.argv) != 2:
 print "Usage: vrfy.py <username> "
 sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.11.1.215',25))
banner=s.recv(1024)
print banner
# VRFY a user
s.send('VRFY ' + sys.argv[1] + '\r\n')
result=s.recv(1024)
print result

s.close()
```

{% endtab %}

{% tab title="V2" %}

```python
#!/usr/bin/python

import socket
import sys

#param check
if len(sys.argv) !=2:
 print “Usage: vrfy.py <username>”
 sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)#create a socket
connect=s.connect(('192.168.31.215', 25))#connect to the server
banner=s.recv(1024) #receiv the banner
print banner
s.send('VRFY ‘ + sys.argv[1]+’\r\n')#vrfy a user
result=s.recv(1024)
print result
s.close()
```

{% endtab %}
{% endtabs %}
