From the given image you can read the valid username found in the targeted server as well as it also grabs the SMTP banner. Type following command to enumerate username using a dictionary of usernames:.
From the given image you can see out of total 7 queries only 5 names are valid and exist in SMTP server. Type following command to verify user email address on mail server:. From the given image you can see it has shown [email protected] is valid email ID for user raj.
Type following command to enumerate valid email ID of targeted server:. From the given image you can see blue color text refer to a valid email account and the red color text refers to an invalid account. Clients use it to send email to their mail service, and email MX servers use it to forward email messages to each other. Although most clients use an encrypted version on TCP or , most server-server email is still sent in cleartext over the Internet, with no authentication between the servers.
Although many SMTP products have code vulnerabilities that allow an attacker to gain root privilege and run arbitrary commands through an overflow attack, many pen testers also seek to enumerate email accounts from the server, as well as relay spam and phishing messages.
SMTP has two commands in particular that help with enumeration. This service can help the penetration tester to perform username enumeration via the EXPN and VRFY commands if these commands have not been disabled by the system administrator. There are a number of ways which this enumeration through the SMTP can be achieved and there will be explained in this article.
The role of the EXPN command is to reveal the actual address of users aliases and lists of email and VRFY which can confirm the existance of names of valid users. The SMTP enumeration can be performed manually through utilities like telnet and netcat or automatically via a variety of tools like metasploit,nmap and smtp-user-enum. The only thing that this module requires is to enter the IP address of the remote host and to execute it with the run command as the other options have been filled automatically from metasploit.
We can see the results of the metasploit in the next image:. Another tool that can be used is the smtp-user-enum which provides 3 methods of user enumeration.
0コメント