
```bash
host -t MX hackthebox.eu
host -t MX microsoft.com
host -t A mail1.inlanefreight.htb.
dig mx plaintext.do | grep "MX" | grep -v ";"
dig mx inlanefreight.com | grep "MX" | grep -v ";"
```
We can enumerate the following ports:
| Port | Service |
|---|---|
| TCP/25 | SMTP Unencrypted |
| TCP/143 | IMAP4 Unencrypted |
| TCP/110 | POP3 Unencrypted |
| TCP/465 | SMTP Encrypted |
| TCP/587 | SMTP Encrypted/STARTTLS |
| TCP/993 | IMAP4 Encrypted |
| TCP/995 | POP3 Encrypted |
VRFY: this command instructs the receiving SMTP server to check the validity of a particular email username. The server responds, indicating whether the user exists or not. This feature can be disabled.
```
telnet 10.10.10.10 25
VRFY root
VRFY new-user
```
EXPN is similar to VRFY, except that when used with a distribution list, it will list all users on that list. This can be a bigger problem than the VRFY command since sites often have an alias such as "all."
```
telnet 10.10.10.10 25
EXPN john
EXPN support-team
```
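RCPT TO identifies the recipient of the email message. This command can be repeated multiple times for a given message to deliver a single message to multiple recipients. Because the server answers each RCPT TO separately, its reply can reveal whether that recipient exists.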
```
telnet 10.10.110.20 25
MAIL FROM:<test@htb.com>
RCPT TO:julio
RCPT TO:john
```
We can also use the POP3 protocol to enumerate users, depending on the service implementation. For example, we can use the command USER followed by the username; if the server responds OK, the user exists on the server.
```
telnet 10.10.10.10 110
USER john
```
To automate our enumeration process, we can use a tool named smtp-user-enum.
```bash
smtp-user-enum -M RCPT -U userlist.txt -D inlanefreight.htb -t 10.129.203.7
```
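
On the receiving mail server, the VRFY and RCPT TO probing described above shows up as one client being rejected for many different unknown names. The following detection sketch is an added example, not part of the original notes. It assumes log lines modelled on Postfix smtpd reject entries, and the sample lines, client IPs and `threshold` value are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: lines modelled on Postfix smtpd reject entries.
# Client IPs are documentation addresses; none of this comes from the page.
_TEMPLATE = (
    "Mar 10 09:14:{sec:02d} mail1 postfix/smtpd[2211]: NOQUEUE: reject: {cmd} "
    "from unknown[{ip}]: 550 5.1.1 <{name}>: Recipient address rejected: "
    "User unknown in local recipient table; to=<{name}> proto=SMTP"
)
_EVENTS = [
    ("VRFY", "192.0.2.10", "root"),
    ("VRFY", "192.0.2.10", "new-user"),
    ("RCPT", "192.0.2.10", "julio@inlanefreight.htb"),
    ("RCPT", "192.0.2.10", "root"),  # repeat probe, counted once
    ("RCPT", "198.51.100.7", "jhon@inlanefreight.htb"),  # a single typo
]
SAMPLE_LOG = "\n".join(
    ["Mar 10 09:14:00 mail1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]"]
    + [_TEMPLATE.format(sec=i + 1, cmd=c, ip=ip, name=n)
       for i, (c, ip, n) in enumerate(_EVENTS)]
)

# Matches a rejected VRFY or RCPT for a name the server does not know.
REJECT = re.compile(
    r"reject: (?P<cmd>VRFY|RCPT) from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"55\d \S+ <(?P<name>[^>]*)>: .*User unknown"
)


def find_enumerators(log_text, threshold=3):
    """Map each client IP to the distinct unknown names it probed,
    keeping only clients that reached `threshold` distinct names."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        match = REJECT.search(line)
        if match:
            probes[match["ip"]].add(match["name"].lower())
    return {ip: sorted(names) for ip, names in probes.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unknown names probed: {', '.join(names)}")
```

Probes that hit existing users produce no reject line, so the count of distinct failed names per client is the signal. Tune the threshold against the normal rate of mistyped addresses.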