SMTP Enumeration How-to

Once you identify open ports and the services listening (See my post How to do Basic Port Scanning with Nmap), the next step in a security  Why? Because “63% of confirmed data breaches involved leveraging weak, stolen or default passwords” (“Verizon,” 2016). In fact, SplashData’s sixth annual 2016 “Worst Passwords” report found that “Simple numerical passwords remain common, with five of the top 10 passwords on this year’s list comprised of numbers only” … “with nearly 4% of people using the worst password, 123456” (See

The first step to assess and audit the use of default or weak passwords is to check if it is possible to collect valid usernames by interacting with services. The usernames gathered are then used for brute force testing, in which we verify if, given a correct username, it is possible to find its password. This post will address how to identify Linux usernames using Kali Linux on a host. I will address Windows in a separate post.

pentestmonkey smtp-user-enum

The Simple Mail Transfer Protocol (SMTP) defined in RFC 821 is a TCP/IP protocol used to send and receive email. SMTP uses port 25 by default. However, since SMTP is limited in its ability to queue messages, it is used with one of two other protocols, POP3 or IMAP, that let users save messages in a server mailbox and download them periodically from the server. So, users typically use an SMTP program for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based systems, Sendmail is the most widely-used SMTP server for e-mail. A commercial package, Sendmail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can be installed with POP3 support.

There are two SMTP commands; VRFY and EXPN, that if not disabled by the administrator can discloser usernames. The SMTP VRFY command allows a user to connect to your email server and ask to verify that an address is valid. Using this command, an attacker can verify if an account is valid. The SMTP EXPN command allows an attacker to telnet to your Sendmail server and gives the server an alias. The EXPN command expands the alias into the list of actual recipients.

The first tool I use is pentestmonkey’s SMTP-user-enum, username guessing tool primarily for use against the default Solaris SMTP service. SMTP-user-enum can use either EXPN, VRFY or RCPT TO. But first I need to identify a username list to test.

Some familiar, well-known, usernames exist on default installations of operating systems and software.  This information can be used to create a list of usernames.  For example, it is reasonable to assume, that Linux will have a root account and Windows will have an administrator. Account (though the Windows best practice is to disable the Administrator account). Kali includes many default username and passwords lists that I can use with smtp-user-enum to test:

I select unix_users.txt and run smtp-user-enum. It identifies 17 usernames. Many look like processes, but “root” and “user” seem promising. In another post, I will combine these usernames along with others I harvest to create a master list that I will use to check for the use default or weak passwords by brute force testing:

About the Author

David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver Colorado. Regis University’s School of Computer & Information Sciences, designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations ISSA, OWASP, CSA, among others.


2016 Verizon data breach investigations report.  (2016).  Retrieved October 24, 2017 from

File smtp-enum-users.  (n.d).  Retrieved October 24, 2017 from

User enumeration.  (n.d.).  Retrieved October 24, 2017 from

Scanner SMTP auxiliary modules.  (n.d.).  Retrieved October 24, 2017 from

smtp-user-enum.  (n.d.).  Retrieved October 24, 2017

Leave a Reply

Your email address will not be published. Required fields are marked *