This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

SMTP

What is SMTP?

Simple Mail Transfer Protocol (SMTP) is, as the name suggests, simple. SMTP servers often implement interactive commands (VRFY, EXPN, HELO/EHLO, MAIL FROM, RCPT TO) that, when enabled or misconfigured, can reveal useful information about valid recipients, relaying policies, and server capabilities. Treat enumeration results as leads, not definitive proof.


Key points

  • User enumeration: Commands such as VRFY and EXPN can be abused to confirm whether an account or mailing-list membership exists. Many modern servers disable or restrict these commands, but older or misconfigured servers may respond differently to valid vs invalid users.

  • Service fingerprinting: The SMTP banner and responses to EHLO reveal server software/version and supported extensions (STARTTLS, AUTH, SIZE).

  • Relaying behaviour: Tests can reveal whether the server is an open relay (dangerous misconfiguration) or only accepts local recipients.

  • Safety: Avoid sending actual emails to validate users; use protocol-level commands and non-destructive checks.

Ports

  • SMTP (plain): 25/tcp

  • SMTP over TLS (implicit): 465/tcp

  • SMTP submission (with STARTTLS): 587/tcp


SMTP Enumeration

Linux

Using Nmap

  • Ports scanning

sudo nmap -p 25,465,587 <target>
  • Nmap scripts

    • smtp-enum-users — attempts to enumerate users.

    • smtp-commands — lists supported SMTP commands.

    • smtp-open-relay — checks relay behaviour.

    Example (running the user-enumeration script):

    sudo nmap -p 25 --script=smtp-enum-users <target>

Using NetCat

Open a raw TCP session and issue SMTP commands:

nc -nv 192.168.5.64 25
220 mail.example.com ESMTP Postfix (Ubuntu)
EHLO attacker.local
250-mail.example.com
250-PIPELINING
250-SIZE 10485760
250-STARTTLS
VRFY root
252 2.0.0 root
VRFY nonexistent
550 5.1.1 <nonexistent>: Recipient address rejected: User unknown in local recipient table
QUIT
221 2.0.0 Bye

Differing success/error codes indicate the server distinguishes valid users from invalid ones.
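The checks this section describes (reading the capability list from the EHLO reply, comparing VRFY replies for a real and a made-up mailbox, and the relay test mentioned under Key points) as a script a mail administrator can run against a server they manage. This is an added example written for this page, not code from the original guide or from any tool it mentions. The client hostname, the unknown-user name and the external addresses are constructed placeholders; the offline functions are exercised with the reply lines quoted from the nc session above.

```python
"""Audit an SMTP server for user-enumeration and open-relay exposure.

The parsing/classification functions work on saved transcripts; audit_live()
runs the same checks over the wire without ever sending a message (no DATA).
"""
import re
import smtplib
from dataclasses import dataclass

# One SMTP reply line: three-digit code, then "-" (more lines follow) or " " (final line).
# The separator and text are optional so a bare "252" line still parses.
_REPLY_LINE = re.compile(r"^(\d{3})(?:[ -](.*))?$")


def parse_reply(raw: str) -> tuple[int, list[str]]:
    """Parse a single- or multi-line SMTP reply into (code, [text of each line])."""
    code, texts = None, []
    for line in raw.strip().splitlines():
        m = _REPLY_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code = int(m.group(1))
        texts.append(m.group(2) or "")
    if code is None:
        raise ValueError("empty reply")
    return code, texts


def ehlo_capabilities(raw: str) -> dict[str, str]:
    """Map extensions advertised in an EHLO reply (STARTTLS, SIZE, AUTH, ...) to their parameters.
    The first 250 line carries the server hostname, not an extension, so it is skipped."""
    code, texts = parse_reply(raw)
    if code != 250:
        return {}
    caps = {}
    for text in texts[1:]:
        keyword, _, params = text.partition(" ")
        caps[keyword.upper()] = params
    return caps


@dataclass
class Finding:
    exposed: bool
    detail: str


def assess_vrfy(valid_reply: str, invalid_reply: str) -> Finding:
    """Does VRFY answer differently for a mailbox that exists and one that does not?
    Any difference in reply code (252 vs 550, 250 vs 550, ...) confirms accounts to the caller;
    a uniform reply (for example 252 for every name) does not."""
    valid_code, _ = parse_reply(valid_reply)
    invalid_code, _ = parse_reply(invalid_reply)
    if valid_code == invalid_code:
        return Finding(False, f"uniform {valid_code} reply; VRFY does not confirm accounts")
    return Finding(True, f"known user -> {valid_code}, unknown user -> {invalid_code}: "
                         "VRFY confirms account existence")


def assess_relay(rcpt_reply: str) -> Finding:
    """Classify the RCPT TO reply for an external recipient given an external sender.
    A 2xx code means the server would relay for anyone; a 5xx code means relaying is refused."""
    code, texts = parse_reply(rcpt_reply)
    if 200 <= code < 300:
        return Finding(True, f"{code}: external recipient accepted; server relays for anyone")
    return Finding(False, f"{code}: relaying refused ({texts[-1]})")


def _as_reply(code: int, msg: bytes) -> str:
    """smtplib returns (code, text-bytes); rebuild the first reply line for the parsers."""
    lines = msg.decode(errors="replace").splitlines()
    return f"{code} {lines[0] if lines else ''}"


def audit_live(host: str, port: int = 25, known_user: str = "postmaster",
               unknown_user: str = "audit-nosuchuser-7f3a") -> dict:
    """Run the checks against a server you administer. 'postmaster' is the mailbox
    RFC 5321 requires every server to accept, so it serves as the known-valid name;
    the unknown name and the *.example addresses are constructed placeholders."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("audit.example")  # hypothetical client hostname
        caps = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        vrfy = assess_vrfy(_as_reply(*smtp.verify(known_user)),
                           _as_reply(*smtp.verify(unknown_user)))
        # Relay probe: MAIL FROM / RCPT TO, then RSET. DATA is never sent, so nothing is queued.
        smtp.mail("relaytest@external.example")
        relay = assess_relay(_as_reply(*smtp.rcpt("nobody@external.example")))
        smtp.rset()
    return {"capabilities": caps, "vrfy": vrfy, "relay": relay}


if __name__ == "__main__":
    import sys
    print(audit_live(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

The offline helpers accept reply lines copied from an nc or telnet transcript, so the session above can be classified without reconnecting. On Postfix, `disable_vrfy_command = yes` in main.cf makes VRFY return the same 252 reply for every name, which `assess_vrfy` then reports as not exposed; a server that still answers 252 for real users and 550 for unknown ones, as in the session above, is reported as exposed.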

Windows

Using PowerShell

  • Using Test-NetConnection

Test-NetConnection -Port 25 -ComputerName <target_ip>

Using Telnet

  • Telnet is not installed by default on Windows, so add it with:

 dism /online /Enable-Feature /FeatureName:TelnetClient
  • Interaction is the same as on Linux:

telnet 192.168.5.64 25
220 mail.example.com ESMTP Postfix (Ubuntu)
VRFY alice
250 2.1.5 alice
VRFY bob
550 5.1.1 <bob>: Recipient address rejected: User unknown in local recipient table
