Enumerating and Exploiting SMTP

James Patrick
5 min read, May 20, 2021

For a description of what SMTP is, see the following:

A quick run-through of an email message's journey:

1. The mail user agent, which is either your email client or an external program, connects to the SMTP server of your domain, e.g. smtp.google.com. This initiates the SMTP handshake. The connection is made over the SMTP port, which is usually 25. Once the connection has been made and validated, the SMTP session starts.

2. The process of sending mail can now begin. The client first submits the sender's and recipient's email addresses, the body of the email and any attachments to the server.

3. The SMTP server then checks whether the domain names of the recipient and the sender are the same.

4. The sender's SMTP server makes a connection to the recipient's SMTP server before relaying the email. If the recipient's server can't be reached or is not available, the email is placed in an SMTP queue.

5. The recipient's SMTP server then verifies the incoming email by checking whether the domain and username are recognised. It then forwards the email to the POP or IMAP server, as shown in the diagram above.

6. The E-Mail will then show up in the recipient’s inbox.

Enumerating SMTP

A poorly configured or vulnerable mail server can allow initial access into the network, but before attacking it we need to gather as much information as possible about the mail server. For this we will use a Metasploit module called “smtp_version” to scan an IP range and collect as much information as it can about any mail servers it finds.

Enumerating Users from SMTP

The SMTP service has two commands that allow the enumeration of users: VRFY (which confirms the names of valid users) and EXPN (which reveals the actual addresses behind a user's aliases and mailing lists). Using these SMTP commands, we can reveal a list of valid users.

We can do this manually over a telnet connection; however, Metasploit comes to the rescue again, providing a handy module appropriately called “smtp_enum” that will do the legwork for us! Using the module is a simple matter of feeding it a host or range of hosts to scan and a wordlist containing usernames to enumerate.
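The message journey described above and the VRFY/EXPN behaviour that smtp_enum relies on, as an added example that is not part of the original post and is not Metasploit code: a toy in-memory SMTP server that walks the EHLO / MAIL FROM / RCPT TO / DATA / QUIT dialogue and whose VRFY/EXPN policy decides what a probe can learn. The reply codes follow RFC 5321; the hostname is the one the write-up finds, while the user table, the client names and the transcripts are constructed sample data.

```python
# Added example (not from the write-up or Metasploit): a tiny SMTP server state machine.
# It walks the EHLO / MAIL FROM / RCPT TO / DATA / QUIT exchange from the message journey
# and shows how the server's VRFY/EXPN policy decides what a user-enumeration probe learns.
# Reply codes follow RFC 5321; users, client names and transcripts are constructed data.

KNOWN_USERS = {"administrator", "postmaster"}   # constructed: accounts the toy server knows


def _address(arg, prefix):
    """Extract the mailbox from 'FROM:<a@b>' / 'TO:<a@b>'; None if the prefix is wrong."""
    if not arg.upper().startswith(prefix):
        return None
    return arg[len(prefix):].strip().strip("<>")


class ToySMTPServer:
    """policy: 'disclose' answers VRFY/EXPN honestly (the weak setting),
    'ambiguous' always answers 252, 'disabled' answers 502 (Postfix disable_vrfy_command)."""

    def __init__(self, hostname, policy="disabled"):
        self.hostname = hostname
        self.policy = policy
        self.delivered = []        # (sender, recipients, body) for each accepted message
        self.greeted = False
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender, self.recipients, self.in_data, self.body = None, [], False, []

    def greeting(self):
        # The banner sent on connect is what a version scan such as smtp_version records.
        return f"220 {self.hostname} ESMTP Postfix"

    def handle(self, line):
        """Return the reply for one client line (None while a message body is being received)."""
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
            self._reset_envelope()
            return "250 2.0.0 Ok: queued"
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            return f"250 {self.hostname}"
        if not self.greeted:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = _address(arg, "FROM:")
            return "250 2.1.0 Ok" if self.sender is not None else "501 5.5.4 Syntax: MAIL FROM:<address>"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = _address(arg, "TO:")
            if rcpt is None:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            self.recipients.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.recipients:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("VRFY", "EXPN"):
            if self.policy == "disabled":
                return f"502 5.5.1 {verb} command is disabled"
            if self.policy == "ambiguous":
                return "252 2.1.5 Cannot VRFY user, but will accept message and attempt delivery"
            # 'disclose': confirms or denies each name, which is exactly what smtp_enum keys on
            if arg in KNOWN_USERS:
                return f"250 2.1.5 {arg} <{arg}@{self.hostname}>"
            return "550 5.1.1 User unknown"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"


def run_session(server, client_lines):
    """Feed client lines to the server; return the transcript as (client line, reply) pairs."""
    transcript = [(None, server.greeting())]
    for line in client_lines:
        transcript.append((line, server.handle(line)))
    return transcript


def probe_result(server, name):
    """How an enumerator classifies one VRFY reply: 'exists', 'absent' or 'unknown'."""
    server.handle("EHLO probe.example")
    code = server.handle(f"VRFY {name}")[:3]
    return {"250": "exists", "550": "absent"}.get(code, "unknown")   # 252/502 reveal nothing


if __name__ == "__main__":
    delivery = ["EHLO client.example", "MAIL FROM:<alice@example.org>",
                "RCPT TO:<administrator@polosmtp.home>", "DATA", "Subject: hello", "", "hi", ".", "QUIT"]
    for client, reply in run_session(ToySMTPServer("polosmtp.home"), delivery):
        if client is not None:
            print("C:", client)
        if reply is not None:
            print("S:", reply)
    for policy in ("disclose", "ambiguous", "disabled"):
        srv = ToySMTPServer("polosmtp.home", policy=policy)
        print(policy, probe_result(srv, "administrator"), probe_result(srv, "nobody"))
```

Running it prints the 220/250/354/221 exchange for a normal delivery, then shows that only the 'disclose' policy lets a probe tell administrator from nobody; with 252 or 502 replies the wordlist scan learns nothing. On Postfix, the MTA found on this target, the 502 behaviour comes from setting disable_vrfy_command = yes in main.cf.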

Let's run a quick scan to see if we can find port 25 open on this box:

We see SMTP running on the default port 25. Now we can use a Metasploit module called smtp_version to gather information on the target mail server. We will start Metasploit using the msfconsole command:

We will search for the module using search smtp_version:

We will select this module and show options:

We will set our RHOSTS to our target machine:

Now we will run the exploit:

We discover the remote hostname is polosmtp.home and that it is running the Postfix MTA:

Now that we have some info, let's search for and run the smtp_enum module:

We're going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of SecLists (/usr/share/wordlists/SecLists/Usernames if you have it installed). SecLists is an amazing collection of wordlists. If you're running Kali or Parrot you can install SecLists with “sudo apt install seclists”.

After showing options we will need to set the location of the wordlist we want to use (USER_FILE) as well as RHOSTS:

After running this exploit we find there is an administrator account:

Exploiting SMTP

So far, we have determined the following:

1. A user account name

2. The type of SMTP server and Operating System running.

We know from our port scan that the only other open port on this machine is an SSH login. We're going to use this information to try and brute-force the SSH password for our user using Hydra.

Hydra

There is a wide array of customizability when it comes to using Hydra, and it allows for adaptive password attacks against many different services, including SSH. Hydra comes by default on both Parrot and Kali; however, if you need it, you can find the GitHub here.

Hydra primarily uses dictionary attacks. Both Kali Linux and Parrot OS ship many different wordlists in the “/usr/share/wordlists” directory if you'd like to browse for an alternative to the widely used “rockyou.txt”. Likewise, I recommend checking out SecLists for a wider array of wordlists that are extremely useful for all sorts of purposes other than just password cracking, e.g. subdomain enumeration.

The syntax for the command we’re going to use to find the passwords is this:
“hydra -t 16 -l USERNAME -P /usr/share/wordlists/rockyou.txt -vV 10.10.12.7 ssh”
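What this dictionary attack looks like from the server side, as an added example that is not part of the original post and is not Hydra code: a small detector that reads OpenSSH "Failed password" / "Accepted password" lines in syslog format, counts failures per source address in a sliding window, and flags any source that crosses a threshold, plus the higher-priority case of a successful login from an already-flagged source. The hostname, addresses, ports and log lines are constructed sample data; the username is the one enumerated above.

```python
# Added example (not from the write-up or Hydra): detect SSH password guessing in auth logs.
# Parses OpenSSH syslog lines, keeps a sliding window of failures per source, and reports
# sources crossing a threshold and any login that succeeds from a flagged source.
# All log lines below are constructed sample data, not output from the target machine.
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth line in syslog format. The syslog timestamp carries no year; we assume one year.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+ ssh2"
)

# Constructed sample: one source hammering 'administrator' in parallel (note the distinct
# ports within the same second, as a multi-task wordlist run produces), one user mistyping once.
SAMPLE_LOG = """\
May 20 10:00:01 polosmtp sshd[1201]: Failed password for administrator from 10.0.0.5 port 50122 ssh2
May 20 10:00:01 polosmtp sshd[1203]: Failed password for administrator from 10.0.0.5 port 50124 ssh2
May 20 10:00:02 polosmtp sshd[1205]: Failed password for administrator from 10.0.0.5 port 50126 ssh2
May 20 10:00:02 polosmtp sshd[1207]: Failed password for invalid user admin from 10.0.0.5 port 50128 ssh2
May 20 10:00:03 polosmtp sshd[1209]: Failed password for administrator from 10.0.0.5 port 50130 ssh2
May 20 10:00:03 polosmtp sshd[1211]: Failed password for administrator from 10.0.0.5 port 50132 ssh2
May 20 10:00:04 polosmtp sshd[1213]: Accepted password for administrator from 10.0.0.5 port 50134 ssh2
May 20 10:05:30 polosmtp sshd[1300]: Failed password for james from 10.0.0.9 port 40010 ssh2
May 20 10:05:41 polosmtp sshd[1302]: Accepted password for james from 10.0.0.9 port 40012 ssh2
"""


def parse_line(line):
    """Return a dict (ts, result, user, src) for an auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return (alerts, logins_after_alert).

    alerts: {src: failures inside the window at the moment the threshold was first crossed}
    logins_after_alert: [(src, user)] for successful logins from a source already flagged,
    the signal that a guess succeeded and the account should be treated as compromised.
    """
    recent = defaultdict(deque)     # src -> timestamps of failures still inside the window
    alerts = {}
    logins_after_alert = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Accepted":
            if src in alerts:
                logins_after_alert.append((src, ev["user"]))
            continue
        window = recent[src]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = len(window)
    return alerts, logins_after_alert


if __name__ == "__main__":
    alerts, compromised = detect_bruteforce(SAMPLE_LOG)
    for src, count in alerts.items():
        print(f"brute-force: {src} reached {count} failures inside the window")
    for src, user in compromised:
        print(f"login after brute-force: {user} from {src}")
```

Against the sample, 10.0.0.5 is flagged on its fifth failure and the later "Accepted password" from it is reported separately, while the single typo from 10.0.0.9 stays quiet. With the `-t 16` used in the command above, Hydra opens 16 parallel connections, so the failures arrive as a burst from one address with many source ports per second, which is why keying on the source address rather than on the username works here.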

Here is a quick breakdown for this:

This will take some time to enumerate:

We see we found the admin password “alejandro”:

From here we will SSH into the server (the other port we noticed open) and get the flag:
