SMTP-User-Enum

SMTP-User-Enum is a tool for enumerating valid usernames on SMTP servers using various techniques including VRFY, EXPN, and RCPT TO commands.

Installation

Linux/Ubuntu

# Install from repository
sudo apt update
sudo apt install smtp-user-enum

# Or from source
wget http://pentestmonkey.net/tools/smtp-user-enum/smtp-user-enum-1.2.tar.gz
tar -xzf smtp-user-enum-1.2.tar.gz
cd smtp-user-enum-1.2
chmod +x smtp-user-enum.pl

Kali Linux

# Pre-installed
smtp-user-enum -h

# Or install
sudo apt install smtp-user-enum

macOS

# Via Homebrew
brew install smtp-user-enum

# Or from source
git clone https://github.com/smtptools/smtp-user-enum.git
cd smtp-user-enum
perl smtp-user-enum.pl -h

Basic Usage

# Show help
smtp-user-enum -h

# VRFY method
smtp-user-enum -M VRFY -U wordlist.txt -t mail.example.com

# EXPN method
smtp-user-enum -M EXPN -U wordlist.txt -t mail.example.com

# RCPT TO method (default)
smtp-user-enum -M RCPT -U wordlist.txt -t mail.example.com

# All methods
smtp-user-enum -M ALL -U wordlist.txt -t mail.example.com

SMTP Enumeration Methods

VRFY (Verify Command)

# Basic VRFY enumeration
smtp-user-enum -M VRFY -U users.txt -t mail.example.com

# With custom port
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -p 25

# Verbose output
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -v

# Save results
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -o vrfy_results.txt

EXPN (Expand Command)

# EXPN enumeration
smtp-user-enum -M EXPN -U users.txt -t mail.example.com

# With timeout
smtp-user-enum -M EXPN -U users.txt -t mail.example.com -w 5

# Group enumeration
smtp-user-enum -M EXPN -U groups.txt -t mail.example.com

# Verbose with output
smtp-user-enum -M EXPN -U users.txt -t mail.example.com -v -o expn_results.txt

RCPT TO (Recipient Validation)

# RCPT TO enumeration (default)
smtp-user-enum -U users.txt -t mail.example.com

# Manual RCPT method
smtp-user-enum -M RCPT -U users.txt -t mail.example.com

# Fast RCPT enumeration (shorter reply wait)
smtp-user-enum -M RCPT -U users.txt -t mail.example.com -w 2

# Different domain
smtp-user-enum -M RCPT -U users.txt -t mail.example.com -D example.org

Wordlist Management

Creating Wordlists

# Common user list
cat > users.txt << EOF
admin
root
postmaster
info
support
sales
test
user
EOF

# From file
cat /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt > users.txt

# Generate from CSV
awk -F',' '{print $1}' employees.csv > users.txt

Comprehensive Enumeration

# User enumeration from multiple sources
cat users_admin.txt users_it.txt users_generic.txt > combined_users.txt

# Remove duplicates
sort -u combined_users.txt > unique_users.txt

# Large wordlist (be cautious)
smtp-user-enum -M VRFY -U /usr/share/wordlists/common-users.txt -t mail.example.com

Advanced Options

Timeout and Throttling

# Custom timeout (seconds)
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -w 10

# Connection timeout
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -s 5

# Delay between requests (throttle)
# Note: Not all versions support this directly

Domain Specification

# Default domain
smtp-user-enum -M RCPT -U users.txt -t mail.example.com -D example.com

# Different SMTP domain
smtp-user-enum -M RCPT -U users.txt -t mail.example.com -D mail.example.org

# Test multiple domains
for domain in example.com example.org example.net; do
    smtp-user-enum -M RCPT -U users.txt -t mail.example.com -D $domain
done

Output Options

# Save results to file
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -o results.txt

# Verbose output
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -v

# Very verbose (debug)
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -vv

# Quiet mode
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -q

Manual SMTP Enumeration

Netcat Method

# Connect to SMTP server
nc -v mail.example.com 25

# Commands (interact manually)
VRFY admin
EXPN support
RCPT TO:<user@example.com>
QUIT

Using Telnet

# Connect
telnet mail.example.com 25

# Test commands
VRFY postmaster
EXPN admin
RCPT TO:<test@example.com>

Python Script Method

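#!/usr/bin/env python3
import socket

def check_user(server, port, user, method='VRFY', timeout=10):
    """Send one VRFY/EXPN command and return the server's raw reply."""
    # create_connection applies the timeout; the with-block always closes the socket
    with socket.create_connection((server, port), timeout=timeout) as s:
        banner = s.recv(1024)
        print(f"[*] {banner.decode(errors='replace').strip()}")

        # Send command
        cmd = f"{method} {user}\r\n"
        s.sendall(cmd.encode())
        response = s.recv(1024)

    return response.decode(errors='replace').strip()

if __name__ == "__main__":
    # Test
    server = "mail.example.com"
    port = 25
    users = ["admin", "postmaster", "root"]

    for user in users:
        print(f"[*] Testing {user}...")
        try:
            result = check_user(server, port, user)
        except OSError as exc:
            print(f"[-] {user}: connection failed ({exc})")
            continue
        print(f"[+] {result}")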

Complete Enumeration Workflow

#!/bin/bash
# Comprehensive SMTP enumeration script

TARGET="mail.example.com"
WORDLIST="/usr/share/wordlists/common-users.txt"
OUTPUT_DIR="smtp_enum_$(date +%Y%m%d_%H%M%S)"

mkdir -p $OUTPUT_DIR

echo "[*] Starting SMTP enumeration against $TARGET"

# Test connectivity
echo "[*] Testing SMTP connectivity..."
timeout 5 bash -c "echo > /dev/tcp/$TARGET/25" && echo "[+] SMTP port open" || echo "[-] SMTP port closed"

# VRFY enumeration
echo "[*] Running VRFY enumeration..."
smtp-user-enum -M VRFY -U $WORDLIST -t $TARGET -o $OUTPUT_DIR/vrfy_results.txt -v

# EXPN enumeration
echo "[*] Running EXPN enumeration..."
smtp-user-enum -M EXPN -U $WORDLIST -t $TARGET -o $OUTPUT_DIR/expn_results.txt -v

# RCPT enumeration
echo "[*] Running RCPT enumeration..."
smtp-user-enum -M RCPT -U $WORDLIST -t $TARGET -D example.com -o $OUTPUT_DIR/rcpt_results.txt -v

# Combine results
echo "[*] Combining results..."
# Read only the *_results.txt files so valid_users.txt is never its own input
cat $OUTPUT_DIR/*_results.txt | grep -i "^250\|^252" | cut -d: -f1 | sort -u > $OUTPUT_DIR/valid_users.txt

echo "[+] Enumeration complete!"
echo "[*] Valid users found: $(wc -l < $OUTPUT_DIR/valid_users.txt)"
cat $OUTPUT_DIR/valid_users.txt

Integration with Other Tools

Combine with Metasploit

# Enumerate users
smtp-user-enum -M VRFY -U users.txt -t mail.example.com -o found_users.txt

# Use in Metasploit
# scanner/smtp/smtp_enum
# set RHOSTS mail.example.com
# set USER_FILE found_users.txt

Password Spraying

# After finding valid users
cat valid_users.txt | while read user; do
    # Attempt auth with common password
    sendmail_auth.py $user password mail.example.com
done

Detecting Detection

Identifying Filters

# Test server response patterns
echo "Testing spam filter..."
smtp-user-enum -M VRFY -U test_invalid.txt -t mail.example.com

# If all return success, likely filtering VRFY
# Test with small list first
smtp-user-enum -M VRFY -U top_users.txt -t mail.example.com

Response Analysis

# Check response codes
# 250 = User exists (Positive)
# 550/551/552 = User doesn't exist (Negative)
# 421 = Service unavailable (Timeout/Blocked)

smtp-user-enum -M VRFY -U users.txt -t mail.example.com -v | grep "^5[0-9][0-9]"

Security Considerations

Defense Against Enumeration

  • Disable VRFY and EXPN commands
  • Uniform responses for valid/invalid users
  • Rate limiting on RCPT attempts
  • SMTP AUTH required
  • Monitor enumeration attempts
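
As an added example (not part of the original cheat sheet or the smtp-user-enum project), the "Monitor enumeration attempts" item can be implemented as a log check that flags any client rejected for many distinct recipients within a short window. The log lines are constructed in the style of Postfix smtpd reject entries; the threshold, window, host name and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a rejected RCPT entry: timestamp, client IP, 55x code, recipient.
REJECT = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S*\[(?P<ip>[^\]]+)\]: (?P<code>55\d) \S+ <(?P<rcpt>[^>]*)>"
)

def find_enumerators(lines, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak count of distinct rejected recipients inside one
    sliding window, for clients that reach `threshold`."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) pairs in window
    flagged = {}
    for line in lines:
        m = REJECT.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({rcpt for _, rcpt in q})
        if distinct >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

def sample_line(ts, ip, rcpt):
    """Build one constructed log line (hypothetical host name and PID)."""
    return (f"{ts} mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<probe@example.net> to=<{rcpt}> proto=SMTP")

# Constructed input: one client walking a wordlist, one sender with two typos.
SAMPLE = [
    sample_line(f"2026-03-30T10:00:{i:02d}+00:00", "203.0.113.7", f"{u}@example.com")
    for i, u in enumerate(["admin", "root", "postmaster", "info", "support", "sales"])
] + [
    sample_line("2026-03-30T10:05:00+00:00", "198.51.100.20", "jon@example.com"),
    sample_line("2026-03-30T10:15:00+00:00", "198.51.100.20", "jhon@example.com"),
]

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE).items():
        print(f"possible enumeration from {ip}: {count} unknown recipients in 60s")
```

A client that paces its probes more slowly than the window stays under the threshold, so run a second pass with a longer window (for example 15 minutes) alongside the short one.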

Responsible Testing

  • Only test authorized targets
  • Use approved wordlists
  • Don’t spam or overload servers
  • Document findings properly
  • Report responsibly

Common Response Codes

Code  Meaning
250   Command OK
252   Cannot verify (user may exist)
421   Service unavailable
500   Command unrecognized
550   User not found
551   User not local
552   Storage exceeded
553   Mailbox name invalid

Related Tools

  • Metasploit - smtp_enum module
  • Nessus - SMTP enumeration scan
  • Nmap - smtp-enum NSE script
  • Hydra - SMTP password brute-force

Last updated: 2026-03-30 | SMTP-User-Enum v1.2