Nmap Development mailing list archives

Re: Last call for smtp-open-relay.nse - help needed


From: Fyodor <fyodor () insecure org>
Date: Thu, 4 Mar 2010 22:00:12 -0800

On Sat, Feb 27, 2010 at 06:37:46PM +0000, Duarte Silva wrote:

> I also developed a new script that will try to enumerate the users in
> a SMTP server using the VRFY or the EXPN command (using the
> usernames.lst). If this is found to be useful since it seems that there
> aren't many servers that allow those commands.

Another common technique is to use RCPT for this.  I usually just try
some gibberish first to catch machines which accept anything at
all. For example:

$ ncat -v mail.insecure.org 25
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Connected to 64.13.134.2:25.
220 mail.titan.net ESMTP Postfix
HELO hax0r
250 mail.titan.net
MAIL FROM:<president () whitehouse gov>
250 2.1.0 Ok
RCPT TO:<sdfasdfblah>
550 5.1.1 <sdfasdfblah>: Recipient address rejected: User unknown in local recipient table
RCPT TO:<fyodor>
250 2.1.5 Ok
QUIT
221 2.0.0 Bye
Ncat: 92 bytes sent, 189 bytes received in 64.17 seconds.


Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
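
The control-first check described in the message above, as an added example that is not part of the original post or of Nmap: it reads a captured SMTP transcript offline and reports whether the RCPT replies distinguish real recipients from a gibberish control. The function names, the `control` parameter, the result labels and the placeholder sender address are assumptions made for this example.

```python
import re

# Constructed sample: the exchange quoted in the message, without the Ncat
# status lines and with a placeholder sender address.
TRANSCRIPT = """\
220 mail.titan.net ESMTP Postfix
HELO hax0r
250 mail.titan.net
MAIL FROM:<sender@example.org>
250 2.1.0 Ok
RCPT TO:<sdfasdfblah>
550 5.1.1 <sdfasdfblah>: Recipient address rejected: User unknown in local recipient table
RCPT TO:<fyodor>
250 2.1.5 Ok
QUIT
221 2.0.0 Bye
"""

RCPT = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})([ -]|$)")  # "250-..." continues, "250 ..." ends a reply

def rcpt_replies(transcript):
    """Pair each RCPT TO command with the code of the final line of its reply."""
    pairs, pending = [], None
    for line in transcript.splitlines():
        cmd = RCPT.match(line)
        if cmd:
            pending = cmd.group(1)
            continue
        reply = REPLY.match(line)
        if reply and pending is not None and reply.group(2) != "-":
            pairs.append((pending, int(reply.group(1))))
            pending = None
    return pairs

def classify(transcript, control):
    """control is the gibberish recipient that was sent as the baseline."""
    replies = dict(rcpt_replies(transcript))
    if control not in replies:
        return "no-control"            # nothing to compare against
    baseline = replies.pop(control)
    if 200 <= baseline < 300:
        return "accepts-anything"      # RCPT replies say nothing about real users
    if any(200 <= code < 300 for code in replies.values()):
        return "discloses-recipients"  # control rejected, another name accepted
    return "inconclusive"              # e.g. everything rejected or deferred (4xx)

if __name__ == "__main__":
    print(rcpt_replies(TRANSCRIPT))
    print(classify(TRANSCRIPT, "sdfasdfblah"))
```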

