Academy - Footprinting -SMTP

You need to give the tool more time to search :wink:

I could only solve this with metasploit. However, this has not yet been introduced in the course. I couldn’t solve it with the nmap script or the smtp-user-enum ? Did anyone succeed with the later?

Hint 1: smtp-user-enum
Hint 2: smtp-user-enum -h
Hint 3: -w option might be useful

Go to the top of the module page where you find a wordlist. Download, use the word-list and follow the hints above, trial and error will pay off :stuck_out_tongue_winking_eye:


While using smtp-user-enum: …no results is not what you want :wink:

The timing thing is bs. The msf way works out of the box. If you use GitHub - cytopia/smtp-user-enum: SMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality., this will also work out of the box. Installing from pkg manager on kali docker, and arch was broken. The timing flag did absolutely nothing. I hope this helps someone out.

I recommend using msfconsole

use auxiliary/scanner/smtp/smtp_enum

El primer resultado lo obtuve con nmap utilizando el escaneo de versiones y de scripts por defecto al puerto en el que correo el servicio smtp… (en el encabezado esta la respuesta, pista son 3 palabras)

La segunda la obtuve utilizando snmtp-user-enum… se debe utilizar la lista de palabras dispuesta en los recursos de hack the box en este modulo, se debe especificar el método de ataque… (pista, el tiempo es muy importante en este caso, marca la diferencia en el resultado)

so basically what i did was execute this:
(sleep 10;
for i in $(cat /home/htb-ac-776279/footprinting-wordlist.txt); do echo “vrfy $i”;
sleep 100;) | telnet 25

It gave me error every 20 tries but the file only had 101 names so i only needed to execute this 5 times(names on the fkn last 20 names). What is this whole thing about smtp enum? And is there another way aside from what i did using what is mentioned on the module cus seeing my method gives error every 20 tries it would be super inefficient if the list was longer Thanks


There is a resource section? Is this no longer in Academy?

It’s at the top right of the page under the cheatsheet link


Hi all, i solved this now with Metasploit but i feel kind cheating and i dont like using Metasploit.
is there another way to solve this module besides Metasploit?? I just wanna know every possible way to explore SMTP Enumeration. I am trying with smtp-user-enum but, i got everytime timedout. look at my screenshot:

Hint to solve this with Metasploit: First download the Resources (footprinting-wordlist.txt) to your Hacking machine, then search for smtp enum in Metasploit. After u found auxiliary then modify it. u have to make two changes: RHOSTS and the file u Downloaded. Hit run, thats all.

This does not seem to work even with a 90 sec timeout.

Doing a ping on the target every 2 mins reveals that the IP is up, then down, then up, constantly wavering between connected and not. I like HTB Academy’s courses a lot, but the academy machines are very hit or miss.It seems you must run the same commands multipule times to receive a proper response. Sometimes it works, most times it doesn’t. Its a shame. I’ve run the commands exactly as stated here in this thread and still nothing. I can only assume that its the target machine at this point, as per the aforementioned ping requests.

EDIT: So, after downloading a new vpn file on port 443 and connecting, I was able to reach the target. The other problem I was having was that for some reason, I had acquired multiple tun0 IP’s of my own. This was leading to unstable connections with the target. Not sure how that happened. Something to keep in mind. The commands listed in this thread do work, if you are connected and and have only one tun0 IP lol

@noobsaibot You wrote -u, if you pass a wordlist you should use -U

Any1 can help me with the first question : Enumerate the SMTP service and submit the banner, including its version as the answer.

I dont get what i should do… i tried to connect with telnet and checked stuff, but i dont get how to get the banner…

1 Like

did you get it?

yea xD

For the “non-cheating” way, you can use nc with the wordlist provided. It’s a bit slow so you should run it in the background with something like:

for user in $(<wordlist_provided)
nc ip_address port <<< “command used to verify! mailbox” &

And then, you probably want to filter by the status code of each request.

1 Like

My question is why doesnt smtp-user-enum generate any data telling us that servers are either timing out between reqest or havent provided data back yet. I wasted way to much time on these footprinting pages because lack of detail when running certain commands and experience with them.

i got the banner and the username using msfconsole in kali. search for smtp and you will find enum for that.

Here i take other approach i use python for that and it goes well , btw can anyone explain that why I cant get any status code when using smtp-enum-user , I only get this 102 queries in 106 seconds (1.0 queries / sec)

i can share my way to find the answer, It may not be smart enough to find results, but it can find them, and you can add code to make it a bit more automatic.

Contains answer disclosures, please read with caution! must use the wordlist from the resources of the module. the default wordlist on the system will not match.
1.nmap’s script named smtp-enum-users is good ,but i can’t find the result with it

  1. i’ve tried to use nc && File redirector < ,but each time the server only handle 20 entries, so i split the wordlist, luckily its only about 100 lines there
  2. then use the nc or telnet ,you can find it.