Way later, but the problem with nmap is that the nse script mark the 252 and 550 response status code as “not permitted”, and those are the response status codes for the VRFY method, on this server.
(cf line 163)
Which results in the method being skipped
(cf line 340)
Now since in our case 550 is a valid status code for “user doesn’t exist” and 252 for “user exists”, the only way to make it work would be to tweak the script
Now the tweaked nse script will find the user sudo nmap $TARGET -p25 --script=smtp-enum-users.nse --script-args userdb=/home/$USER/Desktop/test/footprinting-wordlist.txt,methods={VRFY} -dd -packet
Conclusion: this reminds of a sentence from the footprinting module, SMB chapter “we should never rely only on automated tools where we do not know precisely how they were written.”
Guys, I just got the answer by editing the smtp-user-enum perl script
sudo nano $(which smtp-user-enum)
my $VERSION = "1.2";
my $debug = 0;
my @child_handles = ();
my $verbose = 0;
my $max_procs = 5;
my $smtp_port = 25;
my @usernames = ();
my @hosts = ();
my $recursive_flag = 1;
my $query_timeout = 5; <----------------- EDIT THIS
my $mode = "VRFY";
my $from_address = 'user@example.com';
my $start_time = time();
I put the timeout to 30 seconds and run, then the user just showed
I scanned with the default -w 5 at first and got no results, continued adding longer time periods 10, 15, 20 and finally got results! The best hint was: The server takes time responding, and sometimes some of them take even longer. Hope it helps you both in answering the question and the reason behind it!
hey u can still use the smtp user enum tool, u should tweak the command a little bit, remember the server can take time to respond so make sure to give some time.
Yea, I’m not sure why the module doesn’t talk about this specific tool unless the goal is to make you research…which is a skill. But yes, it is frustrating. THey could at least say “You will need to research a command line tool to solve this last question.”
