SMTP question

Hi guys i need help with SMTP
The question is: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I used nmap script smtp-enum-users.nse but every username i tried is not the answer. Can anyone help me?

Have you ever figured this out? I am stuck at this question. I have tried to use all wordlists in the “Names” directory to no avail.

Have exactly the same problem… tried enumerating using many number of wordlists but to no avail.

In skipping this question and going to the next section (pop3) it actually gives the answer there but I’d rather work out how they got it as I’m sure it would have been included in the wordlists that I used initially but didnt work.

I didn’t manage to get it working with smtp-enum-users so instead resorted to an auxiliary module in a popular exploitation framework :wink:

1 Like

I tried both smtp user enum and metasploit with the provided list of user name still no hit. I dont know why. I was also unable to solve the last question in the previous section ie. to find the FQDN with ending of 203

1 Like

It worked for me using metasploit and the provided footprinting-wordlist.

i found the user, nice.

still, why one of the tree ways we know doesnt work? famous framework is nice and telnet okay too, the github script doesnt work, checked source code and is a bash script using telnet aswell. I may have an idea why but dont know enough to be sure of. If someone knows or hmu id love that thanks

you need to use a command that they didn’t show us previously !! Go read about smtp-user-enum command :wink:

Yes the FQDN with .203 ending was a “FIERCE” one :wink:

1 Like

Also reading the hint does state that some smtp servers have longer timeouts therefore even by default smtp-user-enum wont work. You have to play with the timeout of it. They wont teach you about every tool nor should they. Alot of this field is about actively learning and finding ways to accomplish the task at hand. Thats part of the fun and reward.


Thanks for the timeout hint. I completely missed that. I solved it with what we learned in the next section, but wanted to solve it in this one. Your comment got me to dig deeper and learn more about the smtp-user-enum command!

1 Like

SKipped it :sleepy:

1 Like

yeah I did the same haha took me a while to figure this out xD

It’s pretty simple once you find the smtp-user-enum command, you just have to find how to use it

Remember that some SMTP servers have higher response times :slight_smile:

Where is that wordlist? I’m not sure what this module is talking about.

1 Like

One tool gives me over 30 users and the other one 5-10 users depending on the method I use and only one of those isn’t in the list from the first tool, oddly enough it’s capitalized so I thought for sure it was the right one but it isn’t. I even manually validated more than half of the results directly on the server and nothing works.

I used the standard Unix users wordlist.

Clearly there’s something I’m not getting since according to the question I should only find one user on the server…

Learn how to use smtp-user-enum, here.
After understanding how it works, pay attention to this hint “Remember that some SMTP servers have higher response times.”
Use it and check for a single user “root”.

Pay attention to the “-w” option

1 Like

tip: the user is in this wordlist SecLists/snmp.txt at master · danielmiessler/SecLists · GitHub

1 Like