SMTP question

tip: the user is in this wordlist SecLists/snmp.txt at master · danielmiessler/SecLists · GitHub

1 Like

The list of users in the lesson module can be downloaded here


For anyone else still struggling with this specific question, like others have mentioned: start by doing a dig Zone Transfer command on the main domain using the target machine’s IP as the DNS server. Then record all the subdomains you get back. Then use dig to try and Zone Transfer on those subdomains (app.inlanefreight.htb, internal.inlanefreight.htb, dev.inlanefreight.htb, etc.) and record any that you cannot get records for.

Finally, use either the bash script or the DNSEnum tool to brute force the subdomains you couldn’t get records for using a very “fierce” wordlist. Good luck and hope you learn something new like I did!

Huge help, thanks


Dont Worry Direct Ans Is Here :slight_smile:
(Academy - Footprinting - DNS - #67 by Neverakswhy)

any hints for IMAP/POP3? the last question? I tried literally everything, nothing worked out

Can anyone say to me where HTB have provided the so called wordlists. I have checked all section of this module and no one mentions any list. Please tell me if I am missing something.

1 Like

Could you tell me how did you do it? i.e. what command did you use? and which wordlist did you use?

There is a wordlist provided by HTB in this section.

+1 - tried the nse script and python enum script with good lists. Found it with Metasploit

Did you manage to find the wordlist?

Hi can you tell me where is the wordlist.

It is under the resources on the right hand side of the page. Unfortunately, it is not working with the smtp-user-enum.

It is under resources at the right hand of the page.

thanks to everybody for the golden tips/hints and the solutions.
Yes HTB’s “plan” is to let us thinking outside the Box… but for beginners its maybe sometimes to difficult… not enough examples in the modules… i mean: Where is the info that we can use the single “smtp-user-enum” tool we’ve never heard before? I was thinking they are meaning the Nmap script like in the examples… to be fair, its a medium module. There are a lot of this difficult questions…i dont know…at the end im happy with the community hints. But i think there could be a better way with a “little” more pointing in the right way.


I found that Nmap isn’t great here. It’s fine for the first question but the second requires a different tool set. Both msploit and smtp-user-enum will work with the proper wordlist. Try a fuzzy one. However, with smtp-user-enum, I found I had to experiment with timings. Pro-tip: longer timeouts will be VERY beneficial here.

But if you just can’t be bothered: the wordlist that will get your answer is /usr/shared/wordlists/wfuzz/general/medium.txt.

You can also use the wordlist that is provided in the resources, but I find that trying to use wordlists available on your own VM attack box or a list you may have compiled over time gives a more “real-world” feel in terms of execution and the patience required to get a hit.

And remember, while rockyou is great…it’s not always the most pragmatic choice. Know your wordlists and which ones are ideal for a given scenario. This bit comes with time.

Before revealing - dig a bit deeper and embrace the patience!


The file “footprinting-wordlist.txt” is in the resource

I’m stuck. Tried everything i could find in this topic but no success. Anyone any tips how to come to the admin email and last flag in SMTP?

how would i write the command to include the wordlist.txt?