One tool gives me over 30 users and the other one 5-10 users depending on the method I use and only one of those isn’t in the list from the first tool, oddly enough it’s capitalized so I thought for sure it was the right one but it isn’t. I even manually validated more than half of the results directly on the server and nothing works.
I used the standard Unix users wordlist.
Clearly there’s something I’m not getting since according to the question I should only find one user on the server…
Learn how to use smtp-user-enum, here.
After understanding how it works, pay attention to this hint “Remember that some SMTP servers have higher response times.”
Use it and check for a single user “root”.
Pay attention to the “-w” option
tip: the user is in this wordlist SecLists/snmp.txt at master · danielmiessler/SecLists · GitHub
For anyone else still struggling with this specific question, like others have mentioned: start by doing a dig Zone Transfer command on the main domain using the target machine’s IP as the DNS server. Then record all the subdomains you get back. Then use dig to try and Zone Transfer on those subdomains (app.inlanefreight.htb, internal.inlanefreight.htb, dev.inlanefreight.htb, etc.) and record any that you cannot get records for.
Finally, use either the bash script or the DNSEnum tool to brute force the subdomains you couldn’t get records for using a very “fierce” wordlist. Good luck and hope you learn something new like I did!
Huge help, thanks
Guys I Am Going To Help You Out :slight_smile 
Note :- Download The Worslist Which is provided by htb at starting of smtp room and unzip in your downloads folder
Just Run This
–>smtp-user-enum -w 25 -M VRFY -U ~/Downloads/footprinting-wordlist.txt -t 10.129.41.115
–>Note:- Wait Atleast 5-10 min
Finally you Get
10.129.41.115: r**** exists
any hints for IMAP/POP3? the last question? I tried literally everything, nothing worked out
i think its robin but not sure
How did you know that exactly this timeout would be sufficient? Trial and error method? About the beginning I knew what command it was about, but for several minutes I could not find the right timeout
Run smtp-user-enum with verbosity and you’ll see either “no result” or “no such user” after each name. The more names you see with no result means the tool was unable to confirm if they were actually a user or not. Increasing the wait time should increase the amount of user’s confirmed as “no such user”.
Can anyone say to me where HTB have provided the so called wordlists. I have checked all section of this module and no one mentions any list. Please tell me if I am missing something.
Ok, but what command gives you that?
Ok, where in this section is the freaking Wordlist you mention? I just simply don’t find it! Please just tell where it is!
Could you tell me how did you do it? i.e. what command did you use? and which wordlist did you use?
There is a wordlist provided by HTB in this section.
+1 - tried the nse script and python enum script with good lists. Found it with Metasploit
