Spoiler Alert !!!
use metasploit smtp_enum payload and use the provided footprinting list.
thanks for the -w hint
I got it with metasploit but kinda feel like I cheated.
I had tried this command (from my VM with VPN) but no luck:
smtp-user-enum -M VRFY -U /home/kali/Downloads/footprinting-wordlist.txt -t TARGET-IP -D 5 -w 5
Hi all!
Couple tips given that we are not supposed to "trust" automated tools like metasploit:
- Use the list provided
- Use smtp-user-enum, available on kali tools.
- Define the mode, the list to be used, the target, the port, use verbose mode.
- Play around with the number of processes and the wait time (clue: is more than 10 secs per request)
- Last tip > Pay attention to the verbose, to know if you are actually getting information on your requests.
Hope this helps!
Hi all, thought I would add some tips that I found while working this Q
- Hint is extremely helpful in this Q.
- The wordlist resource is found in the Resources section of the Footprinting module. (Apparently found in another SecLists resource too)
- The key to getting the smtp-user-enum tool to work is to trial different wait times with the -w flag. (Just like the hint tells us!!)
3.1 The way to do this is to run it with the default (5) and increase it every time you see a "No result" response for a user. (-v will help you too).
Your command should look something like:
smtp-user-enum -w -M VRFY -U footprinting.txt -t -v
Hope this helps! also if someone has any way to identify what the wait time should be automatically please feel free to reply! Love learning new tips
Hi,
I've got a question regarding the provided footprinting list. How can I use that? When downloading it, it is on my local PC, but of course not in the HTB workstation. Is there some trick to download it there?
Regards
I managed to obtain the user with Metasploit and smtp-user-enum, but I couldn't do it with the Nmap tool, specifically with the smtp-enum-users script, even though I tried several arguments for the script. If someone succeeded in doing it, would they be so kind as to help me?
I imagine you are referring to loading it in Metasploit. First, you should check the options provided by the exploit using the command: show options. Since you want to load a specific list, you would need to use: set USER_FILE /path/file.txt, where /path/file.txt is the path to your list. Good luck!
[Solved - I set waiting time to 150 (-w 150)]
Hi everyone! I tried footprinting-wordlist.txt from resource, snmp.txt from Seclists with smtp-user-enum and even used Metasploit but I still don't have a result. Could somebody help me?
My command: smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t <target IP> -D 5 -w 120
My Metasploit configuration:
Your Metasploit list doesn't contain the user; preferably, set the list that HTB provides you.
u will get wordlist from htb resources at top and only thing need to care of is -w cmd
just increase query timeout like -w 15 in smtp-user-enum and you will get the answer.
I'm hacking the box on HTB's Instance just like you and here's how I solved this:
Open the provided footprinting list → select all → cut/copy.
Use your Instance and create a new *.txt file. Paste the names there and save it.
Hot(ish) tip: you can use either terminal or the small notepad thingy (Pluma) in the upper part of your screen. Both will get you the same result: a file to refer to when using the right tool.
Hope this helps!
For this question you could try to resolve it using metasploit, as seen below
I hide the user in field: Users found
Remember that this file, foot.txt, is the file that HTB gives us in the resource section…!!
Guys first download the footprinting wordlist from the resources tab on the top right next to the SMTP title. Next this question can be solved using a very famous framework and you provide the list for enumeration, or you can use another tool like smtp-user-enum BUT you got to read the different type of methods, which is -M, and use the appropriate one, and DO NOT forget the hint provided by HTB concerning the reply time of certain SMTP servers, good luck
my problem was that I was adding a domain to these usernames with option -D inlanefreight.htb …
SOLUTION:
smtp-user-enum -M VRFY -U wordlist.txt -t 10.x.x.x -w 15 -v
All right I finally made it, the command is:
smtp-user-enum -M VRFY -U <path-to-your-list/list.txt> -t <ipv4 target address> -p 25 -w 15 -v
Important things to notice:
- <path-to-your-list/list.txt>: you need to change this with the path to the file containing the list of users
- <ipv4-target-address>: is the address that you have spawned
- the order of the element in the script is important. Here the link to official kali documentation of smtp-user-enum including an example.
- Must check out the official documentation of pentestmonkey here
Just to make your life easier here is a syntax explanation:
- smtp-user-enum is the name of the tool/package
- -M followed by EXPN, VRFY or RCPT is used to specify the method. If the method is not specified it uses by default VRFY, so you can omit -M VRFY from your command
- -U followed by the file containing the usernames
- -t followed by the host address running the smtp service (aka our target IPV4 address)
- -p followed by the port number which is actually set by default to 25
- -w followed by a maximum of n seconds for reply (default: 5). You don't find the explanation of the flag -w in pentestmonkey documentation, but you can find it in kali documentation which I have linked before
- -v is the usual verbosity thing, useful to see what's going on while the script is running
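Added example, not part of any post in this thread: the replies above keep returning to the VRFY method and the -w wait time, and this sketch shows how VRFY reply codes from RFC 5321 are read and why a probe that timed out is not evidence either way. The transcript, the user names and the mail.example host are constructed, and the function names are hypothetical.

```python
import re

# Reply codes a server may give to VRFY (RFC 5321, sections 3.5.3 and 4.2.3).
MEANING = {
    250: "confirmed",    # mailbox exists
    251: "confirmed",    # user not local, server will forward
    252: "undisclosed",  # server declines to verify but would accept mail
    502: "disabled",     # command not implemented
    550: "rejected",     # no such mailbox
    551: "rejected",
    553: "rejected",
}

# 'NNN-text' is a continuation line, 'NNN text' (or bare 'NNN') ends the reply.
REPLY_LINE = re.compile(r"^(\d{3})(-?)")


def final_code(reply_lines):
    """Return the code of the line that ends a (possibly multi-line) reply.

    Returns None when no complete reply arrived before the wait expired.
    """
    for line in reply_lines:
        m = REPLY_LINE.match(line.rstrip("\r\n"))
        if m and m.group(2) == "":
            return int(m.group(1))
    return None


def classify(transcript):
    """Map each probed name to a verdict based on its recorded reply lines."""
    verdicts = {}
    for name, reply_lines in transcript:
        code = final_code(reply_lines)
        if code is None:
            verdicts[name] = "no-reply"  # timed out: says nothing about the user
        else:
            verdicts[name] = MEANING.get(code, "other")
    return verdicts


# Constructed sample: (name sent with VRFY, lines read within the wait time).
SAMPLE = [
    ("alice", ["250 2.1.5 alice <alice@mail.example>"]),
    ("bob", ["550 5.1.1 <bob>: Recipient address rejected"]),
    ("carol", []),  # server answered later than the wait time
    ("dave", ["252 2.0.0 dave"]),
    ("erin", ["250-erin", "250 2.1.5 erin <erin@mail.example>"]),
]

if __name__ == "__main__":
    for user, verdict in classify(SAMPLE).items():
        print(f"{user:6} {verdict}")
```

A server that answers 252 or 502 to every name gives an enumeration run nothing to work with, which is the behaviour to aim for on a production mail server.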
By any chance someone manage to make it work also with nmap smtp-enum-users.nse?
I can't figure out how to use the list with nmap nse, please explain me how if you managed to
Simply used MSF because smtp-user-enum didn't work for me.
Going to do the same and use metasploit I guess as this isn't working for me either. Very frustrating. I've tried everywhere from 30 second to 100 second timeouts. Exact command I used is listed below, the list I'm using is the one downloaded from resources section:
smtp-user-enum -M VRFY -u /usr/share/seclists/Usernames/smtp-footprinting.txt -t 10.129.5.88 -w 100
When I click on it, it doesn't open anything, why?