SMTP question

Spoiler Alert !!!
Use the Metasploit smtp_enum payload and use the provided footprinting list. :wink:

1 Like

thanks for the -w hint

I got it with metasploit but kinda feel like I cheated.

I had tried this command (from my VM with VPN) but no luck:

smtp-user-enum -M VRFY -U /home/kali/Downloads/footprinting-wordlist.txt -t TARGET-IP -D 5 -w 5

Hi all!

Couple tips given that we are not supposed to “trust” automated tools like metasploit:

  • Use the list provided

  • Use smtp-user-enum, available on kali tools.

  • Define the mode, the list to be used, the target, the port, use verbose mode.

  • Play around with the number of processes and the wait time (clue: it is more than 10 secs per request)

  • Last tip > Pay attention to the verbose, to know if you are actually getting information on your requests.

Hope this helps!

1 Like

Hi all, thought I would add some tips that I found while working this Q :slight_smile:

  1. Hint is extremely helpful in this Q.
  2. The wordlist resource is found in the Resources section of the Footprinting module. (Apparently found in another SecLists resource too)
  3. The key to getting the smtp-user-enum tool to work is to trial different wait times with the -w flag. (Just like the hint tells us!!)
    3.1 The way to do this is to run it with the default (5) and increase it every time you see a “No result” response for a user. (-v will help you too).

Your command should look something like:

smtp-user-enum -w <seconds> -M VRFY -U footprinting.txt -t <target IP> -v

Hope this helps! Also, if someone has any way to identify what the wait time should be automatically, please feel free to reply! Love learning new tips :smiley:

1 Like
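How the wait time changes what the tool can report, as an added example that is not part of the thread or of smtp-user-enum: it replays constructed VRFY exchanges offline and classifies each one as a client with a given timeout would see it. The usernames, reply lines, latencies and the `suggest_wait` helper are assumptions made for illustration; the latencies stand for timings recorded from a run with a generous timeout.

```python
import math

# VRFY reply codes as listed in RFC 5321, section 4.3.2
CONFIRMED = {250, 251}      # mailbox recognised (251: will be forwarded)
UNVERIFIED = {252}          # server declines to verify; compare with its other replies
REJECTED = {550, 551, 553}  # mailbox unknown or not local
DISABLED = {500, 502, 504}  # VRFY not implemented or switched off

def classify(reply_line, latency, wait):
    """Classify one VRFY exchange as seen by a client that waits `wait` seconds."""
    if reply_line is None or latency > wait:
        return "no_result"  # timed out: unknown, not proof the user is absent
    code = int(reply_line[:3])
    if code in CONFIRMED:
        return "exists"
    if code in UNVERIFIED:
        return "unverified"
    if code in REJECTED:
        return "rejected"
    if code in DISABLED:
        return "vrfy_disabled"
    return "other"

def summarize(exchanges, wait):
    """Map each username to its classification for the given timeout."""
    return {user: classify(reply, latency, wait)
            for user, latency, reply in exchanges}

def suggest_wait(exchanges, margin=1.5):
    """Hypothetical helper: whole-second timeout covering the slowest reply plus headroom."""
    slowest = max(lat for _, lat, reply in exchanges if reply is not None)
    return math.ceil(slowest * margin)

# Constructed sample: (username, seconds until the reply arrived, reply line)
SAMPLE = [
    ("user-a", 12.4, "550 unknown user"),
    ("user-b", 12.1, "252 cannot verify user"),
    ("user-c", 12.9, "250 user-c@example.test"),
    ("user-d", None, None),  # connection never answered
]

if __name__ == "__main__":
    for wait in (5, 15):
        print(wait, summarize(SAMPLE, wait))
    print("suggested wait:", suggest_wait(SAMPLE))
```

With the default of 5 seconds every entry comes back as "no_result", which is why the verbose output looks empty until the timeout exceeds the server's reply delay. For the server owner, the same table shows what disabling VRFY achieves (Postfix: `disable_vrfy_command = yes`): every name gets the same refusal, so there is nothing to tell apart.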

Hi,
I've got a question regarding the provided footprinting list. How can I use that? When downloading it, it is on my local PC, but of course not in the HTB workstation. Is there some trick to download it there?
Regards

I managed to obtain the user with Metasploit and smtp-user-enum, but I couldn't do it with the Nmap tool, specifically with the smtp-enum-users script, even though I tried several arguments for the script. If someone succeeded in doing it, would they be so kind as to help me?

I imagine you are referring to loading it in Metasploit. First, you should check the options provided by the exploit using the command: show options. Since you want to load a specific list, you would need to use: set USER_FILE /path/file.txt, where /path/file.txt is the path to your list. Good luck!

[Solved - I set waiting time to 150 (-w 150)]
Hi everyone! I tried footprinting-wordlist.txt from resource, snmp.txt from SecLists with smtp-user-enum and even used Metasploit but I still don't have a result. Could somebody help me?
My command: smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t <target IP> -D 5 -w 120
My Metasploit configuration:
image

1 Like

Your Metasploit list doesn't contain the user; preferably, set the list that HTB provides you. :slight_smile:

1 Like

You will get the wordlist from the HTB resources at the top, and the only thing you need to take care of is the -w cmd.

Just increase the query timeout, like -w 15 in smtp-user-enum, and you will get the answer.

I'm hacking the box on HTB's Instance just like you and here's how I solved this:

Open the provided footprinting list → select all → cut/copy.
Use your Instance and create a new *.txt file. Paste the names there and save it.

Hot(ish) tip: you can use either terminal or the small notepad thingy (Pluma) in the upper part of your screen. Both will get you the same result: a file to refer to when using the right tool.

Hope this helps!

For this question you could try to resolve it using Metasploit, as seen below.
I hid the user in the field: Users found
Remember that this file, foot.txt, is the file that HTB gives us in the resource section!!

Guys, first download the footprinting wordlist from the resources tab on the top right next to the SMTP title. Next, this question can be solved using a very famous framework where you provide the list for enumeration, or you can use another tool like smtp-user-enum, BUT you have got to read about the different types of methods, which is -M, and use the appropriate one, and DO NOT forget the hint provided by HTB concerning the reply time of certain SMTP servers. Good luck!

My problem was that I was adding a domain to these usernames with option -D inlanefreight.htb …

SOLUTION:

smtp-user-enum -M VRFY -U wordlist.txt -t 10.x.x.x -w 15 -v

All right I finally made it, the command is:

smtp-user-enum -M VRFY -U <path-to-your-list/list.txt> -t <ipv4 target address> -p 25 -w 15 -v

Important things to notice:

Just to make your life easier here is a syntax explanation:

  • smtp-user-enum is the name of the tool/package
  • -M followed by EXPN, VRFY or RCPT is used to specify the method. If the method is not specified, it uses VRFY by default, so you can omit -M VRFY from your command
  • -U followed by the file containing the usernames
  • -t followed by the host address running the SMTP service (aka our target IPv4 address)
  • -p followed by the port number, which is actually set by default to 25
  • -w followed by a maximum of n seconds for reply (default: 5) :warning: you won't find the explanation of the flag -w in the pentestmonkey documentation, but you can find it in the Kali documentation which I have linked before
  • -v is the usual verbosity thing, useful to see what's going on while the script is running

By any chance, did someone manage to make it work with nmap smtp-enum-users.nse as well?
I can't figure out how to use the list with the nmap NSE script; please explain to me how if you managed to.

1 Like

Simply used MSF because smtp-user-enum didn't work for me.

Going to do the same and use metasploit I guess as this isn't working for me either. Very frustrating. I've tried everywhere from 30 second to 100 second timeouts. Exact command I used is listed below, the list I'm using is the one downloaded from resources section:

smtp-user-enum -M VRFY -u /usr/share/seclists/Usernames/smtp-footprinting.txt -t 10.129.5.88 -w 100

When I click on it, it doesn't open anything, why?