Hack Like a Pro: How to Extract Email Addresses from an SMTP Server

How to Extract Email Addresses from an SMTP Server

Welcome back, my budding hackers!

If we are considering a social engineering attack against a target, we are probably going to need email addresses. By having the email addresses of people within an organization, we can tailor our social engineering attack to particular people and circumstances within that organization (e.g., a sales report to the sales department) and maybe spoof the email address of a colleague within the organization. In this way, they are more likely to click on a link or open a document that we send them.

There are multiple ways of collecting email addresses including Maltego, an email harvester, and others, but what if we could go directly into the organization's SMTP server and ask it if an email address exits? Wouldn't that be best and most reliable method?

Background on SMTP

As you know, SMTP stands for Simple Mail Transport Protocol and operates on port 25. Unlike POP3 and IMAP that operate over ports 110 and 143, respectively, SMTP is a server-to-server protocol. Clients use POP3 or IMAP to retrieve or send messages to the SMTP server, while the SMTP server then communicates to other SMTP servers.

The SMTP server, obviously, maintains a database of every email address in the organization that it must send and receive email for. It is this database that we want to access and query.

To find SMTP servers you can use Nmap or another scanning tool and look for servers with port 25 open. If port 25 is open, it is likely an SMTP server. In addition, you can use DNS querying to find the IP address of its SMTP server.

SMTP Commands

The SMTP protocol, like so many other protocols, has its own subset of commands. Here are a few of the most important SMTP commands.

  • HELO - This is the command that the client sends to the server to initiate a conversation. Generally, the IP address or domain name must accompany this command, such as HELO 192.168.101 or HELO client.microsoft.com.
  • EHLO - This command is the same as HELO, but communicates to the server that the client wants to use Extended SMTP. If the server does not offer ESMTP, it will still recognize this command and reply appropriately.
  • STARTTLS - Normally, SMTP servers communicate in plaintext. To improve security, the connection between SMTP servers can be encrypted by TLS (Transport Layer Security). This command starts the TLS session.
  • RCPT - Specifies the email address of the recipient.
  • DATA - Starts the transfer of the message contents.
  • RSET - Used to abort the current email transaction.
  • MAIL - Specifies the email address of the sender.
  • QUIT - Closes the connection.
  • HELP - Asks for the help screen.
  • AUTH - Used to authenticate the client to the server.
  • VRFY - Asks the server to verify is the email user's mailbox exists.

Step 1: Fire Up Kali & Open a Terminal

Now that we covered the basics of SMTP, let's see if we can use this knowledge to hack the SMTP server to extract email addresses. Let's fire up Kali and open a terminal.

Step 2: Telnet into the SMTP Server

Our next step is to see whether we can manually connect to the SMTP server using telnet.

kali > telnet 192.168.1.101 25

As you can see, we have successfully connected to the Metasploitable server via telnet.

Step 3: Manually Try Email Addresses

Now that we are connected via telnet to the SMTP server, we can use the SMTP commands listed above to query the server. Most importantly, we want to use the VRFY (verify) command. Using this command, followed by the email user name, will prompt the server to verify whether the user account exits, such as:

> VRFY sys

As you can see in the screenshot above, I tried users:

  • sys
  • admin
  • administrator
  • nullbyte
  • root

The server verified that "sys" and "root" have email accounts on the server. Great!

Step 4: Use Smtp-User-Enum

As you could see in Step #3, we can manually query the SMTP server to see whether a particular email address exists. Wouldn't it be easier if we had a script that did this automatically? Fortunately, we do! It's called smtp-user-enum and it's built into Kali.

We can find it at Applications -> Kali Linux -> Information Gathering - SMTP Analysis -> smtp-user-enum.

When we click on it, a help screen like that below opens. Note that the basic syntax for using this tool to find email users is:

kali > smtp-user-enum -M VRFY -U <userlist> -t <target IP>

Now let's construct a command to use against the Metasploitable SMTP server. We can use any of the wordlists in Kali, create our own, or download any of thousands available on the Internet. I've decided to try one built into Kali at:

/usr/share/fern-wifi-cracker/extras/wordlist

Using it, my command becomes:

kali > smtp-user-enum -M VRFY -U /usr/sharefern-wifi-cracker/extras/wordlist -t 192.168.1.101

As you can see in the screenshot below, we started it running and it first displays the scan information.

Then, the users found.

Now that we know what users are on that organization's email server, we can send social engineering emails to them or spoof their email addresses and send social engineering emails to their colleagues.

Keep coming back, my budding hackers, as we continue to explore the art and technique of hacking!

Just updated your iPhone? You'll find new features for TV, Messages, News, and Shortcuts, as well as important bug fixes and security patches. Find out what's new and changed on your iPhone with the iOS 17.6 update.

12 Comments

Wonderful !!!!, Umm a question ??
Does this make noise on the server ...
Thanks for the article ...

# Sergeant

Awesome post. Good luck finding an open SMTP server out there in the wild, though. It used to be as easy as typing in any domain and spoofing some email. Now it seems most of the open 25 ports I find have either a login or are IP filtered going back to the MX records. I'll keep scanning though!

Hi, I love that you said what you said in your post. It is a genuine challenge and also considering how long ago this post was made with all the replies. It would be really helpful to get some recent and more relevant solutions giving how much firewall technologies have been advanced and upgraded.

is it common for the smtp server to block a telnet connection?

Some SMTP servers terminate the connection if VFRY is sent to them, adding the IP address of the sender to a block list. Others simply refuse to reply to the VRFY request.

Overuse of VRFY will alert the admin to your attacks on their server and they will block your IP address and/or contact the abuse department of your provider as appropriate.

how can we send SE mails to their Inbox not to Spam folder?

how can i know my:

domain name of the office e-mail server and name of the exchange server.

My IT won't share that with me.

hy whoever post this article,i got an error while tryng telnet
its says : telnet: Unable to connect to remote host: Connection refused
any suggestion ??

Change ISP, most modern ISPs block outgoing port 25. It sucks.

nice tut

Is it possible to hack a youtube account if we know only the profile name of the user and unfortunately have no clue about his email account or any personal info..

Share Your Thoughts

  • Hot
  • Latest