smtp-user-enum
Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY or RCPT TO. Recent changes are detailed in the CHANGELOG.
Download smtp-user-enum v1.2 here.
MD5 and SHA1 checksums are the packages can be downloaded. They’re based on the package name (below v.v represents the version, e.g. 1.1):
http://pentestmonkey.net/tools/smtp-user-enum/smtp-user-enum-v.v-beta.tar.gz.md5
http://pentestmonkey.net/tools/smtp-user-enum/smtp-user-enum-v.v-beta.tar.gz.sha1
User documentation is also available in PDF format.
smtp-user-enum User Documentation
Contents
Overview
smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.
Installation
smtp-user-enum is just a stand alone PERL script, so installation is as simple as copying it to your path (e.g. /usr/local/bin). It has only been tested under Linux so far.
It depends on the following PERL modules which you may need to install first:
- Socket
- IO::Handle
- IO::Select
- IO::Socket::INET
- Getopt::Std
If you have PERL installed, you should be able to install the modules from CPAN:
# perl -MCPAN -e shell cpan> install Getopt::Std
Usage
smtp-user-enum simply needs to be passed a list of users and at least one target running an SMTP service.
smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )
Usage: smtp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)
options are:
-m n Maximum number of processes (default: 5)
-M mode Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
-u user Check if user exists on remote system
-f addr From email address to use for "RCPT TO" guessing (default: user@example.com)
-D dom Domain to append to supplied user list to make email addresses (Default: none)
Use this option when you want to guess valid email addresses instead of just usernames
e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc. Instead of
simply the usernames foo and bar.
-U file File of usernames to check via smtp service
-t host Server host running smtp service
-T file File of hostnames running the smtp service
-p port TCP port on which smtp service runs (default: 25)
-d Debugging output
-t n Wait a maximum of n seconds for reply (default: 5)
-v Verbose
-h This help message
Some Examples
For all of the examples below we need a list of potential usernames. The following output demostrates the format for this list:
$ head users.txt root bin daemon adm lp sync shutdown halt mail news
Using the SMTP VRFY Command
The output below shows how the SMTP server responds differently to VRFY requests for valid and invalid users. It is recommended that a manual check like the following is carried out before running smtp-user-enum. Obviously the tool won’t work if the server doesn’t respond differently to requests for valid and invalid users.
$ telnet 10.0.0.1 25 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. 220 myhost ESMTP Sendmail 8.9.3 HELO 501 HELO requires domain address HELO x 250 myhost Hello [10.0.0.99], pleased to meet you VRFY root 250 Super-User <root@myhost> VRFY blah 550 blah... User unknown
To use smtp-user-enum to enumerate valid usernames using the VRFY command, first prepare a list of usernames (users.txt) and run the tool as follows:
$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1 Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan Information | ---------------------------------------------------------- Mode ..................... VRFY Worker Processes ......... 5 Usernames file ........... users.txt Target count ............. 1 Username count ........... 47 Target TCP port .......... 25 Query timeout ............ 5 secs Relay Server ............. Not used ######## Scan started at Sun Jan 21 18:01:50 2007 ######### root@10.0.0.1: Exists bin@10.0.0.1: Exists daemon@10.0.0.1: Exists lp@10.0.0.1: Exists adm@10.0.0.1: Exists uucp@10.0.0.1: Exists postmaster@10.0.0.1: Exists nobody@10.0.0.1: Exists ftp@10.0.0.1: Exists ######## Scan completed at Sun Jan 21 18:01:50 2007 ######### 9 results. 47 queries in 1 seconds (47.0 queries / sec)
It’s worth noting that postmaster is not actually a valid OS-level user account – it’s a mail alias.
Using the SMTP EXPN Command
The output below shows how the SMTP server responds differently to EXPN requests for valid and invalid users.
$ telnet 10.0.0.1 25 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. 220 myhost ESMTP Sendmail 8.9.3 HELO 501 HELO requires domain address HELO x 250 myhost Hello [10.0.0.99], pleased to meet you EXPN root 250 Super-User <root@myhost> EXPN blah 550 blah... User unknown
To use smtp-user-enum to enumerate valid usernames using the VRFY command, first prepare a list of usernames (users.txt) and run the tool as follows (unsurprisingly, we get the same results as above):
$ smtp-user-enum.pl -M EXPN -U users.txt -t 10.0.0.1 Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan Information | ---------------------------------------------------------- Mode ..................... EXPN Worker Processes ......... 5 Usernames file ........... users.txt Target count ............. 1 Username count ........... 47 Target TCP port .......... 25 Query timeout ............ 5 secs Relay Server ............. Not used ######## Scan started at Sun Jan 21 18:01:50 2007 ######### root@10.0.0.1: Exists bin@10.0.0.1: Exists daemon@10.0.0.1: Exists lp@10.0.0.1: Exists adm@10.0.0.1: Exists uucp@10.0.0.1: Exists postmaster@10.0.0.1: Exists nobody@10.0.0.1: Exists ftp@10.0.0.1: Exists ######## Scan completed at Sun Jan 21 18:01:50 2007 ######### 9 results. 47 queries in 1 seconds (47.0 queries / sec)
Using the SMTP RCPT TO Command
The output below shows how the SMTP server responds differently to RCPT TO requests for valid and invalid users. This is often to the most useful technique as VRFY and EXPN are often disabled to prevent username enumeration.
$ telnet 10.0.0.1 25 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. 220 myhost ESMTP Sendmail 8.9.3 HELO 501 HELO requires domain address HELO x 250 myhost Hello [10.0.0.99], pleased to meet you MAIL FROM:root 250 root... Sender ok RCPT TO:root 250 root... Recipient ok RCPT TO: blah 550 blah... User unknown
To use smtp-user-enum to enumerate valid usernames using the RCPT TO command, first prepare a list of usernames (users.txt) and run the tool as follows (again, the results are the same as above):
$ smtp-user-enum.pl -M RCPT -U users.txt -t 10.0.0.1 Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan Information | ---------------------------------------------------------- Mode ..................... RCPT Worker Processes ......... 5 Usernames file ........... users.txt Target count ............. 1 Username count ........... 47 Target TCP port .......... 25 Query timeout ............ 5 secs Relay Server ............. Not used ######## Scan started at Sun Jan 21 18:01:50 2007 ######### root@10.0.0.1: Exists bin@10.0.0.1: Exists daemon@10.0.0.1: Exists lp@10.0.0.1: Exists adm@10.0.0.1: Exists uucp@10.0.0.1: Exists postmaster@10.0.0.1: Exists nobody@10.0.0.1: Exists ftp@10.0.0.1: Exists ######## Scan completed at Sun Jan 21 18:01:50 2007 ######### 9 results. 47 queries in 1 seconds (47.0 queries / sec)
Enumerating Email Addresses Instead of Usernames
Version 1.1 adds support for optionally appending a domain name to the end of each username:
$ ./smtp-user-enum.pl -D example.com -M RCPT -U users.txt -t 10.0.0.1 Starting smtp-user-enum v1.1 ( http://pentestmonkey.net/tools/smtp-user-enum )
---------------------------------------------------------- | Scan Information | ----------------------------------------------------------
Mode ..................... RCPT Worker Processes ......... 5 Usernames file ........... users.txt Target count ............. 1 Username count ........... 47 Target TCP port .......... 25 Query timeout ............ 5 secs Target domain ............ example.com
######## Scan started at Wed Jan 16 20:43:58 2008 ######### 10.0.0.1: bin@example.com exists 10.0.0.1: daemon@example.com exists 10.0.0.1: root@example.com exists 10.0.0.1: postmaster@example.com exists ######## Scan completed at Wed Jan 16 20:43:58 2008 #########
4 results.
7 queries in 1 seconds (47.0 queries / sec)
License
This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.
In all other respects the GPL version 2 applies:
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Leave a Reply
You must be logged in to post a comment.