# 25 465 587 - SMTP ## Login Basic ``` nc -nv 25 ``` Secure ``` openssl s_client -crlf -connect :465 ``` Secure with STARTTLS ``` openssl s_client -starttls smtp -crlf -connect :587 ``` ## Commands ``` HELO MAIL FROM RCPT TO DATA RSET VRFY NOOP QUIT ``` Extended SMTP ``` EHLO AUTH STARTTLS SIZE HELP ``` ### Send an email ``` HELO x MAIL FROM RCPT TO DATA . ``` ## Enumeration ``` nmap -p -sV --script smtp-* -vv ``` ### User bruteforce #### Manual ``` HELO x ``` The RCPT TO command requires to specify an email to use as source. Sometimes when providing an incomplete destination address the mail server will autocomplete the email revealing the internal name. ``` HELO x MAIL FROM test@mail.com RCPT TO ``` #### Automatic tools Use to following script to generate possible variants of a given username. Downloadable from [here](https://raw.githubusercontent.com/jseidl/usernamer/master/usernamer.py) ``` python usernamer.py -n '' ``` Verify the existence of the generated usernames. ``` smtp-user-enum -M VRFY -D -u -t smtp-user-enum -M VRFY -D -U .txt -t ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://security-notes.gitbook.io/security-notes/networking/ports/25-465-587-smtp.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.