SMTP Enumeration

Interacting with SMTP is easy and since the protocol is straight forward.

  1. #!/usr/bin/env ruby
  2. # KING SABRI | @KINGSABRI
  3. #
  4. require 'socket'
  6. users =
  7.     %w{
  8.         root rubyfu www apache2 bin daemon sshd
  9.         gdm  nobody ftp operator postgres mysqld
  10.       }
  11. found = []
  13. @s = TCPSocket.new('192.168.0.19', 25)
  14. @banner = @s.recv(1024).chomp
  15. users.each do |user|
  16.   @s.send "VRFY #{user} \n\r", 0
  17.   resp = @s.recv(1024).chomp
  18.   found << user if resp.split[2] == user
  19. end
  20. @s.close
  22. puts "[*] Result:-"
  23. puts "[+] Banner: " + @banner
  24. puts "[+] Found users: \n#{found.join("\n")}"

Results

  1. [*] Result:-
  2. [+] Banner: 220 VulnApps.localdomain ESMTP Postfix
  3. [+] Found users: 
  4. root
  5. rubyfu
  6. www
  7. bin
  8. daemon
  9. sshd
  10. gdm
  11. nobody
  12. ftp
  13. operator
  14. postgres

Your turn, there are other commands that can be used such as EXPN, RCPT. Enhance the above script to include all these commands to avoid restricted commands that might you face. Tweet your code and output to @Rubyfu.