# Commands
|**Command**|**Description**|
|---|---|
|`AUTH PLAIN`|AUTH is a service extension used to authenticate the client.|
|`HELO`|The client logs in with its computer name and thus starts the session.|
|`MAIL FROM`|The client names the email sender.|
|`RCPT TO`|The client names the email recipient.|
|`DATA`|The client initiates the transmission of the email.|
|`RSET`|The client aborts the initiated transmission but keeps the connection between client and server.|
|`VRFY`|The client checks if a mailbox is available for message transfer.|
|`EXPN`|Like `VRFY`, the client uses this command to check whether a mailbox is available for messaging.|
|`NOOP`|The client requests a response from the server to prevent disconnection due to time-out.|
|`QUIT`|The client terminates the session.|
# HELO/EHLO
```bash
telnet <IP> 25
HELO mail1.inlanefreight.htb
VRFY root
MAIL FROM: <email address>
RCPT TO: <email address>
```
# Nmap
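```bash
# smtp-commands is part of Nmap's default script set
nmap -p 25 --script smtp-commands <IP>
# smtp-open-relay has to be requested by name
nmap -p 25 --script smtp-open-relay <IP>
```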
# Enumerate users in SMTP server
```bash
sudo apt install smtp-user-enum
smtp-user-enum -M VRFY -U userlist.txt -t <target_ip> -p 25
smtp-user-enum -M VRFY -U ../footprinting-wordlist.txt -t 10.129.144.53 -p 25 -v -w 10
```
- `-M`: Method (`VRFY`, `EXPN`, or `RCPT`).
- `-U`: Path to user list.
- `-t`: Target IP address.
- `-p`: SMTP port.
- `-v`: Verbose output.
- `-w`: Maximum number of seconds to wait for a reply.
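
On the mail server side, the enumeration above shows up as one client probing many different mailboxes with `VRFY`, `EXPN` or rejected `RCPT` commands in a short time. The following detection sketch is an added example, not part of the original notes; the log format (time, client IP, verb, mailbox, reply code), the sample lines, the thresholds and the function names are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROBE_VERBS = {"VRFY", "EXPN", "RCPT"}

# Constructed sample in a hypothetical log format: time, client, verb, mailbox, reply code
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 VRFY root 252
2024-05-01T10:00:01 192.0.2.10 VRFY admin 550
2024-05-01T10:00:02 192.0.2.10 VRFY backup 550
2024-05-01T10:00:03 192.0.2.10 VRFY www-data 550
2024-05-01T10:00:04 192.0.2.10 VRFY robin 252
2024-05-01T10:00:05 198.51.100.7 MAIL bob@example.test 250
2024-05-01T10:00:06 198.51.100.7 RCPT alice@example.test 250
2024-05-01T10:00:07 203.0.113.5 RCPT alcie@example.test 550
2024-05-01T10:09:00 203.0.113.5 RCPT alise@example.test 550
"""

def parse_line(line):
    """Split one log line into (time, client, verb, mailbox, reply code)."""
    ts, client, verb, arg, code = line.split()
    return datetime.fromisoformat(ts), client, verb.upper(), arg.lower(), int(code)

def find_enumeration(lines, min_mailboxes=5, window=timedelta(seconds=60)):
    """Return {client: most distinct mailboxes probed inside one window} for flagged clients."""
    recent = defaultdict(deque)  # client -> (time, mailbox) probes still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, verb, mailbox, code = parse_line(line)
        if verb not in PROBE_VERBS:
            continue
        # RCPT is ordinary mail traffic; only rejected recipients count as probes.
        if verb == "RCPT" and code < 500:
            continue
        probes = recent[client]
        probes.append((ts, mailbox))
        while ts - probes[0][0] > window:  # drop probes older than the window
            probes.popleft()
        distinct = len({m for _, m in probes})
        if distinct >= min_mailboxes:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

Accepted `RCPT` commands and the two widely spaced recipient typos from `203.0.113.5` stay below the threshold, so only the client running the `VRFY` sweep is reported.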