# Commands

|**Command**|**Description**|
|---|---|
|`AUTH PLAIN`|AUTH is a service extension used to authenticate the client.|
|`HELO`|The client logs in with its computer name and thus starts the session.|
|`MAIL FROM`|The client names the email sender.|
|`RCPT TO`|The client names the email recipient.|
|`DATA`|The client initiates the transmission of the email.|
|`RSET`|The client aborts the initiated transmission but keeps the connection between client and server.|
|`VRFY`|The client checks if a mailbox is available for message transfer.|
|`EXPN`|The client also checks if a mailbox is available for messaging with this command.|
|`NOOP`|The client requests a response from the server to prevent disconnection due to time-out.|
|`QUIT`|The client terminates the session.|

# HELO/EHLO

```bash
telnet <IP> 25
HELO mail1.inlanefreight.htb
VRFY root
MAIL FROM: <email address>
RCPT TO: <email address>
```

# Nmap

```bash
smtp-commands # default Nmap scripts
smtp-open-relay
```

# Enumerate users in SMTP server

```bash
sudo apt install smtp-user-enum
smtp-user-enum -M VRFY -U userlist.txt -t <target_ip> -p 25
smtp-user-enum -M VRFY -U ../footprinting-wordlist.txt -t 10.129.144.53 -p 25 -v -w 10
```

- `-M`: Method (`VRFY`, `EXPN`, or `RCPT`).
- `-U`: Path to user list.
- `-t`: Target IP address.
- `-p`: SMTP port.
- `-w`: Wait a maximum of n seconds for a reply.
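
An added example, not part of the original notes: a Python check for auditing how your own mail server answers the `VRFY`, `EXPN` and `RCPT TO` probes listed above. It reports whether the replies vary by mailbox name, which is what the enumeration relies on; a server that answers `252` to every name confirms nothing. The transcripts, the `mail.example` host and all function names are constructed for illustration.

```python
import re

# RFC 5321 reply codes that positively confirm a mailbox (251: user not local, will forward).
CONFIRMS = {"250", "251"}

# Constructed sample transcripts ("C:" = client command, "S:" = server reply).
LEAKY = """\
C: VRFY root
S: 250 2.1.5 root <root@mail.example>
C: VRFY nosuchuser
S: 550 5.1.1 <nosuchuser>: Recipient address rejected
"""
HARDENED = """\
C: VRFY root
S: 252 2.0.0 root
C: VRFY nosuchuser
S: 252 2.0.0 nosuchuser
"""

def parse_probes(transcript):
    """Pair each VRFY/EXPN/RCPT TO command with the code of the reply that follows it."""
    probes, pending = [], None
    for line in transcript.splitlines():
        m = re.match(r"C:\s*(VRFY|EXPN|RCPT TO:?)\s*(\S+)", line, re.I)
        if m:
            pending = (m.group(1).upper().rstrip(":"), m.group(2).strip("<>"))
        elif pending and (r := re.match(r"S:\s*(\d{3})[ -]", line)):
            probes.append((*pending, r.group(1)))  # first line of the reply decides
            pending = None
    return probes

def audit(transcript):
    """Return (discloses, confirmed): do replies vary by mailbox, and which names got 250/251."""
    probes = parse_probes(transcript)
    codes_by_cmd = {}
    for cmd, _, code in probes:
        codes_by_cmd.setdefault(cmd, set()).add(code)
    # Different codes for different names under the same command reveal which mailboxes exist.
    discloses = any(len(codes) > 1 for codes in codes_by_cmd.values())
    confirmed = sorted(name for _, name, code in probes if code in CONFIRMS)
    return discloses, confirmed

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit(sample))
```

On Postfix, `disable_vrfy_command = yes` switches `VRFY` off; `RCPT TO` cannot be disabled, so its replies need the same check.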