# Commands | **Command** | **Description** | | ------------ | ------------------------------------------------------------------------------------------------ | | `AUTH PLAIN` | AUTH is a service extension used to authenticate the client. | | `HELO` | The client logs in with its computer name and thus starts the session. | | `MAIL FROM` | The client names the email sender. | | `RCPT TO` | The client names the email recipient. | | `DATA` | The client initiates the transmission of the email. | | `RSET` | The client aborts the initiated transmission but keeps the connection between client and server. | | `VRFY` | The client checks if a mailbox is available for message transfer. | | `EXPN` | The client also checks if a mailbox is available for messaging with this command. | | `NOOP` | The client requests a response from the server to prevent disconnection due to time-out. | | `QUIT` | The client terminates the session. | # HELO/EHLO ```bash telnet <IP> 25 HELO mail1.inlanefreight.htb VRFY root MAIL FROM: <email address> RCPT TO: <email address> ``` # Nmap ```bash smtp-commands # default Nmap scripts smtp-open-relay ``` # Enumerate users in SMTP server ```bash sudo apt install smtp-user-enum smtp-user-enum -M VRFY -U userlist.txt -t <target_ip> -p 25 smtp-user-enum -M VRFY -U ../footprinting-wordlist.txt -t 10.129.144.53 -p 25 -v -w 10 ``` - `-M`: Method (`VRFY`, `EXPN`, or `RCPT`). - `-U`: Path to user list. - `-t`: Target IP address. - `-p`: SMTP port. - `-w`: wait a maximum of n seconds for reply