In my article about What is SMTP?, We took a look on what exactly SMTP works for! In SMTP – Extracting Emails, I will be providing a tutorial on Extracting Emails from the SMTP server.
There are several programs and scripts that are available for Gathering emails from a website. So It would be pretty lame if I gave you a tutorial for Extracting emails from server manually. Since knowledge is important,We will be doing it manually too. But before that I’m going to give you the names of best Email Extracting scripts that help me through.
Yeah, pretty much these two.
Also Read RFC paper for SMTP here
Now Let’s find out how to do it manually.
- OS – Kali
I am using a Virtual Machine in order to show you the scenario. The Virtual machine is Metasploitable 2. I did nmap on Metasploitable 2 and found many open ports. But we are only interested in SMTP that’s port 25.
Before going on the real tutorial, I want to tell you about some commonly used SMTP commands.They have already been explained on many site even in the RFC5321 for SMTP, So I’m not feeling the urge to do that again, On this website you are going to find real stuff, I want to provide accurate answers so if I find some stuff that I found good and understandable then I’m going to share it with you people! So Here’s the Microsoft link providing a well enough to understand description for SMTP commands and it is a short description.
Let’s do this now:
- We have already found out the ports which are open. Now We need to make a connection to SMTP , We are going to do that using telnet. The command goes like “telnet target 25”.
- Once we do that,we are going to send HELO command to identify ourself! So I wrote “HELO www.attacker.com”. You can write anything there.
- Then, We will write EHLO to find out the services which SMTP protocol provides.This will show different commands that are supported and allowed on that particular SMTP server.So here’s what is allowed on Metasploitable 2.
- Now, We will use VRFY, this command is used to verify the existing email in the server. Example, If I write “VRFY root”, This will verify if the server has a user name something like firstname.lastname@example.org, this is what we need to find. So Here’s what I manually did. We have tried root,admin,msfadmin, administrator and sys. Out of which root,msfadmin and sys are the user emails that exist on the server.
- Now this is a manual form, but what if you can apply the whole wordlist to find the number of users. Here, We will be using smtp-user-enum. We ran the query “smtp-user-enum -M VRFY -U /root/Desktop/wordlist.txt -t 192.168.65.140”.(You can download wordlists from Resources page, I have provided different links there.).
- -M command is used to define mode, the mode here is VRFY because we want to VRFY different usernames on SMTP server. By default the mode is VRFY, you if you don’t write this line it would automatically use VRFY.
- -U flag is used to select wordlist.
- -t flag is used to specify host.So Now,we have the usernames list.
This is a really simple tutorial to extract users from SMTP servers. But the thing is the IP you will be providing for telnet connect should be a server which is running SMTP on port 25. Since I have shown you Metasploitable 2 vm, There is no need to find MX records for the domain. But If you are doing it on a company then you have to find the Mail Exchanger for that domain name. Here’s a link to show how to Grab Information from DNS.
Let’s do it!
- Fire Up a Terminal and Type nslookup
- >set q=mx
- or Open Terminal and Type “dig mx google.com” (without quotes).
But why we need to extract email? To pull out social engineering attacks on employers of the particular company. Or to send a legitimate looking email to any one in the world. I am not Responsible if you use the information provided here in an illegal manner. This is just a simple tutorial for extracting emails from SMTP server. The Next tutorial will be on how to send emails using open SMTP relays, but till then stay hungry!
Stay Anonymous 🙂