smtp-user-enum
smtp-user-enum is a username guessing tool for SMTP services. It uses VRFY, EXPN, or RCPT TO methods to check for valid usernames on target servers.
Description
smtp-user-enum is designed primarily for use against the default Solaris SMTP service but works with other SMTP implementations. It enumerates valid usernames by sending specific SMTP commands that reveal whether a user exists. This tool is useful in penetration testing to identify valid accounts on mail servers before attempting further attacks like brute-force or phishing.
The tool supports multithreaded operation with configurable worker processes and can handle single targets or lists of hosts and usernames. It can also append domains to usernames to guess full email addresses, making it versatile for both username and email enumeration scenarios.
Use cases include reconnaissance during network pentests, especially when targeting mail servers that have VRFY or EXPN enabled; these commands are often disabled on hardened systems.
How It Works
The tool connects to the SMTP service on TCP port 25 and uses one of three methods: VRFY (verify user), EXPN (expand mailing list), or RCPT TO (recipient validation during SMTP transaction). It sends these commands for each username against the target(s), interpreting responses to determine if the user exists. Multiple worker processes handle parallel queries with configurable timeouts. For RCPT TO mode, it uses a MAIL FROM address to initiate the transaction. Domain appending transforms usernames into email addresses for validation.
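From the mail server's side, this activity shows up as one client probing many distinct names with VRFY, EXPN, or RCPT TO in a short time. The following detection sketch is an added example, not part of smtp-user-enum; the log format, the sample lines, and the window and threshold values are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample in a hypothetical log format (not any real MTA's):
#   <epoch seconds> <client ip> <SMTP command line> -> <reply code>
SAMPLE_LOG = """\
1700000000 198.51.100.20 MAIL FROM:<alice@example.org> -> 250
1700000001 198.51.100.20 RCPT TO:<bob@example.com> -> 250
1700000010 203.0.113.7 VRFY root -> 250
1700000011 203.0.113.7 VRFY admin -> 550
1700000012 203.0.113.7 VRFY backup -> 550
1700000013 203.0.113.7 VRFY oracle -> 550
1700000014 203.0.113.7 VRFY www -> 550
1700000200 192.0.2.44 MAIL FROM:<x@example.net> -> 250
1700000201 192.0.2.44 RCPT TO:<a@example.com> -> 550
1700000202 192.0.2.44 RCPT TO:<b@example.com> -> 550
1700000203 192.0.2.44 RCPT TO:<c@example.com> -> 550
1700000204 192.0.2.44 RCPT TO:<d@example.com> -> 250
1700000900 192.0.2.44 RCPT TO:<e@example.com> -> 550
"""

# Only the three commands that can reveal whether a name exists are matched.
LINE = re.compile(r"^(\d+) (\S+) (VRFY|EXPN|RCPT TO:)\s*<?([^>\s]+)>? -> (\d{3})$", re.I)

def detect_enumeration(log_text, window=60, threshold=4):
    """Return {client_ip: (peak distinct names probed within `window` seconds,
    total 550 replies)} for clients reaching `threshold` distinct names."""
    recent = defaultdict(deque)   # ip -> (timestamp, name) pairs inside the window
    peak = defaultdict(int)       # ip -> most distinct names seen in any window
    unknown = defaultdict(int)    # ip -> count of "no such user" (550) replies
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # MAIL FROM and other commands are not probes
        ts, ip, name, code = int(m[1]), m[2], m[4].lower(), m[5]
        if code == "550":
            unknown[ip] += 1
        q = recent[ip]
        q.append((ts, name))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop probes that fell out of the time window
        peak[ip] = max(peak[ip], len({n for _, n in q}))
    return {ip: (n, unknown[ip]) for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (names, rejected) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {names} distinct names probed, {rejected} unknown-user replies")
```

Counting distinct names rather than raw commands keeps a client that retries one address from being flagged, and the 550 count helps separate a guessing client from a busy legitimate relay.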
Installation
sudo apt install smtp-user-enum
Flags
Examples
smtp-user-enum -M VRFY -u root -t 192.168.1.25
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
smtp-user-enum -h