Service Detection
Banner Grab
User Enumeration
VRFY
250 = exists/verified, 550 = doesn’t exist. 252 means the server can’t verify (uncertain / VRFY disabled) — not a positive confirmation.
EXPN (Mailing List)
RCPT TO
250 = valid, 550 = invalid.
Automated — smtp-user-enum
Nmap
Open Relay Detection
Manual Check
250 OK after DATA → open relay.
Send Email (Phishing / Spoofing)
swaks
sendemail
Brute-Force
NSE Scripts
Quick Reference
| Check | Command |
|---|---|
| User enum (VRFY) | smtp-user-enum -M VRFY -U users.txt -t TARGET |
| Open relay | nmap --script smtp-open-relay TARGET |
| Send email | swaks --to victim --from admin --server TARGET |
| Brute-force | hydra -L users.txt -P pass.txt smtp://TARGET |