Note that you can interact with an SMTP server directly with nc. After connecting to the SMTP server (the colon after MAIL FROM / RCPT TO is part of the SMTP syntax and most servers reject the command without it):

    HELO <domain_name>
    MAIL FROM:<email_address>
    RCPT TO:<target_email>      (or EXPN <username> / VRFY <username>)
    # 250 (Valid)
    # 550 (Invalid)
Useful SMTP verbs:
RCPT
VRFY
EXPN
Metasploit
auxiliary/scanner/smtp/smtp_enum
smtp-user-enum script
Usage: smtp-user-enum.pl [options] ( -u username | -U file-of-usernames )
                                    ( -t host | -T file-of-targets )

options are:

        -m n     Maximum number of processes (default: 5)
        -M mode  Method to use for username guessing EXPN, VRFY or RCPT
                 (default: VRFY)
        -u user  Check if user exists on remote system
        -f addr  MAIL FROM email address. Used only in "RCPT TO" mode
                 (default: user@example.com)
        -D dom   Domain to append to supplied user list to make email addresses
                 (Default: none)
                 Use this option when you want to guess valid email addresses
                 instead of just usernames
                 e.g. "-D example.com" would guess foo@example.com,
                 bar@example.com, etc.
                 Instead of simply the usernames foo and bar.
        -U file  File of usernames to check via smtp service
        -t host  Server host running smtp service
        -T file  File of hostnames running the smtp service
        -p port  TCP port on which smtp service runs (default: 25)
        -d       Debugging output
        -t n     Wait a maximum of n seconds for reply (default: 5)
        -v       Verbose
        -h       This help message

Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.

Examples:

    $ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
    $ smtp-user-enum.pl -M EXPN -u admin1 -t 10.0.0.1
    $ smtp-user-enum.pl -M RCPT -U users.txt -T mail-server-ips.txt
    $ smtp-user-enum.pl -M EXPN -D example.com -U users.txt -t 10.0.0.1
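An added detection-side example, not from this page and not part of smtp-user-enum: the RCPT mode above leaves one 550 "User unknown" reject per guessed name in the receiving server's mail log, and a default run also stamps the tool's MAIL FROM default user@example.com on every attempt, so this script flags clients that burn through many distinct unknown recipients in a short window. The log format and sample lines are constructed in Postfix smtpd style and are assumptions, not captures from a real host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Postfix smtpd style (assumption, not a real capture):
# one client guessing names in quick succession, one normal sender with a single typo.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 550 5.1.1 <foo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<foo@example.com> proto=SMTP helo=<example.com>
Jan 10 12:00:01 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 550 5.1.1 <bar@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<bar@example.com> proto=SMTP helo=<example.com>
Jan 10 12:00:02 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 550 5.1.1 <baz@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<baz@example.com> proto=SMTP helo=<example.com>
Jan 10 12:00:02 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 550 5.1.1 <qux@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<qux@example.com> proto=SMTP helo=<example.com>
Jan 10 12:00:03 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 550 5.1.1 <admin1@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<admin1@example.com> proto=SMTP helo=<example.com>
Jan 10 12:05:00 mx postfix/smtpd[2300]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.7]: 550 5.1.1 <jsmiht@example.com>: Recipient address rejected: User unknown in local recipient table; from=<alice@partner.test> to=<jsmiht@example.com> proto=ESMTP helo=<mail.partner.test>
"""

# One "unknown recipient" reject per line: timestamp, client IP, guessed recipient, MAIL FROM.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: .*User unknown.*"
    r"from=<(?P<sender>[^>]*)>"
)

def parse_rejects(log_text, year=2024):
    """Yield (timestamp, client_ip, recipient, sender) for each 550 'User unknown' reject.
    Syslog lines carry no year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"], m["sender"]

def find_enumeration(log_text, threshold=5, window_s=60):
    """Return {client_ip: {"recipients": n, "senders": [...]}} for clients that hit
    `threshold` distinct unknown recipients within any `window_s`-second window.
    The senders list is kept because a tool left on its defaults uses the same
    MAIL FROM (user@example.com for smtp-user-enum) on every guess."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt, sender in parse_rejects(log_text):
        by_ip[ip].append((ts, rcpt, sender))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            names = {r for _, r, _ in window}
            if len(names) >= threshold:
                flagged[ip] = {"recipients": len(names),
                               "senders": sorted({s for _, _, s in window})}
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

On the sample data only 10.0.0.5 is flagged; the partner host's single typo stays below the threshold.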
SNMP (Port 161)
SNMPv1 and SNMPv2 use cleartext! If you see these, remember you can use a sniffer to grab the community string.