Email Enumeration
# Overview
Email enumeration involves discovering email infrastructure through DNS (MX records), fingerprinting mail servers (SMTP on port 25, SMTPS on 465, submission on 587, IMAP on 143/993, POP3 on 110/995), and enumerating valid email users through SMTP protocol commands (VRFY, EXPN, RCPT TO). In Active Directory environments, Exchange Server integration provides additional enumeration avenues via Exchange Web Services (EWS), Outlook Web App (OWA), and Autodiscover endpoints. Valid email users often map directly to domain accounts, enabling password spraying.
# Prerequisites
- Tools: nc/telnet, smtp-user-enum, nmap (smtp-commands, smtp-enum-users), Metasploit, OWA/EWS enumeration tools
- Access Level: Network access to SMTP ports (25, 465, 587), Exchange HTTP(S) endpoints
- Wordlists: Common usernames for user enumeration
# Detection & Enumeration
# DNS Mail Record Discovery
```bash
# MX records (mail servers)
dig MX domain.htb
nslookup -type=MX domain.htb
host -t MX domain.htb
# SRV records (service records -- often reveal Exchange)
dig SRV _autodiscover._tcp.domain.htb
# SPF records (may reveal mail server IPs and domains)
dig TXT domain.htb | grep spf
# DMARC records
dig TXT _dmarc.domain.htb
```
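The SPF and DMARC TXT records that the dig commands above return are worth reading carefully from the owner's side as well: they list sending infrastructure in clear text and state how receivers should treat spoofed mail. As an added example (not part of the original notes), the script below parses the two record types with the standard library only and reports what a record discloses and how strict it is. The SPF and DMARC strings, the thresholds and the findings wording are constructed for illustration.

```python
"""Audit what a domain's SPF and DMARC TXT records disclose and how strict they are.

Added example, not from the original notes. Stdlib only. The sample records
below are constructed; substitute the strings returned by
'dig TXT domain' and 'dig TXT _dmarc.domain'.
"""
import re

# Constructed sample records (not real infrastructure)
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-relay.invalid a:mail.domain.htb ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@domain.htb"

# qualifier (+ - ~ ?), mechanism name, optional ':value' or '=value'
SPF_TERM_RE = re.compile(
    r"^([+\-~?])?(all|ip4|ip6|a|mx|include|exists|ptr|redirect)(?:[:=](.*))?$", re.I)


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier on 'all' (None if absent)."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        m = SPF_TERM_RE.match(term)
        if not m:
            continue  # modifiers such as exp= are ignored here
        qualifier, mech, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, mech, value))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Return DMARC tags as a dict with lower-cased keys."""
    if not record.lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_findings(spf):
    """Posture findings: weak 'all' qualifier, disclosed hosts/ranges, lookup count."""
    findings = []
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (missing, '+all' or '?all'): spoofing is not constrained")
    elif spf["all"] == "~":
        findings.append("SPF softfail (~all): receivers may still deliver spoofed mail")
    disclosed = [v for _, m, v in spf["mechanisms"] if m in ("ip4", "ip6", "a", "mx", "include") and v]
    if disclosed:
        findings.append("SPF discloses sending infrastructure: " + ", ".join(disclosed))
    lookups = sum(1 for _, m, _ in spf["mechanisms"] if m in ("include", "a", "mx", "exists", "ptr"))
    if lookups > 10:
        findings.append("SPF exceeds the 10 DNS-lookup limit (permerror at receivers)")
    return findings


def dmarc_findings(dmarc):
    """Posture findings: policy weaker than reject, no aggregate reporting, partial pct."""
    findings = []
    policy = dmarc.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is '{policy or 'missing'}', not 'reject': spoofed mail is reported but not blocked")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address: no aggregate reports, so abuse goes unseen")
    pct = dmarc.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    return findings


def audit(spf_record, dmarc_record):
    """Combined findings for one domain's SPF and DMARC records."""
    return spf_findings(parse_spf(spf_record)) + dmarc_findings(parse_dmarc(dmarc_record))


if __name__ == "__main__":
    for line in audit(SAMPLE_SPF, SAMPLE_DMARC):
        print("-", line)
```

Feed it the exact TXT strings from dig; a record with `-all` and `p=reject` produces only the disclosure finding, which is the unavoidable part: SPF has to name the senders it authorises.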
# SMTP Enumeration
```bash
# Banner grab
nc -nv 10.10.10.161 25
# Check supported SMTP commands via EHLO
nc -nv 10.10.10.161 25
# HELO test.com
# EHLO test.com
# Observe advertised extensions: STARTTLS, AUTH, VRFY, EXPN
# nmap SMTP enumeration
nmap --script smtp-commands -p 25 10.10.10.161
nmap --script smtp-enum-users -p 25 10.10.10.161
```
SMTP user enumeration commands:
- VRFY <username>: Verify whether a username/mailbox exists on the system. Responses: 252 (exists), 550 (does not exist). Caveat: RFC 5321 defines 252 as "cannot verify, but will accept the message and attempt delivery", so a server that answers 252 for every name (a common hardening choice) has confirmed nothing; the informative signal is a 550 for some names and a 250/252 for others.
- EXPN <username>: Expand a mailing list or alias. Returns the members of distribution groups.
- RCPT TO:<user@domain.htb>: During a mail delivery attempt, the server accepts or rejects each recipient. Most modern servers delay this response until after DATA, but some older servers leak the result immediately.
# Automated SMTP User Enumeration
```bash
# smtp-user-enum (dedicated tool)
smtp-user-enum -M VRFY -U users.txt -t 10.10.10.161
smtp-user-enum -M EXPN -U users.txt -t 10.10.10.161
smtp-user-enum -M RCPT -U users.txt -t 10.10.10.161
# Metasploit SMTP enumeration
msfconsole -q -x "use auxiliary/scanner/smtp/smtp_enum; set RHOSTS 10.10.10.161; set USER_FILE users.txt; run"
```
# Exchange Server Enumeration
Exchange provides rich enumeration opportunities through web-based interfaces:
```bash
# Autodiscover endpoint (common URL pattern)
curl -s https://mail.domain.htb/autodiscover/autodiscover.xml
curl -s https://autodiscover.domain.htb/autodiscover/autodiscover.xml
# OWA (Outlook Web App) -- webmail interface
curl -s -D- https://mail.domain.htb/owa/
curl -s -D- https://mail.domain.htb/owa/auth.owa
# EWS (Exchange Web Services) -- SOAP API endpoint
curl -s https://mail.domain.htb/EWS/Exchange.asmx
# Common Exchange virtual directories
# /owa/ - Outlook Web App
# /ecp/ - Exchange Control Panel
# /ews/ - Exchange Web Services
# /autodiscover/ - Autodiscover service
# /mapi/ - MAPI over HTTP
# /rpc/ - Outlook Anywhere (RPC over HTTP)
# /powershell/ - Exchange PowerShell endpoint
```
# Exchange Time-Based User Enumeration
Exchange OWA/EWS can be used for user enumeration via response timing:
```bash
# OWA timing enumeration (valid users take slightly longer to respond)
curl -s -D- -X POST https://mail.domain.htb/owa/auth.owa \
  -d 'username=testuser&password=anything' 2>&1 | grep -i "X-OWA-Error\|Location"
# Valid internal Exchange usernames can be derived from AD enumeration
# Exchange mailboxes often match sAMAccountName
```
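From the defender's side, every one of these POSTs to /owa/auth.owa lands in the IIS W3C log, and a burst of logon attempts from a single source within a short window is the signal to alert on, regardless of whether the attacker is measuring timings or spraying passwords. The script below is an added example (not from the original notes and not Exchange's own tooling): a stdlib-only parser for IIS W3C extended logs that applies a sliding-window count per client IP. The log excerpt is constructed; the 60-second window and the threshold of five requests are assumptions to tune against real traffic.

```python
"""Flag bursts of OWA logon POSTs (/owa/auth.owa) in IIS W3C extended logs.

Added example, not from the original notes. The log excerpt is constructed
in IIS W3C format (spaces inside field values appear as '+'); the detection
window and threshold are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-03 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-03 10:00:01 10.10.10.161 GET /owa/ - 443 - 192.0.2.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 35
2024-03-03 10:00:04 10.10.10.161 POST /owa/auth.owa - 443 - 192.0.2.20 Mozilla/5.0+(Windows+NT+10.0) https://mail.domain.htb/owa/auth/logon.aspx 302 0 0 180
2024-03-03 10:03:10 10.10.10.161 POST /owa/auth.owa - 443 - 10.10.10.5 curl/7.88.1 - 302 0 0 205
2024-03-03 10:03:11 10.10.10.161 POST /owa/auth.owa - 443 - 10.10.10.5 curl/7.88.1 - 302 0 0 198
2024-03-03 10:03:11 10.10.10.161 POST /owa/auth.owa - 443 - 10.10.10.5 curl/7.88.1 - 302 0 0 201
2024-03-03 10:03:12 10.10.10.161 POST /owa/auth.owa - 443 - 10.10.10.5 curl/7.88.1 - 302 0 0 240
2024-03-03 10:03:13 10.10.10.161 POST /owa/auth.owa - 443 - 10.10.10.5 curl/7.88.1 - 302 0 0 199
2024-03-03 10:03:14 10.10.10.161 POST /owa/auth.owa - 443 - 10.10.10.5 curl/7.88.1 - 302 0 0 203
2024-03-03 10:09:30 10.10.10.161 POST /owa/auth.owa - 443 - 192.0.2.20 Mozilla/5.0+(Windows+NT+10.0) https://mail.domain.htb/owa/auth/logon.aspx 302 0 0 175
"""

WINDOW = timedelta(seconds=60)  # assumed detection window
THRESHOLD = 5                   # assumed: logon POSTs from one source inside a window


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header may repeat when IIS rotates the log
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def owa_logon_posts(log_text):
    """(timestamp, user-agent) of every POST /owa/auth.owa, grouped by client IP."""
    by_ip = defaultdict(list)
    for r in parse_w3c(log_text):
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == "/owa/auth.owa":
            ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            by_ip[r["c-ip"]].append((ts, r["cs(User-Agent)"]))
    return by_ip


def burst_sources(log_text):
    """Return {ip: (peak count inside any WINDOW, user agents seen)} for sources at or above THRESHOLD."""
    alerts = {}
    for ip, events in owa_logon_posts(log_text).items():
        times = sorted(t for t, _ in events)
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= THRESHOLD:
            alerts[ip] = (peak, sorted({ua for _, ua in events}))
    return alerts


if __name__ == "__main__":
    for ip, (count, agents) in burst_sources(SAMPLE_IIS_LOG).items():
        print(f"ALERT {ip}: {count} OWA logon POSTs within {WINDOW.seconds}s, user agents {agents}")
```

The user-agent list is kept in the alert because a non-browser agent hitting the logon form is a second, independent indicator; correlating the same source IP with Event ID 4625/4776 on the Exchange server turns the burst into a confirmed authentication attack.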
# Domain User to Email Mapping
In Active Directory environments, the userPrincipalName (UPN) often matches the email address:
- username@domain.local maps to username@domain.com or username@mail.domain.com
- Users discovered via LDAP/RPC enumeration can be tried as email addresses
# Common Pitfalls
- Most modern SMTP servers disable VRFY and EXPN commands entirely. If they return "502 Command not implemented," move on.
- RCPT TO enumeration is unreliable on modern mail servers. Post-delivery rejection (after DATA) prevents user enumeration.
- Exchange Autodiscover sometimes requires NTLM authentication before returning useful information.
- OWA timing attacks are subtle and require statistical analysis. Single request comparisons are unreliable.
- Email enumeration may trigger account lockout policies on systems that integrate SMTP auth with AD authentication.
- MX records pointing to third-party services (Google Workspace, Microsoft 365) mean the mail infrastructure is hosted externally and is out of scope.
# OPSEC Considerations
- SMTP VRFY/EXPN commands are logged by the mail server (Postfix, Sendmail, Exchange). A series of failed VRFY attempts is a reconnaissance IOC.
- SMTP user enumeration generates distinct protocol-level events that SIEMs can correlate. smtp-user-enum sends hundreds of VRFY commands, which is a clear pattern.
- Exchange OWA authentication attempts generate IIS logs (HTTP POST to /owa/auth.owa) and Windows Security Event Log entries (Event ID 4625 for failed logins, Event ID 4776 for failed NTLM).
- Autodiscover endpoint probing is less logged than actual authentication attempts and may blend in with legitimate client activity.
- DNS MX/SRV record queries are passive and generate no server-side alert on the target. Use this first.
- Exchange enumeration is noisy because Exchange logs extensively and integrates deeply with AD auditing. Multiple authentication failures from a non-corporate IP are a high-severity alert.
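The two SMTP-side signals named above, a run of VRFY/EXPN commands and a series of RCPT TO rejections with 550 for unknown users (the same response codes described under SMTP Enumeration), can be pulled out of mail-server logs with a short script. The following is an added example, not from the original notes: the log lines are constructed in the style of Postfix smtpd logging, which writes a per-session disconnect summary with a count per command (accepted/total when they differ) and a NOQUEUE reject line for each refused recipient. The thresholds are assumptions.

```python
"""Detect SMTP user-enumeration activity in mail-server logs.

Added example, not from the original notes. The lines below are constructed
samples modelled on Postfix smtpd logging: per-session disconnect summaries
with per-command counts, and NOQUEUE reject lines for unknown recipients.
Thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 10:01:02 mx1 postfix/smtpd[2211]: connect from unknown[10.10.10.5]
Mar  3 10:01:09 mx1 postfix/smtpd[2211]: disconnect from unknown[10.10.10.5] ehlo=1 vrfy=60 expn=4 quit=1 commands=66
Mar  3 10:02:11 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[10.10.10.5]: 550 5.1.1 <alice@domain.htb>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<alice@domain.htb> proto=ESMTP helo=<test.com>
Mar  3 10:02:12 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[10.10.10.5]: 550 5.1.1 <bob@domain.htb>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<bob@domain.htb> proto=ESMTP helo=<test.com>
Mar  3 10:02:13 mx1 postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[10.10.10.5]: 550 5.1.1 <carol@domain.htb>: Recipient address rejected: User unknown in local recipient table; from=<probe@test.com> to=<carol@domain.htb> proto=ESMTP helo=<test.com>
Mar  3 10:02:20 mx1 postfix/smtpd[2212]: disconnect from unknown[10.10.10.5] ehlo=1 mail=1 rcpt=0/3 quit=1 commands=3/6
Mar  3 10:05:00 mx1 postfix/smtpd[2213]: disconnect from relay.partner.invalid[198.51.100.7] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

DISCONNECT_RE = re.compile(r"disconnect from \S+\[(?P<ip>[^\]]+)\] (?P<counts>.*)$")
COUNT_RE = re.compile(r"(?P<cmd>[a-z]+)=(?:(?P<ok>\d+)/)?(?P<total>\d+)")   # 'vrfy=60' or 'rcpt=0/3'
RCPT_REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 ")

VRFY_EXPN_THRESHOLD = 10   # assumed: real mail clients send no VRFY/EXPN at all
RCPT_REJECT_THRESHOLD = 3  # assumed: repeated unknown-recipient rejections from one source


def summarise(log_text):
    """Per source IP: total VRFY/EXPN commands issued and 550 RCPT TO rejections."""
    stats = defaultdict(lambda: {"vrfy_expn": 0, "rcpt_rejected": 0})
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            entry = stats[m.group("ip")]            # record the source even when counts are zero
            for c in COUNT_RE.finditer(m.group("counts")):
                if c.group("cmd") in ("vrfy", "expn"):
                    entry["vrfy_expn"] += int(c.group("total"))
            continue
        m = RCPT_REJECT_RE.search(line)
        if m:
            stats[m.group("ip")]["rcpt_rejected"] += 1
    return dict(stats)


def flag_enumerators(log_text):
    """Return {ip: [reasons]} for sources whose counts reach the thresholds."""
    alerts = {}
    for ip, s in summarise(log_text).items():
        reasons = []
        if s["vrfy_expn"] >= VRFY_EXPN_THRESHOLD:
            reasons.append(f"{s['vrfy_expn']} VRFY/EXPN commands")
        if s["rcpt_rejected"] >= RCPT_REJECT_THRESHOLD:
            reasons.append(f"{s['rcpt_rejected']} RCPT TO rejections (550 unknown user)")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in flag_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: " + "; ".join(reasons))
```

Counting from the disconnect summary rather than from individual command lines is deliberate: Postfix does not log each VRFY, so the session summary is where the evidence lives. The partner relay in the sample shows normal delivery (one MAIL, one accepted RCPT, DATA) and is left alone.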
# Post-Exploitation Value
- Valid email users map to Active Directory accounts, enabling password spraying against the entire domain.
- Exchange access (OWA, EWS) provides email content, calendars, contacts, and file attachments containing sensitive data.
- Exchange PowerShell endpoint (/powershell/) enables administrative Exchange management if privileged credentials are obtained.
- Exchange group membership (Exchange Windows Permissions, Exchange Trusted Subsystem) often grants DCSync or WriteDacl on the domain.
- SMTP server version information guides vulnerability research (e.g., Exchange ProxyLogon, ProxyShell).
# Cross-References
# Tool References
| Tool | Description | Link |
|---|---|---|
| smtp-user-enum | SMTP user enumeration (VRFY, EXPN, RCPT) | Built into Kali |
| nmap (smtp-commands, smtp-enum-users) | NSE scripts for SMTP enumeration | Built into nmap |
| Metasploit smtp_enum | SMTP user enumeration module | Built into Metasploit |
| dig/nslookup/host | DNS query tools | Built into most systems |
| curl | HTTP client for Exchange endpoint probing | Built into most systems |
# Source Machines
- Forest (Easy, AD) -- Exchange installed, Exchange Windows Permissions group used for DCSync privilege escalation
- Exchange enumeration is relevant to most AD machines with port 443/80 and IIS running. While SMTP user enumeration (VRFY/EXPN) is less common on modern servers, Exchange web endpoints are frequently present on Domain Controllers with Exchange installed.