SMTP用户枚举原理与工具使用详解<\/h1>

一、SMTP用户枚举原理<\/h2>
SMTP(简单邮件传输协议)是安全测试中常见的服务类型，其不安全的配置(未禁用某些命令)会导致用户枚举问题。主要通过以下SMTP命令实现：<\/p>

1. 关键SMTP命令<\/h3>

命令<\/th> 功能描述<\/th> <\/tr> <\/thead>

MAIL FROM<\/td> 指定发件人地址<\/td> <\/tr>

RCPT TO<\/td> 指定单个邮件接收人；可有多个RCPT TO；常在MAIL FROM命令之后<\/td> <\/tr>

VRFY<\/td> 用于验证指定用户\/邮箱是否存在；由于安全原因，服务器常禁止此命令<\/td> <\/tr>

EXPN<\/td>

验证给定的邮箱列表是否存在，也常被禁用<\/td> <\/tr> <\/tbody> <\/table>

2. 关键返回码<\/h3>

返回码<\/th> 含义<\/th> <\/tr> <\/thead>

250<\/td> 要求的邮件操作完成<\/td> <\/tr>

550<\/td>

要求的邮件操作未完成，邮箱不可用(例如邮箱未找到，或不可访问)<\/td> <\/tr> <\/tbody> <\/table>

二、手动枚举方法<\/h2>

1. 使用VRFY命令<\/h3>

$ telnet 202.38.xxx.xxx 25<\/span>
<\/span><\/span>Trying 202.38.xxx.xxx...
<\/span><\/span>Connected to 202.38.xxx.xxx.
<\/span><\/span>Escape character is '^]'<\/span>.
<\/span><\/span>220<\/span> mxt.xxx.xxx.cn ESMTP Postfix
<\/span><\/span>VRFY root
<\/span><\/span>252<\/span> 2.0.0 root
<\/span><\/span>VRFY bin
<\/span><\/span>252<\/span> 2.0.0 bin
<\/span><\/span>VRFY admin
<\/span><\/span>550<\/span> 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
<\/span><\/span><\/code><\/pre>2. 使用MAIL FROM+RCPT TO命令<\/h3>
$ telnet 202.38.xxx.xxx 25<\/span>
<\/span><\/span>Trying 202.38.xxx.xxx...
<\/span><\/span>Connected to 202.38.xxx.xxx.
<\/span><\/span>Escape character is '^]'<\/span>.
<\/span><\/span>220<\/span> mxt.xxx.xxx.cn ESMTP Postfix
<\/span><\/span>MAIL FROM:root
<\/span><\/span>250<\/span> 2.1.0 Ok
<\/span><\/span>RCPT TO:root
<\/span><\/span>250<\/span> 2.1.5 Ok
<\/span><\/span>RCPT TO:bin
<\/span><\/span>250<\/span> 2.1.5 Ok
<\/span><\/span>RCPT TO:admin
<\/span><\/span>550<\/span> 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
<\/span><\/span><\/code><\/pre>三、自动化工具使用<\/h2>
1. smtp-user-enum工具<\/h3>
kali自带的Perl编写工具，支持VRFY、RCPT和EXPN三种枚举方式。<\/p>
基本参数<\/h4>
Usage: smtp-user-enum.pl [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )

options:
  -m <number>  最大线程数(默认: 5)
  -M <mode>    使用方法方式 EXPN, VRFY or RCPT (默认: VRFY)
  -u <user>    指定用户
  -f <addr>    邮箱地址，只能用在 "RCPT TO" mode (默认: user@example.com)
  -D <domaim>  使用电子邮件地址添加到用户列表在域 (默认: none)
  -U <file>    通过smtp服务指定文件里的用户名检查
  -t <host>    指定主机来运行smtp服务器主机服务
  -T <file>    指定文件来运行smtp服务器主机服务
  -p <port>    设置TCP端口号 (默认: 25)
  -d           调试
  -t <time>    最大返回时间 (default: 5)
  -v           版本
  -h           帮助
<\/code><\/pre>
使用示例<\/h4>
VRFY方式<\/strong><\/p>
$ smtp-user-enum -M VRFY -u root -t 202.38.xxx.xxx
<\/span><\/span><\/code><\/pre>RCPT方式<\/strong><\/p>
$ smtp-user-enum -M RCPT -u bin -t 202.38.xxx.xxx
<\/span><\/span><\/code><\/pre>EXPN方式<\/strong><\/p>
$ smtp-user-enum -M EXPN -u bin -t 202.38.xxx.xxx
<\/span><\/span><\/code><\/pre>2. Metasploit的smtp_enum模块<\/h3>
msf > use auxiliary\/scanner\/smtp\/smtp_enum
<\/span><\/span>msf auxiliary(<\/span>scanner\/smtp\/smtp_enum)<\/span> > show options
<\/span><\/span>
<\/span><\/span>Module options (<\/span>auxiliary\/scanner\/smtp\/smtp_enum)<\/span>:
<\/span><\/span>   Name         Current Setting        Required  Description
<\/span><\/span>   ----         ---------------        --------  -----------
<\/span><\/span>   RHOSTS                             yes       The target address range or CIDR identifier
<\/span><\/span>   RPORT        25<\/span>                     yes       The target port (<\/span>TCP)<\/span>
<\/span><\/span>   THREADS      1<\/span>                      yes       The number of concurrent threads
<\/span><\/span>   UNIXONLY     true                   yes       Skip Microsoft bannered servers when testing unix users
<\/span><\/span>   USER_FILE    \/usr\/share\/metasploit-framework\/data\/wordlists\/unix_users.txt yes       The file that contains a list of probable users accounts.
<\/span><\/span>
<\/span><\/span>msf auxiliary(<\/span>scanner\/smtp\/smtp_enum)<\/span> > set rhosts 202.38.xxx.xxx
<\/span><\/span>rhosts =<\/span>> 202.38.xxx.xxx
<\/span><\/span>msf auxiliary(<\/span>scanner\/smtp\/smtp_enum)<\/span> > run
<\/span><\/span><\/code><\/pre>3. Nmap的smtp-enum-users脚本<\/h3>
$ nmap -p 25<\/span> --script smtp-enum-users.nse 202.38.193.203
<\/span><\/span>
<\/span><\/span>Nmap scan report for<\/span> news.scut.edu.cn (<\/span>202.38.193.203)<\/span>
<\/span><\/span>Host is up (<\/span>0.054s latency)<\/span>.
<\/span><\/span>PORT   STATE SERVICE
<\/span><\/span>25\/tcp open  smtp
<\/span><\/span>| smtp-enum-users:
<\/span><\/span>|   root
<\/span><\/span>|   admin
<\/span><\/span>|   administrator
<\/span><\/span>|   webadmin
<\/span><\/span>|   sysadmin
<\/span><\/span>|   netadmin
<\/span><\/span>|   guest
<\/span><\/span>|   user
<\/span><\/span>|   web
<\/span><\/span>|_  test
<\/span><\/span>
<\/span><\/span>Nmap done<\/span>: 1<\/span> IP address (<\/span>1<\/span> host up)<\/span> scanned in 1.27 seconds
<\/span><\/span><\/code><\/pre>自定义参数：<\/strong><\/p>

--script-args smtp-enum-users.methods={EXPN,RCPT,VRFY}<\/code> 设置扫描方式<\/li>
--script-args userdb=user_path,passdb=pass_path<\/code> 指定字典<\/li>
<\/ul>
四、防御措施<\/h2>

禁用不必要的SMTP命令(VRFY、EXPN)<\/li>
配置SMTP服务对所有用户查询返回相同响应<\/li>
实施速率限制防止暴力枚举<\/li>
使用防火墙规则限制SMTP访问<\/li>
<\/ol>
五、完整SMTP返回码参考<\/h2>



返回码<\/th>
含义<\/th>
<\/tr>
<\/thead>


500<\/td>
格式错误，命令不可识别(此错误也包括命令行过长)<\/td>
<\/tr>

501<\/td>
参数格式错误<\/td>
<\/tr>

502<\/td>
命令不可实现<\/td>
<\/tr>

503<\/td>
错误的命令序列<\/td>
<\/tr>

504<\/td>
命令参数不可实现<\/td>
<\/tr>

211<\/td>
系统状态或系统帮助响应<\/td>
<\/tr>

214<\/td>
帮助信息<\/td>
<\/tr>

220<\/td>
服务就绪<\/td>
<\/tr>

221<\/td>
服务关闭传输信道<\/td>
<\/tr>

421<\/td>
服务未就绪，关闭传输信道(当必须关闭时，此应答可以作为对任何命令的响应)<\/td>
<\/tr>

250<\/td>
要求的邮件操作完成<\/td>
<\/tr>

251<\/td>
用户非本地，将转发向<\/td>
<\/tr>

450<\/td>
要求的邮件操作未完成，邮箱不可用(例如，邮箱忙)<\/td>
<\/tr>

550<\/td>
要求的邮件操作未完成，邮箱不可用(例如，邮箱未找到，或不可访问)<\/td>
<\/tr>

451<\/td>
放弃要求的操作；处理过程中出错<\/td>
<\/tr>

551<\/td>
用户非本地，请尝试<\/td>
<\/tr>

452<\/td>
系统存储不足，要求的操作未执行<\/td>
<\/tr>

552<\/td>
过量的存储分配，要求的操作未执行<\/td>
<\/tr>

553<\/td>
邮箱名不可用，要求的操作未执行(例如邮箱格式错误)<\/td>
<\/tr>

354<\/td>
开始邮件输入，以.结束<\/td>
<\/tr>

554<\/td>
操作失败<\/td>
<\/tr>

535<\/td>
用户验证失败<\/td>
<\/tr>

235<\/td>
用户验证成功<\/td>
<\/tr>

334<\/td>
等待用户输入验证信息<\/td>
<\/tr>
<\/tbody>
<\/table>
通过以上方法和技术，安全测试人员可以有效地枚举SMTP服务上的有效用户账户，为后续的渗透测试提供有价值的信息。同时，系统管理员也应了解这些技术以更好地保护自己的SMTP服务。<\/p>

SMTP用户枚举原理与工具使用详解<\/h1>

一、SMTP用户枚举原理<\/h2> SMTP(简单邮件传输协议)是安全测试中常见的服务类型，其不安全的配置(未禁用某些命令)会导致用户枚举问题。主要通过以下SMTP命令实现：<\/p>

二、手动枚举方法<\/h2>

三、自动化工具使用<\/h2>

1. smtp-user-enum工具<\/h3> kali自带的Perl编写工具，支持VRFY、RCPT和EXPN三种枚举方式。<\/p>

一、SMTP用户枚举原理<\/h2>
SMTP(简单邮件传输协议)是安全测试中常见的服务类型，其不安全的配置(未禁用某些命令)会导致用户枚举问题。主要通过以下SMTP命令实现：<\/p>

1. smtp-user-enum工具<\/h3>
kali自带的Perl编写工具，支持VRFY、RCPT和EXPN三种枚举方式。<\/p>