id: smtp-user-enum

info:
  name: SMTP User Enumeration
  author: pussycat0x
  severity: medium
  description: |
    enumerate the users on a SMTP server by issuing the VRFY/EXPN commands
  reference:
    - https://nmap.org/nsedoc/scripts/smtp-enum-users.html
  metadata:
    max-request: 1
    verified: "true"
    shodan-query: 'smtp'
  tags: network,enum,smtp,mail

tcp:
  - inputs:
      - data: "VRFY {{useraccounts}}\n"
        read: 1024
      - data: "EXPN {{useraccounts}}\n"
        read: 1024

    host:
      - "{{Hostname}}"
      - "{{Host}}:25"

    attack: batteringram
    payloads:
      useraccounts:
        - msfadmin
        - admin
        - root

    matchers:
      - type: word
        words:
          - "252"
          - "250"
        condition: or