# 25 - SMTP

We can attempt to enumerate SMTP by attempting to connect, then using basic commands to gather information.

### Connecting

```
nc -nv $targetip 25
telnet $targetip 25
```

### Enumeration

```
VRFY user- asks the server to verify an email address
EXPN - asks the server for the membership of a mailing list
```

### NSE Scripts

```
smtp-commands.nse -- lists available smtp commands
smtp-enum-users.nse -- Attempts to enumerate users using VRFY, EXPN or RCPT TO commands
smtp-open-relay.nse -- tests if authentication is required to send emails
smtp-vuln-cve2010-4344.nse
smtp-vuln-cve2011-1720.nse
smtp-vuln-cve2011-1764.nse
```