CEH

(Jeff_L) #1

144 Chapter 6 ■ Enumeration of Services


The previous code used VRFY to validate the user accounts for linking and zelda. The
server responded with information that indicates chell is a valid user whereas a “User
unknown” response for glados indicates the opposite.

In many cases the VRFY command can be deactivated, but before you perform
this defensive step on your e-mail server, research to determine if
your environment needs to have the command enabled.

Using EXPN


EXPN is another valuable command for a pen tester or an attacker. The command is similar
in functioning to the VRFY command, but rather than returning one user, it can return all
the users on a distribution list:
telnet 10.0.0.1 25 (where 10.0.0.1 is the server IP and 25 is the port for SMTP)
220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
EXPN link
250 Super-User <link@myhost>
EXPN zelda
550 zelda... User unknown

Much like the VRFY command, EXPN may be disabled in some cases, but
before doing so make sure that in your environment this is acceptable.

Using RCPT TO


The command RCPT TO identifies the recipient of an e-mail message. This command can be
repeated multiple times for a given message in order to deliver a single message to multiple
recipients. Here’s an example:
telnet 10.0.0.1 25
220 server1 ESMTP Sendmail 8.9.3
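On the defensive side of the VRFY, EXPN and RCPT TO behaviour described above, the following added example (not part of the original post or the book it quotes) scans SMTP session records for clients that probe account names and reports which names the server confirmed. The log format, the threshold and the function name find_enumeration are assumptions made for illustration; the parser would need adapting to a real MTA's log format.

```python
import re
from collections import defaultdict

# Constructed sample (not a real MTA log format): "<client-ip> <C|S>: <SMTP line>"
SAMPLE_LOG = """\
10.0.0.72 C: EXPN link
10.0.0.72 S: 250 Super-User <link@myhost>
10.0.0.72 C: EXPN zelda
10.0.0.72 S: 550 zelda... User unknown
10.0.0.72 C: VRFY chell
10.0.0.72 S: 250 chell <chell@myhost>
10.0.0.72 C: RCPT TO:<glados>
10.0.0.72 S: 550 glados... User unknown
10.0.0.15 C: RCPT TO:<link>
10.0.0.15 S: 250 link... Recipient ok
"""

LINE = re.compile(r"^(\S+) ([CS]): (.*)$")
PROBE = re.compile(r"^(VRFY|EXPN|RCPT TO:)\s*<?([^>\s]+)>?", re.I)
REPLY = re.compile(r"^(\d{3})([ -])")

def find_enumeration(log_text, threshold=3):
    """Return per-client stats for clients with at least `threshold` lookup probes."""
    stats = defaultdict(lambda: {"probes": 0, "unknown": 0, "confirmed": set()})
    pending = {}  # client -> (verb, account) awaiting the server's reply
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, side, text = m.groups()
        if side == "C":
            p = PROBE.match(text)
            pending[client] = (p.group(1).upper(), p.group(2)) if p else None
            if p and pending[client][0] in ("VRFY", "EXPN"):
                stats[client]["probes"] += 1  # any VRFY/EXPN counts as a probe
            continue
        r = REPLY.match(text)
        if not r or not pending.get(client):
            continue
        verb, account = pending[client]
        if r.group(1) == "550":
            stats[client]["unknown"] += 1
            if verb == "RCPT TO:":
                stats[client]["probes"] += 1  # rejected recipient guess
        elif r.group(1).startswith("2") and verb != "RCPT TO:":
            stats[client]["confirmed"].add(account)  # server disclosed a valid name
        if r.group(2) == " ":  # "250-" marks a continued (multi-line) reply
            pending[client] = None
    return {c: s for c, s in stats.items() if s["probes"] >= threshold}
```

An accepted RCPT TO is treated as normal delivery, so the second client in the sample is not flagged; a non-empty "confirmed" set means VRFY or EXPN is still answering on that server.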