Web applications very commonly use e-mail addresses as usernames. Access to an e-mail account can mean access to sensitive data, including credentials for other services. As attackers, however, we sometimes don't even have a username list, so finding valid users is one of the very first steps when auditing mail servers. Enumerating users via SMTP commands can yield excellent results, and thanks to the Nmap Scripting Engine, we can automate this task.
This recipe shows how to enumerate users on an SMTP server with Nmap.
To enumerate users of an SMTP server with Nmap, enter the following command:
$ nmap -p25 --script smtp-enum-users <target>
Any usernames found will be included in the script output section:
Host script results:
| smtp-enum-users:
|_ RCPT, webmaster
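Seen from the mail server's side, an RCPT-based sweep like the one above shows up as a single client drawing rejections for many different recipients. The following is an added example, not part of the original recipe or of Nmap, that flags such clients in mail logs. The Postfix-style line format, the constructed sample lines and the `min_distinct` threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: Postfix-style smtpd lines for rejected RCPT commands.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>"
)


def _line(ip, rcpt):
    """Build one constructed 'unknown recipient' log line (not real data)."""
    return (
        "Jan 10 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: "
        f"RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
        f"rejected: User unknown in local recipient table; to=<{rcpt}> proto=SMTP"
    )


# Constructed sample: one client sweeping names, one client with a lone typo.
SAMPLE_LOG = [_line("192.0.2.10", f"{u}@example.com")
              for u in ("admin", "info", "root", "test", "guest")]
SAMPLE_LOG.append(_line("198.51.100.7", "jon.smtih@example.com"))
SAMPLE_LOG.append("Jan 10 10:00:09 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]")


def find_enumerators(lines, min_distinct=4):
    """Map client IP -> sorted distinct unknown recipients, for clients
    that hit at least min_distinct different nonexistent mailboxes."""
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:  # non-reject lines (connect, disconnect, ...) are skipped
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in seen.items() if len(r) >= min_distinct}


if __name__ == "__main__":
    for ip, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unknown recipients probed: {', '.join(names)}")
```

Counting distinct recipients rather than raw rejections keeps a sender who retries one mistyped address from being flagged.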