A mail service company has hired a penetration tester to conduct an enumeration of all user accounts on an SMTP server to identify whether previous staff member accounts are still active.
Which of the following commands should be used to accomplish the goal?
A. B. C. D.A.
https://hackerone.com/reports/193314
To enumerate all user accounts on an SMTP server, the penetration tester needs to test whether a particular username exists on the server. To accomplish this, the tester can use the VRFY and RCPT TO commands.
The VRFY (Verify) command can be used to check whether a specific username exists on the SMTP server. The syntax for the VRFY command is as follows:
VRFY <username>
If the server responds with a message stating that the username is valid, then the username exists on the server. If the server responds with an error message stating that the username is invalid, then the username does not exist on the server.
The RCPT TO (Recipient) command can also be used to enumerate user accounts on an SMTP server. The syntax for the RCPT TO command is as follows:
RCPT TO: <username>
If the server responds with a message stating that the recipient is valid, then the username exists on the server. If the server responds with an error message stating that the recipient is invalid, then the username does not exist on the server.
Therefore, the correct answer is option D, which suggests using both the VRFY and RCPT TO commands to enumerate all user accounts on an SMTP server. The EXPN and TURN commands do not provide functionality for enumerating user accounts on an SMTP server.
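The probing described above, seen from the mail server's side, as an added example that is not part of the original page: Python code that counts VRFY and RCPT TO lookups per client in an SMTP session log and flags clients with many rejected lookups. The log format, addresses, function names and threshold are constructed assumptions; a 5xx reply is the standard SMTP class for a rejected command.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format: "<client-ip> C|S: <line>"
SAMPLE_LOG = """\
203.0.113.7 C: EHLO probe.example
203.0.113.7 S: 250 mail.example.test
203.0.113.7 C: VRFY alice
203.0.113.7 S: 550 5.1.1 User unknown
203.0.113.7 C: VRFY bob
203.0.113.7 S: 250 2.1.5 bob@example.test
203.0.113.7 C: MAIL FROM:<a@probe.example>
203.0.113.7 S: 250 2.1.0 Ok
203.0.113.7 C: RCPT TO:<carol@example.test>
203.0.113.7 S: 550 5.1.1 User unknown
203.0.113.7 C: RCPT TO:<dave@example.test>
203.0.113.7 S: 550 5.1.1 User unknown
198.51.100.20 C: MAIL FROM:<news@relay.example>
198.51.100.20 S: 250 2.1.0 Ok
198.51.100.20 C: RCPT TO:<bob@example.test>
198.51.100.20 S: 250 2.1.5 Ok
"""

LINE = re.compile(r"^(\S+) ([CS]): (.*)$")
PROBE = re.compile(r"^(VRFY|RCPT TO)\b", re.IGNORECASE)

def summarize(log):
    """Per client: VRFY / RCPT TO commands seen and how many drew a 5xx reply."""
    stats = defaultdict(lambda: {"probes": 0, "vrfy": 0, "rejected": 0})
    pending = {}  # client -> lookup verb still awaiting its server reply
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, side, text = m.groups()
        if side == "C":
            p = PROBE.match(text)
            pending[client] = p.group(1).upper() if p else None
            if p:
                stats[client]["probes"] += 1
                stats[client]["vrfy"] += int(pending[client] == "VRFY")
        elif pending.get(client):
            stats[client]["rejected"] += int(text.startswith("5"))
            pending[client] = None
    return dict(stats)

def suspects(log, min_rejected=3):
    """Clients whose rejected lookups reach the threshold (an assumed value)."""
    return sorted(c for c, s in summarize(log).items() if s["rejected"] >= min_rejected)
```

In the constructed log, the first client mixes VRFY and RCPT TO lookups and draws three rejections, while the second client delivers to one valid recipient and is not flagged.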