That was, in a gist, how you can use TELNET to guess email addresses. TELNET is a way to interact with services — kind of like a phone. You ring someone up; if they’re there, they pick up and respond. If they don’t want to answer, they ignore your call. If they pick up, you can begin communicating with them: either ask them to do something, or ask for information. But you need to speak the language they understand, otherwise they won’t be able to respond. Mail servers understand SMTP (among others), which is the protocol for sending and receiving emails via a mail server. SMTP connections are usually made on port 25. A port is like a phone extension.

Now, we need to connect to Microsoft’s mail server using TELNET and verify possible email addresses of Bill Gates by sending SMTP messages to the mail server. When we connect to the mail server using TELNET, we will receive a prompt ready to accept our SMTP messages.

Well, let’s actually see this in action. Fire up your Command Prompt (Windows) / Terminal (OS X / Linux). Most operating systems ship with TELNET, so you likely won’t need to install it. If the TELNET command doesn’t work, google your way through the installation process for your operating system. TELNET’s syntax is simple.

These examples are all run on the Mac OS X Terminal.

telnet HOST PORT

Our HOST here is our mail server, and the PORT is 25 (remember, mail servers listen on port 25). Let’s run it against microsoft.com.

telnet microsoft.com 25

Trying 104.43.195.251...

It will stay like this for a while, doing nothing. Hit Ctrl+C to close the connection. The command fails because microsoft.com is the wrong host: mail servers are normally hosted on a subdomain, or at a completely different address. A lot of companies don’t even run their own mail servers; they subscribe to mail providers such as Gmail, Outlook365, Zoho, Yandex, etc.

So how do we find out Microsoft’s mail server? It’s simple. Microsoft, like every other website, makes it known publicly. Each domain has its own public address book, the DNS, that lists its relevant addresses and ports. Its mail servers are listed in the DNS as well.

To find it, we’ll need to use another command called DIG. Think of this command as an address-book lookup. On Windows, DIG is not installed by default; you can either install it yourself or use the NSLOOKUP command.

Mail servers are listed in a DNS record type called MX records. MX stands for Mail Exchanger. So let’s see how we can use the DIG and NSLOOKUP commands to find Microsoft’s MX records, and hence the mail server.

DIG’s syntax:

dig [CATEGORY] HOST

Our CATEGORY here is MX, while our HOST is microsoft.com. The CATEGORY is optional; you can leave it out and get all listed DNS records. We’ll run it with MX though.

dig mx microsoft.com

; <<>> DiG 9.9.5-3ubuntu0.15-Ubuntu <<>> mx microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23550
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;microsoft.com. IN MX

;; ANSWER SECTION:
microsoft.com. 60 IN MX 10 microsoft-com.mail.protection.outlook.com.

;; Query time: 13 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Wed Nov 01 14:59:20 UTC 2017
;; MSG SIZE rcvd: 96

That’s a lot of weird codes and numbers. Don’t worry, we’re just interested in the ANSWER SECTION for now. That’s where the mail server is listed.

Most websites normally have more than one mail server, just in case one goes down or is inaccessible for some reason. So don’t be surprised to find multiple entries in there. You can just pick the first one on the list for our purpose.

We can add some options to the DIG command to get just the answer section, and no other mumbo jumbo.

dig +noall +answer mx microsoft.com

microsoft.com. 60 IN MX 10 microsoft-com.mail.protection.outlook.com.

Now we have just our answer. But it doesn’t look like a plain address, because the record carries more than the address: the name we asked about, its TTL, the class (IN), the record type (MX) and the preference value (10). Only the last part, microsoft-com.mail.protection.outlook.com, is our mail server address (trailing dot not included).

If you don’t have DIG, you can use the NSLOOKUP command instead:

nslookup -q=mx microsoft.com

Server: 172.31.0.2
Address: 172.31.0.2#53

Non-authoritative answer:
microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.

Authoritative answers can be found from:

Again, only the last part of the answer, without the trailing dot, is our mail server — microsoft-com.mail.protection.outlook.com.
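Picking the exchanger out of the DIG and NSLOOKUP answers above by hand is fine once, but it is worth seeing the two record layouts parsed side by side. The following is an added example, not code from the original post: it reads either tool’s answer lines, strips the DNS trailing dot, and orders the hosts by preference value (lowest first, which is the one a sending server tries first). The multi-record domain `example.test` is constructed to show the ordering; the microsoft.com line is the one shown in the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of `dig +noall +answer mx <domain>` output.
DIG_ANSWER = "microsoft.com. 60 IN MX 10 microsoft-com.mail.protection.outlook.com.\n"

# Constructed multi-record sample (example.test is a made-up domain) to show
# that the lowest preference value, not the first line, is the primary exchanger.
DIG_MULTI = """\
example.test. 300 IN MX 20 backup-mx.example.test.
example.test. 300 IN MX 5 primary-mx.example.test.
"""

# Constructed sample in the shape of `nslookup -q=mx <domain>` output.
NSLOOKUP_ANSWER = """\
Server:  172.31.0.2
Address: 172.31.0.2#53
Non-authoritative answer:
microsoft.com mail exchanger = 10 microsoft-com.mail.protection.outlook.com.
Authoritative answers can be found from:
"""

# dig answer line:      <owner> <ttl> IN MX <preference> <exchange>
DIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")
# nslookup answer line: <owner> mail exchanger = <preference> <exchange>
NSLOOKUP_RE = re.compile(r"^(\S+)\s+mail exchanger\s*=\s*(\d+)\s+(\S+)\s*$")


def parse_mx(output: str) -> List[Tuple[int, str]]:
    """Return (preference, hostname) pairs found in dig or nslookup MX output,
    lowest preference first, with the trailing dot of the DNS name removed."""
    records = []
    for line in output.splitlines():
        m = DIG_RE.match(line) or NSLOOKUP_RE.match(line)
        if m:  # lines that are not MX answers (headers, comments) are skipped
            records.append((int(m.group(2)), m.group(3).rstrip(".")))
    return sorted(records)


def preferred_mx(output: str) -> Optional[str]:
    """The exchanger a sending server contacts first, or None if no MX was found."""
    records = parse_mx(output)
    return records[0][1] if records else None
```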

Alright, so we have our target mail server now. Let’s test out that TELNET command we failed at earlier. Only this time, we use the mail server as HOST instead of the website address.

telnet microsoft-com.mail.protection.outlook.com 25

Trying 23.103.156.42...
Connected to microsoft-com.mail.protection.outlook.com.
Escape character is '^]'.
220 BL2NAM06FT016.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 1 Nov 2017 15:13:16 +0000

It works!

We see… some gibberish. But we can see that it’s connected and it’s waiting for us to write something. The mail server picked up our phone. It is ready to talk to us. But what do we say? Remember… mail servers understand the SMTP language. Let’s greet them in SMTP. Say HELO.

HELO

250 BL2NAM06FT016.mail.protection.outlook.com Hello [54.149.XXX.XXX]

It says Hello. It likes us… so far.

Time to get mean! Let’s pretend to send an email via the mail server and see if it can tell us Bill Gates’ email address. First, we need to give it our own email address, which is what would become the From address if we actually went through with sending the email. To specify the From address, you use this syntax:

MAIL FROM: <EMAIL@DOMAIN>

Mail servers don’t read the news. They don’t know that Steve Jobs has passed away. So we can just be Steve Jobs right now.

MAIL FROM: <stevejobs@apple.com>

250 2.1.0 Sender OK

Sender OK. See, it doesn’t know. Now, we can finally begin guessing…

Here’s the syntax for describing the recipient address:

RCPT TO: <EMAIL@DOMAIN>

We’ll test out a variety of addresses, based on the list of most common email patterns (listed above).

RCPT TO: <billgates@microsoft.com>

550 5.4.1 [ billgates@microsoft.com ]: Recipient address rejected: Access denied [BL2NAM06FT016.Eop-nam06.prod.protection.outlook.com]

Recipient address rejected. Looks like that’s not Bill Gates’ email address. Let’s try a few more…

RCPT TO: <bill.gates@microsoft.com>

550 5.4.1 [ bill.gates@microsoft.com ]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]

RCPT TO: <bill_gates@microsoft.com>

550 5.4.1 [ bill_gates@microsoft.com ]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]

RCPT TO: <bill-gates@microsoft.com>

550 5.4.1 [ bill-gates@microsoft.com ]: Recipient address rejected: Access denied [DM3NAM06FT009.Eop-nam06.prod.protection.outlook.com]

RCPT TO: <billg@microsoft.com>

250 2.1.5 Recipient OK

It’s a Bingo! We found Bill Gates’ email address at Microsoft: billg@microsoft.com.
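From the mail server’s side, the session above has a recognisable shape: one connection, one MAIL FROM, then a run of RCPT TO commands for near-identical local parts, almost all answered with 550, and finally a 250. The following is an added example, not part of the original post, showing how a defender would pick that pattern out of SMTP logs. The log lines and their format (timestamp, client IP, SMTP verb, reply code) are constructed for the example and do not mirror any real MTA’s log layout; the `example.test` addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed SMTP log lines in a simplified, made-up format. The first client
# reproduces the guessing pattern from the post: four rejected variants of one
# name, then one accepted recipient. The second client is ordinary traffic.
SAMPLE_LOG = """\
2017-11-01T15:13:20Z client=203.0.113.7 MAIL FROM:<stevejobs@apple.com> 250
2017-11-01T15:13:25Z client=203.0.113.7 RCPT TO:<billgates@example.test> 550
2017-11-01T15:13:31Z client=203.0.113.7 RCPT TO:<bill.gates@example.test> 550
2017-11-01T15:13:36Z client=203.0.113.7 RCPT TO:<bill_gates@example.test> 550
2017-11-01T15:13:40Z client=203.0.113.7 RCPT TO:<bill-gates@example.test> 550
2017-11-01T15:13:47Z client=203.0.113.7 RCPT TO:<billg@example.test> 250
2017-11-01T15:13:50Z client=198.51.100.9 MAIL FROM:<news@partner.example> 250
2017-11-01T15:13:52Z client=198.51.100.9 RCPT TO:<sales@example.test> 250
2017-11-01T15:14:05Z client=198.51.100.9 RCPT TO:<salez@example.test> 550
"""

# Only RCPT TO lines matter for this detection; MAIL FROM lines will not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})$"
)


def find_enumerators(log: str, window: timedelta = timedelta(minutes=5),
                     max_rejects: int = 3) -> Dict[str, List[str]]:
    """Flag client IPs whose 5xx RCPT TO replies cover more than `max_rejects`
    distinct recipients inside one sliding `window`. Returns the rejected
    recipients per flagged IP so an analyst can see the guessing pattern."""
    rejects = defaultdict(list)  # ip -> [(timestamp, rejected recipient)]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("code").startswith("5"):
            continue  # accepted recipients do not count towards the threshold
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        rejects[m.group("ip")].append((ts, m.group("rcpt")))

    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {r for t, r in events[i:] if t - start <= window}
            if len(in_window) > max_rejects:
                flagged[ip] = sorted(in_window)
                break
    return flagged
```

A single typo such as `salez@example.test` stays below the threshold, while the burst of name variants from one client is reported with the exact addresses tried.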