PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-12 02:39:03 +00:00
Code Issues Projects Releases Wiki Activity

o [NSE] Updated the SMTP scripts to use the new SMTP Lua library.

Browse Source
This commit is contained in:
djalal
2011-06-13 13:19:26 +00:00
parent e7c6bf55f0
commit caadf952e3
4 changed files with 574 additions and 860 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
scripts/smtp-commands.nse
View File

@@ -13,7 +13,7 @@ SMTP server.
-- | smtp-commands: SMTP.domain.com Hello [172.x.x.x], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, X-EXPS GSSAPI NTLM LOGIN, X-EXPS=LOGIN, AUTH GSSAPI NTLM LOGIN, AUTH=LOGIN, X-LINK2STATE, XEXCH50, OK -- | smtp-commands: SMTP.domain.com Hello [172.x.x.x], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, X-EXPS GSSAPI NTLM LOGIN, X-EXPS=LOGIN, AUTH GSSAPI NTLM LOGIN, AUTH=LOGIN, X-LINK2STATE, XEXCH50, OK
-- |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY -- |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
-- --
-- @args smtp-commands.domain Define the domain to be used in the SMTP commands. -- @args smtp.domain or smtp-commands.domain Define the domain to be used in the SMTP commands.
-- changelog -- changelog
-- 1.1.0.0 - 2007-10-12 -- 1.1.0.0 - 2007-10-12
@@ -53,6 +53,8 @@ SMTP server.
-- Busleiman's SMTP open relay detector script and Duarte Silva's SMTP -- Busleiman's SMTP open relay detector script and Duarte Silva's SMTP
-- user enumeration script. -- user enumeration script.
-- Props to them for doing what they do and letting me ride on their coattails. -- Props to them for doing what they do and letting me ride on their coattails.
-- 2.1.0.0 - 2011-06-01
-- + Rewrite the script to use the smtp.lua library.
author = "Jason DePriest" author = "Jason DePriest"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -60,150 +62,51 @@ categories = {"default", "discovery", "safe"}
require "shortport" require "shortport"
require "stdnse" require "stdnse"
require "comm" require "smtp"
portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" }) portrule = shortport.port_or_service({ 25, 465, 587 },
{ "smtp", "smtps", "submission" })
ERROR_MESSAGES = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
STATUS_CODES = {
ERROR = 1,
NOTPERMITED = 2,
VALID = 3,
INVALID = 4
}
---Send a command and read the response (this function does exception handling, and if an
-- exception occurs, it will close the socket).
--
--@param socket Socket used to send the command
--@param request Command to be sent
--@return False in case of failure
--@return True and the response in case of success
function do_request(socket, request)
-- Exception handler.
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- Lets send the command.
try(socket:send(request))
-- Receive server response.
local status, response = socket:receive_lines(1)
if not status then
-- Close the socket (the call to receive_lines doesn't use try).
socket:close()
return false, (ERROR_MESSAGES[response] or "unspecified error")
end
return true, response
end
---Get a domain to be used in the SMTP commands that need it. If the user specified one
-- through a script argument this function will return it. Otherwise it will try to find
-- the domain from the typed hostname and from the rDNS name. If it still can't find one
-- it will use the nmap.scanme.org by default.
--
-- @param host Current scanned host
-- @return The hostname to be used
function get_domain(host)
local result = "nmap.scanme.org"
-- Use the user provided options.
if (nmap.registry.args["smtp-commands.domain"] ~= nil) then
result = nmap.registry.args["smtp-commands.domain"]
elseif type(host) == "table" then
if host.targetname then
result = host.targetname
elseif (host.name ~= "" and host.name) then
result = host.name
end
end
return result
end
function go(host, port) function go(host, port)
local socket = nmap.new_socket()
local options = { local options = {
timeout = 10000, timeout = 10000,
recv_before = true recv_before = true,
ssl = true,
} }
socket:set_timeout(5000) local domain = stdnse.get_script_args('smtp-commands.domain') or
smtp.get_domain(host)
-- Be polite and when everything works out send the QUIT message.
local quit = function()
do_request(socket, "QUIT\r\n")
socket:close()
end
local domain = get_domain(host)
local result, status = {}
-- Try to connect to server. -- Try to connect to server.
local response local socket, response = smtp.connect(host, port, options)
socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options)
if not socket then if not socket then
return false, string.format("Couldn't establish connection on port %i", port.number) return false, string.format("Couldn't establish connection on port %i",
port.number)
end end
local result = {} status, response = smtp.ehlo(socket, domain)
local index if not status then
local status return status, response
local failure = function(message)
if #result > 0 then
table.insert(result, message)
return true, result
else
return false, message
end
end end
if not string.match(response, "^250") then response = string.gsub(response, "250[%-%s]+", "") -- 250 or 250-
quit()
return false
end
response = string.gsub(response, "250%-", "") -- 250-
response = string.gsub(response, "250 ", "") -- 250
response = string.gsub(response, "\r\n", "\n") -- normalize CR LF response = string.gsub(response, "\r\n", "\n") -- normalize CR LF
response = string.gsub(response, "\n\r", "\n") -- normalize LF CR response = string.gsub(response, "\n\r", "\n") -- normalize LF CR
response = string.gsub(response, "^\n+", "") -- no initial LF response = string.gsub(response, "^\n+(.-)\n+$", "%1")
response = string.gsub(response, "\n+$", "") -- no final LF
response = string.gsub(response, "\n", ", ") -- LF to comma response = string.gsub(response, "\n", ", ") -- LF to comma
response = string.gsub(response, "%s+", " ") -- get rid of extra spaces response = string.gsub(response, "%s+", " ") -- get rid of extra spaces
table.insert(result,response) table.insert(result,response)
status, response = do_request(socket, "HELP\r\n") status, response = smtp.help(socket)
if status then
if not status then response = string.gsub(response, "214[%-%s]+", "") -- 214
return failure(string.format("Failed to issue HELP command (%s)", response)) response = string.gsub(response, "^%s+(.-)%s+$", "%1")
end
if not string.match(response, "^214") then
quit()
return false
end
response = string.gsub(response, "214%-", "") -- 214-
response = string.gsub(response, "214 ", "") -- 214
response = string.gsub(response, "^%s+", "") -- no initial space
response = string.gsub(response, "%s+$", "") -- no final space
response = string.gsub(response, "%s+", " ") -- get rid of extra spaces response = string.gsub(response, "%s+", " ") -- get rid of extra spaces
table.insert(result,response) table.insert(result,response)
smtp.quit(socket)
end
quit()
return true, result return true, result
end end

216
scripts/smtp-enum-users.nse
View File

@@ -24,7 +24,7 @@ An example of how to specify the methods to use and the order is the following:
-- | smtp-enum-users: -- | smtp-enum-users:
-- |_ RCPT, root -- |_ RCPT, root
-- --
-- @args smtp-enum-users.domain Define the domain to be used in the SMTP commands -- @args smtp.domain or smtp-enum-users.domain Define the domain to be used in the SMTP commands
-- @args smtp-enum-users.methods Define the methods and order to be used by the script (EXPN, VRFY, RCPT) -- @args smtp-enum-users.methods Define the methods and order to be used by the script (EXPN, VRFY, RCPT)
-- changelog -- changelog
@@ -36,6 +36,8 @@ An example of how to specify the methods to use and the order is the following:
-- + Script now handles 252 and 550 SMTP status codes -- + Script now handles 252 and 550 SMTP status codes
-- + Added the method that was used by the script to discover the users if verbosity is -- + Added the method that was used by the script to discover the users if verbosity is
-- enabled -- enabled
-- 2011-06-03
-- * Rewrite the script to use the smtp.lua library.
----------------------------------------------------------------------- -----------------------------------------------------------------------
author = "Duarte Silva <duarte.silva@myf00.net>" author = "Duarte Silva <duarte.silva@myf00.net>"
@@ -43,16 +45,12 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","external","intrusive"} categories = {"discovery","external","intrusive"}
require "shortport" require "shortport"
require "comm" require "stdnse"
require "smtp"
require "unpwdb" require "unpwdb"
portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" }) portrule = shortport.port_or_service({ 25, 465, 587 },
{ "smtp", "smtps", "submission" })
ERROR_MESSAGES = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
STATUS_CODES = { STATUS_CODES = {
ERROR = 1, ERROR = 1,
@@ -62,8 +60,8 @@ STATUS_CODES = {
UNKNOWN = 5 UNKNOWN = 5
} }
---Counts the number of occurrences in a table. Helper function from LUA documentation ---Counts the number of occurrences in a table. Helper function
-- http://lua-users.org/wiki/TableUtils. -- from LUA documentation http://lua-users.org/wiki/TableUtils.
-- --
-- @param from Source table -- @param from Source table
-- @param what What element to count -- @param what What element to count
@@ -76,12 +74,11 @@ function table_count(from, what)
result = result + 1 result = result + 1
end end
end end
return result return result
end end
---Creates a new table from a source without the duplicates. Helper function from LUA ---Creates a new table from a source without the duplicates. Helper
-- documentation http://lua-users.org/wiki/TableUtils. -- function from LUA documentation http://lua-users.org/wiki/TableUtils.
-- --
-- @param from Source table -- @param from Source table
-- @return New table without the duplicates -- @return New table without the duplicates
@@ -97,92 +94,28 @@ function table_unique(from)
return result return result
end end
---Send a command and read the response (this function does exception handling, and if an ---Get the method or methods to be used. If the user didn't specify any
-- exception occurs, it will close the socket). -- methods, the default order is RCPT, VRFY and then EXPN.
--
-- @param socket Socket used to send the command
-- @param request Command to be sent
-- @return False in case of failure, true and the response in case of success
function do_request(socket, request)
-- Exception handler.
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- Lets send the command.
try(socket:send(request))
-- Receive server response.
local status, response = socket:receive_lines(1)
if not status then
-- Close the socket (the call to receive_lines doesn't use try)
socket:close()
return false, (ERROR_MESSAGES[response] or "unspecified error")
end
return true, response
end
---Send a SMTP quit command before closing the socket.
--
-- @param socket Socket used to send the command
function quit(socket)
do_request(socket, "QUIT\r\n")
socket:close()
end
---Get a domain to be used in the SMTP commands that need it. If the user specified one
-- through a script argument this function will return it. Otherwise it will try to find
-- the domain from the typed hostname and from the rDNS name. If it still can't find one
-- it will use the nmap.scanme.org by default.
--
-- @param host Current scanned host
-- @return The hostname to be used
function get_domain(host)
local result = "nmap.scanme.org"
-- Use the user provided options.
if (nmap.registry.args["smtp-enum-users.domain"] ~= nil) then
result = nmap.registry.args["smtp-enum-users.domain"]
elseif type(host) == "table" then
if host.targetname then
result = host.targetname
elseif (host.name ~= "" and host.name) then
result = host.name
end
end
return result
end
---Get the method or methods to be used. If the user didn't specify any methods, the default
-- order is RCPT, VRFY and then EXPN.
-- --
-- @return A table containing the methods to try -- @return A table containing the methods to try
function get_method() function get_method()
local result = {} local result = {}
if (nmap.registry.args["smtp-enum-users.methods"] ~= nil) then local methods = stdnse.get_script_args('smtp-enum-users.methods')
local methods = nmap.registry.args["smtp-enum-users.methods"] if methods and type(methods) == "table" then
if type(methods) == "table" then
-- For each method specified. -- For each method specified.
for index, method in ipairs(methods) do for _, method in ipairs(methods) do
-- Are the elements of the argument valid methods. -- Are the elements of the argument valid methods.
local upper = string.upper(method) local upper = string.upper(method)
if (upper == "RCPT") or (upper == "EXPN") or (upper == "VRFY") then if (upper == "RCPT") or (upper == "EXPN") or
(upper == "VRFY") then
table.insert(result, upper) table.insert(result, upper)
else else
return false, method return false, method
end end
end end
end end
end
-- The methods weren't specified. -- The methods weren't specified.
if #result == 0 then if #result == 0 then
@@ -209,23 +142,30 @@ function do_gnrc(socket, command, username, domain)
for index, combination in ipairs(combinations) do for index, combination in ipairs(combinations) do
-- Lets try to issue the command. -- Lets try to issue the command.
local status, response = do_request(socket, string.format("%s %s\r\n", command, combination)) local status, response = smtp.query(socket, command, combination)
-- If this command fails to be sent, then something went wrong with the connection. -- If this command fails to be sent, then something
-- went wrong with the connection.
if not status then if not status then
return STATUS_CODES.ERROR, string.format("Failed to issue %s %s command (%s)\n", command, combination, response) return STATUS_CODES.ERROR,
string.format("Failed to issue %s %s command (%s)\n",
command, combination, response)
end end
if string.match(response, "^530") then if string.match(response, "^530") then
-- If the command failed, check if authentication is needed because all the other attempts will fail. -- If the command failed, check if authentication is
-- needed because all the other attempts will fail.
return STATUS_CODES.AUTHENTICATION return STATUS_CODES.AUTHENTICATION
elseif string.match(response, "^502") or string.match(response, "^252") or string.match(response, "^550") then elseif string.match(response, "^502") or
string.match(response, "^252") or
string.match(response, "^550") then
-- The server doesn't implement the command or it is disallowed. -- The server doesn't implement the command or it is disallowed.
return STATUS_CODES.NOTPERMITTED return STATUS_CODES.NOTPERMITTED
elseif string.match(response, "^250") then elseif smtp.check_reply(command, response) then
-- User accepted. -- User accepted.
if nmap.verbosity() > 1 then if nmap.verbosity() > 1 then
return STATUS_CODES.VALID, string.format("%s, %s", command, username) return STATUS_CODES.VALID,
string.format("%s, %s", command, username)
else else
return STATUS_CODES.VALID, username return STATUS_CODES.VALID, username
end end
@@ -259,10 +199,11 @@ end
issued_from = false issued_from = false
---Verify if a username is valid using the RCPT method. It will only issue the MAIL FROM --- Verify if a username is valid using the RCPT method. It will only issue
-- command if the issued_from flag is false. The MAIL FROM command does not need to -- the MAIL FROM command if the issued_from flag is false. The MAIL FROM
-- be issued each time an RCPT TO is used. Otherwise it should also be issued a RSET -- command does not need to be issued each time an RCPT TO is used. Otherwise
-- command, and if there are many RSET commands the server might disconnect. -- it should also be issued a RSET command, and if there are many RSET
-- commands the server might disconnect.
-- --
-- @param socket Socket used to send the command -- @param socket Socket used to send the command
-- @param username User name to test -- @param username User name to test
@@ -271,24 +212,34 @@ issued_from = false
function do_rcpt(socket, username, domain) function do_rcpt(socket, username, domain)
if not issued_from then if not issued_from then
-- Lets try to issue MAIL FROM command. -- Lets try to issue MAIL FROM command.
status, response = do_request(socket, string.format("MAIL FROM:<usertest@%s>\r\n", domain)) status, response = smtp.query(socket, "MAIL",
string.format("FROM:<usertest@%s>", domain))
if not status then if not status then
-- If this command fails to be sent, then something went wrong with the connection. -- If this command fails to be sent, then something went wrong
return STATUS_CODES.ERROR, string.format("Failed to issue MAIL FROM:<usertest@%s> command (%s)", domain, response) -- with the connection.
return STATUS_CODES.ERROR,
string.format("Failed to issue MAIL FROM:<usertest@%s> command (%s)",
domain, response)
elseif string.match(response, "^530") then elseif string.match(response, "^530") then
-- If the command failed, check if authentication is needed because all the other attempts will fail. -- If the command failed, check if authentication is needed
return STATUS_CODES.ERROR, "Couldn't perform user enumeration, authentication needed" -- because all the other attempts will fail.
elseif not string.match(response, "^250") then return STATUS_CODES.ERROR,
"Couldn't perform user enumeration, authentication needed"
elseif not smtp.check_reply("MAIL", response) then
-- Only accept 250 code as success. -- Only accept 250 code as success.
return STATUS_CODES.NOTPERMITTED, "Server did not accept the MAIL FROM command" return STATUS_CODES.NOTPERMITTED,
"Server did not accept the MAIL FROM command"
end end
end end
status, response = do_request(socket, string.format("RCPT TO:<%s@%s>\r\n", username, domain)) status, response = smtp.query(socket, "RCPT",
string.format("TO:<%s@%s>", username, domain))
if not status then if not status then
return STATUS_CODES.ERROR, string.format("Failed to issue RCPT TO:<%s@%s> command (%s)", username, domain, response) return STATUS_CODES.ERROR,
string.format("Failed to issue RCPT TO:<%s@%s> command (%s)",
username, domain, response)
elseif string.match(response, "^550") then elseif string.match(response, "^550") then
-- 550 User Unknown -- 550 User Unknown
return STATUS_CODES.UNKNOWN return STATUS_CODES.UNKNOWN
@@ -296,9 +247,10 @@ function do_rcpt(socket, username, domain)
-- 553 Relaying Denied -- 553 Relaying Denied
return STATUS_CODES.NOTPERMITTED return STATUS_CODES.NOTPERMITTED
elseif string.match(response, "^530") then elseif string.match(response, "^530") then
-- If the command failed, check if authentication is needed because all the other attempts will fail. -- If the command failed, check if authentication is needed because
-- all the other attempts will fail.
return STATUS_CODES.AUTHENTICATION return STATUS_CODES.AUTHENTICATION
elseif string.match(response, "^250") then elseif smtp.check_reply("RCPT", response) then
issued_from = true issued_from = true
-- User is valid. -- User is valid.
if nmap.verbosity() > 1 then if nmap.verbosity() > 1 then
@@ -309,7 +261,6 @@ function do_rcpt(socket, username, domain)
end end
issued_from = true issued_from = true
return STATUS_CODES.INVALID return STATUS_CODES.INVALID
end end
@@ -326,46 +277,42 @@ function go(host, port)
return false, "Failed to read the user names database" return false, "Failed to read the user names database"
end end
local socket = nmap.new_socket()
socket:set_timeout(5000)
local options = { local options = {
timeout = 10000, timeout = 10000,
recv_before = true recv_before = true,
ssl = true,
} }
local domain = get_domain(host) local domain = stdnse.get_script_args('smtp-enum-users.domain') or
local methods smtp.get_domain(host)
local methods
status, methods = get_method() status, methods = get_method()
if not status then if not status then
return false, string.format("Invalid method found, %s", methods) return false, string.format("Invalid method found, %s", methods)
end end
-- Try to connect to server. local socket, response = smtp.connect(host, port, options)
local response
socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options)
-- Failed connection attempt. -- Failed connection attempt.
if not socket then if not socket then
return false, string.format("Couldn't establish connection on port %i", port.number) return false, string.format("Couldn't establish connection on port %i",
port.number)
end end
-- Close socket and return if EHLO command failed. status, response = smtp.ehlo(socket, domain)
if not string.match(response, "^250") then if not status then
quit(socket) return status, response
return false, "Failed to issue EHLO command"
end end
local result = {} local result = {}
-- This function is used when something goes wrong with the connection. It makes sure that -- This function is used when something goes wrong with
-- if it found users before the error occurred, they will be returned. -- the connection. It makes sure that if it found users before
-- the error occurred, they will be returned.
local failure = function(message) local failure = function(message)
if #result > 0 then if #result > 0 then
table.insert(result, message) table.insert(result, message)
return true, result return true, result
else else
return false, message return false, message
@@ -386,7 +333,8 @@ function go(host, port)
end end
if status == STATUS_CODES.NOTPERMITTED then if status == STATUS_CODES.NOTPERMITTED then
-- Invalid method. Don't test anymore users with the current method. -- Invalid method. Don't test anymore users with
-- the current method.
break break
elseif status == STATUS_CODES.VALID then elseif status == STATUS_CODES.VALID then
-- User found, lets save it. -- User found, lets save it.
@@ -395,30 +343,32 @@ function go(host, port)
-- An error occurred with the connection. -- An error occurred with the connection.
return failure(response) return failure(response)
elseif status == STATUS_CODES.AUTHENTICATION then elseif status == STATUS_CODES.AUTHENTICATION then
quit(socket) smtp.quit(socket)
return false, "Couldn't perform user enumeration, authentication needed" return false, "Couldn't perform user enumeration, authentication needed"
elseif status == STATUS_CODES.INVALID then elseif status == STATUS_CODES.INVALID then
table.insert(result, string.format("Method %s returned a unhandled status code.", method)) table.insert(result,
string.format("Method %s returned a unhandled status code.",
method))
break break
end end
username = nextuser() username = nextuser()
end end
if username == nil then
-- No more users to test, don't test with other methods. -- No more users to test, don't test with other methods.
if username == nil then
break break
end end
end end
quit(socket) smtp.quit(socket)
return true, result return true, result
end end
action = function(host, port) action = function(host, port)
local status, result = go(host, port) local status, result = go(host, port)
-- The go function returned true, lets check if it didn't found any accounts. -- The go function returned true, lets check if it
-- didn't found any accounts.
if status and #result == 0 then if status and #result == 0 then
return stdnse.format_output(true, "Couldn't find any accounts") return stdnse.format_output(true, "Couldn't find any accounts")
end end

265
scripts/smtp-open-relay.nse
View File

@@ -24,7 +24,7 @@ printed with the list of any combinations that were found prior to the error.
-- | smtp-open-relay: Server is an open relay (1/16 tests) -- | smtp-open-relay: Server is an open relay (1/16 tests)
-- |_MAIL FROM:<antispam@insecure.org> -> RCPT TO:<relaytest@insecure.org> -- |_MAIL FROM:<antispam@insecure.org> -> RCPT TO:<relaytest@insecure.org>
-- --
-- @args smtp-open-relay.domain Define the domain to be used in the anti-spam tests and EHLO command (default -- @args smtp.domain or smtp-open-relay.domain Define the domain to be used in the anti-spam tests and EHLO command (default
-- is nmap.scanme.org) -- is nmap.scanme.org)
-- @args smtp-open-relay.ip Use this to change the IP address to be used (default is the target IP address) -- @args smtp-open-relay.ip Use this to change the IP address to be used (default is the target IP address)
-- @args smtp-open-relay.from Define the source email address to be used (without the domain, default is -- @args smtp-open-relay.from Define the source email address to be used (without the domain, default is
@@ -63,146 +63,142 @@ printed with the list of any combinations that were found prior to the error.
-- * Minor comments changes -- * Minor comments changes
-- 2010-03-14 Duarte Silva <duarte.silva@myf00.net> -- 2010-03-14 Duarte Silva <duarte.silva@myf00.net>
-- * Made the script a little more verbose -- * Made the script a little more verbose
-- 2011-06-03
-- * Rewrite the script to use the smtp.lua library.
author = "Arturo 'Buanzo' Busleiman" author = "Arturo 'Buanzo' Busleiman"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive","external"} categories = {"discovery","intrusive","external"}
require "shortport" require "shortport"
require "comm" require "stdnse"
require "smtp"
portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" }) portrule = shortport.port_or_service({ 25, 465, 587 },
{ "smtp", "smtps", "submission" })
ERROR_MESSAGES = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
---Send a command and read the response (this function does exception handling, and if an
-- exception occurs, it will close the socket).
--
--@param socket Socket used to send the command
--@param request Command to be sent
--@return False in case of failure
--@return True and the response in case of success
function do_request(socket, request)
-- Exception handler.
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- Lets send the command.
try(socket:send(request))
-- Receive server response.
local status, response = socket:receive_lines(1)
if not status then
-- Close the socket (the call to receive_lines doesn't use try).
socket:close()
return false, (ERROR_MESSAGES[response] or "unspecified error")
end
return true, response
end
---Gets the user specified parameters to be used in the tests. ---Gets the user specified parameters to be used in the tests.
-- --
--@param host Target host (used for the ip parameter default value) --@param host Target host (used for the ip parameter default value)
--@return Domain, from, to and ip to be used in the tests --@return Domain, from, to and ip to be used in the tests
function get_parameters(host) function get_parameters(host)
local domain, from, to, ip = "nmap.scanme.org", "antispam", "relaytest", host.ip -- call smtp.get_domain() without the host table to use the
-- 'nmap.scanme.org' host name, we are scanning for open relays.
local domain = stdnse.get_script_args('smtp-open-relay.domain') or
smtp.get_domain()
-- Use the user provided options. local from = stdnse.get_script_args('smtp-open-relay.from') or "antispam"
if (nmap.registry.args["smtp-open-relay.domain"] ~= nil) then
domain = nmap.registry.args["smtp-open-relay.domain"]
end
if (nmap.registry.args["smtp-open-relay.ip"] ~= nil) then local to = stdnse.get_script_args('smtp-open-relay.to') or "relaytest"
ip = nmap.registry.args["smtp-open-relay.ip"]
end
if (nmap.registry.args["smtp-open-relay.to"] ~= nil) then local ip = stdnse.get_script_args('smtp-open-relay.ip') or host.ip
to = nmap.registry.args["smtp-open-relay.to"]
end
if (nmap.registry.args["smtp-open-relay.from"] ~= nil) then
from = nmap.registry.args["smtp-open-relay.from"]
end
return domain, from, to, ip return domain, from, to, ip
end end
function go(host, port) function go(host, port)
local socket = nmap.new_socket()
local options = { local options = {
timeout = 10000, timeout = 10000,
recv_before = true recv_before = true,
ssl = true,
} }
socket:set_timeout(5000) local result, status, index = {}
-- Be polite and when everything works out send the QUIT message.
local quit = function()
do_request(socket, "QUIT\r\n")
socket:close()
end
local domain, from, to, ip = get_parameters(host) local domain, from, to, ip = get_parameters(host)
-- Try to connect to server. local socket, response = smtp.connect(host, port, options)
local response
socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options)
if not socket then if not socket then
return false, string.format("Couldn't establish connection on port %i", port.number) return false, string.format("Couldn't establish connection on port %i",
port.number)
end end
-- Close socket and return if EHLO command failed. local srvname = string.match(response, "%d+%s([%w]+[%w\.\-]*)")
if not string.match(response, "^250") then
quit() local status, response = smtp.ehlo(socket, domain)
return false, "Failed to issue EHLO command" if not status then
return status, response
end end
-- Find out server name. if not srvname then
local srvname = string.sub(response, string.find(response, '([.%w]+)', 4)) srvname = string.match(response, "%d+%-([%w]+[%w\.\-]*)")
end
-- Antispam tests. -- Antispam tests.
local tests = { local tests = {
{ from = "MAIL FROM:<>", to = string.format("RCPT TO:<%s@%s>", to, domain) }, {
{ from = string.format("MAIL FROM:<%s@%s>", from, domain), to = string.format("RCPT TO:<%s@%s>", to, domain) }, from = "",
{ from = string.format("MAIL FROM:<%s@%s>", from, srvname), to = string.format("RCPT TO:<%s@%s>", to, domain) }, to = string.format("%s@%s", to, domain)
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s@%s>", to, domain) }, },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s%%%s@[%s]>", to, domain, ip) }, {
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s%%%s@%s>", to, domain, srvname) }, from = string.format("%s@%s", from, domain),
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<\"%s@%s\">", to, domain) }, to = string.format("%s@%s", to, domain)
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<\"%s%%%s\">", to, domain) }, },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s@%s@[%s]>", to, domain, ip) }, {
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<\"%s@%s\"@[%s]>", to, domain, ip) }, from = string.format("%s@%s", from, srvname),
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s@%s@%s>", to, domain, srvname) }, to = string.format("%s@%s", to, domain)
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<@[%s]:%s@%s>", ip, to, domain) }, },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<@%s:%s@%s>", srvname, to, domain) }, {
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s!%s>", domain, to) }, from = string.format("%s@[%s]", from, ip),
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s!%s@[%s]>", domain, to, ip) }, to = string.format("%s@%s", to, domain)
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s!%s@%s>", domain, to, srvname) }, },
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s%%%s@[%s]", to, domain, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s%%%s@%s", to, domain, srvname)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("\"%s@%s\"", to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("\"%s%%%s\"", to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s@%s@[%s]", to, domain, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("\"%s@%s\"@[%s]", to, domain, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s@%s@%s", to, domain, srvname)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("@[%s]:%s@%s", ip, to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("@%s:%s@%s", srvname, to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s!%s", domain, to)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s!%s@[%s]", domain, to, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s!%s@%s", domain, to, srvname)
},
} }
local result = {} -- This function is used when something goes wrong with the connection.
local index -- It makes sure that if it found working combinations before the error
local status -- occurred, they will be returned. If the debug flag is enabled the
-- error message will be appended to the combinations list.
-- This function is used when something goes wrong with the connection. It makes sure that
-- if it found working combinations before the error occurred, they will be returned. If the
-- debug flag is enabled the error message will be appended to the combinations list.
local failure = function(message) local failure = function(message)
if #result > 0 then if #result > 0 then
table.insert(result, message) table.insert(result, message)
return true, result return true, result
else else
return false, message return false, message
@@ -210,72 +206,69 @@ function go(host, port)
end end
for index = 1, #tests do for index = 1, #tests do
status, response = do_request(socket, "RSET\r\n") status, response = smtp.reset(socket)
if not status then if not status then
return failure(string.format("Failed to issue RSET command (%s)", response)) if string.match(response, "530") then
end
-- If reset the envelope, doesn't work for one, wont work for others (critical command).
if not string.match(response, "^250") then
quit()
if string.match(response, "^530") then
return false, "Server isn't an open relay, authentication needed" return false, "Server isn't an open relay, authentication needed"
else
return false, "Unable to clear server envelope, testing stoped"
end end
return failure(response)
end end
-- Lets try to issue MAIL FROM command. status, response = smtp.query(socket, "MAIL",
status, response = do_request(socket, string.format("%s\r\n", tests[index]["from"])) string.format("FROM:<%s>",
tests[index]["from"]))
-- If this command fails to be sent, then something went wrong with the connection. -- If this command fails to be sent, then something went
-- wrong with the connection.
if not status then if not status then
return failure(string.format("Failed to issue %s command (%s)", tests[index]["from"], response)) return failure(string.format("Failed to issue %s command (%s)",
tests[index]["from"], response))
end end
-- If MAIL FROM failed, check if authentication is needed because all the other attempts will fail if string.match(response, "530") then
-- and server may disconnect because of too many commands issued without authentication. smtp.quit(socket)
if string.match(response, "^530") then
quit()
return false, "Server isn't an open relay, authentication needed" return false, "Server isn't an open relay, authentication needed"
-- The command was accepted (otherwise, the script will step to the next test). elseif smtp.check_reply("MAIL", response) then
elseif string.match(response, "^250") then
-- Lets try to actually relay. -- Lets try to actually relay.
status, response = do_request(socket, string.format("%s\r\n", tests[index]["to"])) status, response = smtp.query(socket, "RCPT",
string.format("TO:<%s>",
tests[index]["to"]))
if not status then if not status then
return failure(string.format("Failed to issue %s command (%s)", tests[index]["to"], response)) return failure(string.format("Failed to issue %s command (%s)",
tests[index]["to"], response))
end end
if string.match(response, "^530") then if string.match(response, "530") then
quit() smtp.quit(socket)
return false, "Server isn't an open relay, authentication needed" return false, "Server isn't an open relay, authentication needed"
elseif string.match(response, "^250") then elseif smtp.check_reply("RCPT", response) then
-- Save the working from and to combination. -- Save the working from and to combination.
table.insert(result, string.format("%s -> %s", tests[index]["from"], tests[index]["to"])) table.insert(result,
string.format("MAIL FROM:<%s> -> RCPT TO:<%s>",
tests[index]["from"], tests[index]["to"]))
end end
end end
end end
quit() smtp.quit(socket)
return true, result return true, result
end end
action = function(host, port) action = function(host, port)
local status, result = go(host, port) local status, result = go(host, port)
-- The go function returned false, this means that the result is a simple error message. -- The go function returned false, this means that the result is
-- a simple error message.
if not status then if not status then
return result return result
else else
-- Combinations were found. If verbosity is active, the script will print all -- Combinations were found. If verbosity is active, the script
-- the successful tests. Otherwise it will only print the conclusion. -- will print all the successful tests. Otherwise it will only
-- print the conclusion.
if #result > 0 then if #result > 0 then
final = {} final = {}
table.insert(final,
table.insert(final, string.format("Server is an open relay (%i/16 tests)", (#result))) string.format("Server is an open relay (%i/16 tests)",
(#result)))
if nmap.verbosity() > 1 then if nmap.verbosity() > 1 then
for index, test in ipairs(result) do for index, test in ipairs(result) do

314
scripts/smtp-vuln-cve2011-1720.nse
View File

@@ -1,9 +1,9 @@
description = [[ description = [[
Checks for SMTP, SMTPS and Submission vulnerabilities: Checks for a Memory corruption in the Postfix SMTP server when it uses
Cyrus SASL library authentication mechanisms (CVE-2011-1720).
* Memory corruption in Postfix SMTP server Cyrus SASL support Reference:
(CVE-2011-1720) * http://www.postfix.org/CVE-2011-1720.html
http://www.postfix.org/CVE-2011-1720.html
]] ]]
--- ---
@@ -19,142 +19,20 @@ Checks for SMTP, SMTPS and Submission vulnerabilities:
-- | AUTH tests: CRAM-MD5 -- | AUTH tests: CRAM-MD5
-- |_ Postfix Cyrus SASL authentication: VULNERABLE (CRAM-MD5 => DIGEST-MD5) -- |_ Postfix Cyrus SASL authentication: VULNERABLE (CRAM-MD5 => DIGEST-MD5)
-- --
-- @args -- @args smtp.domain Define the domain to be used in the SMTP EHLO command.
-- smtp.domain Define the domain to be used in the SMTP EHLO command.
author = "Djalal Harouni" author = "Djalal Harouni"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln"} categories = {"intrusive", "vuln"}
require "shortport" require "shortport"
require "smtp"
require "stdnse" require "stdnse"
portrule = shortport.port_or_service({25, 465, 587}, portrule = shortport.port_or_service({25, 465, 587},
{"smtp", "smtps", "submission"}) {"smtp", "smtps", "submission"})
local ERROR_MESSAGES = { local AUTH_VULN = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
local SMTP_CMD = {
["EHLO"] = {
cmd = "EHLO",
success = {
[250] = "Requested mail action okay, completed",
},
errors = {
[421] = "<domain> Service not available, closing transmission channel",
[500] = "Syntax error, command unrecognised",
[501] = "Syntax error in parameters or arguments",
[504] = "Command parameter not implemented",
[550] = "Not implemented",
},
},
["AUTH"] = {
cmd = "AUTH",
success = {[334] = ""},
errors = {
[501] = "Authentication aborted",
}
},
["STARTTLS"] = {
cmd = "STARTTLS",
success = {
[220] = "Ready to start TLS"
},
errors = {
[501] = "Syntax error (no parameters allowed)",
[454] = "TLS not available due to temporary reason",
}
}
}
-- Get a domain to be used in the SMTP commands that need it. If the
-- user specified one through a script argument this function will return
-- it. Otherwise it will try to find the domain from the typed hostname
-- and from the rDNS name. If it still can't find one it will use the
-- nmap.scanme.org by default.
--
-- @param host Current scanned host
-- @return The hostname to be used
function get_domain(host)
local nmap_domain = "nmap.scanme.org"
-- Use the user provided options.
local result = stdnse.get_script_args("smtp.domain") or
stdnse.get_script_args("smtp-vuln-cve2011-1720.domain")
if not result then
if type(host) == "table" then
if host.targetname then
result = host.targetname
elseif (host.name ~= "" and host.name) then
result = host.name
end
end
end
return result or nmap_domain
end
local function smtp_finish(socket, status, msg)
if socket then
socket:send("QUIT\r\n")
socket:close()
end
return status, msg
end
function smtp_send(socket, request)
local status, response = socket:send(request)
if not status then
return status, string.format("failed to send request: %s",
request)
end
return true, response
end
function smtp_request(socket, cmd, data)
local packet = cmd
if data then
packet = cmd.." "..data
end
local status, ret = smtp_send(socket, packet)
if not status then
return smtp_finish(nil, status, ret)
end
status, ret = socket:receive_lines(1)
if not status then
return smtp_finish(nil, status,
(ERROR_MESSAGES[ret] or "unspecified error"))
end
return status, ret
end
function check_smtp_reply(cmd, response)
local code, msg = string.match(response, "^([0-9]+)%s*")
if code then
code = tonumber(code)
if SMTP_CMD[cmd] and SMTP_CMD[cmd].success[code] then
return true, SMTP_CMD[cmd].success[code]
end
end
return false, string.format("%s failed: %s", cmd, response)
end
-- Checks if the SMTP server is vulnerable to CVE-2011-1720
-- Postfix Cyrus SASL authentication memory corruption
-- http://www.postfix.org/CVE-2011-1720.html
function check_cve_2011_1720(smtp)
local postfix_vuln = "Postfix Cyrus SASL authentication"
local AUTH_VULN = {
-- AUTH MECHANISM -- AUTH MECHANISM
-- killby: a table of mechanisms that can corrupt and -- killby: a table of mechanisms that can corrupt and
-- overwrite the AUTH MECHANISM data structure. -- overwrite the AUTH MECHANISM data structure.
@@ -186,103 +64,122 @@ function check_cve_2011_1720(smtp)
["SRP"] = { ["SRP"] = {
killby = {} killby = {}
}, },
} }
local socket = nmap.new_socket() -- parse and check the authentication mechanisms.
local status, ret = socket:connect(smtp.host, smtp.port, "tcp") -- This function will save the vulnerable auth mechanisms in
-- the auth_mlist table, and returns all the available auth
-- mechanisms as a string.
local function chk_auth_mechanisms(ehlo_res, auth_mlist)
local mlist, mstr = smtp.get_auth_mech(ehlo_res), ""
if not status then if mlist then
return false, "Couldn't connect to remote host" for _, mech in ipairs(mlist) do
mstr = mstr.." "..mech
if AUTH_VULN[mech] then
auth_mlist[mech] = mech
end end
local i, response = 0, nil
-- just a small loop
repeat
status, response = socket:receive_lines(1)
i = i + 1
until response or i == 3
if not status then
return smtp_finish(nil, status,
(ERROR_MESSAGES[response] or "unspecified error"))
end end
end
return mstr
end
status, response = smtp_request(socket, "EHLO", -- Close any remaining connection
string.format("%s\r\n",smtp.domain)) local function smtp_finish(socket, status, msg)
if socket then
smtp.quit(socket)
end
return status, msg
end
-- Tries to kill the smtpd server
-- Returns true, true if the smtpd was killed
local function kill_smtpd(socket, mech, mkill)
local killed, ret = false
local status, response = smtp.query(socket, "AUTH",
string.format("%s", mech))
if not status then if not status then
return status, response return status, response
end end
status, ret = check_smtp_reply("EHLO", response) status, ret = smtp.check_reply("AUTH", response)
if not status then if not status then
return smtp_finish(socket, status, ret) return smtp_finish(socket, status, ret)
end end
local starttls = false -- abort authentication
local function chk_starttls(line) smtp.query(socket, "*")
return line:match("STARTTLS")
status, response = smtp.query(socket, "AUTH",
string.format("%s", mkill))
if status then
-- abort the last AUTH command.
status, response = smtp.query(socket, "*")
end end
local auth_mech_list, auth_mech_str, chk_vuln = {}, "", false if not status then
-- parse and check the authentication mechanisms if string.match(response, "connection closed") then
local function chk_auth_mechanisms(line) killed = true
local authstr = line:match("%d+\-AUTH%s(.*)$") else
if authstr then return status, response
auth_mech_str = authstr
for mech in authstr:gmatch("[^%s]+") do
if AUTH_VULN[mech] then
auth_mech_list[mech] = mech
if not chk_vuln then
chk_vuln = true
end
end end
end end
return true, killed
end
-- Checks if the SMTP server is vulnerable to CVE-2011-1720
-- Postfix Cyrus SASL authentication memory corruption
-- http://www.postfix.org/CVE-2011-1720.html
local function check_smtpd(smtp_opts)
local postfix_vuln = "Postfix Cyrus SASL authentication"
local socket, ret = smtp.connect(smtp_opts.host,
smtp_opts.port,
{ssl = false,
recv_before = true,
lines = 1})
if not socket then
return socket, ret
end end
local status, response = smtp.ehlo(socket, smtp_opts.domain)
if not status then
return status, response
end end
local starttls = false
local auth_mech_list, auth_mech_str = {}, ""
-- parse server response -- parse server response
for _, line in pairs(stdnse.strsplit("\r?\n", response)) do for _, line in pairs(stdnse.strsplit("\r?\n", response)) do
if not next(auth_mech_list) then if not next(auth_mech_list) then
chk_auth_mechanisms(line) auth_mech_str = chk_auth_mechanisms(line, auth_mech_list)
end end
if not starttls then if not starttls then
starttls = chk_starttls(line) starttls = line:match("STARTTLS")
end end
end end
-- fallback to STARTTLS to get the auth mechanisms -- fallback to STARTTLS to get the auth mechanisms
if not next(auth_mech_list) and smtp.port.number ~= 25 and if not next(auth_mech_list) and smtp_opts.port.number ~= 25 and
starttls then starttls then
status, response = smtp_request(socket,"STARTTLS\r\n")
status, response = smtp.starttls(socket)
if not status then if not status then
return status, response return status, response
end end
status, ret = check_smtp_reply("STARTTLS", response) status, response = smtp.ehlo(socket, smtp_opts.domain)
if not status then
return smtp_finish(socket, status, ret)
end
status, ret = socket:reconnect_ssl()
if not status then
return smtp_finish(nil, status, ret)
end
status, response = smtp_request(socket, "EHLO",
string.format("%s\r\n",smtp.domain))
if not status then if not status then
return status, response return status, response
end end
status, ret = check_smtp_reply("EHLO", response)
if not status then
return smtp_finish(socket, status, ret)
end
for _, line in pairs(stdnse.strsplit("\r?\n", response)) do for _, line in pairs(stdnse.strsplit("\r?\n", response)) do
if not next(auth_mech_list) then if not next(auth_mech_list) then
chk_auth_mechanisms(line) auth_mech_str = chk_auth_mechanisms(line, auth_mech_list)
end end
end end
end end
@@ -293,42 +190,9 @@ function check_cve_2011_1720(smtp)
table.insert(output, string.format("AUTH MECHANISMS: %s", auth_mech_str)) table.insert(output, string.format("AUTH MECHANISMS: %s", auth_mech_str))
-- maybe vulnerable -- maybe vulnerable
if next(auth_mech_list) and chk_vuln then if next(auth_mech_list) then
-- Kill the Postfix smtpd
-- Returns true, true if the smtpd was killed
local function kill_smtpd(socket, mech, mkill)
local killed = false
status, response = smtp_request(socket, "AUTH",
string.format("%s\r\n", mech))
if not status then
return status, ret
end
status, ret = check_smtp_reply("AUTH", response)
if not status then
return smtp_finish(socket, status, ret)
end
-- abort authentication
smtp_request(socket, "*\r\n")
status, response = smtp_request(socket, "AUTH",
string.format("%s\r\n", mkill))
if not status then
if response ~= ERROR_MESSAGES["EOF"] then
return status, ret
else
killed = true
end
else
-- if not killed then abort the last authentication
smtp_request(socket, "*\r\n")
end
return true, killed
end
local auth_tests = "" local auth_tests = ""
for mech in pairs(auth_mech_list) do for mech in pairs(auth_mech_list) do
for mkill in pairs(AUTH_VULN[mech].killby) do for mkill in pairs(AUTH_VULN[mech].killby) do
@@ -370,9 +234,13 @@ function check_cve_2011_1720(smtp)
end end
action = function(host, port) action = function(host, port)
local smtp_opts = { host = host, port = port } local smtp_opts = {
smtp_opts.domain = get_domain(host) host = host,
local status, output = check_cve_2011_1720(smtp_opts) port = port,
domain = stdnse.get_script_args('smtp-vuln-cve2011-1720.domain') or
smtp.get_domain(host),
}
local status, output = check_smtpd(smtp_opts)
if not status then if not status then
stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, output) stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, output)
return nil return nil