PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-12 02:39:03 +00:00
Code Issues Projects Releases Wiki Activity

o [NSE] Updated the SMTP scripts to use the new SMTP Lua library.

Browse Source
This commit is contained in:
djalal
2011-06-13 13:19:26 +00:00
parent e7c6bf55f0
commit caadf952e3
4 changed files with 574 additions and 860 deletions
Download Patch File Download Diff File Expand all files Collapse all files

203
scripts/smtp-commands.nse
View File

@@ -13,7 +13,7 @@ SMTP server.
-- | smtp-commands: SMTP.domain.com Hello [172.x.x.x], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, X-EXPS GSSAPI NTLM LOGIN, X-EXPS=LOGIN, AUTH GSSAPI NTLM LOGIN, AUTH=LOGIN, X-LINK2STATE, XEXCH50, OK -- | smtp-commands: SMTP.domain.com Hello [172.x.x.x], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, X-EXPS GSSAPI NTLM LOGIN, X-EXPS=LOGIN, AUTH GSSAPI NTLM LOGIN, AUTH=LOGIN, X-LINK2STATE, XEXCH50, OK
-- |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY -- |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
-- --
-- @args smtp-commands.domain Define the domain to be used in the SMTP commands. -- @args smtp.domain or smtp-commands.domain Define the domain to be used in the SMTP commands.
-- changelog -- changelog
-- 1.1.0.0 - 2007-10-12 -- 1.1.0.0 - 2007-10-12
@@ -53,6 +53,8 @@ SMTP server.
-- Busleiman's SMTP open relay detector script and Duarte Silva's SMTP -- Busleiman's SMTP open relay detector script and Duarte Silva's SMTP
-- user enumeration script. -- user enumeration script.
-- Props to them for doing what they do and letting me ride on their coattails. -- Props to them for doing what they do and letting me ride on their coattails.
-- 2.1.0.0 - 2011-06-01
-- + Rewrite the script to use the smtp.lua library.
author = "Jason DePriest" author = "Jason DePriest"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
@@ -60,166 +62,67 @@ categories = {"default", "discovery", "safe"}
require "shortport" require "shortport"
require "stdnse" require "stdnse"
require "comm" require "smtp"
portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" }) portrule = shortport.port_or_service({ 25, 465, 587 },
{ "smtp", "smtps", "submission" })
ERROR_MESSAGES = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
STATUS_CODES = {
ERROR = 1,
NOTPERMITED = 2,
VALID = 3,
INVALID = 4
}
---Send a command and read the response (this function does exception handling, and if an
-- exception occurs, it will close the socket).
--
--@param socket Socket used to send the command
--@param request Command to be sent
--@return False in case of failure
--@return True and the response in case of success
function do_request(socket, request)
-- Exception handler.
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- Lets send the command.
try(socket:send(request))
-- Receive server response.
local status, response = socket:receive_lines(1)
if not status then
-- Close the socket (the call to receive_lines doesn't use try).
socket:close()
return false, (ERROR_MESSAGES[response] or "unspecified error")
end
return true, response
end
---Get a domain to be used in the SMTP commands that need it. If the user specified one
-- through a script argument this function will return it. Otherwise it will try to find
-- the domain from the typed hostname and from the rDNS name. If it still can't find one
-- it will use the nmap.scanme.org by default.
--
-- @param host Current scanned host
-- @return The hostname to be used
function get_domain(host)
local result = "nmap.scanme.org"
-- Use the user provided options.
if (nmap.registry.args["smtp-commands.domain"] ~= nil) then
result = nmap.registry.args["smtp-commands.domain"]
elseif type(host) == "table" then
if host.targetname then
result = host.targetname
elseif (host.name ~= "" and host.name) then
result = host.name
end
end
return result
end
function go(host, port) function go(host, port)
local socket = nmap.new_socket() local options = {
local options = { timeout = 10000,
timeout = 10000, recv_before = true,
recv_before = true ssl = true,
} }
socket:set_timeout(5000) local domain = stdnse.get_script_args('smtp-commands.domain') or
smtp.get_domain(host)
-- Be polite and when everything works out send the QUIT message. local result, status = {}
local quit = function() -- Try to connect to server.
do_request(socket, "QUIT\r\n") local socket, response = smtp.connect(host, port, options)
socket:close() if not socket then
end return false, string.format("Couldn't establish connection on port %i",
port.number)
local domain = get_domain(host) end
-- Try to connect to server. status, response = smtp.ehlo(socket, domain)
local response if not status then
return status, response
end
socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options) response = string.gsub(response, "250[%-%s]+", "") -- 250 or 250-
response = string.gsub(response, "\r\n", "\n") -- normalize CR LF
response = string.gsub(response, "\n\r", "\n") -- normalize LF CR
response = string.gsub(response, "^\n+(.-)\n+$", "%1")
response = string.gsub(response, "\n", ", ") -- LF to comma
response = string.gsub(response, "%s+", " ") -- get rid of extra spaces
table.insert(result,response)
if not socket then status, response = smtp.help(socket)
return false, string.format("Couldn't establish connection on port %i", port.number) if status then
end response = string.gsub(response, "214[%-%s]+", "") -- 214
response = string.gsub(response, "^%s+(.-)%s+$", "%1")
local result = {} response = string.gsub(response, "%s+", " ") -- get rid of extra spaces
local index table.insert(result,response)
local status smtp.quit(socket)
end
local failure = function(message) return true, result
if #result > 0 then
table.insert(result, message)
return true, result
else
return false, message
end
end
if not string.match(response, "^250") then
quit()
return false
end
response = string.gsub(response, "250%-", "") -- 250-
response = string.gsub(response, "250 ", "") -- 250
response = string.gsub(response, "\r\n", "\n") -- normalize CR LF
response = string.gsub(response, "\n\r", "\n") -- normalize LF CR
response = string.gsub(response, "^\n+", "") -- no initial LF
response = string.gsub(response, "\n+$", "") -- no final LF
response = string.gsub(response, "\n", ", ") -- LF to comma
response = string.gsub(response, "%s+", " ") -- get rid of extra spaces
table.insert(result,response)
status, response = do_request(socket, "HELP\r\n")
if not status then
return failure(string.format("Failed to issue HELP command (%s)", response))
end
if not string.match(response, "^214") then
quit()
return false
end
response = string.gsub(response, "214%-", "") -- 214-
response = string.gsub(response, "214 ", "") -- 214
response = string.gsub(response, "^%s+", "") -- no initial space
response = string.gsub(response, "%s+$", "") -- no final space
response = string.gsub(response, "%s+", " ") -- get rid of extra spaces
table.insert(result,response)
quit()
return true, result
end end
action = function(host, port) action = function(host, port)
local status, result = go(host, port) local status, result = go(host, port)
-- The go function returned false, this means that the result is a simple error message. -- The go function returned false, this means that the result is a simple error message.
if not status then if not status then
return result return result
else else
if #result > 0 then if #result > 0 then
final = {} final = {}
for index, test in ipairs(result) do for index, test in ipairs(result) do
table.insert(final, test) table.insert(final, test)
end end
return stdnse.strjoin("\n ", final) return stdnse.strjoin("\n ", final)
end end
end end
end end

514
scripts/smtp-enum-users.nse
View File

@@ -24,7 +24,7 @@ An example of how to specify the methods to use and the order is the following:
-- | smtp-enum-users: -- | smtp-enum-users:
-- |_ RCPT, root -- |_ RCPT, root
-- --
-- @args smtp-enum-users.domain Define the domain to be used in the SMTP commands -- @args smtp.domain or smtp-enum-users.domain Define the domain to be used in the SMTP commands
-- @args smtp-enum-users.methods Define the methods and order to be used by the script (EXPN, VRFY, RCPT) -- @args smtp-enum-users.methods Define the methods and order to be used by the script (EXPN, VRFY, RCPT)
-- changelog -- changelog
@@ -36,6 +36,8 @@ An example of how to specify the methods to use and the order is the following:
-- + Script now handles 252 and 550 SMTP status codes -- + Script now handles 252 and 550 SMTP status codes
-- + Added the method that was used by the script to discover the users if verbosity is -- + Added the method that was used by the script to discover the users if verbosity is
-- enabled -- enabled
-- 2011-06-03
-- * Rewrite the script to use the smtp.lua library.
----------------------------------------------------------------------- -----------------------------------------------------------------------
author = "Duarte Silva <duarte.silva@myf00.net>" author = "Duarte Silva <duarte.silva@myf00.net>"
@@ -43,155 +45,86 @@ license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","external","intrusive"} categories = {"discovery","external","intrusive"}
require "shortport" require "shortport"
require "comm" require "stdnse"
require "smtp"
require "unpwdb" require "unpwdb"
portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" }) portrule = shortport.port_or_service({ 25, 465, 587 },
{ "smtp", "smtps", "submission" })
ERROR_MESSAGES = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
STATUS_CODES = { STATUS_CODES = {
ERROR = 1, ERROR = 1,
NOTPERMITTED = 2, NOTPERMITTED = 2,
VALID = 3, VALID = 3,
INVALID = 4, INVALID = 4,
UNKNOWN = 5 UNKNOWN = 5
} }
---Counts the number of occurrences in a table. Helper function from LUA documentation ---Counts the number of occurrences in a table. Helper function
-- http://lua-users.org/wiki/TableUtils. -- from LUA documentation http://lua-users.org/wiki/TableUtils.
-- --
-- @param from Source table -- @param from Source table
-- @param what What element to count -- @param what What element to count
-- @return Number of occurrences -- @return Number of occurrences
function table_count(from, what) function table_count(from, what)
local result = 0 local result = 0
for index, item in ipairs(from) do for index, item in ipairs(from) do
if item == what then if item == what then
result = result + 1 result = result + 1
end end
end end
return result
return result
end end
---Creates a new table from a source without the duplicates. Helper function from LUA ---Creates a new table from a source without the duplicates. Helper
-- documentation http://lua-users.org/wiki/TableUtils. -- function from LUA documentation http://lua-users.org/wiki/TableUtils.
-- --
-- @param from Source table -- @param from Source table
-- @return New table without the duplicates -- @return New table without the duplicates
function table_unique(from) function table_unique(from)
local result = {} local result = {}
for index, item in ipairs(from) do for index, item in ipairs(from) do
if (table_count(result, item) == 0) then if (table_count(result, item) == 0) then
result[#result + 1] = item result[#result + 1] = item
end end
end end
return result return result
end end
---Send a command and read the response (this function does exception handling, and if an ---Get the method or methods to be used. If the user didn't specify any
-- exception occurs, it will close the socket). -- methods, the default order is RCPT, VRFY and then EXPN.
--
-- @param socket Socket used to send the command
-- @param request Command to be sent
-- @return False in case of failure, true and the response in case of success
function do_request(socket, request)
-- Exception handler.
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- Lets send the command.
try(socket:send(request))
-- Receive server response.
local status, response = socket:receive_lines(1)
if not status then
-- Close the socket (the call to receive_lines doesn't use try)
socket:close()
return false, (ERROR_MESSAGES[response] or "unspecified error")
end
return true, response
end
---Send a SMTP quit command before closing the socket.
--
-- @param socket Socket used to send the command
function quit(socket)
do_request(socket, "QUIT\r\n")
socket:close()
end
---Get a domain to be used in the SMTP commands that need it. If the user specified one
-- through a script argument this function will return it. Otherwise it will try to find
-- the domain from the typed hostname and from the rDNS name. If it still can't find one
-- it will use the nmap.scanme.org by default.
--
-- @param host Current scanned host
-- @return The hostname to be used
function get_domain(host)
local result = "nmap.scanme.org"
-- Use the user provided options.
if (nmap.registry.args["smtp-enum-users.domain"] ~= nil) then
result = nmap.registry.args["smtp-enum-users.domain"]
elseif type(host) == "table" then
if host.targetname then
result = host.targetname
elseif (host.name ~= "" and host.name) then
result = host.name
end
end
return result
end
---Get the method or methods to be used. If the user didn't specify any methods, the default
-- order is RCPT, VRFY and then EXPN.
-- --
-- @return A table containing the methods to try -- @return A table containing the methods to try
function get_method() function get_method()
local result = {} local result = {}
if (nmap.registry.args["smtp-enum-users.methods"] ~= nil) then local methods = stdnse.get_script_args('smtp-enum-users.methods')
local methods = nmap.registry.args["smtp-enum-users.methods"] if methods and type(methods) == "table" then
-- For each method specified.
for _, method in ipairs(methods) do
-- Are the elements of the argument valid methods.
local upper = string.upper(method)
if (upper == "RCPT") or (upper == "EXPN") or
(upper == "VRFY") then
table.insert(result, upper)
else
return false, method
end
end
end
if type(methods) == "table" then -- The methods weren't specified.
-- For each method specified. if #result == 0 then
for index, method in ipairs(methods) do result = { "RCPT", "VRFY", "EXPN" }
-- Are the elements of the argument valid methods. else
local upper = string.upper(method) result = table_unique(result)
end
if (upper == "RCPT") or (upper == "EXPN") or (upper == "VRFY") then
table.insert(result, upper)
else
return false, method
end
end
end
end
-- The methods weren't specified. return true, result
if #result == 0 then
result = { "RCPT", "VRFY", "EXPN" }
else
result = table_unique(result)
end
return true, result
end end
---Generic function to perform user discovery. ---Generic function to perform user discovery.
@@ -202,37 +135,44 @@ end
-- @param domain Domain to use in the command -- @param domain Domain to use in the command
-- @return Status and depending on the code, a error message -- @return Status and depending on the code, a error message
function do_gnrc(socket, command, username, domain) function do_gnrc(socket, command, username, domain)
local combinations = { local combinations = {
string.format("%s", username), string.format("%s", username),
string.format("%s@%s", username, domain) string.format("%s@%s", username, domain)
} }
for index, combination in ipairs(combinations) do for index, combination in ipairs(combinations) do
-- Lets try to issue the command. -- Lets try to issue the command.
local status, response = do_request(socket, string.format("%s %s\r\n", command, combination)) local status, response = smtp.query(socket, command, combination)
-- If this command fails to be sent, then something went wrong with the connection. -- If this command fails to be sent, then something
if not status then -- went wrong with the connection.
return STATUS_CODES.ERROR, string.format("Failed to issue %s %s command (%s)\n", command, combination, response) if not status then
end return STATUS_CODES.ERROR,
string.format("Failed to issue %s %s command (%s)\n",
command, combination, response)
end
if string.match(response, "^530") then if string.match(response, "^530") then
-- If the command failed, check if authentication is needed because all the other attempts will fail. -- If the command failed, check if authentication is
return STATUS_CODES.AUTHENTICATION -- needed because all the other attempts will fail.
elseif string.match(response, "^502") or string.match(response, "^252") or string.match(response, "^550") then return STATUS_CODES.AUTHENTICATION
-- The server doesn't implement the command or it is disallowed. elseif string.match(response, "^502") or
return STATUS_CODES.NOTPERMITTED string.match(response, "^252") or
elseif string.match(response, "^250") then string.match(response, "^550") then
-- User accepted. -- The server doesn't implement the command or it is disallowed.
if nmap.verbosity() > 1 then return STATUS_CODES.NOTPERMITTED
return STATUS_CODES.VALID, string.format("%s, %s", command, username) elseif smtp.check_reply(command, response) then
else -- User accepted.
return STATUS_CODES.VALID, username if nmap.verbosity() > 1 then
end return STATUS_CODES.VALID,
end string.format("%s, %s", command, username)
end else
return STATUS_CODES.VALID, username
end
end
end
return STATUS_CODES.INVALID return STATUS_CODES.INVALID
end end
---Verify if a username is valid using the EXPN command (wrapper ---Verify if a username is valid using the EXPN command (wrapper
@@ -243,7 +183,7 @@ end
-- @param domain Domain to use in the command -- @param domain Domain to use in the command
-- @return Status and depending on the code, a error message -- @return Status and depending on the code, a error message
function do_expn(socket, username, domain) function do_expn(socket, username, domain)
return do_gnrc(socket, "EXPN", username, domain) return do_gnrc(socket, "EXPN", username, domain)
end end
---Verify if a username is valid using the VRFY command (wrapper ---Verify if a username is valid using the VRFY command (wrapper
@@ -254,63 +194,74 @@ end
-- @param domain Domain to use in the command -- @param domain Domain to use in the command
-- @return Status and depending on the code, a error message -- @return Status and depending on the code, a error message
function do_vrfy(socket, username, domain) function do_vrfy(socket, username, domain)
return do_gnrc(socket, "VRFY", username, domain) return do_gnrc(socket, "VRFY", username, domain)
end end
issued_from = false issued_from = false
---Verify if a username is valid using the RCPT method. It will only issue the MAIL FROM --- Verify if a username is valid using the RCPT method. It will only issue
-- command if the issued_from flag is false. The MAIL FROM command does not need to -- the MAIL FROM command if the issued_from flag is false. The MAIL FROM
-- be issued each time an RCPT TO is used. Otherwise it should also be issued a RSET -- command does not need to be issued each time an RCPT TO is used. Otherwise
-- command, and if there are many RSET commands the server might disconnect. -- it should also be issued a RSET command, and if there are many RSET
-- commands the server might disconnect.
-- --
-- @param socket Socket used to send the command -- @param socket Socket used to send the command
-- @param username User name to test -- @param username User name to test
-- @param domain Domain to use in the command -- @param domain Domain to use in the command
-- @return Status and depending on the code, a error message -- @return Status and depending on the code, a error message
function do_rcpt(socket, username, domain) function do_rcpt(socket, username, domain)
if not issued_from then if not issued_from then
-- Lets try to issue MAIL FROM command. -- Lets try to issue MAIL FROM command.
status, response = do_request(socket, string.format("MAIL FROM:<usertest@%s>\r\n", domain)) status, response = smtp.query(socket, "MAIL",
string.format("FROM:<usertest@%s>", domain))
if not status then if not status then
-- If this command fails to be sent, then something went wrong with the connection. -- If this command fails to be sent, then something went wrong
return STATUS_CODES.ERROR, string.format("Failed to issue MAIL FROM:<usertest@%s> command (%s)", domain, response) -- with the connection.
elseif string.match(response, "^530") then return STATUS_CODES.ERROR,
-- If the command failed, check if authentication is needed because all the other attempts will fail. string.format("Failed to issue MAIL FROM:<usertest@%s> command (%s)",
return STATUS_CODES.ERROR, "Couldn't perform user enumeration, authentication needed" domain, response)
elseif not string.match(response, "^250") then elseif string.match(response, "^530") then
-- Only accept 250 code as success. -- If the command failed, check if authentication is needed
return STATUS_CODES.NOTPERMITTED, "Server did not accept the MAIL FROM command" -- because all the other attempts will fail.
end return STATUS_CODES.ERROR,
end "Couldn't perform user enumeration, authentication needed"
elseif not smtp.check_reply("MAIL", response) then
-- Only accept 250 code as success.
return STATUS_CODES.NOTPERMITTED,
"Server did not accept the MAIL FROM command"
end
end
status, response = do_request(socket, string.format("RCPT TO:<%s@%s>\r\n", username, domain)) status, response = smtp.query(socket, "RCPT",
string.format("TO:<%s@%s>", username, domain))
if not status then if not status then
return STATUS_CODES.ERROR, string.format("Failed to issue RCPT TO:<%s@%s> command (%s)", username, domain, response) return STATUS_CODES.ERROR,
elseif string.match(response, "^550") then string.format("Failed to issue RCPT TO:<%s@%s> command (%s)",
-- 550 User Unknown username, domain, response)
return STATUS_CODES.UNKNOWN elseif string.match(response, "^550") then
elseif string.match(response, "^553") then -- 550 User Unknown
-- 553 Relaying Denied return STATUS_CODES.UNKNOWN
return STATUS_CODES.NOTPERMITTED elseif string.match(response, "^553") then
elseif string.match(response, "^530") then -- 553 Relaying Denied
-- If the command failed, check if authentication is needed because all the other attempts will fail. return STATUS_CODES.NOTPERMITTED
return STATUS_CODES.AUTHENTICATION elseif string.match(response, "^530") then
elseif string.match(response, "^250") then -- If the command failed, check if authentication is needed because
issued_from = true -- all the other attempts will fail.
-- User is valid. return STATUS_CODES.AUTHENTICATION
if nmap.verbosity() > 1 then elseif smtp.check_reply("RCPT", response) then
return STATUS_CODES.VALID, string.format("RCPT, %s", username) issued_from = true
else -- User is valid.
return STATUS_CODES.VALID, username if nmap.verbosity() > 1 then
end return STATUS_CODES.VALID, string.format("RCPT, %s", username)
end else
return STATUS_CODES.VALID, username
end
end
issued_from = true issued_from = true
return STATUS_CODES.INVALID
return STATUS_CODES.INVALID
end end
---Script function that does all the work. ---Script function that does all the work.
@@ -319,109 +270,108 @@ end
-- @param port Target port -- @param port Target port
-- @return The user accounts or a error message. -- @return The user accounts or a error message.
function go(host, port) function go(host, port)
-- Get the current usernames list from the file. -- Get the current usernames list from the file.
local status, nextuser = unpwdb.usernames() local status, nextuser = unpwdb.usernames()
if not status then if not status then
return false, "Failed to read the user names database" return false, "Failed to read the user names database"
end end
local socket = nmap.new_socket() local options = {
socket:set_timeout(5000) timeout = 10000,
recv_before = true,
ssl = true,
}
local domain = stdnse.get_script_args('smtp-enum-users.domain') or
smtp.get_domain(host)
local methods
status, methods = get_method()
if not status then
return false, string.format("Invalid method found, %s", methods)
end
local options = { local socket, response = smtp.connect(host, port, options)
timeout = 10000,
recv_before = true
}
local domain = get_domain(host)
local methods
status, methods = get_method() -- Failed connection attempt.
if not socket then
if not status then return false, string.format("Couldn't establish connection on port %i",
return false, string.format("Invalid method found, %s", methods) port.number)
end end
-- Try to connect to server. status, response = smtp.ehlo(socket, domain)
local response if not status then
return status, response
end
socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options) local result = {}
-- Failed connection attempt. -- This function is used when something goes wrong with
if not socket then -- the connection. It makes sure that if it found users before
return false, string.format("Couldn't establish connection on port %i", port.number) -- the error occurred, they will be returned.
end local failure = function(message)
if #result > 0 then
table.insert(result, message)
return true, result
else
return false, message
end
end
-- Close socket and return if EHLO command failed. -- Get the first user to be tested.
if not string.match(response, "^250") then local username = nextuser()
quit(socket)
return false, "Failed to issue EHLO command"
end
local result = {} for index, method in ipairs(methods) do
while username do
if method == "RCPT" then
status, response = do_rcpt(socket, username, domain)
elseif method == "VRFY" then
status, response = do_vrfy(socket, username, domain)
elseif method == "EXPN" then
status, response = do_expn(socket, username, domain)
end
-- This function is used when something goes wrong with the connection. It makes sure that if status == STATUS_CODES.NOTPERMITTED then
-- if it found users before the error occurred, they will be returned. -- Invalid method. Don't test anymore users with
local failure = function(message) -- the current method.
if #result > 0 then break
table.insert(result, message) elseif status == STATUS_CODES.VALID then
-- User found, lets save it.
table.insert(result, response)
elseif status == STATUS_CODES.ERROR then
-- An error occurred with the connection.
return failure(response)
elseif status == STATUS_CODES.AUTHENTICATION then
smtp.quit(socket)
return false, "Couldn't perform user enumeration, authentication needed"
elseif status == STATUS_CODES.INVALID then
table.insert(result,
string.format("Method %s returned a unhandled status code.",
method))
break
end
username = nextuser()
end
-- No more users to test, don't test with other methods.
if username == nil then
break
end
end
return true, result smtp.quit(socket)
else return true, result
return false, message
end
end
-- Get the first user to be tested.
local username = nextuser()
for index, method in ipairs(methods) do
while username do
if method == "RCPT" then
status, response = do_rcpt(socket, username, domain)
elseif method == "VRFY" then
status, response = do_vrfy(socket, username, domain)
elseif method == "EXPN" then
status, response = do_expn(socket, username, domain)
end
if status == STATUS_CODES.NOTPERMITTED then
-- Invalid method. Don't test anymore users with the current method.
break
elseif status == STATUS_CODES.VALID then
-- User found, lets save it.
table.insert(result, response)
elseif status == STATUS_CODES.ERROR then
-- An error occurred with the connection.
return failure(response)
elseif status == STATUS_CODES.AUTHENTICATION then
quit(socket)
return false, "Couldn't perform user enumeration, authentication needed"
elseif status == STATUS_CODES.INVALID then
table.insert(result, string.format("Method %s returned a unhandled status code.", method))
break
end
username = nextuser()
end
if username == nil then
-- No more users to test, don't test with other methods.
break
end
end
quit(socket)
return true, result
end end
action = function(host, port) action = function(host, port)
local status, result = go(host, port) local status, result = go(host, port)
-- The go function returned true, lets check if it didn't found any accounts. -- The go function returned true, lets check if it
if status and #result == 0 then -- didn't found any accounts.
return stdnse.format_output(true, "Couldn't find any accounts") if status and #result == 0 then
end return stdnse.format_output(true, "Couldn't find any accounts")
end
return stdnse.format_output(true, result) return stdnse.format_output(true, result)
end end

377
scripts/smtp-open-relay.nse
View File

@@ -24,7 +24,7 @@ printed with the list of any combinations that were found prior to the error.
-- | smtp-open-relay: Server is an open relay (1/16 tests) -- | smtp-open-relay: Server is an open relay (1/16 tests)
-- |_MAIL FROM:<antispam@insecure.org> -> RCPT TO:<relaytest@insecure.org> -- |_MAIL FROM:<antispam@insecure.org> -> RCPT TO:<relaytest@insecure.org>
-- --
-- @args smtp-open-relay.domain Define the domain to be used in the anti-spam tests and EHLO command (default -- @args smtp.domain or smtp-open-relay.domain Define the domain to be used in the anti-spam tests and EHLO command (default
-- is nmap.scanme.org) -- is nmap.scanme.org)
-- @args smtp-open-relay.ip Use this to change the IP address to be used (default is the target IP address) -- @args smtp-open-relay.ip Use this to change the IP address to be used (default is the target IP address)
-- @args smtp-open-relay.from Define the source email address to be used (without the domain, default is -- @args smtp-open-relay.from Define the source email address to be used (without the domain, default is
@@ -63,229 +63,222 @@ printed with the list of any combinations that were found prior to the error.
-- * Minor comments changes -- * Minor comments changes
-- 2010-03-14 Duarte Silva <duarte.silva@myf00.net> -- 2010-03-14 Duarte Silva <duarte.silva@myf00.net>
-- * Made the script a little more verbose -- * Made the script a little more verbose
-- 2011-06-03
-- * Rewrite the script to use the smtp.lua library.
author = "Arturo 'Buanzo' Busleiman" author = "Arturo 'Buanzo' Busleiman"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive","external"} categories = {"discovery","intrusive","external"}
require "shortport" require "shortport"
require "comm" require "stdnse"
require "smtp"
portrule = shortport.port_or_service({ 25, 465, 587 }, { "smtp", "smtps", "submission" }) portrule = shortport.port_or_service({ 25, 465, 587 },
{ "smtp", "smtps", "submission" })
ERROR_MESSAGES = {
["EOF"] = "connection closed",
["TIMEOUT"] = "connection timeout",
["ERROR"] = "failed to receive data"
}
---Send a command and read the response (this function does exception handling, and if an
-- exception occurs, it will close the socket).
--
--@param socket Socket used to send the command
--@param request Command to be sent
--@return False in case of failure
--@return True and the response in case of success
function do_request(socket, request)
-- Exception handler.
local catch = function()
socket:close()
end
local try = nmap.new_try(catch)
-- Lets send the command.
try(socket:send(request))
-- Receive server response.
local status, response = socket:receive_lines(1)
if not status then
-- Close the socket (the call to receive_lines doesn't use try).
socket:close()
return false, (ERROR_MESSAGES[response] or "unspecified error")
end
return true, response
end
---Gets the user specified parameters to be used in the tests. ---Gets the user specified parameters to be used in the tests.
-- --
--@param host Target host (used for the ip parameter default value) --@param host Target host (used for the ip parameter default value)
--@return Domain, from, to and ip to be used in the tests --@return Domain, from, to and ip to be used in the tests
function get_parameters(host) function get_parameters(host)
local domain, from, to, ip = "nmap.scanme.org", "antispam", "relaytest", host.ip -- call smtp.get_domain() without the host table to use the
-- 'nmap.scanme.org' host name, we are scanning for open relays.
local domain = stdnse.get_script_args('smtp-open-relay.domain') or
smtp.get_domain()
-- Use the user provided options. local from = stdnse.get_script_args('smtp-open-relay.from') or "antispam"
if (nmap.registry.args["smtp-open-relay.domain"] ~= nil) then
domain = nmap.registry.args["smtp-open-relay.domain"] local to = stdnse.get_script_args('smtp-open-relay.to') or "relaytest"
end
local ip = stdnse.get_script_args('smtp-open-relay.ip') or host.ip
if (nmap.registry.args["smtp-open-relay.ip"] ~= nil) then
ip = nmap.registry.args["smtp-open-relay.ip"] return domain, from, to, ip
end
if (nmap.registry.args["smtp-open-relay.to"] ~= nil) then
to = nmap.registry.args["smtp-open-relay.to"]
end
if (nmap.registry.args["smtp-open-relay.from"] ~= nil) then
from = nmap.registry.args["smtp-open-relay.from"]
end
return domain, from, to, ip
end end
function go(host, port) function go(host, port)
local socket = nmap.new_socket() local options = {
local options = { timeout = 10000,
timeout = 10000, recv_before = true,
recv_before = true ssl = true,
} }
socket:set_timeout(5000) local result, status, index = {}
-- Be polite and when everything works out send the QUIT message. local domain, from, to, ip = get_parameters(host)
local quit = function()
do_request(socket, "QUIT\r\n")
socket:close()
end
local domain, from, to, ip = get_parameters(host)
-- Try to connect to server. local socket, response = smtp.connect(host, port, options)
local response if not socket then
return false, string.format("Couldn't establish connection on port %i",
port.number)
end
socket, response = comm.tryssl(host, port, string.format("EHLO %s\r\n", domain), options) local srvname = string.match(response, "%d+%s([%w]+[%w\.\-]*)")
if not socket then local status, response = smtp.ehlo(socket, domain)
return false, string.format("Couldn't establish connection on port %i", port.number) if not status then
end return status, response
end
if not srvname then
srvname = string.match(response, "%d+%-([%w]+[%w\.\-]*)")
end
-- Close socket and return if EHLO command failed. -- Antispam tests.
if not string.match(response, "^250") then local tests = {
quit() {
return false, "Failed to issue EHLO command" from = "",
end to = string.format("%s@%s", to, domain)
},
{
from = string.format("%s@%s", from, domain),
to = string.format("%s@%s", to, domain)
},
{
from = string.format("%s@%s", from, srvname),
to = string.format("%s@%s", to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s@%s", to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s%%%s@[%s]", to, domain, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s%%%s@%s", to, domain, srvname)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("\"%s@%s\"", to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("\"%s%%%s\"", to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s@%s@[%s]", to, domain, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("\"%s@%s\"@[%s]", to, domain, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s@%s@%s", to, domain, srvname)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("@[%s]:%s@%s", ip, to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("@%s:%s@%s", srvname, to, domain)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s!%s", domain, to)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s!%s@[%s]", domain, to, ip)
},
{
from = string.format("%s@[%s]", from, ip),
to = string.format("%s!%s@%s", domain, to, srvname)
},
}
-- This function is used when something goes wrong with the connection.
-- It makes sure that if it found working combinations before the error
-- occurred, they will be returned. If the debug flag is enabled the
-- error message will be appended to the combinations list.
local failure = function(message)
if #result > 0 then
table.insert(result, message)
return true, result
else
return false, message
end
end
-- Find out server name. for index = 1, #tests do
local srvname = string.sub(response, string.find(response, '([.%w]+)', 4)) status, response = smtp.reset(socket)
if not status then
-- Antispam tests. if string.match(response, "530") then
local tests = { return false, "Server isn't an open relay, authentication needed"
{ from = "MAIL FROM:<>", to = string.format("RCPT TO:<%s@%s>", to, domain) }, end
{ from = string.format("MAIL FROM:<%s@%s>", from, domain), to = string.format("RCPT TO:<%s@%s>", to, domain) }, return failure(response)
{ from = string.format("MAIL FROM:<%s@%s>", from, srvname), to = string.format("RCPT TO:<%s@%s>", to, domain) }, end
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s@%s>", to, domain) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s%%%s@[%s]>", to, domain, ip) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s%%%s@%s>", to, domain, srvname) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<\"%s@%s\">", to, domain) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<\"%s%%%s\">", to, domain) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s@%s@[%s]>", to, domain, ip) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<\"%s@%s\"@[%s]>", to, domain, ip) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s@%s@%s>", to, domain, srvname) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<@[%s]:%s@%s>", ip, to, domain) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<@%s:%s@%s>", srvname, to, domain) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s!%s>", domain, to) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s!%s@[%s]>", domain, to, ip) },
{ from = string.format("MAIL FROM:<%s@[%s]>", from, ip), to = string.format("RCPT TO:<%s!%s@%s>", domain, to, srvname) },
}
local result = {}
local index
local status
-- This function is used when something goes wrong with the connection. It makes sure that
-- if it found working combinations before the error occurred, they will be returned. If the
-- debug flag is enabled the error message will be appended to the combinations list.
local failure = function(message)
if #result > 0 then
table.insert(result, message)
return true, result status, response = smtp.query(socket, "MAIL",
else string.format("FROM:<%s>",
return false, message tests[index]["from"]))
end -- If this command fails to be sent, then something went
end -- wrong with the connection.
if not status then
for index = 1, #tests do return failure(string.format("Failed to issue %s command (%s)",
status, response = do_request(socket, "RSET\r\n") tests[index]["from"], response))
end
if string.match(response, "530") then
smtp.quit(socket)
return false, "Server isn't an open relay, authentication needed"
elseif smtp.check_reply("MAIL", response) then
-- Lets try to actually relay.
status, response = smtp.query(socket, "RCPT",
string.format("TO:<%s>",
tests[index]["to"]))
if not status then
return failure(string.format("Failed to issue %s command (%s)",
tests[index]["to"], response))
end
if not status then if string.match(response, "530") then
return failure(string.format("Failed to issue RSET command (%s)", response)) smtp.quit(socket)
end return false, "Server isn't an open relay, authentication needed"
elseif smtp.check_reply("RCPT", response) then
-- Save the working from and to combination.
table.insert(result,
string.format("MAIL FROM:<%s> -> RCPT TO:<%s>",
tests[index]["from"], tests[index]["to"]))
end
end
end
-- If reset the envelope, doesn't work for one, wont work for others (critical command). smtp.quit(socket)
if not string.match(response, "^250") then return true, result
quit()
if string.match(response, "^530") then
return false, "Server isn't an open relay, authentication needed"
else
return false, "Unable to clear server envelope, testing stoped"
end
end
-- Lets try to issue MAIL FROM command.
status, response = do_request(socket, string.format("%s\r\n", tests[index]["from"]))
-- If this command fails to be sent, then something went wrong with the connection.
if not status then
return failure(string.format("Failed to issue %s command (%s)", tests[index]["from"], response))
end
-- If MAIL FROM failed, check if authentication is needed because all the other attempts will fail
-- and server may disconnect because of too many commands issued without authentication.
if string.match(response, "^530") then
quit()
return false, "Server isn't an open relay, authentication needed"
-- The command was accepted (otherwise, the script will step to the next test).
elseif string.match(response, "^250") then
-- Lets try to actually relay.
status, response = do_request(socket, string.format("%s\r\n", tests[index]["to"]))
if not status then
return failure(string.format("Failed to issue %s command (%s)", tests[index]["to"], response))
end
if string.match(response, "^530") then
quit()
return false, "Server isn't an open relay, authentication needed"
elseif string.match(response, "^250") then
-- Save the working from and to combination.
table.insert(result, string.format("%s -> %s", tests[index]["from"], tests[index]["to"]))
end
end
end
quit()
return true, result
end end
action = function(host, port) action = function(host, port)
local status, result = go(host, port) local status, result = go(host, port)
-- The go function returned false, this means that the result is a simple error message. -- The go function returned false, this means that the result is
if not status then -- a simple error message.
return result if not status then
else return result
-- Combinations were found. If verbosity is active, the script will print all else
-- the successful tests. Otherwise it will only print the conclusion. -- Combinations were found. If verbosity is active, the script
if #result > 0 then -- will print all the successful tests. Otherwise it will only
final = {} -- print the conclusion.
if #result > 0 then
final = {}
table.insert(final,
string.format("Server is an open relay (%i/16 tests)",
(#result)))
table.insert(final, string.format("Server is an open relay (%i/16 tests)", (#result))) if nmap.verbosity() > 1 then
for index, test in ipairs(result) do
table.insert(final, test)
end
end
if nmap.verbosity() > 1 then return stdnse.strjoin("\n ", final)
for index, test in ipairs(result) do end
table.insert(final, test)
end
end
return stdnse.strjoin("\n ", final) return "Server doesn't seem to be an open relay, all tests failed"
end end
return "Server doesn't seem to be an open relay, all tests failed"
end
end end

340
scripts/smtp-vuln-cve2011-1720.nse
View File

@@ -1,9 +1,9 @@
description = [[ description = [[
Checks for SMTP, SMTPS and Submission vulnerabilities: Checks for a Memory corruption in the Postfix SMTP server when it uses
Cyrus SASL library authentication mechanisms (CVE-2011-1720).
* Memory corruption in Postfix SMTP server Cyrus SASL support Reference:
(CVE-2011-1720) * http://www.postfix.org/CVE-2011-1720.html
http://www.postfix.org/CVE-2011-1720.html
]] ]]
--- ---
@@ -19,270 +19,167 @@ Checks for SMTP, SMTPS and Submission vulnerabilities:
-- | AUTH tests: CRAM-MD5 -- | AUTH tests: CRAM-MD5
-- |_ Postfix Cyrus SASL authentication: VULNERABLE (CRAM-MD5 => DIGEST-MD5) -- |_ Postfix Cyrus SASL authentication: VULNERABLE (CRAM-MD5 => DIGEST-MD5)
-- --
-- @args -- @args smtp.domain Define the domain to be used in the SMTP EHLO command.
-- smtp.domain Define the domain to be used in the SMTP EHLO command.
author = "Djalal Harouni" author = "Djalal Harouni"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln"} categories = {"intrusive", "vuln"}
require "shortport" require "shortport"
require "smtp"
require "stdnse" require "stdnse"
portrule = shortport.port_or_service({25, 465, 587}, portrule = shortport.port_or_service({25, 465, 587},
{"smtp", "smtps", "submission"}) {"smtp", "smtps", "submission"})
local ERROR_MESSAGES = { local AUTH_VULN = {
["EOF"] = "connection closed", -- AUTH MECHANISM
["TIMEOUT"] = "connection timeout", -- killby: a table of mechanisms that can corrupt and
["ERROR"] = "failed to receive data" -- overwrite the AUTH MECHANISM data structure.
} -- probe: max number of probes for each test
["CRAM-MD5"] = {
local SMTP_CMD = { killby = {["DIGEST-MD5"] = {probe = 1}}
["EHLO"] = {
cmd = "EHLO",
success = {
[250] = "Requested mail action okay, completed",
},
errors = {
[421] = "<domain> Service not available, closing transmission channel",
[500] = "Syntax error, command unrecognised",
[501] = "Syntax error in parameters or arguments",
[504] = "Command parameter not implemented",
[550] = "Not implemented",
},
}, },
["AUTH"] = { ["DIGEST-MD5"] = {
cmd = "AUTH", killby = {}
success = {[334] = ""}, },
errors = { ["EXTERNAL"] = {
[501] = "Authentication aborted", killby = {}
} },
["GSSAPI"] = {
killby = {}
},
["KERBEROS_V4"] = {
killby = {}
},
["NTLM"] = {
killby = {["DIGEST-MD5"] = {probe = 2}}
},
["OTP"] = {
killby = {}
},
["PASSDSS-3DES-1"] = {
killby = {}
},
["SRP"] = {
killby = {}
}, },
["STARTTLS"] = {
cmd = "STARTTLS",
success = {
[220] = "Ready to start TLS"
},
errors = {
[501] = "Syntax error (no parameters allowed)",
[454] = "TLS not available due to temporary reason",
}
}
} }
-- parse and check the authentication mechanisms.
-- Get a domain to be used in the SMTP commands that need it. If the -- This function will save the vulnerable auth mechanisms in
-- user specified one through a script argument this function will return -- the auth_mlist table, and returns all the available auth
-- it. Otherwise it will try to find the domain from the typed hostname -- mechanisms as a string.
-- and from the rDNS name. If it still can't find one it will use the local function chk_auth_mechanisms(ehlo_res, auth_mlist)
-- nmap.scanme.org by default. local mlist, mstr = smtp.get_auth_mech(ehlo_res), ""
--
-- @param host Current scanned host if mlist then
-- @return The hostname to be used for _, mech in ipairs(mlist) do
function get_domain(host) mstr = mstr.." "..mech
local nmap_domain = "nmap.scanme.org" if AUTH_VULN[mech] then
auth_mlist[mech] = mech
-- Use the user provided options.
local result = stdnse.get_script_args("smtp.domain") or
stdnse.get_script_args("smtp-vuln-cve2011-1720.domain")
if not result then
if type(host) == "table" then
if host.targetname then
result = host.targetname
elseif (host.name ~= "" and host.name) then
result = host.name
end end
end end
end end
return mstr
return result or nmap_domain
end end
-- Close any remaining connection
local function smtp_finish(socket, status, msg) local function smtp_finish(socket, status, msg)
if socket then if socket then
socket:send("QUIT\r\n") smtp.quit(socket)
socket:close()
end end
return status, msg return status, msg
end end
function smtp_send(socket, request) -- Tries to kill the smtpd server
local status, response = socket:send(request) -- Returns true, true if the smtpd was killed
local function kill_smtpd(socket, mech, mkill)
local killed, ret = false
local status, response = smtp.query(socket, "AUTH",
string.format("%s", mech))
if not status then if not status then
return status, string.format("failed to send request: %s", return status, response
request)
end end
return true, response status, ret = smtp.check_reply("AUTH", response)
end
function smtp_request(socket, cmd, data)
local packet = cmd
if data then
packet = cmd.." "..data
end
local status, ret = smtp_send(socket, packet)
if not status then if not status then
return smtp_finish(nil, status, ret) return smtp_finish(socket, status, ret)
end
-- abort authentication
smtp.query(socket, "*")
status, response = smtp.query(socket, "AUTH",
string.format("%s", mkill))
if status then
-- abort the last AUTH command.
status, response = smtp.query(socket, "*")
end end
status, ret = socket:receive_lines(1)
if not status then if not status then
return smtp_finish(nil, status, if string.match(response, "connection closed") then
(ERROR_MESSAGES[ret] or "unspecified error")) killed = true
end else
return status, response
return status, ret
end
function check_smtp_reply(cmd, response)
local code, msg = string.match(response, "^([0-9]+)%s*")
if code then
code = tonumber(code)
if SMTP_CMD[cmd] and SMTP_CMD[cmd].success[code] then
return true, SMTP_CMD[cmd].success[code]
end end
end end
return false, string.format("%s failed: %s", cmd, response)
return true, killed
end end
-- Checks if the SMTP server is vulnerable to CVE-2011-1720 -- Checks if the SMTP server is vulnerable to CVE-2011-1720
-- Postfix Cyrus SASL authentication memory corruption -- Postfix Cyrus SASL authentication memory corruption
-- http://www.postfix.org/CVE-2011-1720.html -- http://www.postfix.org/CVE-2011-1720.html
function check_cve_2011_1720(smtp) local function check_smtpd(smtp_opts)
local postfix_vuln = "Postfix Cyrus SASL authentication" local postfix_vuln = "Postfix Cyrus SASL authentication"
local AUTH_VULN = { local socket, ret = smtp.connect(smtp_opts.host,
-- AUTH MECHANISM smtp_opts.port,
-- killby: a table of mechanisms that can corrupt and {ssl = false,
-- overwrite the AUTH MECHANISM data structure. recv_before = true,
-- probe: max number of probes for each test lines = 1})
["CRAM-MD5"] = {
killby = {["DIGEST-MD5"] = {probe = 1}}
},
["DIGEST-MD5"] = {
killby = {}
},
["EXTERNAL"] = {
killby = {}
},
["GSSAPI"] = {
killby = {}
},
["KERBEROS_V4"] = {
killby = {}
},
["NTLM"] = {
killby = {["DIGEST-MD5"] = {probe = 2}}
},
["OTP"] = {
killby = {}
},
["PASSDSS-3DES-1"] = {
killby = {}
},
["SRP"] = {
killby = {}
},
}
local socket = nmap.new_socket()
local status, ret = socket:connect(smtp.host, smtp.port, "tcp")
if not status then if not socket then
return false, "Couldn't connect to remote host" return socket, ret
end end
local i, response = 0, nil local status, response = smtp.ehlo(socket, smtp_opts.domain)
-- just a small loop
repeat
status, response = socket:receive_lines(1)
i = i + 1
until response or i == 3
if not status then
return smtp_finish(nil, status,
(ERROR_MESSAGES[response] or "unspecified error"))
end
status, response = smtp_request(socket, "EHLO",
string.format("%s\r\n",smtp.domain))
if not status then if not status then
return status, response return status, response
end end
status, ret = check_smtp_reply("EHLO", response)
if not status then
return smtp_finish(socket, status, ret)
end
local starttls = false local starttls = false
local function chk_starttls(line) local auth_mech_list, auth_mech_str = {}, ""
return line:match("STARTTLS")
end
local auth_mech_list, auth_mech_str, chk_vuln = {}, "", false
-- parse and check the authentication mechanisms
local function chk_auth_mechanisms(line)
local authstr = line:match("%d+\-AUTH%s(.*)$")
if authstr then
auth_mech_str = authstr
for mech in authstr:gmatch("[^%s]+") do
if AUTH_VULN[mech] then
auth_mech_list[mech] = mech
if not chk_vuln then
chk_vuln = true
end
end
end
end
end
-- parse server response -- parse server response
for _, line in pairs(stdnse.strsplit("\r?\n", response)) do for _, line in pairs(stdnse.strsplit("\r?\n", response)) do
if not next(auth_mech_list) then if not next(auth_mech_list) then
chk_auth_mechanisms(line) auth_mech_str = chk_auth_mechanisms(line, auth_mech_list)
end end
if not starttls then if not starttls then
starttls = chk_starttls(line) starttls = line:match("STARTTLS")
end end
end end
-- fallback to STARTTLS to get the auth mechanisms -- fallback to STARTTLS to get the auth mechanisms
if not next(auth_mech_list) and smtp.port.number ~= 25 and if not next(auth_mech_list) and smtp_opts.port.number ~= 25 and
starttls then starttls then
status, response = smtp_request(socket,"STARTTLS\r\n")
status, response = smtp.starttls(socket)
if not status then if not status then
return status, response return status, response
end end
status, ret = check_smtp_reply("STARTTLS", response) status, response = smtp.ehlo(socket, smtp_opts.domain)
if not status then
return smtp_finish(socket, status, ret)
end
status, ret = socket:reconnect_ssl()
if not status then
return smtp_finish(nil, status, ret)
end
status, response = smtp_request(socket, "EHLO",
string.format("%s\r\n",smtp.domain))
if not status then if not status then
return status, response return status, response
end end
status, ret = check_smtp_reply("EHLO", response)
if not status then
return smtp_finish(socket, status, ret)
end
for _, line in pairs(stdnse.strsplit("\r?\n", response)) do for _, line in pairs(stdnse.strsplit("\r?\n", response)) do
if not next(auth_mech_list) then if not next(auth_mech_list) then
chk_auth_mechanisms(line) auth_mech_str = chk_auth_mechanisms(line, auth_mech_list)
end end
end end
end end
@@ -293,42 +190,9 @@ function check_cve_2011_1720(smtp)
table.insert(output, string.format("AUTH MECHANISMS: %s", auth_mech_str)) table.insert(output, string.format("AUTH MECHANISMS: %s", auth_mech_str))
-- maybe vulnerable -- maybe vulnerable
if next(auth_mech_list) and chk_vuln then if next(auth_mech_list) then
-- Kill the Postfix smtpd
-- Returns true, true if the smtpd was killed
local function kill_smtpd(socket, mech, mkill)
local killed = false
status, response = smtp_request(socket, "AUTH",
string.format("%s\r\n", mech))
if not status then
return status, ret
end
status, ret = check_smtp_reply("AUTH", response)
if not status then
return smtp_finish(socket, status, ret)
end
-- abort authentication
smtp_request(socket, "*\r\n")
status, response = smtp_request(socket, "AUTH",
string.format("%s\r\n", mkill))
if not status then
if response ~= ERROR_MESSAGES["EOF"] then
return status, ret
else
killed = true
end
else
-- if not killed then abort the last authentication
smtp_request(socket, "*\r\n")
end
return true, killed
end
local auth_tests = "" local auth_tests = ""
for mech in pairs(auth_mech_list) do for mech in pairs(auth_mech_list) do
for mkill in pairs(AUTH_VULN[mech].killby) do for mkill in pairs(AUTH_VULN[mech].killby) do
@@ -370,9 +234,13 @@ function check_cve_2011_1720(smtp)
end end
action = function(host, port) action = function(host, port)
local smtp_opts = { host = host, port = port } local smtp_opts = {
smtp_opts.domain = get_domain(host) host = host,
local status, output = check_cve_2011_1720(smtp_opts) port = port,
domain = stdnse.get_script_args('smtp-vuln-cve2011-1720.domain') or
smtp.get_domain(host),
}
local status, output = check_smtpd(smtp_opts)
if not status then if not status then
stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, output) stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, output)
return nil return nil