diff --git a/scripts/SMTP_openrelay_test.nse b/scripts/SMTP_openrelay_test.nse index a70f3ef5c..1b5493fc5 100644 --- a/scripts/SMTP_openrelay_test.nse +++ b/scripts/SMTP_openrelay_test.nse @@ -1,17 +1,21 @@ -- Arturo 'Buanzo' Busleiman / www.buanzo.com.ar / linux-consulting.buanzo.com.ar --- See Nmap'ss COPYING file for licence details --- This is version 20060927. +-- See Nmap's COPYING file for licence details +-- This is version 20070516. -- Changelog: + Added some strings to return in different places. -- * Changed "HELO www.insecure.org" to "EHLO insecure.org". +-- * Fixed some API differences +-- * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user. +-- * Fixed tags -> categories (reported by Jason DePriest to nmap-dev) id="Open Relay SMTP" description="Checks to see if a SMTP server is an open relay" -tags = {"intrusive"} +categories = {"intrusive"} + +ourdomain="insecure.org" portrule = function(host, port) if (port.number == 25 or port.service == "smtp") - and port.state == "open" and port.protocol == "tcp" then return true @@ -29,19 +33,19 @@ action = function(host, port) local tor = {} local i - local catch = function() + socket:set_timeout(10000); + socket:connect(host.ip, port.number, port.protocol) + + status, result = socket:receive_lines(1) + + if (result == "TIMEOUT") then socket:close() + return "Timeout. Try incresing settimeout, or enhance this." end - local try = nmap.new_try(catch) - - try(socket:connect(host.ip, port.number, port.protocol)) - - result = try(socket:receive_lines(1)) - -- Introduce ourselves... - try(socket:send("EHLO insecure.org\n")) - result = try(socket:receive_lines(1)) + socket:send("EHLO "..ourdomain.."\r\n") + status, result = socket:receive_lines(1) -- close socket and return if there's an smtp status code != 250 if not string.match(result, "^250") then 
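Review bot: `ourdomain="insecure.org"` is added as a bare global, and the new changelog line calls it "Settable by the user" although nothing in the hunk shows how a user would set it; the comment should say that it is changed by editing the script, or the sentence should wait until an argument mechanism exists. Writing it as `local ourdomain = "insecure.org"` keeps it out of the global namespace while leaving it visible to `portrule` and `action` further down the file. Dropping `and port.state == "open"` from `portrule` appears to be deliberate, but a one-line comment on why the state test is no longer needed would save the next reader from re-adding it.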
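Review bot: The failure check after `status, result = socket:receive_lines(1)` compares `result` with the literal "TIMEOUT" and never reads `status`, so any other receive failure leaves its error string in `result` and falls through to the `^250` match instead of taking the early return; `if not status then socket:close() return end` covers every failure the socket reports. The return value of `socket:connect(...)` on the line above is discarded in the same way, so a refused connection is only noticed indirectly by the later receive. The removed `nmap.new_try(catch)` wrapper closed the socket on any failed call; with the plain calls that cleanup now happens only on the explicit branches, which is worth a comment. The timeout message also has a typo: `"incresing"` should read `"increasing"`.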
@@ -61,22 +65,22 @@ action = function(host, port)
 end
 -- Now that we have the mailservername, fill in the tor table
- tor[0] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[1] = {f = "MAIL FROM:<>",t="RCPT TO:"}
- tor[2] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[3] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[4] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[5] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[6] = {f = "MAIL FROM:",t="RCPT TO:<\"relaytest@insecure.org\">"}
- tor[7] = {f = "MAIL FROM:",t="RCPT TO:<\"relaytest%insecure.org\">"}
- tor[8] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[9] = {f = "MAIL FROM:",t="RCPT TO:<\"relaytest@insecure.org\"@[" .. host.ip .. "]>"}
- tor[10] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[11] = {f = "MAIL FROM:",t="RCPT TO:<@[" .. host.ip .. "]:relaytest@insecure.org>"}
- tor[12] = {f = "MAIL FROM:",t="RCPT TO:<@" .. mailservername .. ":relaytest@insecure.org>"}
- tor[13] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[14] = {f = "MAIL FROM:",t="RCPT TO:"}
- tor[15] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[0] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[1] = {f = "MAIL FROM:<>",t="RCPT TO:"}
+ tor[2] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[3] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[4] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[5] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[6] = {f = "MAIL FROM:",t="RCPT TO:<\"relaytest@"..ourdomain.."\">"}
+ tor[7] = {f = "MAIL FROM:",t="RCPT TO:<\"relaytest%"..ourdomain.."\">"}
+ tor[8] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[9] = {f = "MAIL FROM:",t="RCPT TO:<\"relaytest@"..ourdomain.."\"@[" .. host.ip .. "]>"}
+ tor[10] = {f = "MAIL FROM:",t="RCPT TO:"}
+ tor[11] = {f = "MAIL FROM:",t="RCPT TO:<@[" .. host.ip .. "]:relaytest@"..ourdomain..">"}
+ tor[12] = {f = "MAIL FROM:",t="RCPT TO:<@" .. mailservername .. ":relaytest@"..ourdomain..">"}
+ tor[13] = {f = "MAIL FROM:",t="RCPT TO:<"..ourdomain.."!relaytest>"}
+ tor[14] = {f = "MAIL FROM:",t="RCPT TO:<"..ourdomain.."!relaytest@[" .. host.ip .. "]>"}
+ tor[15] = {f = "MAIL FROM:",t="RCPT TO:<"..ourdomain.."!relaytest@" .. mailservername .. ">"}
 i = -1
@@ -88,20 +92,20 @@ action = function(host, port)
 -- print (tor[i]["f"] .. " -> " .. tor[i]["t"])
 -- first, issue a RSET
- try(socket:send("RSET\n"))
- result = try(socket:receive_lines(1))
+ socket:send("RSET\r\n")
+ status, result = socket:receive_lines(1)
 if not string.match(result, "^250") then
 socket:close()
- return "RSET with errors. Enable --script-trace to see what is happening."
+ return
 end
 -- send MAIL FROM....
- try(socket:send(tor[i]["f"].."\n"))
- result = try(socket:receive_lines(1))
+ socket:send(tor[i]["f"].."\r\n")
+ status, result = socket:receive_lines(1)
 if string.match(result, "^250") then
 -- if we get a 250, then continue with RCPT TO:
- try(socket:send(tor[i]["t"].."\n"))
- result = try(socket:receive_lines(1))
+ socket:send(tor[i]["t"].."\r\n")
+ status, result = socket:receive_lines(1)
 if string.match(result, "^250") then
 socket:close()
 return "OPEN RELAY found."
@@ -110,5 +114,5 @@ action = function(host, port)
 end
 socket:close()
- return "Relaying denied."
+ return
 end