PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 13:11:28 +00:00
Code Issues Projects Releases Wiki Activity
Files
2a5750baef91f5ebc837ea20c912341b3d46c44c
nmap/scripts/smtp-open-relay.nse
david 6fbc8868a9 Rename scripts (almost all of them) to make their names more consistent and 
make them look better in output. The full list of changes is
  anonFTP => ftp-anon
  ASN => asn-query
  brutePOP3 => pop3-brute
  bruteTelnet => telnet-brute
  daytimeTest => daytime
  dns-safe-recursion-port => dns-random-srcport
  dns-safe-recursion-txid => dns-random-txid
  dns-test-open-recursion => dns-recursion
  ftpbounce => ftp-bounce
  HTTPAuth => http-auth
  HTTP_open_proxy => http-open-proxy
  HTTPpasswd => http-passwd
  HTTPtrace => http-trace
  iax2Detect => iax2-version
  ircServerInfo => irc-info
  ircZombieTest => irc-zombie
  MSSQLm => ms-sql-info
  MySQLinfo => mysql-info
  popcapa => pop3-capabilities
  PPTPversion => pptp-version
  promiscuous => sniffer-detect
  RealVNC_auth_bypass => realvnc-auth-bypass
  robots => robots.txt
  showHTMLTitle => html-title
  showOwner => identd-owners
  skype_v2-version => skypev2-version
  smb-enumdomains => smb-enum-domains
  smb-enumsessions => smb-enum-sessions
  smb-enumshares => smb-enum-shares
  smb-enumusers => smb-enum-users
  smb-serverstats => smb-server-stats
  smb-systeminfo => smb-system-info
  SMTPcommands => smtp-commands
  SMTP_openrelay_test => smtp-open-relay
  SNMPcommunitybrute => snmp-brute
  SNMPsysdescr => snmp-sysdescr
  SQLInject => sql-injection
  SSH-hostkey => ssh-hostkey
  SSHv1-support => sshv1
  SSLv2-support => sslv2
  strangeSMTPport => smtp-strangeport
  UPnP-info => upnp-info
  xamppDefaultPass => xampp-default-auth
  zoneTrans => zone-transfer
2008-11-06 02:52:59 +00:00

117 lines
4.3 KiB
Lua
Raw Blame History

description = [[
Checks if an SMTP server is an open relay.
]]
-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- Same as Nmap--See http://nmap.org/book/man-legal.html file for licence details
-- This is version 20070516.
-- Changelog:
-- * I changed it to the "demo" category until we figure out what
-- to do about using real hostnames. -Fyodor
-- + Added some strings to return in different places.
-- * Changed "HELO www.[ourdomain]" to "EHLO [ourdomain]".
-- * Fixed some API differences
-- * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user.
-- * Fixed tags -> categories (reported by Jason DePriest to nmap-dev)
categories = {"demo"}
require "shortport"
ourdomain="scanme.org"
portrule = shortport.port_or_service(25, "smtp")
action = function(host, port)
local socket = nmap.new_socket()
local result
local status = true
local mailservername
local tor = {}
local i
socket:set_timeout(10000);
socket:connect(host.ip, port.number, port.protocol)
status, result = socket:receive_lines(1)
if (result == "TIMEOUT") then
socket:close()
return "Timeout. Try incresing settimeout, or enhance this."
end
-- Introduce ourselves...
socket:send("EHLO "..ourdomain.."\r\n")
status, result = socket:receive_lines(1)
-- close socket and return if there's an smtp status code != 250
if not string.match(result, "^250") then
socket:close()
return "EHLO with errors or timeout. Enable --script-trace to see what is happening."
end
mailservername = string.sub(result, string.find(result, '([.%w]+)',4))
-- read the rest of the response, if any
while true do
status, result = socket:receive_lines(1)
if not status then
break
end
end
-- Now that we have the mailservername, fill in the tor table
tor[0] = {f = "MAIL FROM:<spamtest@"..ourdomain..">",t="RCPT TO:<relaytest@"..ourdomain..">"}
tor[1] = {f = "MAIL FROM:<>",t="RCPT TO:<relaytest@"..ourdomain..">"}
tor[2] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@"..ourdomain..">"}
tor[3] = {f = "MAIL FROM:<spamtest@" .. mailservername .. ">",t="RCPT TO:<relaytest@"..ourdomain..">"}
tor[4] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest%"..ourdomain.."@[" .. host.ip .. "]>"}
tor[5] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest%"..ourdomain.."@" .. mailservername .. ">"}
tor[6] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest@"..ourdomain.."\">"}
tor[7] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest%"..ourdomain.."\">"}
tor[8] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@"..ourdomain.."@[" .. host.ip .. "]>"}
tor[9] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest@"..ourdomain.."\"@[" .. host.ip .. "]>"}
tor[10] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@"..ourdomain.."@" .. mailservername .. ">"}
tor[11] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<@[" .. host.ip .. "]:relaytest@"..ourdomain..">"}
tor[12] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<@" .. mailservername .. ":relaytest@"..ourdomain..">"}
tor[13] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<"..ourdomain.."!relaytest>"}
tor[14] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<"..ourdomain.."!relaytest@[" .. host.ip .. "]>"}
tor[15] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<"..ourdomain.."!relaytest@" .. mailservername .. ">"}
i = -1
while true do
i = i+1
if i > table.getn(tor) then break end
-- for debugging, uncomment next line
-- print (tor[i]["f"] .. " -> " .. tor[i]["t"])
-- first, issue a RSET
socket:send("RSET\r\n")
status, result = socket:receive_lines(1)
if not string.match(result, "^250") then
socket:close()
return
end
-- send MAIL FROM....
socket:send(tor[i]["f"].."\r\n")
status, result = socket:receive_lines(1)
if string.match(result, "^250") then
-- if we get a 250, then continue with RCPT TO:
socket:send(tor[i]["t"].."\r\n")
status, result = socket:receive_lines(1)
if string.match(result, "^250") then
socket:close()
return "OPEN RELAY found."
end
end
end
socket:close()
return
end
Reference in New Issue View Git Blame Copy Permalink