Nmap Development mailing list archives

Re: User Enumeration Bug in smtp-enum-users.nse


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 20 Feb 2011 21:53:28 +0100


On Feb 20, 2011, at 07:21, Josh Amishav-Zlatin wrote:

There is a bug in the smtp-enum-users.nse script that forces the
script to stop enumerating over usernames when the first unknown user
is queried via the RCPT TO method. This is due to the script not
looking for the 550 "User Unknown" response in RCPT TO queries plus
having a catch-all "else" statement when examining the status codes.
The following patch fixes the bug:

61,62c61
<       INVALID = 4,
<       UNKNOWN = 5
---
     INVALID = 4
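Review bot: the diff is reversed and the right-hand lines have lost their `>` prefix: in the `61,62c61` hunk the `<` side carries the new `UNKNOWN = 5` entry while the unprefixed line after `---` is the original `INVALID = 4`, so `patch` cannot apply this as posted. Please regenerate it with `diff -u original.nse patched.nse` (or `svn diff` against the nmap tree) so the hunks read old-to-new with proper `-`/`+` lines and context.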
292,294d290
<       elseif string.match(response, "^550") then
<               -- 550 User Unknown
<               return STATUS_CODES.UNKNOWN
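Review bot: `string.match(response, "^550")` treats every 550 as "user unknown", but 550 is also what many servers return for policy or relay refusals, and the comment `-- 550 User Unknown` promises more than the pattern checks. Consider requiring the RFC 3463 enhanced code `5.1.1` or a "user unknown" / "no such user" phrase in the reply text before returning STATUS_CODES.UNKNOWN, and leaving any other 550 on the existing INVALID handling; otherwise a server that refuses the probe for an unrelated reason reports every name as non-existent.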
400c396
<                       elseif status == STATUS_CODES.INVALID then
---
                     else -- STATUS_CODES.INVALID
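Review bot: with the catch-all `else` turned into `elseif status == STATUS_CODES.INVALID then`, a status matching none of the branches (including the new STATUS_CODES.UNKNOWN, for which this hunk adds no branch) now falls straight through the if-chain. If that fall-through is what keeps the loop going on an unknown user, make it explicit with an `elseif status == STATUS_CODES.UNKNOWN then` branch and a comment, so that a future status value is not silently ignored in the same way.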

--
- Josh
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Thanks for the patch Josh! I've tested it and applied it as r22314.
For reference, it's the same bug that was previously reported, but not yet addressed, by Yehuda Eisenstark:
http://seclists.org/nmap-dev/2011/q1/511

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
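As an added example, not the NSE script and not code from either poster: a Python simulation of the RCPT TO loop Josh describes. It shows a reply classifier that separates a 550 "user unknown" from other 5xx refusals (using the RFC 3463 enhanced status code or the reply text), and an enumeration loop that records that result and carries on instead of stopping. The fake MTA, the reply strings and the phrase list are constructed assumptions so it runs offline; the canary probe for accept-everything servers goes beyond the thread.

```python
"""Added example (not smtp-enum-users.nse): RCPT TO enumeration that keeps
going past 'user unknown' replies and tells them apart from other 5xx codes.
The reply texts and the fake server below are constructed for the example."""
import re
import secrets

VALID, UNKNOWN_USER, REJECTED, AMBIGUOUS, TEMPFAIL = (
    "valid", "unknown_user", "rejected", "ambiguous", "tempfail")

# Phrases MTAs commonly use for a missing mailbox (assumed list, not exhaustive).
_UNKNOWN_TEXT = re.compile(
    r"user unknown|unknown user|no such user|no mailbox|does not exist|"
    r"unrouteable address", re.IGNORECASE)
# RFC 3463 enhanced status code, e.g. "5.1.1" (may sit inside "(#5.1.1)").
_ENHANCED = re.compile(r"\b(5\.\d{1,3}\.\d{1,3})\b")


def classify_rcpt_reply(reply: str) -> str:
    """Map one RCPT TO reply line to an enumeration result."""
    m = re.match(r"^(\d{3})(?:[ -](.*))?$", reply.strip())
    if not m:
        raise ValueError(f"malformed SMTP reply: {reply!r}")
    code, text = int(m.group(1)), m.group(2) or ""
    if code in (250, 251):
        return VALID
    if code == 252:              # "cannot VRFY, but will accept message"
        return AMBIGUOUS
    if 400 <= code < 500:
        return TEMPFAIL          # greylisting, rate limit, unverified address
    enh = _ENHANCED.search(text)
    if enh and enh.group(1).startswith("5.7."):
        return REJECTED          # policy/relay refusal, says nothing about the user
    if enh and enh.group(1) == "5.1.1":
        return UNKNOWN_USER      # "bad destination mailbox", whatever the 3-digit code
    if code == 550 and _UNKNOWN_TEXT.search(text):
        return UNKNOWN_USER
    # Bare 550/551/553/554 without a mailbox hint: the probe was refused, but
    # not provably because the account is missing.
    return REJECTED


def enumerate_users(send_rcpt, usernames, domain):
    """Probe each name with RCPT TO; never stop on an 'unknown user' reply.

    send_rcpt(address) -> reply line stands in for the SMTP connection.
    A random canary is probed first: if it is accepted, the server takes
    every recipient and a 250 carries no information.
    """
    canary = f"{secrets.token_hex(6)}@{domain}"
    if classify_rcpt_reply(send_rcpt(canary)) == VALID:
        return {"catch_all": True, "found": [], "results": {}}
    found, results = [], {}
    for user in usernames:
        status = classify_rcpt_reply(send_rcpt(f"{user}@{domain}"))
        results[user] = status
        if status == VALID:
            found.append(user)
        # UNKNOWN_USER, REJECTED, AMBIGUOUS, TEMPFAIL: record it and move on;
        # breaking out of the loop here is exactly the bug the patch fixes.
    return {"catch_all": False, "found": found, "results": results}


def make_fake_server(local_domain, mailboxes, accept_all=False):
    """Constructed stand-in for an MTA so the example runs offline."""
    def send_rcpt(address):
        local, _, dom = address.partition("@")
        if dom != local_domain:
            return f"554 5.7.1 <{address}>: Relay access denied"
        if accept_all or local in mailboxes:
            return "250 2.1.5 Ok"
        return f"550 5.1.1 <{address}>: Recipient address rejected: User unknown"
    return send_rcpt


if __name__ == "__main__":
    send = make_fake_server("example.test", {"alice", "bob"})
    print(enumerate_users(send, ["root", "alice", "nobody", "bob"], "example.test"))
```

Against a real server, `send_rcpt` would be a function that writes `RCPT TO:<address>` on an open session after HELO and MAIL FROM and returns the reply line; the classifier and the loop stay the same. Treating a bare 550 as "rejected" rather than "unknown user" is a deliberate choice: it avoids reporting every name as missing when the server is really refusing the probe itself.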
