Nmap Development mailing list archives

[NSE][BUG] smtp-enum-users fails against e.g. Metasploitable 2


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 06 Aug 2012 18:02:20 -0500

List,

This bug was reported via IRC by LeeRock. It seems that when given a target specification of an IP address, smtp-enum-users chooses the domain "nmap.scanme.org" (via smtp.get_domain()) to enumerate via the RCPT TO method, resulting in a failure ("Relay access denied" from postfix on Metasploitable 2). LeeRock pointed out that Metasploit's own auxiliary/scanner/smtp/smtp_enum module correctly enumerates the users. It does this by enumerating bare usernames (e.g. "RCPT TO: root") instead of the RFC 2821-required Forward-Path (e.g. "RCPT TO:<username () domain com>"). I see 2 possible bugs to fix:

1. smtp.get_domain() should offer as a second fallback (after script-arg smtp.domain and before host.targetname) parsing the domain from the responses to various commands (the 220 banner, the 250 responses to EHLO, etc).

2. smtp-enum-users should use the most likely way of enumerating users. I do not necessarily think this is the way Metasploit does it, since it does not seem to be RFC-compliant, and I know it is rejected by at least one real mail server I tried. Perhaps a better failure heuristic could be applied to use the most likely approach? Further complicating the situation, the host "mail.example.com" may relay mail for mail.example.com, example.com, or simply "mail". Metasploitable reports its domain as "metasploitable.localdomain", and accepts mail for "metasploitable.localdomain" and "localhost", but not "metasploitable" or "localdomain".

Whatever approach is taken, it should be tested against a variety of mail servers and configurations.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
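The first proposed fix, the domain fallback order for smtp.get_domain(), sketched as a standalone Python illustration (added here; this is not the nselib code). The 220 banner and EHLO reply strings are constructed samples modelled on the Postfix replies the report describes, and the function and parameter names are my own.

```python
import re

# Constructed sample responses (not captured from a real host), shaped like
# the Postfix replies the report describes for Metasploitable 2.
BANNER_220 = "220 metasploitable.localdomain ESMTP Postfix (Ubuntu)"
EHLO_250 = [
    "250-metasploitable.localdomain",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250 8BITMIME",
]

# A hostname is dot-separated labels of alphanumerics and hyphens. Requiring
# at least one dot keeps a bare word such as "ESMTP" or "mail" from being
# mistaken for a domain the server would accept mail for.
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+$")


def domain_from_banner(banner):
    """Return the hostname announced in a 220 greeting, or None."""
    parts = banner.split()
    if len(parts) >= 2 and parts[0] == "220" and HOSTNAME_RE.match(parts[1]):
        return parts[1]
    return None


def domain_from_ehlo(lines):
    """Return the hostname from the first 250 line of an EHLO reply, or None."""
    if not lines:
        return None
    m = re.match(r"^250[ -](\S+)", lines[0])
    if m and HOSTNAME_RE.match(m.group(1)):
        return m.group(1)
    return None


def get_domain(script_arg=None, banner=None, ehlo_lines=None, targetname=None,
               default="nmap.scanme.org"):
    """Fallback order from the report: the smtp.domain script-arg first, then
    a domain parsed from server responses, then the target name, and only
    then the hard-coded default that caused the "Relay access denied"."""
    for candidate in (script_arg,
                      domain_from_banner(banner or ""),
                      domain_from_ehlo(ehlo_lines or []),
                      targetname):
        if candidate:
            return candidate
    return default
```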