[NSE] SMTP Open Relay Script
From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Wed, 23 Aug 2006 11:52:31 -0300
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Attached is a simple, yet functional, and probably enhanceable, NSE script that tests an SMTP server to see if it allows relaying. Seems to work here :P - -- Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar Consultor en Seguridad Informatica - http://www.buanzo.com.ar http://www.vivamoslavida.com.ar - Portal no-comercial del buen vivir! for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE7GuvAlpOsGhXcE0RAlENAJ4rxuzEdI81oAdT47pjp9iXEn/vlwCffVkJ kSbBypaTjaOMHRQrC0HQAHw= =iP6P -----END PGP SIGNATURE-----
-- Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- See Nmap's COPYING file for licence details
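-- Script metadata read by the NSE engine. `tags` is the category field of
-- the engine this script was written against; `categories` is the name used
-- by current NSE, so both are set and the script loads under either.
id = "Open Relay SMTP"
description = "Checks to see if a SMTP server is an open relay"
tags = { "intrusive" }
categories = { "intrusive" }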
--- Decide whether the script runs against a port.
-- Matches TCP port 25 and any TCP port whose service was identified as smtp.
-- @param host unused
-- @param port table with the fields number, service and protocol
-- @treturn boolean
portrule = function(host, port)
  local looks_like_smtp = port.number == 25 or port.service == "smtp"
  return looks_like_smtp and port.protocol == "tcp"
end
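-- SMTP lines end in CRLF (RFC 5321 section 2.3.8); the original sent a bare
-- "\n", which strict servers reject.
local CRLF = "\r\n"

--- Relay probes as (MAIL FROM, RCPT TO) address pairs, in the original order.
-- "$IP" expands to the target's bracketed address literal and "$NAME" to the
-- host name the server announced in its HELO reply; probes that need "$NAME"
-- are skipped when no name could be learned. The mailing-list archive had
-- mangled "@" and "." in these addresses ("x () y z"); they are restored here.
local PROBES = {
  { "spamtest@insecure.org", "relaytest@insecure.org" },
  { "",                      "relaytest@insecure.org" }, -- null sender
  { "spamtest@$IP",          "relaytest@insecure.org" },
  { "spamtest@$NAME",        "relaytest@insecure.org" },
  { "spamtest@$IP",          "relaytest%insecure.org@$IP" },
  { "spamtest@$IP",          "relaytest%insecure.org@$NAME" },
  { "spamtest@$IP",          '"relaytest@insecure.org"' },
  { "spamtest@$IP",          '"relaytest%insecure.org"' },
  { "spamtest@$IP",          "relaytest@insecure.org@$IP" },
  { "spamtest@$IP",          '"relaytest@insecure.org"@$IP' },
  { "spamtest@$IP",          "relaytest@insecure.org@$NAME" },
  { "spamtest@$IP",          "@$IP:relaytest@insecure.org" },
  { "spamtest@$IP",          "@$NAME:relaytest@insecure.org" },
  { "spamtest@$IP",          "insecure.org!relaytest" },
  { "spamtest@$IP",          "insecure.org!relaytest@$IP" },
  { "spamtest@$IP",          "insecure.org!relaytest@$NAME" },
}

--- Substitute "$IP" / "$NAME" placeholders in a probe template.
-- @tparam string template
-- @tparam table subst map from placeholder name to replacement
-- @treturn string
local function expand(template, subst)
  -- table replacement: an unknown key leaves the placeholder untouched
  return (string.gsub(template, "%$(%u+)", subst))
end

--- True when the last line of a reply chunk is a continuation line
-- ("250-text"), i.e. the server has more reply lines to send (RFC 5321 4.2.1).
-- @tparam string reply
-- @treturn boolean
local function is_continuation(reply)
  local last
  for line in string.gmatch(reply, "[^\r\n]+") do
    last = line
  end
  return last ~= nil and string.match(last, "^%d%d%d%-") ~= nil
end

--- Read one complete SMTP reply, following multi-line continuations instead
-- of waiting for a receive timeout to find the end.
-- @param socket connected nmap socket
-- @return true and the reply text, or false and the error string
local function read_reply(socket)
  local status, chunk = socket:receive_lines(1)
  if not status then
    return status, chunk
  end
  local parts = { chunk }
  while is_continuation(parts[#parts]) do
    status, chunk = socket:receive_lines(1)
    if not status then
      return status, chunk
    end
    parts[#parts + 1] = chunk
  end
  return true, table.concat(parts)
end

--- Send one command line and read the server's reply.
-- @param socket connected nmap socket
-- @tparam string line command without line terminator
-- @return status, reply as from read_reply
local function command(socket, line)
  socket:send(line .. CRLF)
  return read_reply(socket)
end

--- True when a reply was received and carries a 250 status code.
local function replied_ok(status, reply)
  return status and string.match(reply, "^250") ~= nil
end

--- Probe the server for open relaying.
-- Greets the server with HELO, then for every probe pair issues RSET,
-- MAIL FROM and RCPT TO; a 250 to RCPT TO means the envelope was accepted.
-- DATA is never sent, so no message is actually relayed.
-- @param host NSE host table (host.ip, host.name are read)
-- @param port NSE port table (port.number, port.protocol are read)
-- @treturn string|nil "OPEN RELAY found (...)" naming the accepted pair, or
--   nil when no probe was accepted or the session failed
action = function(host, port)
  local socket = nmap.new_socket()

  -- Ends the session: best-effort QUIT, close, and pass the output through.
  local function finish(output)
    socket:send("QUIT" .. CRLF)
    socket:close()
    return output
  end

  local connected = socket:connect(host.ip, port.number, port.protocol)
  if not connected then
    return nil -- nothing was opened, so nothing to close
  end

  -- Greeting: anything but 220 means the server is not accepting commands.
  local status, reply = read_reply(socket)
  if not status or not string.match(reply, "^220") then
    return finish()
  end

  status, reply = command(socket, "HELO www.insecure.org")
  if not replied_ok(status, reply) then
    return finish()
  end

  -- "250 mail.example.com ..." -> "mail.example.com". Host names may contain
  -- hyphens, so the class is wider than the original "[.%w]+"; a reply with
  -- no parsable name used to crash string.sub with a nil index.
  local mailservername = string.match(reply, "^250[ %-]([%w.%-]+)")
  if not mailservername and host.name and host.name ~= "" then
    mailservername = host.name
  end
  local have_name = mailservername ~= nil

  local subst = { IP = "[" .. host.ip .. "]", NAME = mailservername }
  local tests = {}
  for _, probe in ipairs(PROBES) do
    local needs_name = string.find(probe[1] .. probe[2], "$NAME", 1, true) ~= nil
    if have_name or not needs_name then
      tests[#tests + 1] = {
        f = "MAIL FROM:<" .. expand(probe[1], subst) .. ">",
        t = "RCPT TO:<" .. expand(probe[2], subst) .. ">",
      }
    end
  end

  for _, probe in ipairs(tests) do
    -- RSET clears any envelope state left by the previous pair (RFC 5321 4.1.1.5).
    status, reply = command(socket, "RSET")
    if not replied_ok(status, reply) then
      return finish()
    end
    status, reply = command(socket, probe.f)
    if replied_ok(status, reply) then
      status, reply = command(socket, probe.t)
      if replied_ok(status, reply) then
        -- Naming the accepted pair tells the operator which relay rule to fix.
        return finish("OPEN RELAY found (" .. probe.f .. " -> " .. probe.t .. ")")
      end
    end
  end
  return finish()
end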
