Nmap Development mailing list archives
[NSE] SMTP Open Relay Script
From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Wed, 23 Aug 2006 11:52:31 -0300
Attached is a simple, yet functional, and probably enhanceable, NSE script that tests an SMTP server to see if it allows relaying. Seems to work here :P

--
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Information Security Consultant - http://www.buanzo.com.ar
http://www.vivamoslavida.com.ar - Non-commercial portal of good living!
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- See Nmap's COPYING file for licence details

id = "Open Relay SMTP"
description = "Checks to see if a SMTP server is an open relay"
tags = {"intrusive"}

portrule = function(host, port)
  return (port.number == 25 or port.service == "smtp") and port.protocol == "tcp"
end

action = function(host, port)
  local socket = nmap.new_socket()
  local status, result

  status = socket:connect(host.ip, port.number, port.protocol)
  if not status then
    return
  end

  -- read the greeting banner; give up on timeout or any other socket error
  status, result = socket:receive_lines(1)
  if not status then
    socket:close()
    return
  end

  -- Introduce ourselves... (SMTP lines are terminated by CRLF)
  socket:send("HELO www.insecure.org\r\n")
  status, result = socket:receive_lines(1)
  -- close socket and return if the SMTP status code is != 250
  if not status or not string.match(result, "^250") then
    socket:close()
    return
  end

  -- the server's own name follows the 250 code; hostnames may contain hyphens
  local mailservername = string.match(result, "^250[ -]([%w.-]+)")
  if not mailservername then
    socket:close()
    return
  end

  -- read the rest of the response, if any (the loop ends on timeout)
  while true do
    status, result = socket:receive_lines(1)
    if not status then break end
  end

  -- Now that we have the mailservername, fill in the tor table: each entry is one
  -- MAIL FROM / RCPT TO pair using a different addressing form (plain, null sender,
  -- IP literal, percent hack, quoted local part, extra @, source route, bang path)
  local from_ip = "MAIL FROM:<spamtest@[" .. host.ip .. "]>"
  local tor = {
    {f = "MAIL FROM:<spamtest@insecure.org>",                t = "RCPT TO:<relaytest@insecure.org>"},
    {f = "MAIL FROM:<>",                                      t = "RCPT TO:<relaytest@insecure.org>"},
    {f = from_ip,                                             t = "RCPT TO:<relaytest@insecure.org>"},
    {f = "MAIL FROM:<spamtest@" .. mailservername .. ">",     t = "RCPT TO:<relaytest@insecure.org>"},
    {f = from_ip, t = "RCPT TO:<relaytest%insecure.org@[" .. host.ip .. "]>"},
    {f = from_ip, t = "RCPT TO:<relaytest%insecure.org@" .. mailservername .. ">"},
    {f = from_ip, t = "RCPT TO:<\"relaytest@insecure.org\">"},
    {f = from_ip, t = "RCPT TO:<\"relaytest%insecure.org\">"},
    {f = from_ip, t = "RCPT TO:<relaytest@insecure.org@[" .. host.ip .. "]>"},
    {f = from_ip, t = "RCPT TO:<\"relaytest@insecure.org\"@[" .. host.ip .. "]>"},
    {f = from_ip, t = "RCPT TO:<relaytest@insecure.org@" .. mailservername .. ">"},
    {f = from_ip, t = "RCPT TO:<@[" .. host.ip .. "]:relaytest@insecure.org>"},
    {f = from_ip, t = "RCPT TO:<@" .. mailservername .. ":relaytest@insecure.org>"},
    {f = from_ip, t = "RCPT TO:<insecure.org!relaytest>"},
    {f = from_ip, t = "RCPT TO:<insecure.org!relaytest@[" .. host.ip .. "]>"},
    {f = from_ip, t = "RCPT TO:<insecure.org!relaytest@" .. mailservername .. ">"},
  }

  for _, test in ipairs(tor) do
    -- for debugging, uncomment next line
    -- print(test.f .. " -> " .. test.t)

    -- first, issue a RSET so every attempt starts with a clean envelope
    socket:send("RSET\r\n")
    status, result = socket:receive_lines(1)
    if not status or not string.match(result, "^250") then
      socket:close()
      return
    end

    -- send MAIL FROM....
    socket:send(test.f .. "\r\n")
    status, result = socket:receive_lines(1)
    if status and string.match(result, "^250") then
      -- if we get a 250, then continue with RCPT TO:
      socket:send(test.t .. "\r\n")
      status, result = socket:receive_lines(1)
      if status and string.match(result, "^250") then
        socket:send("QUIT\r\n")
        socket:close()
        return "OPEN RELAY found (" .. test.f .. " / " .. test.t .. ")"
      end
    end
  end

  socket:send("QUIT\r\n")
  socket:close()
  return
end
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
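The recipient forms the script sends are the classic relay-bypass spellings (percent hack, source route, bang path, quoted local part, a second @). As an added example that is not part of the original post or of Nmap, the Python below is the accept/reject policy a receiving MTA should apply so that every one of those forms is refused and only plain user@local-domain is delivered. The local domain, IP literal and probe targets are constructed values, and a real MTA would additionally consult the client's address and authentication state.

```python
import re

# Constructed values: the domain and IP literal this MTA delivers for locally.
LOCAL_DOMAINS = {"mail.example.test"}
LOCAL_IPS = {"192.0.2.10"}

def relay_decision(rcpt_arg):
    """Return (accept, reason) for one 'RCPT TO:<...>' argument."""
    m = re.match(r"^\s*RCPT\s+TO:\s*<(.*)>\s*$", rcpt_arg, re.IGNORECASE)
    if not m:
        return False, "malformed RCPT TO"
    addr = m.group(1)
    if addr.startswith("@"):                      # <@host:user@domain>
        return False, "source route"
    if addr.startswith('"'):                      # quoted local part, optional @domain
        end = addr.find('"', 1)
        if end < 0 or (addr[end + 1:] and addr[end + 1] != "@"):
            return False, "malformed quoted local part"
        local, domain = addr[1:end], addr[end + 2:]
    elif "@" in addr:
        local, domain = addr.rsplit("@", 1)        # split at the LAST @
    else:
        local, domain = addr, ""                  # bare local part or bang path
    if any(c in local for c in "@%!"):            # extra @, percent hack, bang path
        return False, "routing characters in local part"
    if domain.startswith("[") and domain.endswith("]"):
        is_local = domain[1:-1] in LOCAL_IPS
    else:
        is_local = domain.lower() in LOCAL_DOMAINS
    if not is_local:
        return False, "destination not local"
    return True, "local delivery"

# The recipient spellings the script above sends, with constructed target name/IP.
PROBE_RCPTS = [
    "RCPT TO:<relaytest@insecure.org>",
    "RCPT TO:<relaytest%insecure.org@[192.0.2.10]>",
    "RCPT TO:<relaytest%insecure.org@mail.example.test>",
    'RCPT TO:<"relaytest@insecure.org">',
    'RCPT TO:<"relaytest%insecure.org">',
    "RCPT TO:<relaytest@insecure.org@[192.0.2.10]>",
    'RCPT TO:<"relaytest@insecure.org"@[192.0.2.10]>',
    "RCPT TO:<@mail.example.test:relaytest@insecure.org>",
    "RCPT TO:<insecure.org!relaytest>",
]

def rejected_probes():
    """Probe forms the policy refuses; a correct policy refuses every one of them."""
    return [p for p in PROBE_RCPTS if not relay_decision(p)[0]]
```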
Current thread:
- [NSE] SMTP Open Relay Script Arturo 'Buanzo' Busleiman (Aug 23)
- Re: [NSE] SMTP Open Relay Script Diman Todorov (Sep 09)
- Re: [NSE] SMTP Open Relay Script Arturo 'Buanzo' Busleiman (Sep 09)
- Re: [NSE] SMTP Open Relay Script Arturo 'Buanzo' Busleiman (Sep 09)
- [NSE] I'm working on...... Arturo 'Buanzo' Busleiman (Sep 10)
- Re: [NSE] SMTP Open Relay Script Diman Todorov (Sep 09)