Nmap Development mailing list archives

smtp-enum-users.nse


From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Mar 2010 21:06:26 -0700

On Sun, Mar 07, 2010 at 06:43:39PM +0000, Duarte Silva wrote:
> I also finished the smtp-enum-users.nse script (for more info read the
> description in the script). Patches in the attachments as usual.

I think this is a good script and it's gotten good feedback so far. I've
committed it. Here are some ideas I have to improve it. What do you
think?

Here is how the method selection works:

if type(method) == "string" then
        if string.find(method, "^VRFY$", 0) then
                ignore_vrfy, ignore_expn, ignore_rcpt = false, true, true
        elseif string.find(method, "^EXPN$", 0) then
                ignore_vrfy, ignore_expn, ignore_rcpt = true, false, true
        elseif string.find(method, "^RCPT$", 0) then
                ignore_vrfy, ignore_expn, ignore_rcpt = true, true, false
        end
end

Instead of setting ignore_* variables with reverse logic, how about
having a variable methods = {"VRFY", "EXPN", "RCPT"}, and a
current_method variable? Then your script argument could actually be an
array of methods to try, and the rest of the logic would be easier to
understand. I think this structure is complicated:

while username do
        if ignore_vrfy and ignore_expn and (not ignore_rcpt) then
                -- Do RCPT.
        else
                if not ignore_vrfy then
                        -- Do VRFY. Set ignore_vrfy = true if not implemented.
                elseif not ignore_expn then
                        -- Do EXPN. Set ignore_expn = true if not implemented.
                else
                        break
                end
        end
end

It tries VRFY, EXPN, and RCPT in order, so the code should reflect that.
(But see below for a different proposed order.) Probably the code that
checks one username with each method should be broken out into
functions.

My mail server returns "252 Administrative prohibition" for VRFY. The
script doesn't detect this as VRFY not working, so it never moves on to
RCPT (which works). The script works if I use --script-args
smtp-enum-users.method=RCPT.

What do you think about making RCPT the first method tried? It seems to
be the most effective all around.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
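The structure proposed in the message above, written out as an added example. This is not the smtp-enum-users.nse code or David's patch; it is plain Lua with the SMTP socket replaced by a constructed table of canned replies, so it runs stand-alone without the nmap/NSE libraries. The function names (send_command, classify, parse_methods, enumerate) and the canned replies are assumptions for illustration; the reply codes are the standard SMTP ones and the 252 case is the one reported in the thread.

```lua
-- Added example, not the smtp-enum-users.nse code or David's patch: the
-- "methods list + current method" structure proposed in the thread, for
-- plain Lua. Network I/O is replaced by a constructed table of canned
-- SMTP replies so it runs stand-alone without the nmap/NSE libraries.

-- Constructed replies: VRFY answers 252 (the "Administrative prohibition"
-- case from the thread), EXPN is not implemented, RCPT tells users apart.
local canned = {
  VRFY = function(user) return "252 Administrative prohibition" end,
  EXPN = function(user) return "502 Command not implemented" end,
  RCPT = function(user)
    if user == "alice" then return "250 OK" end
    return "550 No such user here"
  end,
}

-- Stand-in for sending the command over the SMTP socket (hypothetical).
local function send_command(method, user)
  return canned[method](user)
end

-- Turn a reply line into one of three outcomes. The point from the
-- thread: 252 means "cannot verify" and must count as the method not
-- working, not as a hit, otherwise the loop never moves on to RCPT.
local function classify(reply)
  local code = tonumber(reply:match("^(%d%d%d)") or "")
  if code == 250 or code == 251 then return "found" end
  if code == 550 or code == 551 or code == 553 then return "not_found" end
  return "unsupported"   -- 252, 500/502/503, 4xx, or a malformed line
end

-- Parse the script argument as an array of methods, e.g. "RCPT,VRFY",
-- instead of matching one string against "^VRFY$" and friends.
local valid = { VRFY = true, EXPN = true, RCPT = true }
local function parse_methods(arg_value, default)
  if not arg_value then return default end
  local methods = {}
  for name in tostring(arg_value):gmatch("[^,%s]+") do
    name = name:upper()
    if not valid[name] then
      return nil, "unknown method: " .. name
    end
    methods[#methods + 1] = name
  end
  return methods
end

-- One ordered list of methods and an index into it replace the three
-- ignore_* flags with reverse logic. A method whose reply is
-- "unsupported" is dropped for the rest of the run and the same
-- username is retried with the next method in the list.
local function enumerate(methods, usernames)
  local current, results = 1, {}
  for _, user in ipairs(usernames) do
    local outcome
    while current <= #methods do
      outcome = classify(send_command(methods[current], user))
      if outcome ~= "unsupported" then break end
      current = current + 1
    end
    if current > #methods then
      return results, "no usable method"
    end
    results[user] = { method = methods[current], outcome = outcome }
  end
  return results
end

-- Default order as proposed in the thread: RCPT first. Run with
-- "VRFY,EXPN,RCPT" as the first command-line argument to watch the old
-- order fall through VRFY (252) and EXPN (502) before reaching RCPT.
local methods = assert(parse_methods(arg and arg[1], { "RCPT", "VRFY", "EXPN" }))
local results, err = enumerate(methods, { "alice", "bob" })
for _, user in ipairs({ "alice", "bob" }) do
  local r = results[user]
  print(user, r and r.method or "-", r and r.outcome or err)
end
```

With the canned replies either order ends up reporting both users through RCPT; the difference is only that the VRFY-first order spends two extra round trips on the first username before dropping those methods. Mapping 252 to "unsupported" rather than "found" is what makes the fall-through happen at all.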