Nmap Development mailing list archives

Re: smtp-enum-users.nse


From: Duarte Silva <duartejcsilva () gmail com>
Date: Sun, 14 Mar 2010 11:15:23 +0000

The script had to change a bit. I think it will need some more testing
but from my tests the functionality of the script isn't affected. The
user can now specify a list of methods to try.

--script-args smtp-enum-users.method={RCPT,EXPN}

On Sat, Mar 13, 2010 at 4:06 AM, David Fifield <david () bamsoftware com> wrote:
On Sun, Mar 07, 2010 at 06:43:39PM +0000, Duarte Silva wrote:
I also finished the smtp-enum-users.nse script (for more info read the
description in the script). Patches in the attachments as usual.

I think this is a good script and it's gotten good feedback so far. I've
committed it. Here are some ideas I have to improve it. What do you
think?

Here is how the method selection works:

if type(method) == "string" then
       if string.find(method, "^VRFY$", 0) then
               ignore_vrfy, ignore_expn, ignore_rcpt = false, true, true
       elseif string.find(method, "^EXPN$", 0) then
               ignore_vrfy, ignore_expn, ignore_rcpt = true, false, true
       elseif string.find(method, "^RCPT$", 0) then
               ignore_vrfy, ignore_expn, ignore_rcpt = true, true, false
       end
end

Instead of setting ignore_* variables with reverse logic, how about
having a variable methods = {"VRFY", "EXPN", "RCPT"}, and a
current_method variable? Then your script argument could actually be an
array of methods to try, and the rest of the logic would be easier to
understand. I think this structure is complicated:

while username do
       if ignore_vrfy and ignore_expn and (not ignore_rcpt) then
               -- Do RCPT.
       else
               if not ignore_vrfy then
                       -- Do VRFY. Set ignore_vrfy = false if not implemented.
               elseif not ignore_expn then
                       -- Do EXPN. Set ignore_expn = false if not implemented.
               else
                       break
               end
       end
end

It tries VRFY, EXPN, and RCPT in order, so the code should reflect that.
(But see below for a different proposed order.) Probably the code that
checks one username with each method should be broken out into
functions.

My mail server returns "252 Administrative prohibition" for VRFY. The
script doesn't detect this as VRFY not working, so it never moves on to
RCPT (which works). The script works if I use --script-args
smtp-enum-users.method=RCPT.

What do you think about making RCPT the first method tried? It seems to
be the most effective all around.

David Fifield

Attachment: smtp-enum-users.patch
Description:
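The ordered-method fallback David proposes above (a list of methods, RCPT first, with a method dropped as soon as the server answers with something like "252 Administrative prohibition"), written out as an added Python illustration rather than the script's own Lua; the canned `fake_server` responder, the `example.com` domain and the reply-code table are constructed assumptions for running it offline:

```python
import re

# Order to try: RCPT first, as David suggests above, then VRFY, then EXPN.
DEFAULT_METHODS = ("RCPT", "VRFY", "EXPN")
# Replies meaning the method will never give a usable answer on this server
# (RFC 5321: 252 cannot verify, 500/502 not implemented, 503 bad sequence).
UNUSABLE_CODES = {252, 500, 502, 503}

def parse_methods(arg):
    """Normalise the script-arg value: a single name or a list of names."""
    names = [arg] if isinstance(arg, str) else list(arg)
    methods = [n.strip().upper() for n in names]
    unknown = [m for m in methods if m not in DEFAULT_METHODS]
    if unknown:
        raise ValueError("unknown method(s): %s" % ", ".join(unknown))
    return methods

def build_command(method, user, domain="example.com"):
    """One probe command per method (RCPT assumes MAIL FROM was already sent)."""
    if method == "RCPT":
        return "RCPT TO:<%s@%s>" % (user, domain)
    return "%s %s" % (method, user)   # VRFY or EXPN

def enumerate_users(send, users, methods=DEFAULT_METHODS):
    """Try methods in order; drop a method on its first 'unusable' reply.
    `send` takes a command string and returns the server's reply line.
    Returns (method_that_worked, [users it confirmed]) or (None, [])."""
    for method in methods:
        confirmed, usable = [], True
        for user in users:
            code = int(send(build_command(method, user))[:3])
            if code in UNUSABLE_CODES:
                usable = False      # e.g. "252 Administrative prohibition"
                break
            if code in (250, 251):  # user exists / will be forwarded
                confirmed.append(user)
        if usable:
            return method, confirmed
    return None, []

def fake_server(valid_users, disabled):
    """Constructed stand-in for an MTA: `disabled` maps verb -> canned refusal."""
    def send(cmd):
        verb, arg = cmd.split(" ", 1)
        if verb in disabled:
            return disabled[verb]
        user = re.search(r"[A-Za-z0-9._-]+(?=@|>|$)", arg).group(0)
        return "250 OK" if user in valid_users else "550 No such user"
    return send
```

Because each method is tried in turn and abandoned on a refusal code, a server that prohibits VRFY no longer stalls the loop; the defender-side takeaway is that only refusing all three verbs (or rate-limiting RCPT) actually stops the enumeration.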

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/