Re: Bug in smtp-enum-users.nse

[Patrik Karlsson <patrik () cqure net>]

On Feb 10, 2011, at 21:44 , Yehuda Eisenstark wrote:

> I am a complete newbie at NSE, so this may be completely off but,
> the smtp-enum-users.nse script contains the following code:
>
>  elseif string.match(response, "^502") or string.match(response, "^252") or
> string.match(response, "^550") then
>                          -- The server doesn't implement the command or it
> is disallowed.
>                          return STATUS_CODES.NOTPERMITTED
>
> Many SMTP servers return a "550 User Unknown" in response to a "RCPT TO"
> request with an unknown user. The script starts enumerating users via "RCPT
> TO" but stops at the first "550 User Unknown" response and then tries using
> VRFY and EXPN for that user. The script never goes back to enumerating the
> rest of the users in the username file via "RCPT TO". If VRFY and EXPN don't
> work the script sends a QUIT and stops. Why is that?

I'm not sure, but it's most likely a bug as it shouldn't be a problem to enumerate users given that error message.
Also, I'm not sure why the script iterates over all available methods rather than sticking to one proven to work.
When I run it the script finds the root account using RCPT TO and the aborts on the next account (as it receives the 
550 error) after testing VRFY and EXPN to.

If you're up to submitting a patch for this I think it would be most welcome.

> Thanks,
> Y
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/