Nmap Development mailing list archives
nse script to gather Extended SMTP commands from EHLO request
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 12 Jun 2007 16:41:25 -0500
It's useful to me, hopefully someone else will be able to use it.

Results look like this:

Host host.domain.com (xx.xx.xx.xx) appears to be up ... good.
Interesting ports on host.domain.com (xx.xx.xx.xx):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Microsoft ESMTP 6.0.3790.1830
|  SMTP: Responded to EHLO command
|  host.domain.com Hello [xx.xx.xx.xx]
|  TURN
|  SIZE
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  X-EXPS GSSAPI NTLM LOGIN
|  X-EXPS=LOGIN
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  X-LINK2STATE
|_ XEXCH50
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 0.343 seconds
               Raw packets sent: 3 (112B) | Rcvd: 2 (92B)

[code]
-- SMTP supported commands gathering script
-- Version History
-- 1.0.0.0 - 2007-06-12
-- Cribbed heavily from Thomas Buchanan's SQL version detection
-- script and from Arturo 'Buanzo' Busleiman's SMTP open relay
-- detector script.

id = "SMTP"
description = "Attempts to use EHLO to gather the Extended commands an SMTP server supports."
author = "Jason DePriest <jrdepriest () gmail com>"
license = "See nmaps COPYING for licence"
categories = {"discovery", "intrusive"}

portrule = function(host, port)
    if (port.number == 25 or port.number == 587 or port.number == 465 or port.service == "smtp")
        and port.state == "open" and port.protocol == "tcp" then
        return true
    else
        return false
    end
end

action = function(host, port)
    local socket = nmap.new_socket()
    socket:set_timeout(5000)
    local result
    local commands
    local mailservername
    local status = true

    -- on any failure inside try(), close the socket before bailing out
    local catch = function()
        socket:close()
    end
    local try = nmap.new_try(catch)

    try(socket:connect(host.ip, port.number, port.protocol))
    -- read the server banner (220 ...) before sending EHLO
    result = try(socket:receive_lines(1))

    -- ASCII for "EHLO example.org\r\n"
    -- for some reason it wouldn't reply unless I did it like this
    local query = "\069\072\076\079\032\101\120\097"
    query = query .. "\109\112\108\101\046\111\114\103"
    query = query .. "\013\010"
    try(socket:send(query))
    result = try(socket:receive_lines(1))

    if not string.match(result, "^250") then
        -- method call syntax; socket.close() passes no self and errors
        socket:close()
        return "EHLO with errors or timeout. Enable --script-trace to see what is happening."
    end

    -- strip the closing "250 OK\r\n" line (needed to have the \r\n in there)
    result = string.gsub(result, "\050\053\048\032\079\075\013\010", "")
    -- strip the "250-" continuation prefixes
    result = string.gsub(result, "250%-", "")
    result = "Responded to EHLO command\n" .. result
    socket:close()
    return result
end
[/code]

It's also attached.

-Jason

--
NOTICE: This email is being sent in clear-text across the public Internet. Therefore, any attempts to include unenforceable legalese restrictions are ridiculous and pointless. If you can read this, consider yourself authorized (whether I like it or not).
Attachment:
SMTPcommands.nse
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
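The EHLO reply format the script above scrapes, as an added Python example that is not Jason's script and not part of Nmap. The script removes a final line reading exactly "250 OK" and the "250-" prefixes, which matches the Exchange output shown in the post; servers whose last line carries a keyword instead (for example "250 DSN") are left with a stray "250 " in that approach. The parser below follows the RFC 5321 reply syntax (continuation lines "250-", final line "250 "), so it handles both shapes, distinguishes a rejection from a success, and shows how to accumulate a reply that arrives in several chunks. All sample replies are constructed, not captured from any real host.

```python
"""Parse an SMTP EHLO reply into the extension keywords it advertises."""

# Constructed sample reply modelled on the Exchange-style output in the post:
# every keyword is on a "250-" line and the final line is "250 OK".
SAMPLE_EXCHANGE_REPLY = (
    "250-host.example.org Hello [192.0.2.10]\r\n"
    "250-TURN\r\n"
    "250-SIZE\r\n"
    "250-ETRN\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8bitmime\r\n"
    "250-BINARYMIME\r\n"
    "250-CHUNKING\r\n"
    "250-VRFY\r\n"
    "250-X-EXPS GSSAPI NTLM LOGIN\r\n"
    "250-X-EXPS=LOGIN\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250-X-LINK2STATE\r\n"
    "250-XEXCH50\r\n"
    "250 OK\r\n"
)

# Constructed sample in the other common shape: the final "250 " line carries
# a real keyword, which a plain "250 OK" substitution would not strip.
SAMPLE_POSTFIX_STYLE_REPLY = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)

# Constructed rejection: a single-line 5xx reply with no extensions.
SAMPLE_REJECT_REPLY = "501 Syntax: EHLO hostname\r\n"


def parse_ehlo_reply(raw):
    """
    Return (code, greeting, extensions) for a complete EHLO reply.

    extensions maps each advertised keyword (upper-cased) to its parameter
    string ('' when there is none). Both "250-" continuation lines and the
    final "250 " line carry content; only a bare "OK" terminator is dropped.
    """
    lines = [ln for ln in raw.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    if len(code) != 3 or not code.isdigit():
        raise ValueError("malformed reply line: %r" % lines[0])
    greeting = lines[0][4:]
    extensions = {}
    for ln in lines[1:]:
        # every line of a multi-line reply repeats the same code
        if ln[:3] != code or ln[3:4] not in ("-", " "):
            raise ValueError("inconsistent reply line: %r" % ln)
        text = ln[4:].strip()
        if text.upper() == "OK":  # Exchange-style terminator, not a keyword
            continue
        keyword, _, params = text.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return code, greeting, extensions


def is_complete_reply(buf):
    """True once buf ends with a full line whose separator is a space (final line)."""
    if not buf.endswith("\r\n"):
        return False  # last line still in transit
    last = buf.rstrip("\r\n").split("\r\n")[-1]
    return len(last) >= 4 and last[3] == " "


def read_full_reply(recv):
    """
    Accumulate chunks from recv() (a callable returning str, '' on close)
    until the final reply line has arrived, then return the whole buffer.
    """
    buf = ""
    while not is_complete_reply(buf):
        chunk = recv()
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


if __name__ == "__main__":
    for sample in (SAMPLE_EXCHANGE_REPLY, SAMPLE_POSTFIX_STYLE_REPLY, SAMPLE_REJECT_REPLY):
        code, greeting, ext = parse_ehlo_reply(sample)
        print(code, greeting, sorted(ext))
```

read_full_reply takes a plain callable rather than a socket so the chunking behaviour can be exercised offline; with a real connection, recv would wrap the socket's receive method and the result would then be passed to parse_ehlo_reply.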
Current thread:
- nse script to gather Extended SMTP commands from EHLO request DePriest, Jason R. (Jun 12)
- Re: nse script to gather Extended SMTP commands from EHLO request Diman Todorov (Jun 12)
- Re: nse script to gather Extended SMTP commands from EHLO request DePriest, Jason R. (Jun 12)
- Re: nse script to gather Extended SMTP commands from EHLO request Diman Todorov (Jun 12)
