1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
# This script was written by Michel Arboi <mikhail@nessus.org>
#
# GPL...
#
if(description)
{
script_id(18528);
script_version ("$Revision: 1.7 $");
script_name(english:"SMTP server accepts us");
script_description(english:
"This script does not perform any security test.
It verifies that Nessus that connect to the remote SMTP
server and that it can send a HELO request.");
script_summary(english: "Checks that the SMTP server accepts our HELO");
script_category(ACT_GATHER_INFO);
script_family(english:"SMTP problems");
script_copyright(english:"This script is Copyright (C) 2005 Michel Arboi");
script_dependencie("find_service_3digits.nasl", "doublecheck_std_services.nasl");
script_require_ports("Services/smtp", 25);
exit(0);
}
#
include('global_settings.inc');
include('misc_func.inc');
include('smtp_func.inc');
port = get_kb_item("Services/smtp");
if (! port) port = 25;
if (! get_port_state(port)) exit(0);
# Some broken servers return _two_ code lines for one query!
# Maybe this function should be put in smtp_func.inc?
function smtp_recv(socket, retry)
{
local_var r, r2, i, l;
for (i = 0; i < 6; i ++)
{
r = recv(socket: socket, length: 4096);
l = strlen(r);
if (l == 0 && retry -- <= 0) return r2;
r2 += r;
if (l >= 2 && substr(r, l-2) == '\r\n') return r2;
}
return r2;
}
s = open_sock_tcp(port);
if (! s)
{
debug_print('Cannot open connection to port ', port, '\n');
set_kb_item(name: 'smtp/'+port+'/broken', value: TRUE);
if (port == 25)
set_kb_item(name: 'SMTP/wrapped', value: TRUE);
exit(0);
}
r = smtp_recv(socket: s, retry: 3);
if (! r)
{
debug_print('No SMTP welcome banner on port ', port, '\n');
close(s);
set_kb_item(name: 'smtp/'+port+'/broken', value: TRUE);
if (port == 25)
set_kb_item(name: 'SMTP/wrapped', value: TRUE);
exit(0);
}
if (r =~ '^4[0-9][0-9][ -]')
{
debug_print('SMTP on port ', port, ' is temporarily closed: ', r);
security_note(port: port, data: strcat(
"The SMTP server on this port answered with a ", substr(r, 0, 2), " code.
This means that it is temporarily unavailable because it is
overloaded or any other reason.
** Nessus tests will be incomplete. You should fix your MTA and
** rerun Nessus, or disable this server if you don't use it.
"));
close(s);
set_kb_item('smtp/'+port+'/temp_denied', value: TRUE);
exit(0);
}
if (r =~ '^5[0-9][0-9][ -]')
{
debug_print('SMTP on port ', port, ' is permanently closed: ', r);
security_note(port: port, data: strcat(
"The SMTP server on this port answered with a ", substr(r, 0, 2), " code.
This means that it is permanently unavailable because the Nessus
server IP is not authorized, blacklisted or any other reason.
** Nessus tests will be incomplete. You may try to scan your MTA
** from an authorized IP or disable this server if you don't use it.
"));
set_kb_item(name: 'smtp/'+port+'/denied', value: TRUE);
close(s);
exit(0);
}
heloname = 'example.com';
send(socket: s, data: 'HELO '+heloname+'\r\n');
r = smtp_recv(socket: s, retry: 3);
if (r =~ '^[45][0-9][0-9][ -]')
{
debug_print('SMTP server on port ', port, ' answers to HELO(', heloname, '): ', r);
heloname = this_host_name();
if (! heloname) heloname = this_host();
send(socket: s, data: 'HELO '+heloname+'\r\n');
r = smtp_recv(socket: s, retry: 3);
if (strlen(r) == 0) # Broken connection ?
{
close(s);
sleep(1); # Try to avoid auto-blacklist
s = open_sock_tcp(port);
if (s)
{
send(socket: s, data: 'HELO '+heloname+'\r\n');
r = smtp_recv(socket: s, retry: 3);
}
}
debug_print('SMTP server on port ', port, ' answers to HELO(', heloname, '): ', r);
}
debug_print(level: 2, 'SMTP server on port ', port, ' answers to HELO: ', r);
send(socket: s, data: 'QUIT\r\n');
close(s);
if (r !~ '^2[0-9][0-9][ -]')
{
if (strlen(r) >= 3)
report = strcat(
"The SMTP server on this port answered with a ", substr(r, 0, 2), " code
to HELO requests.");
else
report = "The SMTP server on this port rejects our HELO requests.";
report += "
This means that it is unavailable because the Nessus server IP is not
authorized or blacklisted, or that the hostname is not consistent
with the IP.
** Nessus tests will be incomplete. You may try to scan your MTA
** from an authorized IP or fix the nessus hostname and rescan this server.
";
security_note(port: port, data: report);
set_kb_item(name: 'smtp/'+port+'/denied', value: TRUE);
}
else
{
if ( heloname ) set_kb_item(name: 'smtp/'+port+'/helo', value: heloname);
}
|
