Nmap Development mailing list archives

Re: Last call for smtp-open-relay.nse - help needed


From: Ron <ron () skullsecurity net>
Date: Wed, 3 Mar 2010 13:32:04 -0600

D'oh:
502 5.5.1 VRFY command is disabled

I guess I can't test for you anymore -- the company finally took my advice and disabled VRFY :) 

But yeah, the response to HELO/EHLO wouldn't have worked because it's zimbra.xxx.mb.ca, whereas the host is @xxx.mb.ca. 
I don't really know if there's a good way to do it, though -- unless you tried a bunch of variations. A lot of times, 
domains are mail.domain.tld, whereas the email addresses are @domain.tld. 

The site, from my tests before they disabled VRFY, didn't allow just the username -- it required the full domain. 

On Wed, 3 Mar 2010 16:21:33 +0000 Duarte Silva
<duartejcsilva () gmail com> wrote:
Hmm, I thought you always had to use the domain. I know on that
one you do.

In the article the qmail author wrote http://cr.yp.to/smtp/vrfy.html
it seems it isn't obligatory to use the domain.

Taking your ideas and mashing them a bit, I think I will give the user
the possibility to choose a domain to test the users with, and a
domain for the EHLO command (as what happened to smtp-open-relay).

If the user does not provide one the script will figure it out using
the rDNS/provided hostname.
If in the end we still got an IP address, there is also the
possibility to use the domain from the EHLO command reply.
What do you think about that?

On Wed, Mar 3, 2010 at 12:56 AM, David Fifield
<david () bamsoftware com> wrote:
On Tue, Mar 02, 2010 at 06:45:46PM -0600, Ron wrote:
On Tue, 2 Mar 2010 22:23:47 +0000 Duarte Silva
<duartejcsilva () gmail com> wrote:
VRFY test () xxx mb ca
550 5.1.1 <test () xxx mb ca>: Recipient address rejected: xxx.mb.ca
VRFY yyy () xxx mb ca
252 2.0.0 yyy () xxx mb ca

Hmm, this is interesting. I should add a domain argument so that
the script can perform tests like the ones mentioned above. The
script currently doesn't take that into account because I didn't
know that it was possible to use the actual e-mail.

Hmm, I thought you always had to use the domain. I know on that
one you do.

You can access the hostname through the 'nmap' object, so it might
be enough to append @hostname to the names. That naturally assumes
that the user running it typed in the hostname and not an ip
range, though maybe the rDNS name would be enough?

Yeah, maybe something like the http library does:

--- Get a suitable hostname string from the argument, which may be either a
-- string or a host table.
local function get_hostname(host)
  if type(host) == "table" then
    return host.targetname or ( host.name ~= '' and host.name ) or host.ip
  else
    return host
  end
end

host.targetname is the name the user typed in, and host.name is the
reverse DNS name.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
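The domain-selection order the thread settles on, worked through as an added example in NSE's language (this is not code from the thread, from Duarte's script or from Nmap): an explicit script argument wins; otherwise the name the user typed (host.targetname), then reverse DNS (host.name), then the hostname the server announced in its EHLO reply, never a bare IP. It also folds in Ron's observation that the host is often mail.domain.tld while mailboxes are @domain.tld. The prefix list, the IPv4-only check, the reply-code mapping and the host table, EHLO banner and VRFY replies are all constructed assumptions for illustration; the real nmap host table is not required to run it.

```lua
-- Added example, not code from the nmap-dev thread or from Nmap itself.
-- Picks the domain for VRFY probes in the order the thread proposes and
-- classifies VRFY replies. Everything below (prefix list, IPv4-only check,
-- sample host table, EHLO/VRFY reply strings) is constructed for illustration.

-- True if s is a dotted-quad IPv4 literal (assumption: IPv6 not handled).
local function is_ipv4(s)
  return s:match("^%d+%.%d+%.%d+%.%d+$") ~= nil
end

-- Ron's point: hosts are often mail.domain.tld while mailboxes are
-- @domain.tld. Drop one leading label if it is a common mail-host name.
-- (Assumed list; a real script would expose it as a script argument.)
local MAILHOST_PREFIXES = {
  mail = true, smtp = true, mx = true, mx1 = true, relay = true, zimbra = true,
}

local function strip_mailhost_prefix(name)
  local first, rest = name:match("^([^%.]+)%.(.+%..+)$")
  if first and MAILHOST_PREFIXES[first:lower()] then
    return rest
  end
  return name
end

-- Hostname from the first line of an EHLO reply, e.g. "250-mx.example.com Hello".
local function domain_from_ehlo(reply)
  return reply:match("^250[%- ]([%w%.%-]+)")
end

-- Returns the domain to append to user names and which source supplied it,
-- or nil when nothing usable was found (then VRFY is sent without a domain).
local function pick_domain(args, host, ehlo_reply)
  if args and args.domain and args.domain ~= "" then
    return args.domain, "argument"        -- the user's choice is taken verbatim
  end
  local derived = {
    { "targetname", host and host.targetname },
    { "rdns",       host and host.name },
    { "ehlo",       ehlo_reply and domain_from_ehlo(ehlo_reply) },
  }
  for _, entry in ipairs(derived) do
    local source, name = entry[1], entry[2]
    if name and name ~= "" and not is_ipv4(name) then
      return strip_mailhost_prefix(name), source
    end
  end
  return nil, "none"
end

-- VRFY with or without a domain (the qmail note linked in the thread says
-- the domain part is optional).
local function vrfy_command(user, domain)
  if domain then
    return string.format("VRFY %s@%s\r\n", user, domain)
  end
  return string.format("VRFY %s\r\n", user)
end

-- Map a VRFY reply code to a verdict (codes as defined in RFC 5321):
-- 250/251 known user, 252 accepted but not verified, 502 VRFY disabled,
-- 550/551/553 rejected. Anything else is reported as "other".
local function classify_vrfy_reply(reply)
  local digits = reply:match("^(%d%d%d)")
  local code = digits and tonumber(digits)
  if code == 250 or code == 251 then return "exists" end
  if code == 252 then return "unverified" end
  if code == 502 then return "disabled" end
  if code == 550 or code == 551 or code == 553 then return "unknown" end
  return "other"
end

-- Constructed sample run: target scanned by IP (no targetname), rDNS names
-- the Zimbra box, and the EHLO reply agrees with it.
local host = { ip = "192.0.2.25", targetname = nil, name = "zimbra.example.com" }
local ehlo = "250-zimbra.example.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

local domain, source = pick_domain({}, host, ehlo)
print("domain:", domain, "from:", source)
io.write(vrfy_command("test", domain))
print(classify_vrfy_reply("252 2.0.0 test@example.com"))
print(classify_vrfy_reply("502 5.5.1 VRFY command is disabled"))
```

The EHLO fallback only runs when neither the typed name nor rDNS yields a hostname, matching the "if in the end we still got an IP address" case above; a 502 reply, as in Ron's final test, should end the enumeration rather than be counted as an unknown user.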