diff options
Diffstat (limited to '')
-rw-r--r-- | nselib/smtp.lua | 655 |
1 files changed, 655 insertions, 0 deletions
diff --git a/nselib/smtp.lua b/nselib/smtp.lua new file mode 100644 index 0000000..f0d3fba --- /dev/null +++ b/nselib/smtp.lua @@ -0,0 +1,655 @@ +--- +-- Simple Mail Transfer Protocol (SMTP) operations. +-- +-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html +-- @args smtp.domain The domain to be returned by get_domain, overriding the +-- target's own domain name. + +local base64 = require "base64" +local comm = require "comm" +local sasl = require "sasl" +local stdnse = require "stdnse" +local string = require "string" +local stringaux = require "stringaux" +local table = require "table" +_ENV = stdnse.module("smtp", stdnse.seeall) + +local ERROR_MESSAGES = { + ["EOF"] = "connection closed", + ["TIMEOUT"] = "connection timeout", + ["ERROR"] = "failed to receive data" +} + +local SMTP_CMD = { + ["EHLO"] = { + cmd = "EHLO", + success = { + [250] = "Requested mail action okay, completed", + }, + errors = { + [421] = "<domain> Service not available, closing transmission channel", + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [504] = "Command parameter not implemented", + [550] = "Not implemented", + }, + }, + ["HELP"] = { + cmd = "HELP", + success = { + [211] = "System status, or system help reply", + [214] = "Help message", + }, + errors = { + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [502] = "Command not implemented", + [504] = "Command parameter not implemented", + [421] = "<domain> Service not available, closing transmission channel", + }, + }, + ["AUTH"] = { + cmd = "AUTH", + success = {[334] = ""}, + errors = { + [501] = "Authentication aborted", + }, + }, + ["MAIL"] = { + cmd = "MAIL", + success = { + [250] = "Requested mail action okay, completed", + }, + errors = { + [451] = "Requested action aborted: local error in processing", + [452] = "Requested action not taken: insufficient system storage", + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [421] = "<domain> Service not available, closing transmission channel", + [552] = "Requested mail action aborted: exceeded storage allocation", + }, + }, + ["RCPT"] = { + cmd = "RCPT", + success = { + [250] = "Requested mail action okay, completed", + [251] = "User not local; will forward to <forward-path>", + }, + errors = { + [450] = "Requested mail action not taken: mailbox unavailable", + [451] = "Requested action aborted: local error in processing", + [452] = "Requested action not taken: insufficient system storage", + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [503] = "Bad sequence of commands", + [521] = "<domain> does not accept mail [rfc1846]", + [421] = "<domain> Service not available, closing transmission channel", + }, + }, + ["DATA"] = { + cmd = "DATA", + success = { + [250] = "Requested mail action okay, completed", + [354] = "Start mail input; end with <CRLF>.<CRLF>", + }, + errors = { + [451] = "Requested action aborted: local error in processing", + [554] = "Transaction failed", + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [503] = "Bad sequence of commands", + [421] = "<domain> Service not available, closing transmission channel", + [552] = "Requested mail action aborted: exceeded storage allocation", + [554] = "Transaction failed", + [451] = "Requested action aborted: local error in processing", + [452] = "Requested action not taken: insufficient system storage", + }, + }, + ["STARTTLS"] = { + cmd = "STARTTLS", + success = { + [220] = "Ready to start TLS" + }, + errors = { + [501] = "Syntax error (no parameters allowed)", + [454] = "TLS not available due to temporary reason", + }, + }, + ["RSET"] = { + cmd = "RSET", + success = { + [200] = "nonstandard success response, see rfc876)", + [250] = "Requested mail action okay, completed", + }, + errors = { + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [504] = "Command parameter not implemented", + [421] = "<domain> Service not available, closing transmission channel", + }, + }, + ["VRFY"] = { + cmd = "VRFY", + success = { + [250] = "Requested mail action okay, completed", + [251] = "User not local; will forward to <forward-path>", + }, + errors = { + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [502] = "Command not implemented", + [504] = "Command parameter not implemented", + [550] = "Requested action not taken: mailbox unavailable", + [551] = "User not local; please try <forward-path>", + [553] = "Requested action not taken: mailbox name not allowed", + [421] = "<domain> Service not available, closing transmission channel", + }, + }, + ["EXPN"] = { + cmd = "EXPN", + success = { + [250] = "Requested mail action okay, completed", + }, + errors = { + [550] = "Requested action not taken: mailbox unavailable", + [500] = "Syntax error, command unrecognised", + [501] = "Syntax error in parameters or arguments", + [502] = "Command not implemented", + [504] = "Command parameter not implemented", + [421] = "<domain> Service not available, closing transmission channel", + }, + }, +} +--- +-- Returns a domain to be used in the SMTP commands that need it. +-- +-- If the user specified one through the script argument +-- <code>smtp.domain</code> this function will return it. Otherwise it will try +-- to find the domain from the typed hostname and from the rDNS name. If it +-- still can't find one it will return the nmap.scanme.org by default. +-- +-- @param host The host table +-- @return The hostname to be used by the different SMTP commands. +get_domain = function(host) + local nmap_domain = "nmap.scanme.org" + + -- Use the user provided options. + local result = stdnse.get_script_args("smtp.domain") + if not result then + if type(host) == "table" then + if host.targetname then + result = host.targetname + elseif (host.name and #host.name ~= 0) then + result = host.name + end + end + end + + return result or nmap_domain +end + +--- Gets the authentication mechanisms that are listed in the response +-- of the client's EHLO command. +-- +-- @param response The response of the client's EHLO command. +-- @return An array of authentication mechanisms on success, or nil +-- when it can't find authentication. +get_auth_mech = function(response) + local list = {} + + for _, line in pairs(stringaux.strsplit("\r?\n", response)) do + local authstr = line:match("%d+%-AUTH%s(.*)$") + if authstr then + for mech in authstr:gmatch("[^%s]+") do + table.insert(list, mech) + end + return list + end + end + + return nil +end + +--- Checks the SMTP server reply to see if it supports the previously +-- sent SMTP command. +-- +-- @param cmd The SMTP command that was sent to the server +-- @param reply The SMTP server reply +-- @return true if the reply indicates that the SMTP command was +-- processed by the server correctly, or false on failures. +-- @return message The reply returned by the server on success, or an +-- error message on failures. +check_reply = function(cmd, reply) + local code, msg = string.match(reply, "^([0-9]+)%s*") + if code then + cmd = cmd:upper() + code = tonumber(code) + if SMTP_CMD[cmd] then + if SMTP_CMD[cmd].success[code] then + return true, reply + end + else + stdnse.debug3( + "SMTP: check_smtp_reply failed: %s not supported", cmd) + return false, string.format("SMTP: %s %s", cmd, reply) + end + end + stdnse.debug3( + "SMTP: check_smtp_reply failed: %s %s", cmd, reply) + return false, string.format("SMTP: %s %s", cmd, reply) +end + + +--- Queries the SMTP server for a specific service. +-- +-- This is a low level function that can be used to have more control +-- over the data exchanged. On network errors the socket will be closed. +-- This function automatically adds <code>CRLF<code> at the end. +-- +-- @param socket connected to the server +-- @param cmd The SMTP cmd to send to the server +-- @param data The data to send to the server +-- @param lines The minimum number of lines to receive, default value: 1. +-- @return true on success, or nil on failures. +-- @return response The returned response from the server on success, or +-- an error message on failures. +query = function(socket, cmd, data, lines) + if data then + cmd = cmd.." "..data + end + + local st, ret = socket:send(string.format("%s\r\n", cmd)) + if not st then + socket:close() + stdnse.debug3("SMTP: failed to send %s request.", cmd) + return st, string.format("SMTP failed to send %s request.", cmd) + end + + st, ret = socket:receive_lines(lines or 1) + if not st then + socket:close() + stdnse.debug3("SMTP %s: failed to receive data: %s.", + cmd, (ERROR_MESSAGES[ret] or 'unspecified error')) + return st, string.format("SMTP %s: failed to receive data: %s", + cmd, (ERROR_MESSAGES[ret] or 'unspecified error')) + end + + return st, ret +end + +--- Connects to the SMTP server based on the provided options. +-- +-- @param host The host table +-- @param port The port table +-- @param opts The connection option table, possible options: +-- ssl: try to connect using TLS +-- timeout: generic timeout value +-- recv_before: receive data before returning +-- lines: a minimum number of lines to receive +-- @return socket The socket descriptor, or nil on errors +-- @return response The response received on success and when +-- the recv_before is set, or the error message on failures. +connect = function(host, port, opts) + local socket, _, ret + if opts.ssl then + socket, _, _, ret = comm.tryssl(host, port, '', opts) + else + socket, _, ret = comm.opencon(host, port, nil, opts) + end + if not socket then + return socket, (ERROR_MESSAGES[ret] or 'unspecified error') + end + return socket, ret +end + +--- Switches the plain text connection to be protected by the TLS protocol +-- by using the SMTP STARTTLS command. +-- +-- The socket will be reconnected by using SSL. On network errors or if the +-- SMTP command fails, the connection will be closed and the socket cleared. +-- +-- @param socket connected to server. +-- @return true on success, or nil on failures. +-- @return message On success this will contain the SMTP server response +-- to the client's STARTTLS command, or an error message on failures. +starttls = function(socket) + local st, reply, ret + + st, reply = query(socket, "STARTTLS") + if not st then + return st, reply + end + + st, ret = check_reply('STARTTLS', reply) + if not st then + quit(socket) + return st, ret + end + + st, ret = socket:reconnect_ssl() + if not st then + socket:close() + return st, ret + end + + return true, reply +end + +--- Sends the EHLO command to the SMTP server. +-- +-- On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server +-- @param domain to use in the EHLO command. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +ehlo = function(socket, domain) + local st, ret, response + st, response = query(socket, "EHLO", domain) + if not st then + return st, response + end + + st, ret = check_reply("EHLO", response) + if not st then + quit(socket) + return st, ret + end + + return st, response +end + +--- Sends the HELP command to the SMTP server. +-- +-- On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +help = function(socket) + local st, ret, response + st, response = query(socket, "HELP") + + if not st then + return st, response + end + + st, ret = check_reply("HELP", response) + if not st then + quit(socket) + return st, ret + end + + return st, response +end + +--- Sends the MAIL command to the SMTP server. +-- +-- On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server. +-- @param address of the sender. +-- @param esmtp_opts The additional ESMTP options table, possible values: +-- size: a decimal value to represent the message size in octets. +-- ret: include the message in the DSN, should be 'FULL' or 'HDRS'. +-- envid: envelope identifier, printable characters that would be +-- transmitted along with the message and included in the +-- failed DSN. +-- transid: a globally unique case-sensitive value that identifies +-- this particular transaction. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +mail = function(socket, address, esmtp_opts) + local st, ret, response + + if esmtp_opts and next(esmtp_opts) then + local data = "" + -- we do not check for strange values, read the NSEDoc. + for k,v in pairs(esmtp_opts) do + k = k:upper() + data = string.format("%s %s=%s", data, k, v) + end + st, response = query(socket, "MAIL", + string.format("FROM:<%s>%s", + address, data)) + else + st, response = query(socket, "MAIL", + string.format("FROM:<%s>", address)) + end + + if not st then + return st, response + end + + st, ret = check_reply("MAIL", response) + if not st then + quit(socket) + return st, ret + end + + return st, response +end + +--- Sends the RCPT command to the SMTP server. +-- +-- On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server. +-- @param address of the recipient. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +recipient = function(socket, address) + local st, ret, response + + st, response = query(socket, "RCPT", + string.format("TO:<%s>", address)) + + if not st then + return st, response + end + + st, ret = check_reply("RCPT", response) + if not st then + quit(socket) + return st, ret + end + + return st, response +end + +--- Sends data to the SMTP server. +-- +-- This function will automatically adds <code><CRLF>.<CRLF></code> at the +-- end. On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server. +-- @param data to be sent. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +datasend = function(socket, data) + local st, ret, response + + st, response = query(socket, "DATA") + if not st then + return st, response + end + + st, ret = check_reply("DATA", response) + if not st then + quit(socket) + return st, ret + end + + if data then + st, response = query(socket, data.."\r\n.") + if not st then + return st, response + end + + st, ret = check_reply("DATA", response) + if not st then + quit(socket) + return st, ret + end + end + + return st, response +end + +--- Sends the RSET command to the SMTP server. +-- +-- On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +reset = function(socket) + local st, ret, response + st, response = query(socket, "RSET") + + if not st then + return st, response + end + + st, ret = check_reply("RSET", response) + if not st then + quit(socket) + return st, ret + end + + return st, response +end + +--- Sends the VRFY command to verify the validity of a mailbox. +-- +-- On network errors or if the SMTP command fails, the connection +-- will be closed and the socket cleared. +-- +-- @param socket connected to server. +-- @param mailbox to verify. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. +verify = function(socket, mailbox) + local st, ret, response + st, response = query(socket, "VRFY", mailbox) + + st, ret = check_reply("VRFY", response) + if not st then + quit(socket) + return st, ret + end + + return st, response +end + +--- Sends the QUIT command to the SMTP server, and closes the socket. +-- +-- @param socket connected to server. +quit = function(socket) + stdnse.debug3("SMTP: sending 'QUIT'.") + socket:send("QUIT\r\n") + socket:close() +end + +--- Attempts to authenticate with the SMTP server. The supported authentication +-- mechanisms are: LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. +-- +-- @param socket connected to server. +-- @param username SMTP username. +-- @param password SMTP password. +-- @param mech Authentication mechanism. +-- @return true on success, or false on failures. +-- @return response returned by the SMTP server on success, or an +-- error message on failures. + +login = function(socket, username, password, mech) + assert(mech == "LOGIN" or mech == "PLAIN" or mech == "CRAM-MD5" + or mech == "DIGEST-MD5" or mech == "NTLM", + ("Unsupported authentication mechanism (%s)"):format(mech or "nil")) + local status, response = query(socket, "AUTH", mech) + if ( not(status) ) then + return false, "ERROR: Failed to send AUTH to server" + end + + if ( mech == "LOGIN" ) then + local tmp = response:match("334 (.*)") + if ( not(tmp) ) then + return false, "ERROR: Failed to decode LOGIN response" + end + tmp = base64.dec(tmp):lower() + if ( not(tmp:match("^username")) ) then + return false, ("ERROR: Expected \"Username\", but received (%s)"):format(tmp) + end + status, response = query(socket, base64.enc(username)) + if ( not(status) ) then + return false, "ERROR: Failed to read LOGIN response" + end + tmp = response:match("334 (.*)") + if ( not(tmp) ) then + return false, "ERROR: Failed to decode LOGIN response" + end + tmp = base64.dec(tmp):lower() + if ( not(tmp:match("^password")) ) then + return false, ("ERROR: Expected \"password\", but received (%s)"):format(tmp) + end + status, response = query(socket, base64.enc(password)) + if ( not(status) ) then + return false, "ERROR: Failed to read LOGIN response" + end + if ( response:match("^235") ) then + return true, "Login success" + end + return false, response + end + + + if ( mech == "NTLM" ) then + -- sniffed of the wire, seems to always be the same + -- decodes to some NTLMSSP blob greatness + status, response = query(socket, "TlRMTVNTUAABAAAAB7IIogYABgA3AAAADwAPACgAAAAFASgKAAAAD0FCVVNFLUFJUi5MT0NBTERPTUFJTg==") + if ( not(status) ) then return false, "ERROR: Failed to receive NTLM challenge" end + end + + + local chall = response:match("^334 (.*)") + chall = (chall and base64.dec(chall)) + if (not(chall)) then return false, "ERROR: Failed to retrieve challenge" end + + -- All mechanisms expect username and pass + -- add the otheronce for those who need them + local mech_params = { username, password, chall, "smtp" } + local auth_data = sasl.Helper:new(mech):encode(table.unpack(mech_params)) + auth_data = base64.enc(auth_data) + + status, response = query(socket, auth_data) + if ( not(status) ) then + return false, ("ERROR: Failed to authenticate using SASL %s"):format(mech) + end + + if ( mech == "DIGEST-MD5" ) then + local rspauth = response:match("^334 (.*)") + if ( rspauth ) then + rspauth = base64.dec(rspauth) + status, response = query(socket,"") + end + end + + if ( response:match("^235") ) then return true, "Login success" end + + return false, response +end + +return _ENV; |