This file is indexed.

/usr/share/nmap/scripts/smtp-open-relay.nse is in nmap 5.21-1.1ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
description = [[
Checks if an SMTP server is an open relay.
]]

-- Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> / www.buanzo.com.ar / linux-consulting.buanzo.com.ar
-- Same as Nmap--See http://nmap.org/book/man-legal.html file for licence details
-- This is version 20070516.
-- Changelog: 
--   * I changed it to the "demo" category until we figure out what
--     to do about using real hostnames. -Fyodor
--   + Added some strings to return in different places.
--   * Changed "HELO www.[ourdomain]" to "EHLO [ourdomain]".
--   * Fixed some API differences
--   * The "ourdomain" variable's contents are used instead of hardcoded "insecure.org". Settable by the user.
--   * Fixed tags -> categories (reported by Jason DePriest to nmap-dev)

categories = {"demo"}

require "shortport"
require "comm"

ourdomain="scanme.org"

portrule = shortport.port_or_service({25, 465, 587}, {"smtp", "smtps"})

action = function(host, port)
	local socket = nmap.new_socket()
	local result
	local status = true

	local mailservername
	local tor = {}
	local i

	opt = {timeout=10000, recv_before=true}
	socket, result = comm.tryssl(host, port, "EHLO " ..ourdomain.."\r\n", opt)
	if not socket then
		return "Unable to establish connection"
	end

	if (result == "TIMEOUT") then
		socket:close()
		return "Timeout. Try incresing settimeout, or enhance this."
	end

-- close socket and return if there's an smtp status code != 250
	if not string.match(result, "^250") then
		socket:close()
		return "EHLO with errors or timeout. Enable --script-trace to see what is happening."
	end

	mailservername = string.sub(result, string.find(result, '([.%w]+)',4))

-- read the rest of the response, if any

	while true do
		status, result = socket:receive_lines(1)
		if not status  then
			break
		end
	end

-- Now that we have the mailservername, fill in the tor table
	tor[0] = {f = "MAIL FROM:<spamtest@"..ourdomain..">",t="RCPT TO:<relaytest@"..ourdomain..">"}
	tor[1] = {f = "MAIL FROM:<>",t="RCPT TO:<relaytest@"..ourdomain..">"}
	tor[2] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@"..ourdomain..">"}
	tor[3] = {f = "MAIL FROM:<spamtest@" .. mailservername .. ">",t="RCPT TO:<relaytest@"..ourdomain..">"}
	tor[4] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest%"..ourdomain.."@[" .. host.ip .. "]>"}
	tor[5] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest%"..ourdomain.."@" .. mailservername .. ">"}
	tor[6] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest@"..ourdomain.."\">"}
	tor[7] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest%"..ourdomain.."\">"}
	tor[8] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@"..ourdomain.."@[" .. host.ip .. "]>"}
	tor[9] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<\"relaytest@"..ourdomain.."\"@[" .. host.ip .. "]>"}
	tor[10] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<relaytest@"..ourdomain.."@" .. mailservername .. ">"}
	tor[11] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<@[" .. host.ip .. "]:relaytest@"..ourdomain..">"}
	tor[12] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<@" .. mailservername .. ":relaytest@"..ourdomain..">"}
	tor[13] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<"..ourdomain.."!relaytest>"}
	tor[14] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<"..ourdomain.."!relaytest@[" .. host.ip .. "]>"}
	tor[15] = {f = "MAIL FROM:<spamtest@[" .. host.ip .. "]>",t="RCPT TO:<"..ourdomain.."!relaytest@" .. mailservername .. ">"}
	

	i = -1
	while true do
		i = i+1
		if i > table.getn(tor) then break end

-- for debugging, uncomment next line
--		print (tor[i]["f"] .. " -> " .. tor[i]["t"])

-- first, issue a RSET
		socket:send("RSET\r\n")
		status, result = socket:receive_lines(1)
		if not string.match(result, "^250") then
			socket:close()
			return
		end

-- send MAIL FROM....
		socket:send(tor[i]["f"].."\r\n")
		status, result = socket:receive_lines(1)
		if string.match(result, "^250") then
-- if we get a 250, then continue with RCPT TO:
			socket:send(tor[i]["t"].."\r\n")
			status, result = socket:receive_lines(1)
			if string.match(result, "^250") then
				socket:close()
				return "OPEN RELAY found."
			end
		end
	end

	socket:close()
	return
end