## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Smtp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize super( 'Name' => 'SMTP Open Relay Detection', 'Description' => %q{ This module tests if an SMTP server will accept (via a code 250) an e-mail from the provided FROM: address. If successful, a random e-mail message may be sent to the named RCPT: address. }, 'References' => [ ['URL', 'http://www.ietf.org/rfc/rfc2821.txt'], ], 'Author' => 'Campbell Murray', 'License' => MSF_LICENSE ) end def peer "#{rhost}:#{rport}" end def run_host(ip) begin connect rescue print_error("#{peer} - Unable to establish an SMTP session") return end banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s) print_status("#{peer} - SMTP #{banner_sanitized}") report_service(:host => rhost, :port => rport, :name => "smtp", :info => banner) do_test_relay end def do_test_relay res = raw_send_recv("EHLO X\r\n") vprint_status("#{peer} - #{res.inspect}") res = raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n") vprint_status("#{peer} - #{res.inspect}") res = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n") vprint_status("#{peer} - #{res.inspect}") res = raw_send_recv("DATA\r\n") vprint_status("#{peer} - #{res.inspect}") res = raw_send_recv("#{Rex::Text.rand_text_alpha(rand(10)+5)}\r\n.\r\n") vprint_status("#{peer} - #{res.inspect}") if res =~ /250/ print_good("#{peer} - Potential open SMTP relay detected") else print_status "#{peer} - No relay detected" end end end