
Added Extended SMTP Open Relay aux module #2928

Merged
merged 4 commits into from
Mar 31, 2014

Conversation

xistence
Contributor

This auxiliary module will do more extended tests for an open SMTP relay. This is done by using configuration or old mailserver design flaws.
The existing "smtp_relay" auxiliary module only tests for a simple MAIL FROM: / MAIL TO: relay. This module will test for 16 different types of relaying.

The idea for the module is based on the NMAP smtp-open-relay NSE script which can be found on https://svn.nmap.org/nmap/scripts/smtp-open-relay.nse

msf > use auxiliary/scanner/smtp/smtp_relay_ext
msf auxiliary(smtp_relay_ext) > set RHOSTS 192.168.0.123
RHOSTS => 192.168.0.123
msf auxiliary(smtp_relay_ext) > run

[*] 192.168.0.123:25 - SMTP 220 mail.mymailserver.com ESMTP\x0d\x0a
[*] 192.168.0.123:25 - Test #1 - No relay detected
[*] 192.168.0.123:25 - Test #2 - No relay detected
[*] 192.168.0.123:25 - Test #3 - No relay detected
[+] 192.168.0.123:25 - Test #4 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<human@[192.168.0.123]>
[+] 192.168.0.123:25 - Test #5 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<human%ahhhzombies111.net@[192.168.0.123]>
[+] 192.168.0.123:25 - Test #6 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:human%ahhhzombies111.net@mail.mymailserver.com
[*] 192.168.0.123:25 - Test #7 - No relay detected
[+] 192.168.0.123:25 - Test #8 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<"human%ahhhzombies111.net">
[+] 192.168.0.123:25 - Test #9 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<human@ahhhzombies111.net@[192.168.0.123]>
[+] 192.168.0.123:25 - Test #10 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<"human@ahhhzombies111.net"@[192.168.0.123]>
[+] 192.168.0.123:25 - Test #11 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<human@ahhhzombies111.net@mail.mymailserver.com>
[*] 192.168.0.123:25 - Test #12 - No relay detected
[*] 192.168.0.123:25 - Test #13 - No relay detected
[+] 192.168.0.123:25 - Test #14 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<ahhhzombies111.net!human>
[+] 192.168.0.123:25 - Test #15 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<ahhhzombies111.net!human@[192.168.0.123]>
[+] 192.168.0.123:25 - Test #16 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:ahhhzombies111.net!human@mail.mymailserver.com
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
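The probes in the output above differ only in the recipient syntax they use: legacy source-routing forms (percent hack, bang path, a second @ in the local part) and address-literal domains. The following Ruby snippet is an added example, not part of this PR or of the Metasploit module: it parses a constructed copy of the module's output and labels each accepted probe by the routing syntax it relied on, which is the summary a mail administrator needs to decide which syntaxes the MTA should stop accepting. The function and constant names are assumed for this example.

```ruby
# Constructed sample in the same shape as the smtp_relay output shown in the PR
# (same probe forms, not a real scan). Non-interpolating heredoc so the "#" are literal.
SAMPLE_OUTPUT = <<~'LOG'
  [*] 192.168.0.123:25 - Test #1 - No relay detected
  [+] 192.168.0.123:25 - Test #4 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<human@[192.168.0.123]>
  [+] 192.168.0.123:25 - Test #5 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<human%ahhhzombies111.net@[192.168.0.123]>
  [+] 192.168.0.123:25 - Test #8 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<"human%ahhhzombies111.net">
  [+] 192.168.0.123:25 - Test #10 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<"human@ahhhzombies111.net"@[192.168.0.123]>
  [+] 192.168.0.123:25 - Test #14 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:<ahhhzombies111.net!human>
  [+] 192.168.0.123:25 - Test #16 - Potential open SMTP relay detected: - MAIL FROM:<zombie@[192.168.0.123]> -> RCPT TO:ahhhzombies111.net!human@mail.mymailserver.com
LOG

# Name the routing syntax an accepted RCPT TO used. Order matters: a quoted
# local part may contain "%" or "@", so those checks run before the domain check.
def relay_technique(rcpt)
  addr = rcpt.sub(/\A<(.*)>\z/, '\1')          # strip the optional angle brackets
  local, _sep, domain = addr.rpartition('@')   # split on the LAST "@"
  return :bang_path       if addr.include?('!')     # UUCP-style host!user routing
  return :percent_hack    if addr.include?('%')     # user%remote@local rewriting
  return :double_at       if local.include?('@')    # user@remote@local (quoted or not)
  return :address_literal if domain.start_with?('[') # recipient at the server's own IP literal
  :plain
end

# Extract one record per "[+]" line; "[*]" lines carry no address and are skipped.
def parse_relay_results(log)
  log.each_line.map do |line|
    m = line.match(/\[\+\] (\S+) - Test #(\d+) - .*?MAIL FROM:(\S+) -> RCPT TO:(\S+)/)
    next unless m
    { target: m[1], test: m[2].to_i, mail_from: m[3], rcpt_to: m[4],
      technique: relay_technique(m[4]) }
  end.compact
end

# Group the test numbers by technique, e.g. { bang_path: [14, 16], ... }.
def technique_summary(results)
  results.group_by { |r| r[:technique] }.transform_values { |rs| rs.map { |r| r[:test] } }
end

if __FILE__ == $PROGRAM_NAME
  technique_summary(parse_relay_results(SAMPLE_OUTPUT)).each { |t, tests| puts "#{t}: tests #{tests.join(', ')}" }
end
```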

@jvazquez-r7
Contributor

On my side, this module looks very similar to the auxiliary/scanner/smtp/smtp_relay, but it's just adding several probes to test the relay (combinations of MAIL FROM, MAIL TO), if I'm not forgetting anything.

So, I think the original auxiliary/scanner/smtp/smtp_relay should be modified, since it just looks like an improved version. Thoughts? @xistence you probably would like to wait for others' opinions before switching to modifying the existing module vs adding a new one. Your feedback is also welcome, of course.

@wvu
Contributor

wvu commented Feb 3, 2014

Reviewing today... Thanks, @jvazquez-r7.

@xistence
Contributor Author

xistence commented Feb 4, 2014

@jvazquez-r7 I think it should be a separate module. There could be situations in a pentest that you would only want to do a simple relay check with a MAIL FROM -> MAIL TO and not bombard the mail servers with 16 checks :)
Although another option would be to modify smtp_relay and add an "EXTENDED" setting which would be false by default and only does a single check. If set to true it will do all the 16 checks.

@wvu
Contributor

wvu commented Feb 4, 2014

I'm in favor of extending smtp_relay. While I understand the desire for a separate module, I think it'd be more practical to add the extended checks to the original module. JMHO.

@jvazquez-r7
Contributor

Although another option would be to modify smtp_relay and add an "EXTENDED" setting which would be false by default and only does a single check. If set to true it will do all the 16 checks

Sounds good to me

@mcantoni
Contributor

If considered useful, I've added a function to generate a random email address: #2969

@xistence
Contributor Author

@jvazquez-r7 / @wvu-r7 Modified it now so that an EXTENDED option is available, which is set to false by default. This way the module will work the same as before, unless EXTENDED is set to true.

@wvu
Contributor

wvu commented Feb 12, 2014

Thanks!


register_options(
[
Opt::RPORT(25),

Already registered by Msf::Exploit::Remote::Smtp.

@xistence
Contributor Author

Removed the rport definition as stated by @wvu-r7

],
'Author' => 'Campbell Murray',

Unless you're Campbell Murray, I don't think it's fair to remove them as an author, even if you've rewritten the module.


Maybe the same guy, but Campbell Murray wrote:

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smtp/smtp_relay.rb

so I don't think so? Hard to tell, since I've never been able to find a twitter / github profile for @xistence with a government-issued-sounding name.

Assuming you're not actually Campbell, then author credits are additive.

@xistence
Contributor Author

Made some changes, to also give credit where credit is due of course :)

@wvu
Contributor

wvu commented Mar 17, 2014

Thanks for getting back to this. :)

@wvu wvu self-assigned this Mar 19, 2014
wvu added a commit that referenced this pull request Mar 31, 2014
@wvu wvu merged commit 8fdb525 into rapid7:master Mar 31, 2014