SMTPSCAN(1)

NAME
       smtpscan 0.5 - remote SMTP server version detector

SYNOPSIS
       smtpscan [OPTIONS...] hostname(s)
       smtpscan [OPTIONS...] -D DOMAINNAME
DESCRIPTION
       smtpscan is a remote SMTP server version detector. It can be used to
       guess which mail software runs on a remote server, even when that
       server hides or rewrites its SMTP banner.

       smtpscan works by observing how the remote SMTP server reacts to the
       tests defined in the tests file (/usr/local/share/smtpscan/tests).
       Almost all of these tests are unusual SMTP requests whose reply is not
       precisely defined by the corresponding RFCs; the remaining ones simply
       check whether the remote server is RFC compliant. After each test the
       remote server returns an SMTP error message. A fingerprint is the list
       of error messages obtained for the tests, so the software is
       identified by its behaviour rather than by the banner text.

       Because a server's reactions may be altered by its configuration,
       smtpscan looks for the nearest fingerprint when there is no exact
       match, that is the fingerprint(s) with the fewest differing error
       messages. A non-zero distance therefore means a guess, not a positive
       identification: the server may be an unknown version or a non-default
       configuration of a known one.

       Currently 15 tests are used to guess the remote server version; more
       may be added in the future.
OPTIONS
       -h, --help
              Print a help message.

       -V     Print the smtpscan version and exit.

       -v     Verbose mode.

       -d     Debug mode.

       -f=PATH
              Fingerprint file location.

       -t=PATH
              Test file location.

       -p=PORT
              Remote port.

       -i=TIMEOUT
              Connection timeout (in seconds).

       -c     Connect only once. Some servers do not accept many consecutive
              connections from the same host; this option lets you scan
              them anyway. smtpscan then issues the SMTP 'RSET' command
              between tests to restart the negotiation on the same
              connection. Beware: some SMTP servers do not accept many RSET
              commands either.

       -D     Specify a domain name instead of a server. smtpscan then
              retrieves the corresponding mail exchanger and scans it.

       -n=NUMBER
              Scan the Nth mail exchanger instead of the first (ordered by
              preference).

       -a     Scan all the mail exchangers of the specified domain (see the
              -D switch), that is every address the domain's MX records
              resolve to (beware of 'virtual IPs' and load balancing: the
              host actually answering may differ from one connection to the
              next).
EXAMPLES
       Here are some examples of smtpscan use:

       smtpscan smtp.test.com
              Scans the remote host smtp.test.com to guess its SMTP software
              version.

       smtpscan smtp1.test.com smtp2.test.com
              Scans the remote hosts smtp1 and smtp2.

       smtpscan -D yahoo.com
              Scans the first mail exchanger of yahoo.com (this may be a
              different server from one run to the next, because of DNS
              CNAMEs).

       smtpscan -D yahoo.com -n 2
              Scans the secondary mail exchanger of yahoo.com.

       smtpscan -D yahoo.com -a -c -i 15
              Scans all the mail exchangers found for yahoo.com, uses the
              SMTP RSET command so that only one connection is opened per
              SMTP server, and sets the timeout to 15 seconds.
FILES
       /usr/local/share/smtpscan/fingerprints - fingerprints file
       /usr/local/share/smtpscan/tests - tests file

AUTHOR
       Julien Bordet (<zejames>) <zejames@greyhats.org>

HOW TO HELP
       The smtpscan fingerprint file is a growing database: any mail sent to
       zejames@greyhats.org with a fingerprint and the corresponding SMTP
       server version would be very much appreciated :=)

AVAILABILITY
       http://www.greyhats.org/outils/smtpscan/

smtpscan 0.5                     20020821                       SMTPSCAN(1)