10263 giving false matches on FTP server
Jason Haar
Jason.Haar at trimble.co.nz
Thu Jan 13 19:08:07 EST 2005
Hi there
10263 (SMTP Server type and version) is claiming a vsFTP server of ours
is an SMTP server running on port 21 :-)
The report says:
Remote SMTP server banner :
220 Trimble IS Access ONLY
Nessus ID : 10263 <http://cgi.nessus.org/nessus_id.php3?id=10263>
smtpscan was not able to reliably identify this server. It might be:
Microsoft ESMTP MAIL Service, Version 6.0.3718.0 (Exchange 2003)
Microsoft ESMTP MAIL Service, Version 6.0.3718.0
Microsoft ESMTP MAIL Service, Version 6.0.3790.0
Microsoft ESMTP MAIL Service, Version 6.0.3718.0
CommuniGate Pro 3.5.3,3.5.9
CommuniGate Pro 4.0.5
CommuniGate Pro 4.0
The fingerprint differs from these known signatures on 14 point(s)
Nessus also does detect it as an FTP server BTW.
It looks to me that smtpserver_detect.nasl is incomplete. It goes
looking for responses to EHLO, RSET and HELP - but doesn't seem to do
anything initially with the results - instead it just looks at the
banner for the "220" and thinks it's found an SMTP server?
BTW: "HELO" should also be looked for if "EHLO" doesn't work. Mail
servers aren't required to be ESMTP servers. All mail servers *must*
respond to either HELO or EHLO - so why not make a positive response to
either of them a requirement to continue?
e.g. (in pseudo code)
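# Fall back to HELO for servers that do not implement ESMTP
send(socket:soctcp25, data:string("HELO ",this_host(),"\r\n"));
helotxt = smtp_recv_line(socket:soctcp25);
# ehlotext is assumed to hold the reply to the earlier EHLO probe
if (!("250" >< helotxt || "250" >< ehlotext)) exit(0);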
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
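
The check proposed in the message above, sketched in Python as an added example that is not part of the original post or of the Nessus plugin: a 220 greeting alone is not treated as SMTP, and a 250 reply to EHLO or HELO is required. The function names, the scanner.example host name and the responder functions are assumptions made for illustration.

```python
import re

_FINAL = re.compile(r"^(\d{3})(?: |$)")  # final reply line: "NNN text", not "NNN-text"

def reply_code(lines):
    """Code of a possibly multi-line reply, taken from its final line."""
    m = _FINAL.match(lines[-1]) if lines else None
    return int(m.group(1)) if m else None

def looks_like_smtp(banner, exchange, me="scanner.example"):
    """banner: greeting lines; exchange(cmd) -> reply lines for that command.

    A 220 greeting is only a precondition (FTP greets with 220 too).
    SMTP is confirmed by a 250 reply to EHLO, or to HELO as the fallback.
    """
    if reply_code(banner) != 220:
        return False
    return any(reply_code(exchange(f"{verb} {me}")) == 250
               for verb in ("EHLO", "HELO"))

# Constructed responders standing in for real sockets.
def fake_ftp(cmd):
    # An FTP daemon refusing unknown verbs before login (reply text is constructed).
    return ["530 Please login with USER and PASS."]

def fake_helo_only_smtp(cmd):
    # A pre-ESMTP mail server: rejects EHLO, accepts HELO.
    if cmd.startswith("HELO "):
        return ["250 mail.example.test"]
    return ["500 Command unrecognized"]

def fake_esmtp(cmd):
    # An ESMTP server answering EHLO with a multi-line 250 reply.
    if cmd.startswith("EHLO "):
        return ["250-mail.example.test", "250-PIPELINING", "250 8BITMIME"]
    return ["250 mail.example.test"]

if __name__ == "__main__":
    ftp_banner = ["220 Trimble IS Access ONLY"]  # banner quoted in the report above
    print("ftp      ->", looks_like_smtp(ftp_banner, fake_ftp))
    print("old smtp ->", looks_like_smtp(["220 mail.example.test SMTP"], fake_helo_only_smtp))
    print("esmtp    ->", looks_like_smtp(["220 mail.example.test ESMTP"], fake_esmtp))
```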