package smtp import ( "context" "fmt" "strings" "github.com/shadow1ng/fscan/common" "github.com/shadow1ng/fscan/common/i18n" "github.com/shadow1ng/fscan/plugins/base" ) // SMTPPlugin SMTP插件实现 type SMTPPlugin struct { *base.ServicePlugin exploiter *SMTPExploiter } // NewSMTPPlugin 创建SMTP插件 func NewSMTPPlugin() *SMTPPlugin { // 插件元数据 metadata := &base.PluginMetadata{ Name: "smtp", Version: "2.0.0", Author: "fscan-team", Description: "SMTP邮件服务扫描插件", Category: "service", Ports: []int{25, 465, 587}, // SMTP端口、SMTPS端口、MSA端口 Protocols: []string{"tcp"}, Tags: []string{"smtp", "email", "weak-password", "unauthorized-access"}, } // 创建连接器和服务插件 connector := NewSMTPConnector() servicePlugin := base.NewServicePlugin(metadata, connector) // 创建SMTP插件 plugin := &SMTPPlugin{ ServicePlugin: servicePlugin, exploiter: NewSMTPExploiter(), } // 设置能力 plugin.SetCapabilities([]base.Capability{ base.CapWeakPassword, base.CapUnauthorized, }) return plugin } // Scan 重写扫描方法,进行SMTP服务扫描 func (p *SMTPPlugin) Scan(ctx context.Context, info *common.HostInfo) (*base.ScanResult, error) { // 如果禁用了暴力破解,只进行服务识别 if common.DisableBrute { return p.performServiceIdentification(ctx, info) } target := fmt.Sprintf("%s:%s", info.Host, info.Ports) // 首先尝试匿名访问 anonymousCred := &base.Credential{Username: "", Password: ""} result, err := p.ScanCredential(ctx, info, anonymousCred) if err == nil && result.Success { // 匿名访问成功 common.LogSuccess(i18n.GetText("smtp_anonymous_success", target)) return &base.ScanResult{ Success: true, Service: "SMTP", Credentials: []*base.Credential{anonymousCred}, Banner: result.Banner, Extra: map[string]interface{}{ "service": "SMTP", "port": info.Ports, "type": "anonymous-access", }, }, nil } // 优先尝试默认凭据 defaultCredentials := []*base.Credential{ {Username: "admin", Password: "admin123"}, {Username: "test", Password: "123456"}, {Username: "root", Password: "root123"}, {Username: "mail", Password: "mail123"}, {Username: "postmaster", Password: "postmaster"}, } // 先测试默认凭据 for _, cred := range defaultCredentials { result, err := p.ScanCredential(ctx, info, cred) if err == nil && result.Success { // 认证成功 common.LogSuccess(i18n.GetText("smtp_weak_pwd_success", target, cred.Username, cred.Password)) return &base.ScanResult{ Success: true, Service: "SMTP", Credentials: []*base.Credential{cred}, Banner: result.Banner, Extra: map[string]interface{}{ "service": "SMTP", "port": info.Ports, "username": cred.Username, "password": cred.Password, "type": "default-credentials", }, }, nil } } // 生成其他凭据进行暴力破解 credentials := p.generateCredentials() // 遍历凭据进行测试 for _, cred := range credentials { result, err := p.ScanCredential(ctx, info, cred) if err == nil && result.Success { // 认证成功 common.LogSuccess(i18n.GetText("smtp_weak_pwd_success", target, cred.Username, cred.Password)) return &base.ScanResult{ Success: true, Service: "SMTP", Credentials: []*base.Credential{cred}, Banner: result.Banner, Extra: map[string]interface{}{ "service": "SMTP", "port": info.Ports, "username": cred.Username, "password": cred.Password, "type": "weak-password", }, }, nil } } // 所有凭据都失败,但可能识别到了SMTP服务 return p.performServiceIdentification(ctx, info) } // generateCredentials 生成SMTP凭据 func (p *SMTPPlugin) generateCredentials() []*base.Credential { var credentials []*base.Credential // 获取SMTP用户名字典 usernames := common.Userdict["smtp"] if len(usernames) == 0 { usernames = []string{"admin", "root", "mail", "postmaster", "user", "test", "smtp"} } // 获取密码字典 passwords := common.Passwords if len(passwords) == 0 { passwords = []string{"", "admin", "password", "123456", "admin123", "root123", "mail123", "postmaster", "smtp"} } // 生成用户名密码组合 for _, username := range usernames { for _, password := range passwords { // 替换密码中的用户名占位符 actualPassword := strings.Replace(password, "{user}", username, -1) credentials = append(credentials, &base.Credential{ Username: username, Password: actualPassword, }) } } return credentials } // Exploit 使用exploiter执行利用 func (p *SMTPPlugin) Exploit(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) { return p.exploiter.Exploit(ctx, info, creds) } // GetExploitMethods 获取利用方法 func (p *SMTPPlugin) GetExploitMethods() []base.ExploitMethod { return p.exploiter.GetExploitMethods() } // IsExploitSupported 检查利用支持 func (p *SMTPPlugin) IsExploitSupported(method base.ExploitType) bool { return p.exploiter.IsExploitSupported(method) } // performServiceIdentification 执行SMTP服务识别(-nobr模式) func (p *SMTPPlugin) performServiceIdentification(ctx context.Context, info *common.HostInfo) (*base.ScanResult, error) { target := fmt.Sprintf("%s:%s", info.Host, info.Ports) // 尝试识别SMTP服务 connector := NewSMTPConnector() conn, err := connector.Connect(ctx, info) if err == nil && conn != nil { if smtpConn, ok := conn.(*SMTPConnection); ok { // 记录服务识别成功 common.LogSuccess(i18n.GetText("smtp_service_identified", target, smtpConn.info)) connector.Close(conn) return &base.ScanResult{ Success: true, Service: "SMTP", Banner: smtpConn.info, Extra: map[string]interface{}{ "service": "SMTP", "port": info.Ports, "info": smtpConn.info, "protocol": "SMTP", }, }, nil } } // 如果无法识别为SMTP,返回失败 return &base.ScanResult{ Success: false, Error: fmt.Errorf("无法识别为SMTP服务"), }, nil } // ============================================================================= // 插件注册 // ============================================================================= // RegisterSMTPPlugin 注册SMTP插件 func RegisterSMTPPlugin() { factory := base.NewSimplePluginFactory( &base.PluginMetadata{ Name: "smtp", Version: "2.0.0", Author: "fscan-team", Description: "SMTP邮件服务扫描插件", Category: "service", Ports: []int{25, 465, 587}, // SMTP端口、SMTPS端口、MSA端口 Protocols: []string{"tcp"}, Tags: []string{"smtp", "email", "weak-password", "unauthorized-access"}, }, func() base.Plugin { return NewSMTPPlugin() }, ) base.GlobalPluginRegistry.Register("smtp", factory) } // 自动注册 func init() { RegisterSMTPPlugin() }