package services import ( "context" "crypto/tls" "fmt" "net" "net/smtp" "strings" "time" "github.com/shadow1ng/fscan/common" ) type SMTPPlugin struct { name string ports []int } func NewSMTPPlugin() *SMTPPlugin { return &SMTPPlugin{ name: "smtp", ports: []int{25, 465, 587, 2525}, } } func (p *SMTPPlugin) Name() string { return p.name } func (p *SMTPPlugin) GetPorts() []int { return p.ports } func (p *SMTPPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult { target := fmt.Sprintf("%s:%s", info.Host, info.Ports) if common.DisableBrute { return p.identifyService(ctx, info) } if result := p.testOpenRelay(ctx, info); result != nil && result.Success { common.LogSuccess(fmt.Sprintf("SMTP %s 开放中继", target)) return result } credentials := GenerateCredentials("smtp") if len(credentials) == 0 { return &ScanResult{ Success: false, Service: "smtp", Error: fmt.Errorf("没有可用的测试凭据"), } } for _, cred := range credentials { if p.testCredential(ctx, info, cred) { common.LogSuccess(fmt.Sprintf("SMTP %s %s:%s", target, cred.Username, cred.Password)) return &ScanResult{ Success: true, Service: "smtp", Username: cred.Username, Password: cred.Password, } } } return &ScanResult{ Success: false, Service: "smtp", Error: fmt.Errorf("未发现弱密码"), } } func (p *SMTPPlugin) testOpenRelay(ctx context.Context, info *common.HostInfo) *ScanResult { target := fmt.Sprintf("%s:%s", info.Host, info.Ports) client, err := smtp.Dial(target) if err != nil { return nil } defer client.Quit() if err := client.Hello("fscan.test"); err != nil { return nil } if err := client.Mail("test@fscan.test"); err != nil { return nil } if err := client.Rcpt("external@example.com"); err != nil { return nil } return &ScanResult{ Success: true, Service: "smtp", Banner: "开放中继", } } func (p *SMTPPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool { target := fmt.Sprintf("%s:%s", info.Host, info.Ports) var client *smtp.Client var err error if info.Ports == "465" { conn, err := tls.Dial("tcp", target, &tls.Config{InsecureSkipVerify: true}) if err != nil { return false } defer conn.Close() client, err = smtp.NewClient(conn, info.Host) if err != nil { return false } } else { client, err = smtp.Dial(target) if err != nil { return false } } defer client.Quit() if ok, _ := client.Extension("STARTTLS"); ok { if err := client.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil { } } auth := smtp.PlainAuth("", cred.Username, cred.Password, info.Host) if err := client.Auth(auth); err != nil { return false } return true } func (p *SMTPPlugin) getServerInfo(ctx context.Context, info *common.HostInfo) string { target := fmt.Sprintf("%s:%s", info.Host, info.Ports) conn, err := net.DialTimeout("tcp", target, time.Duration(common.Timeout)*time.Second) if err != nil { return "" } defer conn.Close() conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) buffer := make([]byte, 1024) n, err := conn.Read(buffer) if err != nil { return "" } welcome := strings.TrimSpace(string(buffer[:n])) if strings.HasPrefix(welcome, "220") { return strings.TrimPrefix(welcome, "220 ") } return welcome } func (p *SMTPPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult { target := fmt.Sprintf("%s:%s", info.Host, info.Ports) serverInfo := p.getServerInfo(ctx, info) var banner string if serverInfo != "" { banner = fmt.Sprintf("SMTP邮件服务 (%s)", serverInfo) } else { conn, err := net.DialTimeout("tcp", target, time.Duration(common.Timeout)*time.Second) if err != nil { return &ScanResult{ Success: false, Service: "smtp", Error: err, } } defer conn.Close() banner = "SMTP邮件服务" } common.LogSuccess(fmt.Sprintf("SMTP %s %s", target, banner)) return &ScanResult{ Success: true, Service: "smtp", Banner: banner, } } func init() { // 使用高效注册方式:直接传递端口信息,避免实例创建 RegisterPluginWithPorts("smtp", func() Plugin { return NewSMTPPlugin() }, []int{25, 465, 587, 2525}) }