zmap · codyprime · Jun 1, 2020 · May 20, 2020 · May 21, 2020 · May 21, 2020
diff --git a/go.sum b/go.sum
@@ -64,6 +64,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/weppos/publicsuffix-go v0.4.0 h1:YSnfg3V65LcCFKtIGKGoBhkyKolEd0hlipcXaOjdnQw=
 github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
 github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521 h1:kKCF7VX/wTmdg2ZjEaqlq99Bjsoiz7vH6sFniF/vI4M=

diff --git a/modules/dnp3/dnp3.go b/modules/dnp3/dnp3.go
@@ -18,6 +18,7 @@ import (
 	"encoding/binary"
 	"io"
 	"net"
+	"errors"
 
 	"github.com/zmap/zgrab2"
 )
@@ -73,9 +74,10 @@ func GetDNP3Banner(logStruct *DNP3Log, connection net.Conn) (err error) {
 	if len(data) >= LINK_MIN_HEADER_LENGTH && binary.BigEndian.Uint16(data[0:2]) == LINK_START_FIELD {
 		logStruct.IsDNP3 = true
 		logStruct.RawResponse = data
+		return nil
 	}
 
-	return nil
+	return zgrab2.NewScanError(zgrab2.SCAN_PROTOCOL_ERROR, errors.New("Invalid response for DNP3"))
 }
 
 func makeLinkStatusRequest(dstAddress uint16) []byte {

diff --git a/modules/imap/imap.go b/modules/imap/imap.go
@@ -3,6 +3,7 @@ package imap
 import (
 	"net"
 	"regexp"
+	"io"
 
 	"github.com/zmap/zgrab2"
 )
@@ -18,14 +19,14 @@ type Connection struct {
 }
 
 // ReadResponse reads from the connection until it matches the imapEndRegex. Copied from the original zgrab.
-// TODO: Catch corner cases, parse out success/error character.
+// TODO: Catch corner cases
 func (conn *Connection) ReadResponse() (string, error) {
 	ret := make([]byte, readBufferSize)
 	n, err := zgrab2.ReadUntilRegex(conn.Conn, ret, imapStatusEndRegex)
-	if err != nil {
-		return "", nil
+	if err != nil && err != io.EOF && !zgrab2.IsTimeoutError(err) {
+		return "", err
 	}
-	return string(ret[0:n]), nil
+	return string(ret[:n]), nil
 }
 
 // SendCommand sends a command, followed by a CRLF, then wait for / read the server's response.
@@ -34,4 +35,4 @@ func (conn *Connection) SendCommand(cmd string) (string, error) {
 		return "", err
 	}
 	return conn.ReadResponse()
-}
+}
diff --git a/modules/imap/scanner.go b/modules/imap/scanner.go
@@ -24,6 +24,7 @@ package imap
 
 import (
 	"fmt"
+	"errors"
 
 	"strings"
 
@@ -148,6 +149,29 @@ func getIMAPError(response string) error {
 	return fmt.Errorf("error: %s", response)
 }
 
+// Check the contents of the IMAP banner and return a relevant ScanStatus
+func VerifyIMAPContents(banner string) zgrab2.ScanStatus {
+	lowerBanner := strings.ToLower(banner)
+	switch {
+	case strings.HasPrefix(banner, "* NO"),
+	     strings.HasPrefix(banner, "* BAD"):
+		return zgrab2.SCAN_APPLICATION_ERROR
+	case strings.HasPrefix(banner, "* OK"),
+	     strings.HasPrefix(banner, "* PREAUTH"),
+	     strings.HasPrefix(banner, "* BYE"),
+	     strings.HasPrefix(banner, "* OKAY"),
+	     strings.Contains(banner, "IMAP"),
+	     strings.Contains(lowerBanner, "blacklist"),
+	     strings.Contains(lowerBanner, "abuse"),
+	     strings.Contains(lowerBanner, "rbl"),
+	     strings.Contains(lowerBanner, "spamhaus"),
+	     strings.Contains(lowerBanner, "relay"):
+		return zgrab2.SCAN_SUCCESS
+	default:
+		return zgrab2.SCAN_PROTOCOL_ERROR
+	}
+}
+
 // Scan performs the IMAP scan.
 // 1. Open a TCP connection to the target port (default 143).
 // 2. If --imaps is set, perform a TLS handshake using the command-line
@@ -180,6 +204,12 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 	if err != nil {
 		return zgrab2.TryGetScanStatus(err), nil, err
 	}
+	// Quit early if we didn't get a valid response
+	// OR save a valid scan result for later
+	sr := VerifyIMAPContents(banner)
+	if sr == zgrab2.SCAN_PROTOCOL_ERROR {
+		return sr, nil, errors.New("Invalid response for IMAP")
+	}
 	result.Banner = banner
 	if scanner.config.StartTLS {
 		ret, err := conn.SendCommand("a001 STARTTLS")
@@ -209,5 +239,5 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 		}
 		result.CLOSE = ret
 	}
-	return zgrab2.SCAN_SUCCESS, result, nil
+	return sr, result, nil
 }
diff --git a/modules/pop3/pop3.go b/modules/pop3/pop3.go
@@ -1,8 +1,12 @@
+// Scanner for POP3 protocol
+// https://www.ietf.org/rfc/rfc1939.txt
+
 package pop3
 
 import (
 	"net"
 	"regexp"
+	"io"
 
 	"github.com/zmap/zgrab2"
 )
@@ -18,14 +22,15 @@ type Connection struct {
 }
 
 // ReadResponse reads from the connection until it matches the pop3EndRegex. Copied from the original zgrab.
-// TODO: Catch corner cases, parse out success/error character.
+// TODO: Catch corner cases
 func (conn *Connection) ReadResponse() (string, error) {
 	ret := make([]byte, readBufferSize)
 	n, err := zgrab2.ReadUntilRegex(conn.Conn, ret, pop3EndRegex)
-	if err != nil {
-		return "", nil
+	// Don't quit for timeouts since we might have gotten relevant data still
+	if err != nil && err != io.EOF && !zgrab2.IsTimeoutError(err) {
+		return "", err
 	}
-	return string(ret[0:n]), nil
+	return string(ret[:n]), nil
 }
 
 // SendCommand sends a command, followed by a CRLF, then wait for / read the server's response.
@@ -34,4 +39,4 @@ func (conn *Connection) SendCommand(cmd string) (string, error) {
 		return "", err
 	}
 	return conn.ReadResponse()
-}
+}
diff --git a/modules/pop3/scanner.go b/modules/pop3/scanner.go
@@ -27,7 +27,7 @@ package pop3
 
 import (
 	"fmt"
-
+	"errors"
 	"strings"
 
 	log "github.com/sirupsen/logrus"
@@ -163,6 +163,27 @@ func getPOP3Error(response string) error {
 	return fmt.Errorf("POP3 error: %s", response[1:])
 }
 
+// Check the contents of the POP3 header and return a relevant ScanStatus
+func VerifyPOP3Contents(banner string) zgrab2.ScanStatus {
+	lowerBanner := strings.ToLower(banner)
+	switch {
+	case strings.HasPrefix(banner, "-ERR "):
+		return zgrab2.SCAN_APPLICATION_ERROR
+	case strings.HasPrefix(banner, "+OK "),
+	     strings.Contains(banner, "POP3"),
+	     // These are rare for POP3 if they happen at all,
+	     // But it won't hurt to check just in case as a backup
+	     strings.Contains(lowerBanner, "blacklist"),
+	     strings.Contains(lowerBanner, "abuse"),
+	     strings.Contains(lowerBanner, "rbl"),
+	     strings.Contains(lowerBanner, "spamhaus"),
+	     strings.Contains(lowerBanner, "relay"):
+		return zgrab2.SCAN_SUCCESS
+	default:
+		return zgrab2.SCAN_PROTOCOL_ERROR
+	}
+}
+
 // Scan performs the POP3 scan.
 // 1. Open a TCP connection to the target port (default 110).
 // 2. If --pop3s is set, perform a TLS handshake using the command-line
@@ -197,6 +218,12 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 	if err != nil {
 		return zgrab2.TryGetScanStatus(err), nil, err
 	}
+	// Quit early if no valid response
+	// OR save it to return later
+	sr := VerifyPOP3Contents(banner)
+	if sr == zgrab2.SCAN_PROTOCOL_ERROR {
+		return sr, nil, errors.New("Invalid response for POP3")
+	}
 	result.Banner = banner
 	if scanner.config.SendHELP {
 		ret, err := conn.SendCommand("HELP")
@@ -240,5 +267,5 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 		}
 		result.QUIT = ret
 	}
-	return zgrab2.SCAN_SUCCESS, result, nil
+	return sr, result, nil
 }
diff --git a/modules/smtp/scanner.go b/modules/smtp/scanner.go
@@ -36,7 +36,7 @@ import (
 )
 
 // ErrInvalidResponse is returned when the server returns an invalid or unexpected response.
-var ErrInvalidResponse = errors.New("invalid response")
+var ErrInvalidResponse = zgrab2.NewScanError(zgrab2.SCAN_PROTOCOL_ERROR, errors.New("Invalid response for SMTP"))
 
 // ScanResults instances are returned by the module's Scan function.
 type ScanResults struct {
@@ -201,6 +201,27 @@ func getCommand(cmd string, arg string) string {
 	return cmd + " " + arg
 }
 
+// Verify that an SMTP code was returned, and that it is a successful one!
+// Return code on SCAN_APPLICATION_ERROR for better info
+func VerifySMTPContents(banner string) (zgrab2.ScanStatus, int) {
+	code, err := getSMTPCode(banner)
+	lowerBanner := strings.ToLower(banner)
+	switch {
+	case err == nil && (code < 200 || code >= 300):
+		return zgrab2.SCAN_APPLICATION_ERROR, code
+	case err == nil,
+	     strings.Contains(banner, "STMP"),
+	     strings.Contains(lowerBanner, "blacklist"),
+	     strings.Contains(lowerBanner, "abuse"),
+	     strings.Contains(lowerBanner, "rbl"),
+	     strings.Contains(lowerBanner, "spamhaus"),
+	     strings.Contains(lowerBanner, "relay"):
+		return zgrab2.SCAN_SUCCESS, 0
+	default:
+		return zgrab2.SCAN_PROTOCOL_ERROR, 0
+	}
+}
+
 // Scan performs the SMTP scan.
 // 1. Open a TCP connection to the target port (default 25).
 // 2. If --smtps is set, perform a TLS handshake.
@@ -238,6 +259,12 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 		}
 		return zgrab2.TryGetScanStatus(err), result, err
 	}
+	// Quit early if we didn't get a valid response
+	// OR save response to return later
+	sr, bannerResponseCode := VerifySMTPContents(banner)
+	if sr == zgrab2.SCAN_PROTOCOL_ERROR {
+		return sr, nil, errors.New("Invalid response for SMTP")
+	}
 	result.Banner = banner
 	if scanner.config.SendHELO {
 		ret, err := conn.SendCommand(getCommand("HELO", scanner.config.HELODomain))
@@ -292,5 +319,8 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 		}
 		result.QUIT = ret
 	}
-	return zgrab2.SCAN_SUCCESS, result, nil
+	if sr == zgrab2.SCAN_APPLICATION_ERROR {
+		return sr, result, fmt.Errorf("SMTP error code %d returned in banner grab", bannerResponseCode)
+	}
+	return sr, result, nil
 }
diff --git a/modules/smtp/smtp.go b/modules/smtp/smtp.go
@@ -3,6 +3,7 @@ package smtp
 import (
 	"net"
 	"regexp"
+	"io"
 
 	"github.com/zmap/zgrab2"
 )
@@ -19,14 +20,14 @@ type Connection struct {
 }
 
 // ReadResponse reads from the connection until it matches the smtpEndRegex. Copied from the original zgrab.
-// TODO: Catch corner cases, parse out response code.
+// TODO: Catch corner cases
 func (conn *Connection) ReadResponse() (string, error) {
 	ret := make([]byte, readBufferSize)
 	n, err := zgrab2.ReadUntilRegex(conn.Conn, ret, smtpEndRegex)
-	if err != nil {
-		return "", nil
+	if err != nil && err != io.EOF && !zgrab2.IsTimeoutError(err) {
+		return "", err
 	}
-	return string(ret[0:n]), nil
+	return string(ret[:n]), nil
 }
 
 // SendCommand sends a command, followed by a CRLF, then wait for / read the server's response.

diff --git a/modules/telnet/telnet.go b/modules/telnet/telnet.go
@@ -115,6 +115,10 @@ func GetTelnetBanner(logStruct *TelnetLog, conn net.Conn, maxReadSize int) (err
 	if err != nil && err != io.EOF && !zgrab2.IsTimeoutError(err) {
 		return err
 	}
+	// Make sure it is a telnet banner
+	if !logStruct.isTelnet() {
+		return zgrab2.NewScanError(zgrab2.SCAN_PROTOCOL_ERROR, errors.New("Invalid response for Telnet"))
+	}
 	return nil
 }