
TODO : create a cool ascii logo here ;)

The Program itself ........................................  1
    What is it ? ..........................................  1.1
    Why ?  ................................................  1.2
    Disclaimer  ...........................................  1.3
    License  ..............................................  1.4
        General License Information .......................  1.4.1
        Special Note For Distributors .....................  1.4.2
Installation  .............................................  2
    Downloading  ..........................................  2.1
    Compilation  ..........................................  2.2
    Requirements  .........................................  2.2.1
    configure  ............................................  2.2.2
    make  .................................................  2.2.3
    Installation  .........................................  2.3
    Package building ......................................  2.4
Using the program  ........................................  3
    Generic use  ..........................................  3.1
    Options  ..............................................  3.2
        -F, --ftp  ........................................  3.2.1 
        -P, --pop3  .......................................  3.2.2 
        -S, --smtp  .......................................  3.2.3  
        -h, --help  .......................................  3.2.4  
        -V, --version  ....................................  3.2.5  
        -v, --verbose  ....................................  3.2.6  
        -p, --polite  .....................................  3.2.7  
        -d, --nodns  ......................................  3.2.8  
        -f, --fast  .......................................  3.2.9  
        -c, --conn_timeout <secs>  ........................  3.2.10 
        -t, --timeout <secs>  .............................  3.2.11 
        -n, --trigger <perc>  .............................  3.2.12 
        --ftp-port <port>  ................................  3.2.13 
        --smtp-port <port>  ...............................  3.2.14
        --pop3-port <port>  ...............................  3.2.15 
        --ftp-user  <user>  ...............................  3.2.16 
        --smtp-user <user>  ...............................  3.2.17 
        --pop3-user <user>  ...............................  3.2.18 
        --ftp-pass <pass>  ................................  3.2.19 
        --smtp-pass <pass>  ...............................  3.2.20 
        --pop3-pass <pass>  ...............................  3.2.21
    Interpreting results  .................................  3.3
        Simple output example  ............................  3.3.1
        -v- and other remarks  ............................  3.3.2
        Advanced interpretation and own fingerprints  .....  3.3.3
FAQ  ......................................................  4
    Troubleshooting  ......................................  4.1
        Compiling  ........................................  4.1.1
    Generic use  ..........................................  4.2
        Connection behaviour  .............................  4.2.1
        Scan Results  .....................................  4.2.2
    Features  .............................................  4.3
        Feature requests  .................................  4.3.1
Some words  ...............................................  5
    Use of smtpmap  .......................................  5.1
    Contact  ..............................................  5.2
Known Bugs and limitations  ...............................  6
    Known Servers  ........................................  6.1
    Bugs  .................................................  6.2
    Limitations ...........................................  6.3
Future plans  .............................................  7
    Fast Scan  ............................................  7.1
    Other Protocols  ......................................  7.2
    Cool features  ........................................  7.3
End  ......................................................  8

1 The Program itself

1.1 What is it ?

  Smtpmap is able to identify the SMTP software running on a given host. It
  shows the probability for each server version, and uses three different
  fingerprinting techniques to make the match as reliable as possible. It can
  also be used to check whether any SMTP service is running on the given
  port. Beginning with version 0.8.212 smtpmap is even able to identify POP3
  and FTP servers.

1.2 Why ?

  Why not ? I've seen the ftpmap program of jedi, and also lots of so called
  "security advices" which tell you to disable the banner, so no user can see
  what software version is running on the host. This is supposed to keep
  hackers from breaking into the systems. Well, that's wrong for two reasons.
  First, it is possible to determine the version with a program like this,
  and secondly they don't care about the version, they just try which crack
  works.

1.3 Disclaimer

  You know it. I am not responsible for what you do with this program, and what
  damage it might do to you or others or whatever. 
  
  USE AT YOUR OWN RISK !

1.4 License

1.4.1 General License Information

  This Program is delivered under the GPL. You should have received a copy in
  the file COPYING.

1.4.2 Special Note For Distributors

  You are allowed and requested to put this package into your distribution,
  if you put my name into the package information and nowhere claim this
  program is from you (except in the packager field, if you created the
  package), and if you tell me that it is in the distro, where and when. It
  would also be nice if you send me the package information (e.g. the .spec
  for rpms) that was used to build the package and any patches you needed to
  apply, perhaps I will do this later too...

2. Installation

  This section will describe how to produce a working version of smtpmap.

2.1 Downloading

  You can download the latest version of this program at :

  http://plasmahh.free-bsd.org/down_tool

  If your package is rather old, this URI might have changed, therefore you can
  also look at :

  http://freshmeat.net/projects/smtpmap

  for the latest URIs.

  The latest version this README refers to is 0.8.212-BETA.

2.2 Compilation
  
  First you need to untar the package. This may depend on your system and the
  installed tools. With GNU tar you need to do the following :

  tar xvzf smtpmap-0.8-beta.tar.gz

  or

  tar xvjf smtpmap-0.8-beta.tar.bz2

  You need to have gzip or bzip2 installed to uncompress the tar package (or a
  tar with gzip/bzip2 support). Depending on your OS the options to tar might
  differ (like I instead of j on Solaris tar), please refer to the specific
  manpage.

2.2.1 Requirements  

  This program needs to be compiled with gcc 2.96 or later. It relies on some
  of the glibc functions. I have noticed that on some systems the glibc does
  not include the getopt_long function. On those systems you may need to
  install the GNU getopt package.
  
2.2.2 configure

  When you are in the generated directory, you may run the configure script to
  let the package do some checks and to configure a few options. If you are
  happy with the default installation directories of /usr/bin/ and /usr/share
  you can just do a make on most Linux systems. If you want to have it
  installed in another directory than /usr you must run configure (the example
  installs everything in subdirectories of /usr/local):

  ./configure --prefix=/usr/local

  The script will also do some self checks, and checks for some needed programs
  and utilities (e.g. a compiler ;)

2.2.3 make

  After running the configure script you should simply type:

  make

  to build smtpmap. I recommend GNU make version 3.79 at least. Others may
  work too, but the makefiles were tested and written for this version. If you
  run another OS than Linux you should have run the configure script before,
  since it will make the necessary changes to build and compile smtpmap
  correctly. If your OS is not supported, the configure script will inform you
  but will try to continue anyway.

2.3 Installation

  If you want to install the package in the specified directory, type :

  make install

  This will copy the binary to $PREFIX/bin/ and the fingerprint files to
  $PREFIX/share/smtpmap/ . smtpmap will always search in the directory
  specified at build time, so this location cannot be changed at runtime.

2.4 Package building

  I currently do not have a proper spec file to create a working .rpm package.
  I have seen some packages (like for Mandrake and FreeBSD as well as NetBSD)
  out there, so perhaps you may have luck and find the necessary files for it.

3. Using the program

3.1 Generic use

3.2 Options

  This is a short overview of the options that smtpmap offers :

Usage: smtpmap [OPTIONS]... HOST


  -F, --ftp           Scan a ftp Server.
  -P, --pop3          Scan a pop3 Server.
  -S, --smtp          Scan a smtp Server (defaults to this if none
                      of the 3 is given).
  -h, --help          This nice help screen.
  -V, --version       Output "0.8.210-BETA"
  -v, --verbose       Be Verbose (Up to three times for max. verbosity).
  -p, --polite        Be polite when reading database and options.
  -d, --nodns         Don't do any DNS lookups if possible.
  -f, --fast          Do a fast probe (No Fingerprint scans).
  -c, --conn_timeout <secs> The time after which a connection attempt
                      is considered as failed.
  -t, --timeout <secs> Time after which a request times out (when connected).
  -n, --trigger <perc> Only results that match above perc are shown.

  --ftp-port  <port>  An alternative port the FTP Scan should go to.
  --smtp-port <port>  An alternative port the SMTP Scan should go to.
  --pop3-port <port>  An alternative port the POP3 Scan should go to.
  --ftp-user  <user>  An alternative user for FTP scan (default : anonymous).
  --smtp-user <user>  An alternative user for SMTP scan (default : anonymous).
  --pop3-user <user>  An alternative user for POP3 scan (default : anonymous).
  --ftp-pass  <pass>  An alternative password for the FTP scan
                      (default : anony_user@nononet.org).
  --smtp-pass <pass>  An alternative password for the SMTP scan
                      (default : anony_user@nononet.org).
  --pop3-pass <pass>  An alternative password for the POP3 scan
                      (default : anony_user@nononet.org).


  I will add a manual page in the future where these functions and their
  behaviour are described in more detail, and in a short compressed form.


3.2.1  -F, --ftp
  
  This tells smtpmap to scan the server as an FTP server. Can be combined with
  -S and -P to scan the other protocols as well.
  
3.2.2  -P, --pop3
  
  This tells smtpmap to scan the server as a POP3 server. Can be combined with
  -S and -F to scan the other protocols as well.
  
3.2.3  -S, --smtp
  
  This tells smtpmap to scan the server as an SMTP server. Can be combined with
  -F and -P to scan the other protocols as well.

  If none of those is given, smtpmap defaults to SMTP protocol.

3.2.4  -h, --help

  Displays a short help screen as in section 3.2.
 
3.2.5  -V, --version

  Displays the version number of the smtpmap you are currently running. The
  latest version known at the time of writing this file is 0.8.212-BETA.

3.2.6  -v, --verbose
    
  This option will increase the debug level of the program. The maximum is
  3, and more than three -v will have no additional effect.

  0 : no additional output, just the progress per server, and the guesses.
  1 : also output the scanned fingerprints and a few stats.
  2 : output some additional information during the run, such as which
      fingerprints were read and which commands were sent.
  3 : for heavy debugging only, and very incomplete. Displays lots of
      debugging output, mostly useful for internal development only.
	  
3.2.7  -p, --polite

  Be a bit more polite when reading the fingerprints from the file: errors
  are ignored. In normal mode the program will stop, assuming that the files
  are not usable. Use this only if you know what you are doing !

3.2.8  -d, --nodns

  This will cause smtpmap to do no additional DNS lookups.
  Normally smtpmap will look up the host/IP it was called with, and then
  displays the IP and hostname, if different (reverse lookup).
  If this is not desired for some reason (slow DNS) it can be disabled
  with this option. If a hostname is given as the target, a lookup will
  still be done !

3.2.9  -f, --fast

  This does a fast banner scan for the specified protocols, just displaying
  what the banners tell us (no fingerprinting at all). 
  This can be used for a short overview of what is running in a subnet.

3.2.10 -c, --conn_timeout <secs>

  Sets the timeout for the initial connection to secs seconds. This applies
  to every reconnection attempt as well.
  
  Defaults to 30 seconds.

3.2.11 -t, --timeout <secs>

  Sets the timeout to wait for an answer from the server to secs seconds. This
  applies to every step of fingerprint gathering, as opposed to the -c option
  in section 3.2.10.
  
  Defaults to 30 seconds.

3.2.12 -n, --trigger <perc>

  This value is the percentage above which matching fingerprints are printed.
  At least 3 fingerprints will be displayed, even if none matches this value
  well enough. The default is 95%, which will only show the most probable
  matches.
  
3.2.13 --ftp-port <port>  

  An alternative port the FTP Scan should go to. 

  
3.2.14 --smtp-port <port>  

  An alternative port the SMTP Scan should go to.

3.2.15 --pop3-port <port>  

  An alternative port the POP3 Scan should go to.

3.2.16 --ftp-user  <user>  

  This sets the user the FTP scan should use. If none is given, it tries to
  log in as anonymous with password anony_user@nonet.org
  
3.2.17 --smtp-user <user>  

  If the smtp server needs authentication, this is used as the username. This
  feature is currently not available.

3.2.18 --pop3-user <user>

  Use this as the user when trying to scan a POP3 server. Since most commands
  require a valid login, specifying this option is recommended. Running without
  it will set the user to anonymous, which will most likely fail to log in
  (with password anony_user@nonet.org), causing the fingerprinting to display
  strange results.

3.2.19 --ftp-pass <pass>

  By default the FTP scan uses anony_user@nononet.org as the password when
  logging in. If you want to use another password, e.g. to log in as a real
  user or to use a different one for the anonymous login, you can specify it
  here.

3.2.20 --smtp-pass <pass>  

  An alternative password for the SMTP scan. Feature currently not available.

  
3.2.21 --pop3-pass <pass>

  By default the POP3 scan uses anony_user@nononet.org as the password for the
  scan. In most cases this will not result in a successful login and therefore
  does not work for correct fingerprinting.

  Note: The POP3 server needs to accept plain logins. CRAM-MD5 and DIGEST-MD5
  as well as APOP do not work !

3.3 Interpreting results

  The results smtpmap gives are not always clear, especially for unknown
  servers. Here I will describe how to interpret the results.
  
3.3.1 Simple output example
  
  This is part of the output of a simple scan :

  plasmahh@tragx:~/ smtpmap tragx
  smtp-map 0.8.222-BETA

  Scanning tragx ( [ 192.168.27.33 ] )
  100 %
  According to Configuration Fingerprinting the server matches the following :
    Version                                       Probability
  Sendmail 8.12.6 -rv-                            100 %
  Sendmail 8.12.3                                 99.9671 %
  Sendmail 8.12.4                                 95.0444 %

  According to RFC Fingerprinting the server matches the following :
    Version                                       Probability
  Sendmail 8.12.6 -rv-                            100 %
  Sendmail 8.10.1                                 98.1172 %
  Sendmail 8.12.8                                 97.2181 %
  Sendmail 8.12.5                                 96.4672 %
  Sendmail 8.12.6                                 96.2438 %
  Sendmail 8.11.3                                 95.6031 %
  Sendmail 8.12.8                                 95.5156 %
  Sendmail 8.11.6                                 95.0366 %

  According to Overall Fingerprinting the server matches the following :
    Version                                       Probability
  Sendmail 8.12.6 -rv-                            100 %
  Sendmail 8.12.3                                 99.2072 %
  Sendmail 8.12.4                                 98.3945 %
  Sendmail 8.12.2                                 98.361 %

  As you can see, all three fingerprint types say that the server is a
  Sendmail 8.12.6 server. This is usually a reliable result, especially since
  the other candidates are Sendmail versions as well.
  If the probability is below 95% it's unlikely that smtpmap got the exact
  version, but if all three say that it is at least a Sendmail, then it is
  most likely a Sendmail service. If all three say different things, and the
  probability is below ~80%, then smtpmap usually does not really know what it
  is. The RFC scanning type (FTP and SMTP only) is the one that is most fault
  tolerant against configuration changes of the server. The CONF scan, on the
  other hand, can sometimes even distinguish between configuration options
  like relaying, write access, chroot and sometimes others. Some fingerprints
  are marked with the features they stand for.
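  To make these rules of thumb mechanical, here is an added Python example
  (not part of smtpmap) that parses the three result tables from output like
  the one above, emulates the -n/--trigger filter of section 3.2.12, and
  applies the 95% / ~80% interpretation rules; the embedded sample output is a
  constructed, abridged copy of the scan shown above.

```python
"""Parse smtpmap result tables and apply the README's interpretation rules (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, abridged from the scan output shown in section 3.3.1.
SAMPLE_OUTPUT = """\
smtp-map 0.8.222-BETA

Scanning tragx ( [ 192.168.27.33 ] )
100 %
According to Configuration Fingerprinting the server matches the following :
  Version                                       Probability
Sendmail 8.12.6 -rv-                            100 %
Sendmail 8.12.3                                 99.9671 %
Sendmail 8.12.4                                 95.0444 %

According to RFC Fingerprinting the server matches the following :
  Version                                       Probability
Sendmail 8.12.6 -rv-                            100 %
Sendmail 8.10.1                                 98.1172 %

According to Overall Fingerprinting the server matches the following :
  Version                                       Probability
Sendmail 8.12.6 -rv-                            100 %
Sendmail 8.12.3                                 99.2072 %
"""

HEADER_RE = re.compile(r"^According to (\w+) Fingerprinting")
# one table row: "<name> <version> [<remark>]   <probability> %"
ROW_RE = re.compile(r"^(?P<version>\S.*?)\s+(?P<prob>\d+(?:\.\d+)?) %$")
REMARK_RE = re.compile(r"\s+(-[a-z]+-)$")  # -v-, -rv-, -av-, -uv- (section 3.3.2)


@dataclass
class Match:
    version: str        # software name and version, remark stripped
    probability: float  # percentage as printed by smtpmap
    remark: str         # verification remark such as "-rv-", or ""


def parse_results(text):
    """Return the tables keyed "Configuration", "RFC", "Overall", best match first."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            tables[current] = []
            continue
        row = ROW_RE.match(line)
        if current is None or not row:
            continue  # banner, progress and column-header lines
        version, remark = row.group("version"), ""
        found = REMARK_RE.search(version)
        if found:
            remark, version = found.group(1), version[:found.start()]
        tables[current].append(Match(version, float(row.group("prob")), remark))
    return tables


def apply_trigger(matches, perc=95.0):
    """Emulate -n/--trigger: keep matches at or above perc, but always show
    at least the three best ones."""
    kept = [m for m in matches if m.probability >= perc]
    return kept if len(kept) >= 3 else matches[:3]


def interpret(tables):
    """Apply the rules of thumb from section 3.3.1 to the best match of each
    fingerprint type and return (verdict, detail)."""
    tops = [tables[k][0] for k in ("Configuration", "RFC", "Overall") if tables.get(k)]
    if len(tops) < 3:
        return ("inconclusive", "not every fingerprint type produced a match")
    versions = {m.version for m in tops}
    families = {m.version.split()[0] for m in tops}  # e.g. "Sendmail"
    lowest, highest = min(m.probability for m in tops), max(m.probability for m in tops)
    if len(versions) == 1 and lowest >= 95.0:
        return ("exact", tops[0].version)  # all three agree, at or above 95%
    if len(families) == 1:
        return ("family", families.pop())  # at least the software is known
    if len(families) == 3 and highest < 80.0:
        return ("unknown", "all three disagree and probabilities are low")
    return ("inconclusive", "fingerprint types disagree, inspect with -v")
```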
  
3.3.2  -v- and other remarks

  When playing with smtpmap, you might have noticed remarks like -v- or -rv-
  in the result output. These are fingerprints that have been verified with
  the latest version of smtpmap on a reachable, fully functional server. The
  meaning is slightly different for the different tests.

  Test | Remark | Meaning
  -----+--------+-------------------------------------------------------------------------
   FTP |   -v-  | FP has been verified for use with the latest Version of smtpmap
   FTP |  -av-  | Has been verified, and applies mainly for login as anonymous
   FTP |  -uv-  | Has been verified, and applies mainly for login as valid user
  SMTP |  -rv-  | Has been verified, with relay possible
  SMTP |   -v-  | Has been generally verified, without special features.
  POP3 |   -v-  | Has been verified.

  Note: for POP3, the result also carries a remark stating whether the login
  was successful, and whether the logged-in user has mail or no mail.

  Other remarks may be introduced in later versions.
  
3.3.3 Advanced interpretation and own fingerprints
  
  You may also put your own fingerprints into smtpmap's database. When you run
  smtpmap with the -v option, it will display the fingerprint of the currently
  scanned host. You can now copy and paste this fingerprint into the
  corresponding <protocol>-fingerprints-<type> file, installed into the
  smtpmap shared directory.

  It often happens that if you scan a server and then scan it again, the
  fingerprint gives a good match, but not quite 100%. This may have different
  reasons :

  - The server results sometimes contain UIDs (e.g. the POP3 UIDL command
    returns one if a message is there), which make fingerprinting difficult,
    if not impossible at times. In this case the RETURN fingerprint is
    affected most. Here you should compare two fingerprints from the same
    server, and put a 0 (zero) where they differ because of this UID or
    UID-like result (watch with -v -v -v for detailed output).

  - The result comes from a return that is affected by more or less random
    circumstances (like random disconnects, files/mails on the server etc.).
    In this case all fingerprints might be affected more or less. Figure out
    which with maximum verbosity and set a 0 for the CONF or RETURN
    fingerprint there.

  - Sometimes a result message is one of 2 or 3 (or more) possible ones. In
    this case the RETURN and RFC fingerprints are affected most. You can then
    add all of the possible checksums to an RFC code number in the RFC
    fingerprint, and/or put a 0 in the RETURN fingerprint.

  - If the results differ for the same server version, but on different
    machines, then you might not be scanning the right hostname. Smtpmap tries
    to strip out the hostname wherever possible. Sometimes it cannot determine
    the correct hostname that the server uses. If possible, specify this as
    the target to be scanned. In the future there may be a special option that
    tries to guess the hostname used by the server.
  
  All those may of course be reasons why the shipped fingerprints do not give
  proper results. E.g. the CONF fingerprints will often change if you change
  something in the configuration of the server.

  You can therefore also use CONF fingerprints for special feature scanning,
  like relay/no relay, write capabilities or even whether the VRFY feature is
  enabled or disabled. Smtpmap will introduce some special fingerprints to
  test those, if desired by you !


4 FAQ

4.1 Troubleshooting
4.1.1 Compiling

  Q: The program won't compile, what have you done ?

  A: The program and makefiles are written so that they will compile on
     almost every machine with a GNU compiler and a newer version of the
     GNU C library.
     Please refer to section 2.2.1 Requirements to see if you fulfil all of
     them before continuing. If it does not compile, please send me the
     complete output of the process from unpacking and configuring to
     compiling, and don't leave anything out.

  Q: I have compiler xyz, will it work ?

  A: I suppose not. But try it, and let me know. This program relies on
     some GNU libc specific calls that are not part of most other libraries.

4.2 Generic use
4.2.1 Connection behaviour

  Q: The program always disconnects, but when I try to telnet to the machine
     everything seems fine.

  A: Try increasing the timeout to wait for an answer, perhaps 3 seconds is
     too short for your line. It is also possible that the server
     disconnects us, since it detects our scan, or too many bad commands.
     Verify this with a higher debug level.

  Q: The Program needs ages to begin scanning.

  A: Before anything is done, we have to connect. Some servers make the
     connection phase really long, or they try to use ident, which might
     be disabled/blocked on your host. This is not our fault, so you have
     to live with it, or try to figure out if enabling ident helps you.

  Q: smtpmap scans, but it takes a long time until the percentage changes.

  A: Some servers slow down the connection in some cases, and for some
     reasons we cannot influence. Try to find out if it is because of ident,
     like the connect thingie. Postfix servers seem to be especially slow.

  Q: The Program seems to hang at some stage. It is always the same 
     percentage for the same server.

  A: smtpmap tries to get the result from the server, and if it times out
     it will disconnect. To make these conditions as rare as possible,
     smtpmap will try to get the answer several times, which may lead to
     a longer period to wait than the timeout setting. Try to wait a while
     (possibly even some minutes).

4.2.2 Scan Results

  Q: The best probability is damn low, but I guess the server version is
     in smtpmap's list, what's wrong ?

  A: If you look at the generated fingerprint ( --verbose ) it is possible
     that the generated values are "shifted", which means that the results
     are interpreted wrongly. (You see this when the CONF & RETURN
     fingerprints have a 0 at the beginning.) You may try increasing the
     timeout value, perhaps this helps. This should not happen if the server
     behaves RFC conformant, but some don't.


  Q: The probabilities seem to vary, and are not very good. I see lots of
     disconnects.

  A: A disconnect displays another message than the command normally would.
     To avoid endless loops in single commands causing this disconnect,
     smtpmap goes on with the next command. This makes the fingerprint
     "dirty", which will cause the match to decrease. I will try to improve
     this behaviour in the future.

  Q: I have submitted a fingerprint, but it is not in the list / the host I
     scanned does not have a 100% match.

  A: I edit the fingerprints by hand, and try to get an overall best match
     for them. The problem is that some servers put things like hostnames,
     the current time, or others into their results, so they vary a bit. I
     try to compensate for this, which leads to high (>95%) match values,
     but it's sometimes not 100%.

4.3 Features
4.3.1 Feature requests

  Q: Will you implement feature xyz for me ?

  A: If you ask nicely, pay money, or if it is cool, perhaps. I do not have
     much time to spend on this program, so you can perhaps give me some
     detailed ideas on how to improve this program, perhaps I will add them.
     In section 6 (Limitations) I will describe features that I will add,
     that have bugs, and also some that I definitely will not add. Look at
     this section first before requesting a feature.



5 Some words

5.1 Use of smtpmap

  The use of smtpmap is free for private & educational use. It is fully
  copyrighted by me. If you want to use the sources to build other
  programs or whatever, I would be glad if you asked me beforehand. If you
  use smtpmap on a regular basis, you may donate me some money. How much ?
  It's up to you, as much as you think it's worth. You don't have to, but
  you may. Contact me then to get my account information.

5.2 Contact
  
  You can contact me preferably at plasmahh@gmx.net . If this document is
  more than 6 months old, you should get a new one, perhaps the address has
  changed. I do not accept emails from yahoo, hotmail and msn, and also not
  from some other seldom-used email services, because I get ~20-40 spam mails
  from each per day.

6 Known Bugs and limitations

6.1 Known Servers

  Since smtpmap relies on fingerprints, it can only recognize servers that
  are in its local database. Scanning and submitting fingerprints will
  increase the number of known servers. I have some Sendmail fingerprints, but
  I still need Postfix, Qmail, Exim and lots of other versions.

6.2 Bugs
  
  Since the new 0.7 version class structure smtpmap lacks full IPv6 support.
  I currently have a development branch with IPv6, but my problem is the
  auto-detection, and that the connect call returns an error, although the
  connection seems to be successful. I have to work on this; if you can
  give me some advice on how to make smtpmap IPv6 ready, I would be glad if
  you mail me at plasmahh@gmx.net.

6.3 Limitations

  Smtpmap will sometimes consume a lot of memory if you try to scan big
  wildcarded IP ranges (such as 1.2.*.*). This limitation will not be removed
  because smtpmap is not a field-portscan program, it's just a scanner for
  some servers, and since it takes minutes for one server, it is not necessary
  to scan thousands of servers.


7 Future plans

7.1 Fast Scan
  
  Lots of servers only change the greeting banner, but the HELP command
  output remains unchanged, which is often a good indicator for at least the
  name of the server software. I plan to add a fast scan option to parse
  those messages, so a rough guess can be made which version it is.

7.2 Other Protocols

  The class structure of smtpmap should make it possible to easily
  implement other protocols such as POP3, FTP, IMAP and perhaps even some
  binary based ones. If I have enough time at some future date, I will try
  to code some other protocol scans, but this will probably be in the far
  future.

7.3 Cool features

  In about 20 or 25 years, when I have earned enough money, I will make
  smtpmap a program with every feature, every kind of UI, and all you want,
  but until then I will work and get the money. You can help me by
  donating something, if you like smtpmap and plan to use it.

8 End
                Dennis Lubert <plasmahh@gmx.net>
