
TODO : create a cool ascii logo here ;)

The Program itself ........................................  1
    What is it ? ..........................................  1.1
    Why ?  ................................................  1.2
    Disclaimer  ...........................................  1.3
    License  ..............................................  1.4
        General License Information .......................  1.4.1
        Special Note For Distributors .....................  1.4.2
Installation  .............................................  2
    Downloading  ..........................................  2.1
    Compilation  ..........................................  2.2
    Installation  .........................................  2.3
    Package building ......................................  2.4
Using the program  ........................................  3
    Generic use  ..........................................  3.1
    Options  ..............................................  3.2
        -v, --verbose  ....................................  3.2.1
        -h, --help  .......................................  3.2.2
        -d, --nodns  ......................................  3.2.3
        -n, --trigger <perc>  .............................  3.2.4
        -p,--port  ........................................  3.2.5
        -l,--polite  ......................................  3.2.6
        -t, --timeout <secs>  .............................  3.2.7
        -c, --conn_timeout <secs>  ........................  3.2.8
FAQ  ......................................................  4
    Troubleshooting  ......................................  4.1
        Compiling  ........................................  4.1.1
    Generic use  ..........................................  4.2
        Connection behaviour  .............................  4.2.1
        Scan Results  .....................................  4.2.2
    Features  .............................................  4.3
        Feature requests  .................................  4.3.1
Some words  ...............................................  5
    Use of smtpmap  .......................................  5.1
    Contact  ..............................................  5.2
Known Bugs and limitations  ...............................  6
    Known Servers  ........................................  6.1
    Bugs  .................................................  6.2
Future plans  .............................................  7
    Fast Scan  ............................................  7.1
    Other Protocols  ......................................  7.2
    Cool features  ........................................  7.3
End  ......................................................  8

1 The Program itself

1.1 What is it ?

  Smtpmap identifies the SMTP software running on a given host. It reports
  the probability of each candidate server version, and uses three different
  fingerprinting techniques to make those probabilities as reliable as
  possible. It can also be used simply to check whether any SMTP service is
  listening on the given port.

1.2 Why ?

  Why not ? I've seen the ftpmap program by jedi, and also lots of so-called
  "security advices" which tell you to disable the banner, so no user can see
  what software version is running on the host. This is supposed to keep
  hackers from breaking into the systems. Well, that's wrong for two reasons.
  First, it's possible to determine the version with a program like this, and
  secondly they don't care about the version, they just look which crack works.

1.3 Disclaimer

1.4 License

1.4.1 General License Information


  Bla Bla Bla

1.4.2 Special Note For Distributors

  You are allowed and requested to put this package into your distribution,
  provided that you put my name into the package information, nowhere claim
  this program is yours (except in the packager field, if you created the
  package), and tell me that it is in the distro, where and when. It would
  also be nice if you send me the package information (e.g. the .spec for
  RPMs) that was used to build the package; perhaps I will do this myself
  later too...

2 Installation

2.1 Downloading

2.2 Compilation

2.3 Installation

2.4 Package building

  make
  make install


3 Using the program

3.1 Generic use

3.2 Options

  This is a short overview of the options that smtpmap offers:

  Usage  : smtpmap [-h] [-a] [-P <port>] [-n <perc>] <host>

  <host>                : connect to SMTP server running on <host> (IP or name)
  -v,--verbose          : be verbose. Up to 3 times for maximum verbosity
  -h,--help             : print help ( this screen )
  -d,--nodns            : Don't do additional DNS lookups, except for connect.
  -n,--trigger <perc>   : show all hits above <perc> Percent
  -p,--port <port>      : connect to port <port> (default=25)
  -l,--polite           : be polite when reading input
  -t,--timeout <secs>   : timeout in secs when waiting for an answer (default=3)
  -c,--conn_timeout <s> : timeout in secs when connecting to a host (default=30)


  I will add a manual page in the future, in which these options and their
  behaviour are described in more detail and in a short, compressed form.



3.2.1 -v, --verbose
    
  This option increases the debug level of the program. The maximum is
  3; more than three -v have no additional effect.

  0 : no additional output, just the progress per server, and the guesses.
  1 : also output the scanned fingerprints and a few statistics
  2 : output some additional information during the run, such as which
      fingerprints were read and which commands were sent
  3 : for heavy debugging only, and very incomplete. Displays lots of
      debugging output, mostly used in internal development only

3.2.2 -h, --help

  Trivial. Displays the help screen of section 3.2.

3.2.3 -d, --nodns

  This causes smtpmap to do no additional DNS lookups.
  Normally smtpmap looks up the host/IP it was called with, and then
  displays both the IP and the hostname if they differ (reverse lookup).
  If this is not desired for some reason (slow DNS), it can be disabled
  with this option. If a hostname is passed on the command line, a lookup
  will still be done to resolve it!

3.2.4 -n, --trigger <perc>

  This value is the percentage from which on matching fingerprints are
  printed. At least 3 fingerprints are always displayed, even if none
  matches well enough to reach this value. The default is 90%, which only
  shows the most probable matches.
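
  The following is an added example in Python, not smtpmap's own code, that
  shows the trigger rule at work. A fingerprint is modelled as the ordered
  list of SMTP reply codes a server gave to a fixed probe sequence; the probe
  list, the database entries and the observed codes are all constructed, and
  the percentage is a plain positional agreement (smtpmap's three
  fingerprinting techniques and its hand-tuned matching are not reproduced).

```python
# Added example; not smtpmap's own code. Models how a --trigger threshold
# selects which fingerprint matches are reported.

# Constructed probe sequence: the commands sent, in order, to every server.
PROBES = ["HELO", "EHLO", "VRFY", "EXPN", "HELP", "RSET", "NOOP", "QUIT"]

# Constructed database: software name -> reply code per probe. A 0 would mean
# "no answer before the timeout". Names and codes are illustrative only.
DATABASE = {
    "mta-a 1.0": [250, 250, 252, 502, 214, 250, 250, 221],
    "mta-a 1.1": [250, 250, 250, 502, 214, 250, 250, 221],
    "mta-b 2.3": [250, 250, 502, 502, 502, 250, 250, 221],
    "mta-c 0.9": [250, 500, 252, 502, 214, 250, 250, 221],
    "mta-d 4.0": [250, 250, 550, 550, 214, 250, 250, 221],
}

# Constructed result of one scan, as a scanner would have gathered it.
OBSERVED = [250, 250, 252, 502, 214, 250, 250, 221]


def match_percent(observed, reference):
    """Percentage of probe positions on which the two fingerprints agree."""
    if len(observed) != len(reference):
        raise ValueError("fingerprints must cover the same probe sequence")
    hits = sum(1 for o, r in zip(observed, reference) if o == r)
    return 100.0 * hits / len(reference)


def select_matches(observed, database, trigger=90.0, minimum=3):
    """Apply the --trigger rule: report every entry scoring at least
    `trigger` percent, but never fewer than `minimum` entries (the best
    ones), even when nothing reaches the threshold."""
    scored = sorted(
        ((name, match_percent(observed, ref)) for name, ref in database.items()),
        key=lambda item: (-item[1], item[0]),   # best score first, then by name
    )
    above = [item for item in scored if item[1] >= trigger]
    return above if len(above) >= minimum else scored[:minimum]


def report(observed, database, trigger=90.0):
    """Render the selection the way a scanner would print it."""
    lines = [f"trigger {trigger:.0f}%, probes: {' '.join(PROBES)}"]
    for name, pct in select_matches(observed, database, trigger):
        lines.append(f"  {pct:6.2f}%  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With the default 90% only one entry qualifies, so the three best are
    # shown anyway; at 70% every constructed entry passes the threshold.
    print(report(OBSERVED, DATABASE, trigger=90.0))
    print(report(OBSERVED, DATABASE, trigger=70.0))
```

  Lowering the trigger never hides the best guesses, it only lengthens the
  tail of weaker candidates, which is why 90% is a sensible default for a
  quick look and a lower value is useful when the best match is poor.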

3.2.5 -p,--port
  
  This is the port the program will scan on. Defaults to port 25 (smtp).

3.2.6 -l,--polite

  Be a bit more polite when reading the fingerprints from the file: errors
  are ignored. In normal mode the program stops, assuming that the files
  are not usable. Use this only if you know what you are doing!

3.2.7 -t, --timeout <secs>

  Sets the timeout for waiting for an answer from the server to <secs>
  seconds. This applies to every step of fingerprint gathering, unlike the
  -c option in section 3.2.8. Defaults to 30 seconds.

3.2.8 -c, --conn_timeout <secs>

  Sets the timeout for the initial connection to <secs> seconds. This
  applies to every reconnection attempt. It defaults to 30 seconds.
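
  As an added example in Python, not smtpmap's own code, the following shows
  the distinction between the two timeouts against a constructed slow server
  on the loopback interface: the connect timeout bounds the TCP handshake,
  the step timeout bounds each read of a reply, and the read is retried a
  few times in the way section 4.2.1 describes, so the total wait for one
  reply can exceed the step timeout. The delays, the greeting text and the
  retry count are assumptions made for the example.

```python
# Added example; not smtpmap's own code. Separates the connect timeout (-c)
# from the per-reply timeout (-t) and shows why retries stretch the wait.

import socket
import threading
import time


def start_slow_server(delay, greeting=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for a slow MTA: accepts one client on 127.0.0.1,
    waits `delay` seconds, then sends its greeting. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            time.sleep(delay)
            conn.sendall(greeting)    # may fail if the client already gave up
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def read_reply(sock, step_timeout, attempts=3):
    """Read one reply line, waiting up to `step_timeout` seconds per attempt
    and retrying `attempts` times; the worst case is attempts * step_timeout.
    Returns the line without CRLF, or None when every attempt timed out or the
    server closed the connection (a scanner would record 0 for that probe)."""
    sock.settimeout(step_timeout)
    buf = b""
    for _ in range(attempts):
        try:
            while not buf.endswith(b"\r\n"):
                chunk = sock.recv(512)
                if not chunk:
                    return None
                buf += chunk
            return buf.decode("ascii", errors="replace").rstrip("\r\n")
        except socket.timeout:
            continue            # keep what arrived so far and wait again
    return None


def fetch_greeting(host, port, conn_timeout, step_timeout, attempts=3):
    """Connect with conn_timeout (the -c idea), then read the greeting with
    step_timeout and retries (the -t idea)."""
    sock = socket.create_connection((host, port), timeout=conn_timeout)
    try:
        return read_reply(sock, step_timeout, attempts)
    finally:
        sock.close()


def demo_patient():
    """Server answers after 0.5 s; three reads of 0.3 s each cover that."""
    port = start_slow_server(delay=0.5)
    return fetch_greeting("127.0.0.1", port, conn_timeout=5.0,
                          step_timeout=0.3, attempts=3)


def demo_impatient():
    """Same server, but a single 0.05 s read gives up before the greeting."""
    port = start_slow_server(delay=0.5)
    return fetch_greeting("127.0.0.1", port, conn_timeout=5.0,
                          step_timeout=0.05, attempts=1)


if __name__ == "__main__":
    print("patient  :", demo_patient())
    print("impatient:", demo_impatient())
```

  The patient run gets the greeting on its second read, after roughly 0.6 s,
  which is longer than any single step timeout; the impatient run records no
  answer at all, which is the situation the FAQ addresses with a higher -t.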

4 FAQ

4.1 Troubleshooting
4.1.1 Compiling

  Q: The program won't compile, what have you done ?
  
  A: The program and makefiles are written so that they compile on almost
     every machine with a GNU compiler and a recent version of the GNU C
     library. If it does not compile, please send me the complete output
     of the process, from unpacking through configuring to compiling, and
     don't leave anything out.

  Q: I have compiler xyz, will it work ?

  A: I suppose not. But try it, and let me know. This program relies on
     some GNU libc specific calls that are not part of most other libraries.

4.2 Generic use
4.2.1 Connection behaviour

  Q: The program always disconnects, but when I telnet to the machine
     everything seems fine.

  A: Try increasing the timeout for waiting for an answer; perhaps 3 seconds
     is too short for your line. It is also possible that the server
     disconnects us because it detects our scan, or because of too many bad
     commands. Verify this with a higher debug level.

  Q: The program needs ages to begin scanning.

  A: Before anything is done, we have to connect. Some servers make the
     connection phase really long, or they try to use ident, which might
     be disabled/blocked on your host. This is not our fault, so you have
     to live with it, or find out whether enabling ident helps you.

  Q: smtpmap scans, but it takes a long time until the percentage changes.

  A: Some servers slow down the connection in some cases, for reasons we
     cannot influence. Try to find out whether it is because of ident,
     like the connect problem above.

  Q: The program seems to hang at some stage. It is always at the same
     percentage for the same server.

  A: smtpmap tries to get the result from the server, and if it times out
     it disconnects. To make these conditions as rare as possible,
     smtpmap tries to get the answer several times, which may lead to
     a longer wait than the timeout setting suggests.

4.2.2 Scan Results

  Q: The best probability is damn low, but I guess the server version is
     in smtpmap's list; what's wrong ?

  A: If you look at the generated fingerprint (--verbose), it is possible
     that the generated values are "shifted", which means that the results
     are interpreted wrongly. (You see this when the conf & return
     fingerprints have a 0 at the beginning.) You may try increasing the
     timeout value; perhaps this helps. This should not happen if the server
     behaves RFC conform, but some don't.
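
  An added example in Python, not smtpmap's own code, of what a shifted
  fingerprint looks like and how one can check for it. It simplifies the
  record to a single list of reply codes per probe, with 0 meaning "no
  answer before the timeout"; the reference and the two observed records
  are constructed. The check tries realigning the observed codes by one or
  more positions and reports the alignment that agrees best with the
  reference, which is exactly what a leading 0 followed by a late-by-one
  sequence produces.

```python
# Added example; not smtpmap's own code. Shows a "shifted" fingerprint:
# the reply to probe i arrived after the timeout and was read as the reply
# to probe i+1, so the record starts with 0 and every later value is one
# position late.

# Constructed reference fingerprint for one server version (one reply code
# per probe: HELO, EHLO, VRFY, EXPN, HELP, RSET, NOOP, QUIT).
REFERENCE = [250, 250, 252, 502, 214, 250, 250, 221]

# Constructed records of two scans of that same server: a clean one, and one
# where the first reply came in late and every reply was attributed to the
# following probe.
CLEAN = [250, 250, 252, 502, 214, 250, 250, 221]
SHIFTED = [0, 250, 250, 252, 502, 214, 250, 250]


def agreement(observed, reference):
    """Percentage of positions on which two equally long code lists agree."""
    hits = sum(1 for o, r in zip(observed, reference) if o == r)
    return 100.0 * hits / len(reference)


def best_alignment(observed, reference, max_shift=None):
    """Compare the record at shift 0 and at every shift k > 0, where shift k
    means reply codes were attributed k probes too late: observed[k:] is then
    compared with reference[:-k]. Returns (shift, percent) for the best one;
    ties go to the smaller shift, so a clean record is reported at shift 0."""
    n = len(reference)
    if max_shift is None:
        max_shift = n // 2
    best = (0, agreement(observed, reference))
    for k in range(1, max_shift + 1):
        pct = agreement(observed[k:], reference[:n - k])
        if pct > best[1]:
            best = (k, pct)
    return best


def diagnose(observed, reference):
    """Return the raw score and whether a leading 0 plus a better-scoring
    realignment points at a timeout-shifted record (the remedy is then a
    larger reply timeout, not a database change)."""
    raw = agreement(observed, reference)
    shift, realigned = best_alignment(observed, reference)
    shifted = observed[0] == 0 and shift > 0 and realigned > raw
    return {"raw": raw, "shift": shift, "realigned": realigned, "shifted": shifted}


if __name__ == "__main__":
    print("clean  :", diagnose(CLEAN, REFERENCE))
    print("shifted:", diagnose(SHIFTED, REFERENCE))
```

  Read position by position, the shifted record agrees with the reference
  in only 2 of 8 places, which is the "damn low" probability from the
  question; moved one position to the left it agrees completely, so the
  low score is an artefact of the timeout rather than a wrong database entry.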


  Q: The probabilities seem to vary, and are not very good. I see lots of
     disconnects.

  A: A disconnect displays a different message than the command normally
     would. To avoid endless loops in single commands causing this
     disconnect, smtpmap goes on with the next command. This makes the
     fingerprint "dirty", which causes the match to decrease. I will try to
     improve this behaviour in the future.

  Q: I have submitted a fingerprint, but it is not in the list / the host I
     scanned does not have a 100% match.

  A: I edit the fingerprints by hand, and try to get an overall best match
     for them. The problem is that some servers put things like hostnames,
     the current time, or other data into their replies, so they vary a
     bit. I try to compensate for this, which leads to high (>95%) match
     values, but sometimes not 100%.

4.3 Features
4.3.1 Feature requests

  Q: Will you implement feature xyz for me ?

  A: If you ask nicely, pay money, or if it is cool, perhaps. I do not have
     much time to spend on this program, so you can perhaps give me some
     detailed ideas on how to improve it; perhaps I will add them. In
     section 6 (Limitations) I describe features that I will add, ones that
     have bugs, and also some that I definitely will not add. Look at that
     section first before requesting a feature.



5 Some words

5.1 Use of smtpmap

  The use of smtpmap is free for private & educational use. It is fully
  copyrighted by me. If you want to use the sources to build other
  programs or whatever, I would be glad if you ask me beforehand. If you use
  smtpmap on a regular basis, you may donate me some money. How much ?
  It's up to you, as much as you think it's worth. You don't have to, but
  you may. Contact me then to get my account information.

5.2 Contact
  
  You can contact me, preferably, at plasmahh@gmx.net . If this document is
  more than 6 months old, you should get a new one; perhaps the address has
  changed. I do not accept emails from yahoo, hotmail and msn, and also not
  from some other seldom-used email services, because I get ~20-40 spam mails
  from each per day.

6 Known Bugs and limitations

6.1 Known Servers

  Since smtpmap relies on fingerprints, it can only recognize servers that
  are in its local database. Scanning and submitting fingerprints will
  increase the number of known servers. I have some Sendmail fingerprints,
  but I still need Postfix, Qmail, Exim and lots of other versions.

6.2 Bugs
  
  Since the new class structure of version 0.7, smtpmap lacks full IPv6
  support. I currently have a development branch with IPv6, but my problems
  are the auto detection, and that the connect call returns an error
  although the connection seems to be successful. I have to work on this;
  if you can give me some advice on how to make smtpmap IPv6 ready, I would
  be glad if you mail me at plasmahh@gmx.net.

  Smtpmap will sometimes consume very much memory if you try to scan big
  wildcarded IP ranges (such as 1.2.*.*). This limitation will not be
  removed, because smtpmap is not a port scanner for whole address ranges;
  it is just a scanner for a few servers, and since it takes minutes for one
  server, it is not necessary to scan thousands of servers.


7 Future plans

7.1 Fast Scan
  
  Lots of servers only change the greeting banner, but the HELP output
  remains unchanged, which is often a good indicator for at least the
  name of the server software. I plan to add a fast scan option that parses
  those messages, so a rough guess can be made which version it is.
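
  An added example in Python, not smtpmap's own code, of the fast-scan idea:
  parse the greeting and the multi-line HELP reply the way an SMTP client
  must (continuation lines carry "214-", the last line "214 "), then look
  for product keywords in the text. The two captured replies, the product
  names and the keyword table are all constructed for the example; a real
  table would be built from submitted fingerprints.

```python
# Added example; not smtpmap's own code. A rough "fast scan": a guess from
# the greeting banner and the HELP text alone, without the full probe run.

import re

# Constructed server output. The banner has been neutralised (no product
# name), but HELP still carries the product string, as the text above notes.
GREETING = "220 mx.example.test ESMTP ready\r\n"
HELP_REPLY = (
    "214-This is ExampleMTA version 2.4.1\r\n"
    "214-Topics:\r\n"
    "214-    HELO    EHLO    MAIL    RCPT    DATA\r\n"
    "214-    RSET    NOOP    QUIT    HELP    VRFY\r\n"
    "214 End of HELP info\r\n"
)

# Constructed keyword table: regex -> software name. The optional group
# captures a version string when the reply contains one.
KEYWORDS = [
    (re.compile(r"\bExampleMTA\b(?:\s+version\s+([\d.]+))?", re.I), "ExampleMTA"),
    (re.compile(r"\bOtherMail\b(?:\s+v?([\d.]+))?", re.I), "OtherMail"),
]


def parse_reply(raw):
    """Parse one (possibly multi-line) SMTP reply into (code, [text lines]).
    Every line starts with the same 3-digit code; '-' after the code marks a
    continuation line and a space marks the final line. Raises ValueError on
    a malformed reply instead of guessing."""
    lines = raw.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()
    code = None
    texts = []
    for i, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        texts.append(m.group(3))
        is_last = m.group(2) == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
    if code is None:
        raise ValueError("empty reply")
    return int(code), texts


def fast_guess(greeting_raw, help_raw, table=KEYWORDS):
    """Return (software, version_or_None) from banner and HELP text, or None
    when no keyword matches. A non-214 answer to HELP (server refuses the
    command) leaves only the banner to search."""
    _, greet = parse_reply(greeting_raw)
    code, help_lines = parse_reply(help_raw)
    if code != 214:
        help_lines = []
    text = "\n".join(greet + help_lines)
    for pattern, name in table:
        m = pattern.search(text)
        if m:
            version = m.group(1) if m.groups() else None
            return name, version
    return None


if __name__ == "__main__":
    print(parse_reply(HELP_REPLY))
    print(fast_guess(GREETING, HELP_REPLY))
```

  For an administrator the same two calls answer the question the section
  raises from the other side: what the server still discloses in HELP once
  the banner has been changed.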

7.2 Other Protocols

  The class structure of smtpmap should make it possible to easily
  implement other protocols such as POP3, FTP, IMAP and perhaps even some
  binary-based ones. If I have enough time at some future date, I will try
  to code some other protocol scans, but this will probably be in the far
  future.

7.3 Cool features

  In about 20 or 25 years, when I have earned enough money, I will make
  smtpmap a program with every feature, every kind of UI, and everything
  you want, but until then I will work and earn the money. You can help me
  by donating something, if you like smtpmap and plan to use it.

8 End
               - Dennis Lubert <plasmahh@gmx.net>
