Project description

Command Injection Tester

The command-injection-tester script allows for straightforward testing of email servers for the STARTTLS command injection vulnerability in SMTP, POP3, and IMAP.

Usage

The command

python3 command-injection-tester --imap --pop3 --smtp <hostname>

tests <hostname> for the command injection in IMAP, POP3, and SMTP.

Parameters

--help (-h): Print help message.
--imap: Use the IMAP protocol
--pop3: Use the POP3 protocol
--smtp: Use the SMTP protocol
--imap-port (-i): IMAP port to check (default: 143)
--pop3-port (-p): POP3 port to check (default: 110)
--smtp-port (-s): SMTP port to check (default: 587)
--quiet (-q): Be less verbose
--timeout (-t): Timeout in seconds to use for network sockets. Increase in case of problems (default: 2)
--logdir (-l): Path to log directory (default: ./logs)

Example:

The Command Injection Tester can best be tested using the Fake Mail Server:

Start the Fake Mail Server:

$ sudo ./fake_mail_server setup

Run this script against the server:

$ python3 command-injection-tester --imap --pop3 --smtp localhost

Since the Fake Mail Server is intentionally vulnerable against the command injection, you should see Command injection here! after every protocol test.

Testing live servers should be just as easy. If connections keep timing out/the sanity test keeps failing, try increasing the timeout using the --timeout parameter.

Background

This tool was published as part of our research on security vulnerabilities in STARTTLS:

https://nostarttls.secvuln.info/

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

This version

0.0.2

Aug 18, 2021

0.0.1

Aug 16, 2021

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

command-injection-tester-0.0.2.tar.gz (6.5 kB view details)

Uploaded Aug 18, 2021 Source

Built Distribution

command_injection_tester-0.0.2-py3-none-any.whl (7.2 kB view details)

Uploaded Aug 18, 2021 Python 3

File details

Details for the file command-injection-tester-0.0.2.tar.gz.

File metadata

Download URL: command-injection-tester-0.0.2.tar.gz
Upload date: Aug 18, 2021
Size: 6.5 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.4.2 importlib_metadata/4.6.4 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.1 CPython/3.8.11

File hashes

Hashes for command-injection-tester-0.0.2.tar.gz
Algorithm	Hash digest
SHA256	`03e8b67bfc2876dc8c2016d7331470341f4d1ef287603da05498e4878c9ccfb7`
MD5	`b748096fbfb03cdb958402c861cea1bb`
BLAKE2b-256	`5b53ffc5b2a806f2d2d895d5d043dcdf37405b87aa8a70bc28d042f9bafd7111`

See more details on using hashes here.

File details

Details for the file command_injection_tester-0.0.2-py3-none-any.whl.

File metadata

Download URL: command_injection_tester-0.0.2-py3-none-any.whl
Upload date: Aug 18, 2021
Size: 7.2 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.4.2 importlib_metadata/4.6.4 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.1 CPython/3.8.11

File hashes

Hashes for command_injection_tester-0.0.2-py3-none-any.whl
Algorithm	Hash digest
SHA256	`762ebeefba7255c3f69e5311df0dad033186e4d2c4f119a23120e3f75209c364`
MD5	`4f8a1ef1fa625f60e1e3c0b13ac1cd7d`
BLAKE2b-256	`14f6d1569d5161da553e3ba6dee2f6ce18595bf5ac7ae4907b4e7f90a69f438b`