Re: TFTP Scanner recommendation requested

From: H Carvey (keydet89_at_yahoo.com)
Date: 08/17/03

  • Next message: RMcElroy_at_mbe.com: "RE: best random dictionary tool ?"
    Date: 17 Aug 2003 16:52:04 -0000
    To: pen-test@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <3F3A895A.60600@sdf.lonestar.org>

    Barry,

    > First of all, my office just got completely
    pelted with a scan
    >looking for open udp/69 ports with tftp requests being
    made on each
    >port.

    Okay, you got scanned. Were the datagrams dropped?
    You say that your IDS alerted you. Is the IDS outside
    the firewall? Is the firewall configured to block this
    protocol?

    > (Our IDS alerted me to this). I know that msblast
    opens up that
    >port during the worm-infection period.

    Actually, the worm does NOT "open up that port".
    Instead, it launches the TFTP client on the system (not
    unlike the Unicode exploit against IIS servers). In
    doing so, it attempts to connect to a TFTP server, but
    it does not "open up that port".

    > So, the fact that this is
    >happening right now is not surprising. Is anyone else
    noticing this? (I
    >know that we aren't infected with msblast, so it's not
    worm traffic -
    >and I have verified that this is an automated backdoor
    scan.)
    >

    How have you verified this? Some clarification
    regarding how you were able to verify that this is an
    automated backdoor scan would be very instructive for
    the group.

    > Anyway, the reason I'm writing this to the
    pen-test list is for a
    >recommendation. I'd like to keep my eye out for open
    tftp servers on my
    >LAN just in case. Does anyone have a recommendation
    for a tftp scanner
    >that can scan a range of IPs for functioning tftp
    listeners?
    >

    What kind of architecture are you running? On an NT
    domain, you can do a wide variety of scans. For one,
    you can scan each system for services, to see if there
    is a TFTP server running. UDP scans are inherently
    unreliable, so check process lists for running TFTP
    servers, as well. All of this can be done from a
    central location using a Domain Admin account. Look at
    using psexec.exe from SysInternals to run fport, or
    better yet, openports.exe from DiamondCS.

    Hope that helps,

    Harlan

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: RMcElroy_at_mbe.com: "RE: best random dictionary tool ?"