Re: TFTP Scanner recommendation requested

From: H Carvey (keydet89_at_yahoo.com)
Date: 08/17/03

    Date: 17 Aug 2003 16:52:04 -0000
    To: pen-test@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <3F3A895A.60600@sdf.lonestar.org>

    Barry,

    > First of all, my office just got completely pelted with a scan
    > looking for open udp/69 ports with tftp requests being made on each
    > port.

    Okay, you got scanned. Were the datagrams dropped?
    You say that your IDS alerted you. Is the IDS outside
    the firewall? Is the firewall configured to block this
    protocol?

    > (Our IDS alerted me to this). I know that msblast opens up that
    > port during the worm-infection period.

    Actually, the worm does NOT "open up that port".
    Instead, it launches the TFTP client on the system (not
    unlike the Unicode exploit against IIS servers). In
    doing so, it attempts to connect to a TFTP server, but
    it does not "open up that port".

    > So, the fact that this is
    > happening right now is not surprising. Is anyone else noticing this? (I
    > know that we aren't infected with msblast, so it's not worm traffic -
    > and I have verified that this is an automated backdoor scan.)

    How have you verified this? Some clarification
    regarding how you were able to verify that this is an
    automated backdoor scan would be very instructive for
    the group.

    > Anyway, the reason I'm writing this to the pen-test list is for a
    > recommendation. I'd like to keep my eye out for open tftp servers on my
    > LAN just in case. Does anyone have a recommendation for a tftp scanner
    > that can scan a range of IPs for functioning tftp listeners?

    What kind of architecture are you running? On an NT
    domain, you can do a wide variety of scans. For one,
    you can scan each system for services, to see if there
    is a TFTP server running. UDP scans are inherently
    unreliable, so check process lists for running TFTP
    servers, as well. All of this can be done from a
    central location using a Domain Admin account. Look at
    using psexec.exe from SysInternals to run fport, or
    better yet, openports.exe from DiamondCS.

    Hope that helps,

    Harlan
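
The point above about UDP scans being unreliable, shown as an added example that is not part of the original post: a TFTP read-request probe for auditing hosts on your own LAN, where only a reply proves a listener and silence proves nothing, which is why the process-list check is still needed. The function names, the verdict strings and the probe filename are assumptions made for this sketch.

```python
import socket
import struct
import sys

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5   # TFTP opcodes (RFC 1350)

def build_rrq(filename, mode="octet"):
    """Read request: 2-byte opcode, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def classify_reply(data):
    """Turn a reply datagram (None = timed out) into a verdict."""
    if data is None:
        return "no-reply"       # filtered, lost, or nothing there: UDP cannot say
    if len(data) >= 4 and struct.unpack("!H", data[:2])[0] in (OP_DATA, OP_ERROR):
        return "tftp-listener"  # DATA or ERROR: a TFTP server answered the request
    return "not-tftp"

def probe(host, port=69, timeout=2.0, retries=2,
          filename="tftp-audit-probe"):  # constructed name, unlikely to exist
    """Send an RRQ to one host and classify what comes back."""
    packet = build_rrq(filename)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):     # resend: a single lost datagram is common
            try:
                # Not connect()ed on purpose: the server answers from a new
                # port (its transfer ID), which a connected socket would drop.
                sock.sendto(packet, (host, port))
                data, _peer = sock.recvfrom(516)
            except socket.timeout:
                continue
            except ConnectionResetError:
                return "closed"          # ICMP port unreachable (surfaced on Windows)
            return classify_reply(data)
    return "no-reply"

if __name__ == "__main__":
    # Usage: python tftp_probe.py 192.0.2.10 192.0.2.11   (placeholder addresses)
    for target in sys.argv[1:]:
        print(target, probe(target))
```

A "no-reply" verdict covers a filtered port, a dropped datagram and a host with no listener alike, so treat it as unknown rather than clean.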
