Re: TFTP Scanner recommendation requested

From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 08/18/03

  • Next message: Harlan Carvey: "Re: TFTP Scanner recommendation requested"
    Date: Mon, 18 Aug 2003 16:43:15 -0400
    To: Harlan Carvey <keydet89@yahoo.com>

    Harlan Carvey wrote:

    >No problem. Understanding the issue and using the
    >right terminology cuts down (but does not prevent) the
    >wide-spread misinformation that tends to clog the
    >lists and inundate the poor helpdesk.
    Never were truer words spoken! (Being as I've both been on helpdesk and
    done security work, I know EXACTLY what you mean. :) I have no excuse...)

    >Good to hear. Sometime folks post to the lists saying
    >they "verified" that it was a scan, or a particular
    >tool, or whatever...and there's never any clarifying
    >information. I think many of the readers who aren't
    >as familiar with the particular situation would
    >benefit from this...and by sharing info, we all
    >benefit.
    I more wanted to cut down on the list traffic figuring that people would
    ask for specifics if they wanted them. Turns out that it worked exactly
    in that way. In hindsight, I should have given more information, and
    certainly - the more public education the better.

    >It'll be tougher on *nix boxen, but you can set
    >something up via SSH, most likely. If you have a
    >domain admin account, scanning the Windows boxen would
    >be fairly, even to script.

    Actually, what I'm concerned with there (and likewise on the Windows
    boxes) is kernel-level process hiding rootkits - somebody having started
    a tftp server and then hiding it in the process list via kernel-level
    "patch". So, scanning over the network would be better. But, as you so
    aptly said, scanning via UDP in this way provides questionable results.
    Actually, without considering the possibility of a rootkit that hides
    the process, I'd consider a nice shellscript reporting tool to be fairly
    simple to write ('ps ax' and comparing against a baseline, just in case
    the tftp server were renamed - actually, that would serve as more than a
    tftp server-finder) - in fact, simpler than on MS Windows... but
    rootkits really throw a wrench into both situations. :) So, certainly,
    the most optimal type of tool would be a scanner that looks for active
    tftp servers over the network, focusing primarily on detecting tftp
    connections via UDP for my purposes.

              -Barry
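The network-side check Barry describes (an active-TFTP finder that does not depend on the host's own process list) can be built from a single TFTP read request: any DATA or ERROR reply proves a server is listening, while silence over UDP stays ambiguous. This is an added illustration, not code from the thread or from any tool it mentions; the probe filename is a constructed value, and the sample replies in the test are constructed too.

```python
import socket
import struct

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP Read Request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def classify_response(pkt: bytes) -> str:
    """Map a reply datagram to a finding. A well-formed DATA or ERROR reply
    both prove a TFTP service answered; DATA additionally means the probe
    file was actually readable."""
    if len(pkt) < 4:
        return "malformed"
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode == OP_DATA:
        return "tftp-server (file served)"
    if opcode == OP_ERROR:
        code = struct.unpack("!H", pkt[2:4])[0]
        msg = pkt[4:].split(b"\x00", 1)[0].decode(errors="replace")
        return f"tftp-server (error {code}: {msg})"
    return "unexpected"


def probe_tftp(host: str, port: int = 69, timeout: float = 2.0) -> str:
    """Send one RRQ for a constructed, non-existent filename and classify the
    reply. 'no-response' is the UDP weakness the thread notes: it can mean no
    server, a dropped datagram, or a filter in the path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq("tftp-probe-does-not-exist.txt"), (host, port))
        # TFTP servers answer from a fresh ephemeral port, so accept any source.
        pkt, _ = sock.recvfrom(1024)
        return classify_response(pkt)
    except socket.timeout:
        return "no-response"
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_tftp(host))
```

Run it against hosts you administer and treat every "tftp-server" result as an inventory item to reconcile with what the box is supposed to run; a rootkit that hides the listening process locally cannot hide the UDP reply.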


