Re: TFTP Scanner recommendation requested
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 08/18/03
- In reply to: Barry Fitzgerald: "Re: TFTP Scanner recommendation requested"
Date: Mon, 18 Aug 2003 14:08:07 -0700 (PDT)
To: pen-test@securityfocus.com
Barry,
> Actually, what I'm concerned with there (and likewise on the Windows boxes) is
> kernel-level process hiding rootkits - somebody having started a tftp server
> and then hiding it in the process list via kernel-level "patch". So, scanning
> over the network would be better. But, as you so aptly said, scanning via UDP
> in this way provides questionable results.
Yes, that's something to keep in mind. It's something
I ran into w/ an audit...the audit report was preceded
by two pages of "why UDP scans are unreliable", then
reported a great number of UDP ports open...
> Actually, without considering the possibility of a rootkit that hides the
> process, I'd consider a nice shellscript reporting tool to be fairly simple to
> write ('ps ax' and comparing against a baseline, just in case the tftp server
> were renamed - actually, that would serve as more than a tftp server-finder) -
> in fact, simpler than on MS Windows... but rootkits really throw a wrench into
> both situations. :)
I'm not entirely sure what you're getting at here.
Taking the rootkit issue out of the equation for a
moment, running lsof or fuser on the Linux boxen, and
openports (rather than fport) on the Windows boxen,
will identify processes bound to UDP port 69 as a
listener/server.
Now, putting rootkits back into the picture...while
such things are more prevalent on Linux boxen, they
are by no means impossible on Windows...though we
haven't seen nearly the volume/variety as we have on
Linux. Of course, the whole thing goes back to system
configurations, permissions, and ACLs.
> So, certainly, the most optimal type of tool would be a scanner that looks for
> active tftp servers over the network, focusing primarily on detecting tftp
> connections via UDP for my purposes.
One idea might be a snort box, w/ the appropriate rule
in place to pick up TFTP traffic.
Harlan
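As an added example, not code from the thread: a small POSIX shell script combining the two host-side ideas above, listing the processes bound to UDP/69 with lsof and diffing the command names against a saved baseline. The function names, file paths and the lsof field-output parsing are assumptions of this example, and a kernel-level rootkit can of course still hide the socket from lsof, which is the limitation the thread is discussing.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate processes bound to UDP/69 with
# lsof and diff the result against a saved baseline, i.e. the "compare against
# a baseline" idea applied to listeners rather than to `ps ax`.
# Assumes lsof supports -F field output (p = PID, c = command name).

# parse_lsof_fields: turn `lsof -nP -iUDP:69 -F pc` output (lines "p<pid>" and
# "c<command>") into "pid command" lines, one per process, sorted.
parse_lsof_fields() {
    awk '/^p/ { pid = substr($0, 2) }
         /^c/ { print pid, substr($0, 2) }' | sort -u
}

# udp69_listeners: live query; prints "pid command" for each UDP/69 listener.
# Needs root to see sockets owned by other users.
udp69_listeners() {
    lsof -nP -iUDP:69 -F pc 2>/dev/null | parse_lsof_fields
}

# new_listeners: print command names present in the current list ($1, as
# produced by parse_lsof_fields) but absent from the baseline ($2, one approved
# command name per line). PIDs are dropped because they change across restarts.
# FILENAME is compared to ARGV[1] rather than using NR==FNR so that an empty
# baseline file still reports every current listener.
new_listeners() {
    awk 'FILENAME == ARGV[1] { base[$1] = 1; next }
         !($2 in base) { print $2 }' "$2" "$1" | sort -u
}

# Typical use from cron (paths are placeholders):
#   udp69_listeners > /tmp/udp69.now
#   new_listeners /tmp/udp69.now /etc/udp69.baseline
# Every line printed is a UDP/69 listener that is not in the approved baseline.
```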