Re: TFTP Scanner recommendation requested

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 14:08:07 -0700 (PDT)
    To: pen-test@securityfocus.com
    
    

    Barry,

    > Actually, what I'm concerned with there (and likewise on the Windows
    > boxes) is kernel-level process hiding rootkits - somebody having started
    > a tftp server and then hiding it in the process list via kernel-level
    > "patch". So, scanning over the network would be better. But, as you so
    > aptly said, scanning via UDP in this way provides questionable results.

    Yes, that's something to keep in mind. It's something
    I ran into w/ an audit...the audit report was preceded
    by two pages of "why UDP scans are unreliable", then
    reported a great number of UDP ports open...

    > Actually, without considering the possibility of a rootkit that hides
    > the process, I'd consider a nice shellscript reporting tool to be fairly
    > simple to write ('ps ax' and comparing against a baseline, just in case
    > the tftp server were renamed - actually, that would serve as more than a
    > tftp server-finder) - in fact, simpler than on MS Windows... but
    > rootkits really throw a wrench into both situations. :)

    I'm not entirely sure what you're getting at here.
    Taking the rootkit issue out of the equation for a
    moment, running lsof or fuser on the Linux boxen, and
    openports (rather than fport) on the Windows boxen,
    will identify processes bound to UDP port 69 as a
    listener/server.

    Now, putting rootkits back into the picture...while
    such things are more prevalent on Linux boxen, they
    are by no means impossible on Windows...though we
    haven't seen nearly the volume/variety as we have on
    Linux. Of course, the whole thing goes back to system
    configurations, permissions, and ACLs.

    > So, certainly, the most optimal type of tool would be a scanner that
    > looks for active tftp servers over the network, focusing primarily on
    > detecting tftp connections via UDP for my purposes.

    One idea might be a snort box, w/ the appropriate rule
    in place to pick up TFTP traffic.

    Harlan
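Harlan's last suggestion, a sensor rule that picks up TFTP traffic, as an added example that is not from this thread: a small Python detector (names and sample flows are my own construction) that parses RFC 1350 request packets and reports only hosts that actually replied with DATA or ERROR, since a TFTP server answers from a freshly chosen port rather than from UDP/69 itself.

```python
import struct
# TFTP opcodes (RFC 1350). A host that answers an RRQ/WRQ with DATA or
# ERROR is acting as a TFTP server, whatever its process may be named.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
VALID_MODES = {b"netascii", b"octet", b"mail"}


def parse_request(payload):
    """Return (opcode, filename, mode) for a well-formed RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    op = struct.unpack("!H", payload[:2])[0]
    if op not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")  # filename NUL mode NUL
    if len(fields) < 3 or not fields[0] or fields[1].lower() not in VALID_MODES:
        return None
    return op, fields[0].decode("ascii", "replace"), fields[1].decode().lower()


def find_tftp_servers(flows):
    """flows: (src_ip, sport, dst_ip, dport, payload) tuples in capture order.
    Returns {server_ip: [(client_ip, "RRQ"/"WRQ", filename)]} for hosts that
    replied; an unanswered request proves nothing and is dropped."""
    pending = {}  # (client_ip, client_port) -> (opcode, filename)
    servers = {}
    for src, sport, dst, dport, payload in flows:
        if dport == 69:
            req = parse_request(payload)
            if req:
                pending[(src, sport)] = (req[0], req[1])
            continue
        # Replies come from a fresh server port (the TID), so match on the client side.
        if (dst, dport) in pending and len(payload) >= 4:
            if struct.unpack("!H", payload[:2])[0] in (DATA, ERROR):
                op, fname = pending.pop((dst, dport))
                servers.setdefault(src, []).append((dst, "RRQ" if op == RRQ else "WRQ", fname))
    return servers


# Constructed sample traffic (not a real capture): two answered requests, one
# unanswered request, and one non-TFTP datagram sent to UDP/69.
SAMPLE_FLOWS = [
    ("10.0.0.5", 40001, "10.0.0.20", 69, b"\x00\x01boot.cfg\x00octet\x00"),
    ("10.0.0.20", 51234, "10.0.0.5", 40001, b"\x00\x03\x00\x01hostname router1\n"),
    ("10.0.0.9", 40002, "10.0.0.21", 69, b"\x00\x02dump.bin\x00NetAscii\x00"),
    ("10.0.0.21", 51000, "10.0.0.9", 40002, b"\x00\x05\x00\x02Access violation\x00"),
    ("10.0.0.7", 40003, "10.0.0.22", 69, b"\x00\x01boot.cfg\x00octet\x00"),
    ("10.0.0.8", 40004, "10.0.0.23", 69, b"hello world"),
]

if __name__ == "__main__":
    for server, reqs in find_tftp_servers(SAMPLE_FLOWS).items():
        print(server, "is serving TFTP:", reqs)
```

An ERROR reply (here "Access violation") still confirms a listening server, which is why it counts alongside DATA.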
