Re: FTP Window of opportunity?

• Previous message: Jerry Shenk: "RE: FTP Window of opportunity?"
• In reply to: C Ryll: "FTP Window of opportunity?"
• Next in thread: Josh Tolley: "Re: FTP Window of opportunity?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 24 Mar 2004 10:36:48 +0100
To: C Ryll <carolynryll@hotmail.com>

C Ryll wrote:

> However, as I said previously, seeing that it actually says "Connected",
> and then hangs for about 10 seconds before terminating:
> 1). Can I use this behavior to my advantage somehow? If yes, how?
> 2). Is there a known explanation to this?

   As you don't say what platform you're using, or what particular FTP
client, I can only guess. My guess is that what you see is client
behaviour, not necessarily connected to actual FTP connectivity.
(Perhaps client writes 'Connected...', then tries to connect, and when
it times out, writes 'Connection terminated' even though there never
was a connection established in the first place.)

   Try using netcat (nc) if you have it. It doesn't add any output that may be
confusing: if it finds a FTP server, you'll get the banner line sent by
the server -- if it cannot connect it will terminate. If there's any
FTP proxy activity involved, it won't show it, though

   To be 100% certain, take a look at the actual FTP traffic with a sniffer.
This is probably the safest thing, as you'll see everything that goes on,
including any proxy behaviour (say, outside opens FTP connection speculatively,
only to close it later when the inside doesn't want to play along.)

   Since nmap doesn't see an FTP server (recent version of nmap, default
scan, no fancy options?), chances are pretty good there is nothing to see,
though.

-- 
Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63	
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------

• Previous message: Jerry Shenk: "RE: FTP Window of opportunity?"
• In reply to: C Ryll: "FTP Window of opportunity?"
• Next in thread: Josh Tolley: "Re: FTP Window of opportunity?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: IPSwitch, Inc. WS_FTP Server ... > bounce attack as well as PASV connection hijacking. ... > The FTP bounce vulnerability allows a remote attacker to cause the ... > anonymously along with any internal addresses that the FTP server has ... That means it's got to handle a PORT ... (Bugtraq) Re: Microsoft FTP Server problem on W2K? ... It is a UNISYS ClearPath mainframe system that is trying to FTP using ... passive mode to a MS FTP server. ... Currently the mainframe FTPs in ACTIVE mode. ... Since the mainframe pushes files to our customers over a WAN connection, ... (microsoft.public.inetserver.iis.security) Re: how do i close an app that has no forms? ... FTP connections through Internet Explorer send info ... If you don't have a firewall ... > a connection is instantiated with a server. ... > a request is sent to the FTP server, ... (microsoft.public.vb.general.discussion) Re: help with allowing ftp access. ... The "connection refused" error occured because you had no ftp server running. ... Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org ... (comp.os.linux.setup) Re: Solaris FTP ls problem ... > When i am logged in and connected to a ftp server ... > Unable to build data connection: ... Name (fubar:duhring): duhring ... The FTP server did not show what system was the server, ... (comp.unix.solaris)