Re: FTP Window of opportunity?

From: Josh Tolley (josh_at_raintreeinc.com)
Date: 03/24/04

    Date: Tue, 23 Mar 2004 16:54:10 -0800
    To: C Ryll <carolynryll@hotmail.com>
    
    

    The first thing to do is turn on
    tcpdump/windump/ethereal/your-favorite-sniffer and see what exactly
    happened. Your computer sent a SYN packet... did you ever get the
    SYN/ACK back? If not, ISS probably meant "Connecting..." when they said
    "Connected..." because that's what it was really doing. If you *did* get
    a SYN/ACK back, things could be really interesting. Most likely, though,
    you didn't ever get a SYN/ACK packet, and ISS was just lying to you when
    it said "Connected..."

    Josh

    C Ryll wrote:

    > I recently assessed a system in which I already know its configuration
    > (and have full legal rights to). FTP is purposefully not running, as
    > well as blocked by the firewall.
    > When I scan with ISS, the FTP port shows up. When I use NMap, it does
    > not show FTP's port.
    > Because of the discrepancy, I tried to manually FTP into the system. It
    > actually said "Connected...", hung for about 10 seconds, and then said
    > "Connection Terminated."
    > (As a baseline, telnet's port is also blocked by the firewall, and does
    > not show up in scans - essentially, results for telnet are as expected).
    >
    > With ISS, I'm assuming that it saw "Connected..." and showed me that
    > port. My guess would be that NMap waited around to try something else,
    > but saw "Connection Terminated" and didn't list it.
    >
    > However, as I said previously, seeing that it actually says "Connected",
    > and then hangs for about 10 seconds before terminating:
    > 1). Can I use this behavior to my advantage somehow? If yes, how?
    > 2). Is there a known explanation to this?
    >
    > The firewall is the Internet Connection firewall, and I am curious if it
    > requires the ftp port inadvertently for its functioning when checking
    > the incoming packets...
    >
    > While I can make some changes to the system (like shutting off certain
    > services and shutting off the firewall), I cannot modify it such that I
    > can try another firewall or anything else like that.
    >
    > Any help is greatly appreciated.
    > Carolyn.
    >
    > ---------------------------------------------------------------------------
    > You're a pen tester, but is google.com still your R&D team?
    > Now you can get trustworthy commercial-grade exploits and the latest
    > techniques from a world-class research group.
    > www.coresecurity.com/promos/sf_ept1
    > ----------------------------------------------------------------------------
    >
    >

    -- 
    Josh Tolley
    Raintree Systems, Inc.
    http://www.raintreeinc.com
    760 509 9000
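
The check suggested in the reply above, as an added example that is not part of the original thread: it reads sniffer output and reports, per target port, whether the client's SYN was answered with a SYN/ACK, a RST, or nothing at all. The capture lines are constructed, use documentation addresses, and assume the text format printed by current `tcpdump -nn`.

```python
import re

# Constructed sample in tcpdump -nn text format (not traffic from the thread).
SAMPLE = """\
16:54:10.000001 IP 192.0.2.10.1042 > 192.0.2.20.21: Flags [S], seq 100, win 64240, length 0
16:54:13.000002 IP 192.0.2.10.1042 > 192.0.2.20.21: Flags [S], seq 100, win 64240, length 0
16:54:19.000003 IP 192.0.2.10.1042 > 192.0.2.20.21: Flags [S], seq 100, win 64240, length 0
16:55:00.000001 IP 192.0.2.10.1043 > 192.0.2.20.23: Flags [S], seq 200, win 64240, length 0
16:55:00.000900 IP 192.0.2.20.23 > 192.0.2.10.1043: Flags [R.], seq 0, ack 201, win 0, length 0
16:56:00.000001 IP 192.0.2.10.1044 > 192.0.2.20.80: Flags [S], seq 300, win 64240, length 0
16:56:00.000800 IP 192.0.2.20.80 > 192.0.2.10.1044: Flags [S.], seq 900, ack 301, win 65535, length 0
16:56:00.000900 IP 192.0.2.10.1044 > 192.0.2.20.80: Flags [.], ack 901, win 64240, length 0
"""

# src host, src port, dst host, dst port, TCP flags as tcpdump prints them
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def classify(capture):
    """Map 'host:port' to (verdict, syn_count) for each attempted connection."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":  # bare SYN: a new attempt or a retransmission
            flow = flows.setdefault((src, sport, dst, dport),
                                    {"syns": 0, "reply": None})
            flow["syns"] += 1
            continue
        # Anything else only matters if it is the first answer to a known SYN.
        flow = flows.get((dst, dport, src, sport))
        if flow is None or flow["reply"] is not None:
            continue
        if "S" in flags and "." in flags:
            flow["reply"] = "syn-ack"   # something completed the handshake
        elif "R" in flags:
            flow["reply"] = "rst"       # port actively refused
    return {f"{dst}:{dport}": (flow["reply"] or "no-reply", flow["syns"])
            for (_, _, dst, dport), flow in flows.items()}


if __name__ == "__main__":
    for target, (verdict, syns) in classify(SAMPLE).items():
        print(target, verdict, syns)
```

A `no-reply` verdict with several retransmitted SYNs corresponds to the "Connecting..." case described in the reply; `syn-ack` is the case where something really did answer on the port.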