RE: FTP Window of opportunity?

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 03/24/04

    To: "'Stevenson, John G'" <JGStevenson@pier1.com>, <pen-test@securityfocus.com>
    Date: Wed, 24 Mar 2004 13:24:46 -0500
    
    

    I'm not sure that Raptor response is a bad thing... I think it could
    slow an attacker down by making them think that they have some worthwhile
    target on the line when in reality it was just a firewall lying to them.
    I do not think the traffic ever actually got to the internal machines
    but I didn't test that. The connection connects and then immediately
    drops.

    -----Original Message-----
    From: Stevenson, John G [mailto:JGStevenson@pier1.com]
    Sent: Wednesday, March 24, 2004 12:57 PM
    To: Jerry Shenk; pen-test@securityfocus.com
    Subject: RE: FTP Window of opportunity?

    Kind of off-topic, although I'd love for Carolyn to sniff the traffic
    and report back, just for our own satisfaction. Anyway, on to my
    question: Is this "intentional response" by the raptor firewall really
    a good thing? Does it allow the connections to pass 'to' the server or
    does it seemingly accept the connections and drop them once the response
    is sent to the attacker? Just curious...

    John

    -----Original Message-----
    From: Jerry Shenk [mailto:jshenk@decommunications.com]
    Sent: Tuesday, March 23, 2004 9:37 PM
    To: pen-test@securityfocus.com
    Subject: RE: FTP Window of opportunity?

    I'd use a sniffer to log and monitor what actual packets are being received
    from the "ftp server" to see which scanner is right. It would seem to me
    that ISS should be getting something back if it's claiming that the port
    is open. You could run a sniffer in the path of the traffic between
    the scanning machine and the ftp server and set it to only log the
    traffic between that pair.

    It seems quite normal to get results back from an automated tool that
    conflict with something else. Then the pen tester needs to dig a little
    deeper and analyze what actually happened.

    BTW, some firewalls (Raptor at least) intentionally respond to all kinds
    of crazy traffic. It seems that they intentionally try to confuse an
    attacker (or pen tester;) by allowing connections to ports that aren't
    really open.

    -----Original Message-----
    From: C Ryll [mailto:carolynryll@hotmail.com]
    Sent: Tuesday, March 23, 2004 4:50 PM
    To: pen-test@securityfocus.com
    Subject: FTP Window of opportunity?

    I recently assessed a system in which I already know its configuration
    (and have full legal rights to). FTP is purposefully not running, as well
    as blocked by the firewall.
    When I scan with ISS, the FTP port shows up. When I use NMap, it does not
    show FTP's port.
    Because of the discrepancy, I tried to manually FTP into the system. It
    actually said "Connected...", hung for about 10 seconds, and then said
    "Connection Terminated."
    (As a baseline, telnet's port is also blocked by the firewall, and does
    not show up in scans - essentially, results for telnet are as expected).

    With ISS, I'm assuming that it saw "Connected..." and showed me that port.
    My guess would be that NMap waited around to try something else, but saw
    "Connection Terminated" and didn't list it.

    However, as I said previously, seeing that it actually says "Connected",
    and then hangs for about 10 seconds before terminating:
    1). Can I use this behavior to my advantage somehow? If yes, how?
    2). Is there a known explanation to this?

    The firewall is the Internet Connection firewall, and I am curious if it
    requires the ftp port inadvertently for its functioning when checking the
    incoming packets...

    While I can make some changes to the system (like shutting off certain
    services and shutting off the firewall), I cannot modify it such that I
    can try another firewall or anything else like that.

    Any help is greatly appreciated.
    Carolyn.
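
When two scanners disagree as in this thread, the useful distinction is between a completed TCP handshake and an actual FTP greeting. The following is an added example, not part of any poster's message: it connects, waits for the greeting and classifies the result. The function names, result labels and local test listeners are constructed for illustration.

```python
import socket
import threading

def classify_port(host, port, wait=2.0):
    """Report what a TCP connect to host:port actually reached."""
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except ConnectionRefusedError:
        return "refused"               # RST to our SYN: nothing listening
    except OSError:
        return "no-response"           # timeout/unreachable: silently dropped
    with sock:
        sock.settimeout(wait)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return "accepted-silent"   # handshake done, nothing sent within `wait`
        except OSError:
            return "accepted-then-closed"  # reset after the handshake
    if not data:
        return "accepted-then-closed"  # peer closed without sending a byte
    # A real FTP server opens with a 220 greeting (RFC 959).
    return "ftp-banner" if data.startswith(b"220") else "other-data"

def start_listener(behaviour):
    """Constructed local stand-in for the remote end; returns its port.
    'ftp' sends a greeting, 'drop' accepts the connection and closes it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if behaviour == "ftp":
            conn.sendall(b"220 constructed greeting\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for kind in ("ftp", "drop"):
        print(kind, "->", classify_port("127.0.0.1", start_listener(kind)))
```

For the roughly 10-second hang described in the original post, `wait` has to exceed that delay to observe the close rather than `accepted-silent`.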
