Question: FTP via alternate port




Hello list, I hope this question is not too "newbie," and I am sure if it is
I will find out quickly. I am interested in ways an attacker could
circumvent outbound FTP restrictions on a FW. I have researched this a bit
but the information I am seeing is ambiguous, so I thought I'd take it
straight to the experts.

If a remote attacker gains command line access to a server (I am concerned
about a Microsoft 2000 SQL server specifically) that is behind a firewall,
and outbound FTP had been disabled at the FW, could the attacker use the MS
FTP "Open" command to specify a different, unrestricted outbound port (e.g.
80 or 443) to transfer files (assuming, of course, that his FTP server is
configured to listen on this port)? Is this a viable scenario, and if not,
could he send files via another method? This question assumes no outbound
application layer inspection at the FW, so that it isn't able to see FTP
traffic on port 23, or 80, for instance.

Thank you for your help.

Niels Taylor
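
From the defender's side, the scenario in the post above depends on the firewall judging traffic by port number alone. The sketch below is an added example, not part of the original post: it flags flows whose opening payloads look like an FTP control dialogue on a port other than 21. The flow-record fields, function names and sample flows are assumptions constructed for illustration.

```python
import re

FTP_PORT = 21
# RFC 959 control channel: the server speaks first with a "220" greeting,
# then the client sends a command verb. HTTP and TLS clients speak first.
FTP_GREETING = re.compile(rb"^220[ -]")
FTP_VERBS = {b"USER", b"PASS", b"ACCT", b"PASV", b"PORT", b"TYPE",
             b"RETR", b"STOR", b"LIST", b"QUIT"}

def looks_like_ftp(server_first: bytes, client_first: bytes) -> bool:
    """True when the first payload from each side matches FTP control traffic."""
    verb = client_first.split(b" ", 1)[0].strip().upper()
    # SMTP also greets with 220, so the client verb must be an FTP one too.
    return bool(FTP_GREETING.match(server_first)) and verb in FTP_VERBS

def flag_ftp_on_other_ports(flows):
    """Return flows carrying an FTP control dialogue to a port other than 21."""
    return [f for f in flows
            if f["dst_port"] != FTP_PORT
            and looks_like_ftp(f["server_first"], f["client_first"])]

# Constructed sample flows (hypothetical record format): first payload bytes
# seen from each side of an outbound TCP connection.
SAMPLE_FLOWS = [
    {"dst": "192.0.2.10", "dst_port": 80,      # FTP dialogue on the HTTP port
     "server_first": b"220 FTP server ready\r\n",
     "client_first": b"USER anonymous\r\n"},
    {"dst": "192.0.2.20", "dst_port": 80,      # ordinary HTTP
     "server_first": b"HTTP/1.1 200 OK\r\n",
     "client_first": b"GET / HTTP/1.1\r\n"},
    {"dst": "192.0.2.30", "dst_port": 443,     # TLS handshake records
     "server_first": b"\x16\x03\x03\x00\x5a",
     "client_first": b"\x16\x03\x01\x00\xa5"},
    {"dst": "192.0.2.40", "dst_port": 25,      # SMTP shares the 220 greeting
     "server_first": b"220 mail.example.org ESMTP\r\n",
     "client_first": b"EHLO host\r\n"},
    {"dst": "192.0.2.50", "dst_port": 21,      # FTP on its own port
     "server_first": b"220 ready\r\n",
     "client_first": b"USER test\r\n"},
]

if __name__ == "__main__":
    for flow in flag_ftp_on_other_ports(SAMPLE_FLOWS):
        print(f"FTP control traffic to {flow['dst']}:{flow['dst_port']}")
```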


