Re: Question: FTP via alternate port



Niels,

The problem with FTP is that it requires two ports to operate. FW's
that are "FTP-aware" are looking for the PORT or PASV command in the
FTP command stream in order to dynamically open that port for the data
stream. On many firewalls you can specify what port(s) the FW should
expect to be the FTP command channel. By default that port is 21 of
course. If you try FTP on any other port, you might open the command
channel (depends on the FW) but you won't be able to open the data
channel.

If, in this case, if only ports 80 and 443 are open outbound, using FTP
to move files off the compromised system would only be viable if 1) the
attacker used a FTP client in passive mode; 2) he/she could manually
set the data port. That way he/she could use 80 for the command channel
and 443 for the data channel. But that's not going to happen with the
MS FTP client -- ASFAIK it can't even talk passive mode and the command
options are extremely limited. Where outbound access is unrestricted,
the MS tftp client will serve the purpose of moving files off the
compromised box. But like the FTP client, AFAIK, you can not change
the port the MS tftp client uses. Not to mention, tftp inbound/outbound
should NOT be allowed.

Ideally the attacker would want to upload another tool onto the
compromised system: either a replacement for the MS FTP client, like
MOVEit Freely or pscp, or better yet, netcat or cryptcat (even more
functionality). This is by no means a definitive list of choices.

So the defender's job is make to sure an attacker cannot get onto the
SQL server to begin with, and then, if he/she does get on the box, to
make sure the attacker is (pardon the pun) boxed in with little room to
maneuver until you discover the intrusion (hopefully sooner than
later).

Jason Baeder
CISSP GCIA GCIH




--- Niels Taylor <niels.taylor@xxxxxxxxx> wrote:

>
> Hello list, I hope this question is not too "newbie," and I am sure
> if it is
> I will find out quickly. I am interested in ways an attacker could
> circumvent outbound FTP restrictions on a FW. I have researched this
> a bit
> but the information I am seeing is ambiguous, so I thought I'd take
> it
> straight to the experts.
>
> If a remote attacker gains command line access to a server (I am
> concerned
> about a Microsoft 2000 SQL server specifically) that is behind a
> firewall,
> and outbound FTP had been disabled at the FW, could the attacker use
> the MS
> FTP "Open" command to specify a different, unrestricted outbound port
> (e.g
> 80 or 443) to transfer files, (assuming of course that his FTP server
> is
> configured to listen on this port). Is this a viable scenario, and
> if not,
> could he send files via another method? This question assumes no
> outbound
> application layer inspection at the FW, so that it isn't able to see
> FTP
> traffic on port 23, or 80, for instance.
>
> Thank you for your help.
>
> Niels Taylor
>
>
>
>
------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your
> website. Up to 75% of cyber attacks are launched on shopping carts,
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
>
-------------------------------------------------------------------------------
>
>



__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



Relevant Pages

  • Re: Firewalling on FreeBSD
    ... ftp man page, hope it helps - ... the ftp client will send a PASV command for all ... data connections instead of the usual PORT command. ... 00x00 allow tcp from any to any established ...
    (Security-Basics)
  • Re: Some questions
    ... > using my ftp software behind my router. ... > issued to server by the client. ... When PORT is used: ... > Can you give me a command line used in a browser to explain me what is the ...
    (comp.security.firewalls)
  • Re: Internet Explorer Keeps Timing out on FTP
    ... >> This is a problem with the FTP client. ... I have not started the FTP server ... > client chooses which method to use, by sending either a PORT or PASV ... > command to the server. ...
    (microsoft.public.inetserver.iis.ftp)
  • Re: Two problems
    ... > Had this been plain telnet or SSH or anything but FTP it ... You could move the FTP server to port 2000 and ... FTP uses a command connection and any number of data connections. ... the server responds to a PASV command with a reply that says ...
    (comp.lang.pascal.delphi.misc)
  • ftpd.c DoS Fix
    ... service attacks where an attacker can lock out all other users from ... the process is bound to port 20, ... data connections during this 90 second wait. ... log into the test victim FTP server ...
    (FreeBSD-Security)