Re: TFTP Scanner recommendation requested

From: H Carvey (keydet89@yahoo.com)
Date: Sun Aug 17 2003 - 12:52:04 EDT


In-Reply-To: <3F3A895A.60600@sdf.lonestar.org>

Barry,

> First of all, my office just got completely pelted with a scan
> looking for open udp/69 ports with tftp requests being made on each
> port.

Okay, you got scanned. Were the datagrams dropped?
You say that your IDS alerted you. Is the IDS outside
the firewall? Is the firewall configured to block this
protocol?

> (Our IDS alerted me to this). I know that msblast opens up that
> port during the worm-infection period.

Actually, the worm does NOT "open up that port".
Instead, it launches the TFTP client on the system (not
unlike the Unicode exploit against IIS servers). In
doing so, it attempts to connect to a TFTP server, but
it does not "open up that port".

> So, the fact that this is
> happening right now is not surprising. Is anyone else noticing this? (I
> know that we aren't infected with msblast, so it's not worm traffic -
> and I have verified that this is an automated backdoor scan.)

How have you verified this? Some clarification
regarding how you were able to verify that this is an
automated backdoor scan would be very instructive for
the group.

> Anyway, the reason I'm writing this to the pen-test list is for a
> recommendation. I'd like to keep my eye out for open tftp servers on my
> LAN just in case. Does anyone have a recommendation for a tftp scanner
> that can scan a range of IPs for functioning tftp listeners?

What kind of architecture are you running? On an NT
domain, you can do a wide variety of scans. For one,
you can scan each system for services, to see if there
is a TFTP server running. UDP scans are inherently
unreliable, so check process lists for running TFTP
servers, as well. All of this can be done from a
central location using a Domain Admin account. Look at
using psexec.exe from SysInternals to run fport, or
better yet, openports.exe from DiamondCS.

Hope that helps,

Harlan
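
An added example, not part of the original message: a small Python check for a TFTP listener on a single LAN host, showing why a UDP probe alone is unreliable and needs the host-side process check described above. The opcodes and packet layout follow RFC 1350; the function names, the probe filename and the verdict strings are assumptions made for this illustration.

```python
import socket
import struct

RRQ, DATA, ERROR = 1, 3, 5  # TFTP opcodes defined in RFC 1350


def build_rrq(filename="audit-probe.txt", mode="octet"):
    """Read request: 2-byte opcode, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def classify_reply(data):
    """Turn a reply datagram (None means the probe timed out) into a verdict."""
    if data is None:
        # Silence is ambiguous for UDP: nothing listening, a filter dropping
        # the datagram, or a lost packet all look the same from here.
        return "inconclusive"
    if len(data) < 4:
        return "not-tftp"
    opcode, value = struct.unpack("!HH", data[:4])
    if opcode == DATA:
        return "tftp-listener (served block %d)" % value
    if opcode == ERROR:
        # Even "file not found" proves a TFTP server parsed the request.
        return "tftp-listener (error code %d)" % value
    return "not-tftp"


def probe(host, port=69, timeout=2.0):
    """Send one RRQ to a host on your own LAN and classify the answer."""
    addr = socket.gethostbyname(host)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_rrq(), (addr, port))
            while True:
                # The socket stays unconnected on purpose: a TFTP server
                # answers from a fresh source port (its TID), not from 69.
                data, (src, _) = s.recvfrom(1024)
                if src == addr:
                    return classify_reply(data)
        except socket.timeout:
            return classify_reply(None)
        except ConnectionResetError:
            # Windows reports an ICMP port-unreachable this way.
            return "closed"


if __name__ == "__main__":
    print(probe("127.0.0.1"))
```

An "inconclusive" result is the case where the process list or service enumeration on the host itself has to settle the question.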
