Re: TFTP Scanner recommendation requested

From: Harlan Carvey (keydet89@yahoo.com)
Date: Mon Aug 18 2003 - 17:08:07 EDT


Barry,

> Actually, what I'm concerned with there (and likewise on the Windows
> boxes) is kernel-level process hiding rootkits - somebody having started
> a tftp server and then hiding it in the process list via kernel-level
> "patch". So, scanning over the network would be better. But, as you so
> aptly said, scanning via UDP in this way provides questionable results.

Yes, that's something to keep in mind. It's something
I ran into w/ an audit...the audit report was preceded
by two pages of "why UDP scans are unreliable", then
reported a great number of UDP ports open...

> Actually, without considering the possibility of a rootkit that hides
> the process, I'd consider a nice shellscript reporting tool to be fairly
> simple to write ('ps ax' and comparing against a baseline, just in case
> the tftp server were renamed - actually, that would serve as more than a
> tftp server-finder) - in fact, simpler than on MS Windows... but
> rootkits really throw a wrench into both situations. :)

I'm not entirely sure what you're getting at here.
Taking the rootkit issue out of the equation for a
moment, running lsof or fuser on the Linux boxen, and
openports (rather than fport) on the Windows boxen,
will identify processes bound to UDP port 69 as a
listener/server.

Now, putting rootkits back into the picture...while
such things are more prevalent on Linux boxen, they
are by no means impossible on Windows...though we
haven't seen nearly the volume/variety as we have on
Linux. Of course, the whole thing goes back to system
configurations, permissions, and ACLs.

> So, certainly, the most optimal type of tool would be a scanner
> that looks for active tftp servers over the network, focusing primarily on
> detecting tftp connections via UDP for my purposes.

One idea might be a snort box, w/ the appropriate rule
in place to pick up TFTP traffic.

Harlan
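Harlan's closing suggestion is to let a network sensor such as Snort pick up TFTP traffic rather than trust a UDP port scan or a host's process list. The following is an added example, not code from either poster: a small Python parser that applies the RFC 1350 request layout (2-byte opcode, NUL-terminated filename, NUL-terminated mode) to UDP payloads, so a read or write request is recognised by its content on any port, which is what a content-matching sensor rule does and what a port-69-only check misses when a hidden server is started on a different port. The datagrams, addresses and filenames are constructed for the example, and a truncated request with no terminating NUL is shown being rejected as malformed rather than flagged.

```python
"""Recognise TFTP read/write requests by content, not by port (RFC 1350).

Added example for the thread above; not code from either poster.
All datagrams below are constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Opcode 1 = RRQ (read request), 2 = WRQ (write request), per RFC 1350
REQUEST_OPCODES = {1: "RRQ", 2: "WRQ"}
# Transfer modes RFC 1350 defines; anything else is not a valid request
VALID_MODES = {"netascii", "octet", "mail"}


@dataclass(frozen=True)
class TftpRequest:
    opcode: str  # "RRQ" or "WRQ"
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Return the request if payload is a well-formed RRQ/WRQ, else None.

    Layout: 2-byte big-endian opcode | filename | NUL | mode | NUL
    (RFC 2347 options may follow the second NUL; they are ignored here.)
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in REQUEST_OPCODES:
        return None
    fields = payload[2:].split(b"\x00")
    # Two NUL-terminated strings give at least three pieces after split;
    # a truncated request missing its terminating NUL is rejected here.
    if len(fields) < 3:
        return None
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    if not filename or mode not in VALID_MODES:
        return None
    return TftpRequest(REQUEST_OPCODES[opcode], filename, mode)


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def find_tftp_requests(datagrams: List[Datagram]) -> List[dict]:
    """Flag every datagram carrying a TFTP RRQ/WRQ, whatever its port."""
    alerts = []
    for d in datagrams:
        req = parse_tftp_request(d.payload)
        if req is None:
            continue
        alerts.append({
            "src": d.src, "dst": d.dst, "dport": d.dport,
            "opcode": req.opcode, "filename": req.filename, "mode": req.mode,
            # A request to anything but 69 is worth a closer look on its own
            "nonstandard_port": d.dport != 69,
        })
    return alerts


# Constructed sample traffic (RFC 1918 addresses; not captured data)
SAMPLE_DATAGRAMS = [
    # Ordinary read request to the well-known TFTP port
    Datagram("10.0.0.5", "10.0.0.9", 69, b"\x00\x01bootfile.bin\x00octet\x00"),
    # Write request to a high port: the hidden-server case the thread worries about
    Datagram("10.0.0.5", "10.0.0.23", 6969, b"\x00\x02notes.txt\x00NETASCII\x00"),
    # Not TFTP: a payload that merely starts with an opcode-like value
    Datagram("10.0.0.7", "10.0.0.9", 53, b"\x00\x01\x01\x00\x00\x01\x00\x00"),
    # Truncated request with no terminating NUL; rejected as malformed
    Datagram("10.0.0.8", "10.0.0.9", 69, b"\x00\x01bootfile.bin\x00octet"),
]

if __name__ == "__main__":
    for alert in find_tftp_requests(SAMPLE_DATAGRAMS):
        print(alert)
```

Run as-is, it reports two requests: the read on port 69 and the write on port 6969, while the DNS-shaped payload and the truncated request are ignored. The mode check is what keeps the opcode-only match from firing on unrelated UDP traffic whose first two bytes happen to be 0x0001 or 0x0002; the same idea applies when writing the sensor rule Harlan mentions, which should match on the request structure rather than on the port alone.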




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT