Re: FTP Window of opportunity?

From: Josh Tolley (josh@raintreeinc.com)
Date: Tue Mar 23 2004 - 19:54:10 EST


The first thing to do is turn on
tcpdump/windump/ethereal/your-favorite-sniffer and see what exactly
happened. Your computer sent a SYN packet... did you ever get the
SYN/ACK back? If not, ISS probably meant "Connecting..." when they said
"Connected..." because that's what it was really doing. If you *did* get
a SYN/ACK back, things could be really interesting. Most likely, though,
you didn't ever get a SYN/ACK packet, and ISS was just lying to you when
it said "Connected..."

Josh

C Ryll wrote:

> I recently assessed a system in which I already know its configuration
> (and have full legal rights to). FTP is purposefully not running, as
> well as blocked by the firewall.
> When I scan with ISS, the FTP port shows up. When I use NMap, it does
> not show FTP's port.
> Because of the discrepancy, I tried to manually FTP into the system. It
> actually said "Connected...", hung for about 10 seconds, and then said
> "Connection Terminated."
> (As a baseline, telnet's port is also blocked by the firewall, and does
> not show up in scans - essentially, results for telnet are as expected).
>
> With ISS, I'm assuming that it saw "Connected..." and showed me that
> port. My guess would be that NMap waited around to try something else,
> but saw "Connection Terminated" and didn't list it.
>
> However, as I said previously, seeing that it actually says "Connected",
> and then hangs for about 10 seconds before terminating:
> 1). Can I use this behavior to my advantage somehow? If yes, how?
> 2). Is there a known explanation to this?
>
> The firewall is the Internet Connection firewall, and I am curious if it
> requires the ftp port inadvertently for its functioning when checking
> the incoming packets...
>
> While I can make some changes to the system (like shutting off certain
> services and shutting off the firewall), I cannot modify it such that I
> can try another firewall or anything else like that.
>
> Any help is greatly appreciated.
> Carolyn.
>

-- 
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000
---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------
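The distinction Josh draws (did a SYN/ACK ever come back, and if so, what did the peer do next) can be checked from the client side as well as with a sniffer. The script below is an added example, not code from this thread; it classifies a TCP probe into "no SYN/ACK" (connect timed out), "RST to SYN" (refused), or one of the post-handshake outcomes (peer sent a banner, stayed silent, or closed/reset the connection). The three local listeners are constructed here only to exercise each branch offline; `probe_tcp`, `start_listener` and `closed_port` are names chosen for this example.

```python
import socket
import threading
import time


def probe_tcp(host, port, connect_timeout=3.0, read_timeout=2.0):
    """Classify what the peer does in response to a SYN and after the handshake.

    Return values:
      "no-syn-ack"    - connect() timed out: our SYN got no answer (dropped/filtered)
      "rst-to-syn"    - connection refused: the peer answered the SYN with RST
      "error:<errno>" - some other local/network error (unreachable, etc.)
      "open-banner"   - handshake completed and the peer sent data
      "open-silent"   - handshake completed, peer sent nothing within read_timeout
      "open-then-fin" - handshake completed, then the peer closed the connection
      "open-then-rst" - handshake completed, then the peer reset the connection
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(connect_timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "no-syn-ack"
    except ConnectionRefusedError:
        s.close()
        return "rst-to-syn"
    except OSError as e:
        s.close()
        return f"error:{e.errno}"

    # connect() returned, so a SYN/ACK was received and the 3-way handshake
    # finished. A scanner is entitled to say "Connected" here. What happens
    # next is what separates a real service from a stub that just closes.
    s.settimeout(read_timeout)
    try:
        data = s.recv(1024)
    except socket.timeout:
        result = "open-silent"
    except ConnectionResetError:
        result = "open-then-rst"
    else:
        # recv() returning b"" means the peer sent FIN (orderly close).
        result = "open-then-fin" if data == b"" else "open-banner"
    finally:
        s.close()
    return result


# --- constructed local listeners used only to demonstrate each outcome ---

def _serve_once(sock, behaviour):
    conn, _ = sock.accept()
    if behaviour == "close":        # accept, pause, then hang up (the "Connected... Terminated" pattern)
        time.sleep(0.2)
        conn.close()
    elif behaviour == "banner":     # behave like a real FTP daemon greeting
        conn.sendall(b"220 example ftp ready\r\n")
        time.sleep(0.2)
        conn.close()
    elif behaviour == "silent":     # accept and say nothing for a while
        time.sleep(3)
        conn.close()
    sock.close()


def start_listener(behaviour):
    """Start a one-shot listener on 127.0.0.1 and return its port (example helper)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    port = sock.getsockname()[1]
    threading.Thread(target=_serve_once, args=(sock, behaviour), daemon=True).start()
    return port


def closed_port():
    """Return a loopback port with nothing listening on it (example helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("closed port  :", probe_tcp("127.0.0.1", closed_port()))
    print("accept+close :", probe_tcp("127.0.0.1", start_listener("close")))
    print("banner       :", probe_tcp("127.0.0.1", start_listener("banner")))
    print("silent       :", probe_tcp("127.0.0.1", start_listener("silent"), read_timeout=0.5))
```

Run it against the real target as `probe_tcp("<host>", 21)` while a sniffer such as `tcpdump -n 'host <host> and tcp port 21'` is capturing; the socket-level result and the packet trace should agree. An "open-then-fin"/"open-then-rst" result on a port where no daemon is supposed to run means something did complete the handshake before dropping you, which is worth chasing; "no-syn-ack" means the scanner's "Connected..." was wishful.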


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT