Re: FTP Window of opportunity?

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Wed Mar 24 2004 - 04:36:48 EST


C Ryll wrote:

> However, as I said previously, seeing that it actually says "Connected",
> and then hangs for about 10 seconds before terminating:
> 1). Can I use this behavior to my advantage somehow? If yes, how?
> 2). Is there a known explanation to this?

   As you don't say what platform you're using, or what particular FTP
client, I can only guess. My guess is that what you see is client
behaviour, not necessarily connected to actual FTP connectivity.
(Perhaps the client writes 'Connected...', then tries to connect, and when
it times out, writes 'Connection terminated' even though there never
was a connection established in the first place.)

   Try using netcat (nc) if you have it. It doesn't add any output that may be
confusing: if it finds an FTP server, you'll get the banner line sent by
the server -- if it cannot connect it will terminate. If there's any
FTP proxy activity involved, it won't show it, though.

   To be 100% certain, take a look at the actual FTP traffic with a sniffer.
This is probably the safest thing, as you'll see everything that goes on,
including any proxy behaviour (say, outside opens FTP connection speculatively,
only to close it later when the inside doesn't want to play along.)

   Since nmap doesn't see an FTP server (recent version of nmap, default
scan, no fancy options?), chances are pretty good there is nothing to see,
though.

-- 
Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63	
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
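
The check suggested in the message above, separating the TCP connect from the server's greeting, as an added example that is not part of the original post. The function name `probe_ftp` and the result labels are made up for illustration, and the demo listener at the bottom is constructed.

```python
import socket

def probe_ftp(host, port=21, timeout=5.0):
    """Return (state, detail), keeping the TCP connect result apart from
    whatever the server says afterwards, with no client-side wording."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)            # RST: nothing listening
    except socket.timeout:
        return ("connect-timeout", None)    # SYN unanswered, e.g. filtered
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        # The three-way handshake completed. That alone does not prove an
        # FTP server is present: a proxy or an idle listener also gets here.
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return ("connected-no-banner", None)
        except OSError:
            return ("closed-without-banner", None)
        if not data:
            return ("closed-without-banner", None)
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        # FTP replies start with a three-digit code (220 for a ready server).
        state = "ftp-reply" if line[:3].isdigit() else "non-ftp-data"
        return (state, line)

if __name__ == "__main__":
    # Constructed demo: a local listener that completes the handshake but
    # never sends a greeting, like the "Connected, then hangs" case.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(probe_ftp("127.0.0.1", srv.getsockname()[1], timeout=1.0))
    srv.close()
```

A result of `connected-no-banner` or `closed-without-banner` is the case where a sniffer trace is still needed to tell a proxy from a real server.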


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT