Re: Question: FTP via alternate port

From: Jason Baeder (jason_baeder@yahoo.com)
Date: Fri Jan 27 2006 - 10:08:52 EST

• Next message: Eugene: "Rolex, Cartier, Louis Vuitton, Tag Heuer, Breitling"
• Previous message: Max Ashton: "Re: Question: FTP via alternate port"
• In reply to: Niels Taylor: "Question: FTP via alternate port"
• Next in thread: Packet Man: "Re: Question: FTP via alternate port"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Niels,

The problem with FTP is that it requires two ports to operate. FW's
that are "FTP-aware" are looking for the PORT or PASV command in the
FTP command stream in order to dynamically open that port for the data
stream. On many firewalls you can specify what port(s) the FW should
expect to be the FTP command channel. By default that port is 21 of
course. If you try FTP on any other port, you might open the command
channel (depends on the FW) but you won't be able to open the data
channel.

If, in this case, if only ports 80 and 443 are open outbound, using FTP
to move files off the compromised system would only be viable if 1) the
attacker used a FTP client in passive mode; 2) he/she could manually
set the data port. That way he/she could use 80 for the command channel
and 443 for the data channel. But that's not going to happen with the
MS FTP client -- ASFAIK it can't even talk passive mode and the command
options are extremely limited. Where outbound access is unrestricted,
the MS tftp client will serve the purpose of moving files off the
compromised box. But like the FTP client, AFAIK, you can not change
the port the MS tftp client uses. Not to mention, tftp inbound/outbound
should NOT be allowed.

Ideally the attacker would want to upload another tool onto the
compromised system: either a replacement for the MS FTP client, like
MOVEit Freely or pscp, or better yet, netcat or cryptcat (even more
functionality). This is by no means a definitive list of choices.

So the defender's job is make to sure an attacker cannot get onto the
SQL server to begin with, and then, if he/she does get on the box, to
make sure the attacker is (pardon the pun) boxed in with little room to
maneuver until you discover the intrusion (hopefully sooner than
later).

Jason Baeder
CISSP GCIA GCIH

--- Niels Taylor <niels.taylor@gmail.com> wrote:

>
> Hello list, I hope this question is not too "newbie," and I am sure
> if it is
> I will find out quickly. I am interested in ways an attacker could
> circumvent outbound FTP restrictions on a FW. I have researched this
> a bit
> but the information I am seeing is ambiguous, so I thought I'd take
> it
> straight to the experts.
>
> If a remote attacker gains command line access to a server (I am
> concerned
> about a Microsoft 2000 SQL server specifically) that is behind a
> firewall,
> and outbound FTP had been disabled at the FW, could the attacker use
> the MS
> FTP "Open" command to specify a different, unrestricted outbound port
> (e.g
> 80 or 443) to transfer files, (assuming of course that his FTP server
> is
> configured to listen on this port). Is this a viable scenario, and
> if not,
> could he send files via another method? This question assumes no
> outbound
> application layer inspection at the FW, so that it isn't able to see
> FTP
> traffic on port 23, or 80, for instance.
>
> Thank you for your help.
>
> Niels Taylor
>
>
>
>
------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your
> website. Up to 75% of cyber attacks are launched on shopping carts,
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
>
-------------------------------------------------------------------------------
>
>

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Eugene: "Rolex, Cartier, Louis Vuitton, Tag Heuer, Breitling"
• Previous message: Max Ashton: "Re: Question: FTP via alternate port"
• In reply to: Niels Taylor: "Question: FTP via alternate port"
• Next in thread: Packet Man: "Re: Question: FTP via alternate port"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:25 EDT