Full Disclosure mailing list archives

[ TOOL ] winftprecon - Windows FTP SITE STATS poller for enumeration purposes


From: "tom () ashrae be" <tom () ashrae be>
Date: Mon, 13 Jul 2009 14:47:53 +0200

winftprecon is a tool to poll a Windows FTP service for the output of the SITE
STATS command. The SITE STATS command gives out statistics on the FTP service
which can be used for simple statistics purposes but also for remote
enumeration of the FTP service for attack and penetration purposes.  For
example, when were uploads/downloads performed?  When do most users log on to
the service, e.g. when would it hurt the target to perform a DoS attack?  Do the
IP ID values of the target increment and does this correspond with major file
uploads or downloads?  Can you hijack or break the high ports of the host while
these transfers are in progress?  The advantages of having this kind of
information have been demonstrated during several talks emphasizing the
importance of enumeration and fingerprinting of a remote target, one of them
being the "Tactical Exploitation Talk" at Defcon two years ago:
http://www.metasploit.org/data/confs/blackhat2007/tactical_blackhat2007.pdf
(slide 34 gives an example on what can be extracted and visualized with
winftprecon)

In general, the output of the SITE STATS command, if supported and enabled,
consists of a list of FTP commands that were issued towards the FTP service and
how many times each was issued, in the form of a number. The information is
automatically saved in CSV format or a sqlite3 database as a dataset for
statistics and enumeration of the ftp service to obtain valuable information
towards attack/assessment planning.

Downloadable at http://www.ashrae.be/tom/tools/winftprecon0.9.tgz or
PacketStorm Security

