Nmap Development mailing list archives
Re: Sounds like ftp-anon needs work?
From: David Fifield <david () bamsoftware com>
Date: Wed, 19 May 2010 14:21:35 -0600
On Wed, May 19, 2010 at 09:09:44PM +0100, Rob Nicholls wrote:
On Wed, 19 May 2010 13:28:58 -0600, David Fifield <david () bamsoftware com> wrote:Looks good, and good job on the research. The patch requires a 331 response and only a 331 response after USER; the Metasploit code accepts 331 or any 2?? code. I recommend this procedure: 1. Send USER. 2. Read a single line and ignore it. (Check for a socket error.) 3. Send PASS. 4. Read lines, checking for any 2?? reply.I'm way ahead of you (okay, maybe a just a few minutes...)! It seems that a small minority of servers will simply accept "anonymous" without prompting for a password, so we need to check the first line for a 230 response rather than discarding it. How does the following sound instead? 1. Send USER. 2. Read a single line and check for 230 or 331 (break if 230; check for socket error) 3. If 331 send PASS. 4. Read a single line and check for 230. I've been running tests against over 2200 servers (based on an old list from http://www.ftp-sites.org). Just over half have open FTP servers and about 2/3rds of those allowed anonymous access using my updated script with a 5 second timeout. I'm currently testing it with a 30 second timeout to see how much of an improvement I get (but it's taking ages to run), as the majority of servers that weren't flagged that I've manually tested seemed to take 10-15 seconds to respond to the initial connection. Would 30 seconds be too long?
Okay, that looks good. Except that we should really handle multi-line responses. Since we're only interested in the status code, I think this can be done by reading lines until one begins with a number followed by a space.
I'm a bit concerned about checking for a 2?? reply. The expected response would be 230, anything else beginning with a 2 would be quite unusual [1] and I'd imagine would always be a false positive. It'd be nice to work out why Ron has x.x.x.251 appearing in the Metasploit results and not the Nmap results - I'm personally hoping it's a false positive ;-)
I don't know--all 2?? are "positive completion." In this case I'd rather have false positives (that can be removed later) than false negatives (that will never be discovered). David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Sounds like ftp-anon needs work?, (continued)
- Re: Sounds like ftp-anon needs work? Walt Scrivens (May 19)
- Re: Sounds like ftp-anon needs work? Joao Correa (May 19)
- Re: Sounds like ftp-anon needs work? Ron (May 19)
- Re: Sounds like ftp-anon needs work? Ron (May 19)
- Re: Sounds like ftp-anon needs work? Ron (May 19)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (May 19)
- Re: Sounds like ftp-anon needs work? Ron (May 19)
- Re: Sounds like ftp-anon needs work? Walt Scrivens (May 19)
- Re: Sounds like ftp-anon needs work? David Fifield (May 19)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (May 19)
- Re: Sounds like ftp-anon needs work? David Fifield (May 19)
- Re: Sounds like ftp-anon needs work? Gutek (May 19)
- RE: Sounds like ftp-anon needs work? Rob Nicholls (May 20)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (May 20)
- Re: Sounds like ftp-anon needs work? David Fifield (May 20)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (May 20)
- Re: Sounds like ftp-anon needs work? Ron (May 20)
- RE: Sounds like ftp-anon needs work? Rob Nicholls (May 22)
- Re: Sounds like ftp-anon needs work? Gutek (May 22)
- Re: Sounds like ftp-anon needs work? SM (May 23)
- Re: Sounds like ftp-anon needs work? David Fifield (May 27)