Nmap Development mailing list archives

Re: Sounds like ftp-anon needs work?


From: David Fifield <david () bamsoftware com>
Date: Thu, 27 May 2010 20:54:14 -0600

On Mon, May 24, 2010 at 12:14:58PM +0200, Gutek wrote:
> Looks like we have a chronic false positive.
> I'm testing in-the-wild with -iR and the good news is that when it comes
> to the 230 positive check I've not encountered any false positive so far.
> But the false-positive condition appears when the "Anonymous FTP login
> allowed (FTP code 200)" was found. Each time, it was a CheckPoint Firewall.
>
> It is a "secure FTP server", a kind of proxy-ftp:
> -> the user first has to connect and identify on it with USER
> <my-account-on-the-real-ftp-I-wana-contact@the-ftp-I-wanna-contact>,
> -> PASS <firewall's-password>
> <- 230- User <my-account-on-the-real-ftp-I-wana-contact> authenticated
> by FireWall-1 authentication
> <- 200- you can use 'quote hostname' or Account command ('ACCT')
> --NOTE: this line seems to be typical of CheckPoint Firewall
>
> -> quote <the-ftp-I-wanna-contact>
> OR
> -> ACCT <the-ftp-I-wanna-contact>
> <- 230- Logging in...
> <- 220- <Version> Server Ready
> -> USER, PASS...We're on the "final" server and so we can use the usual
> scheme.

If I understand you correctly, this isn't a false positive at all.
Doesn't the 200 code mean that this is an open FTP proxy? In that case I
would say the script is working as designed.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
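
Added example, not part of the original thread and not the ftp-anon script's own code: one way a scanner could report the two outcomes discussed above separately, a plain 230 login versus the 200 line quoted from the Check Point proxy. The function names, result labels and sample replies are assumptions constructed for illustration.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])\s*(.*)$")
# Wording of the 200 line quoted in the thread for the Check Point proxy.
PROXY_HINT = re.compile(r"quote hostname|\bACCT\b", re.IGNORECASE)


def parse_reply(raw):
    """Return (code, text) for each reply line that starts with a 3-digit code."""
    parsed = []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line.strip())
        if m:
            parsed.append((int(m.group(1)), m.group(3)))
    return parsed


def classify_pass_reply(raw):
    """Label the reply to PASS sent during an anonymous-login probe."""
    lines = parse_reply(raw)
    if not lines:
        return "unparsed"
    # Check every line: the quoted proxy output mixes 230- and 200- lines.
    if any(code == 200 and PROXY_HINT.search(text) for code, text in lines):
        return "ftp-proxy-awaiting-target"
    last = lines[-1][0]
    if last == 230:
        return "anonymous-login"
    if last in (331, 332):
        return "more-credentials-needed"
    if 400 <= last <= 599:
        return "rejected"
    return "other-%d" % last


# Constructed sample replies; the proxy one is modelled on the quoted exchange.
SAMPLES = {
    "plain-server": "230 Login successful.\r\n",
    "checkpoint-style": (
        "230- User anonymous authenticated by FireWall-1 authentication\r\n"
        "200- you can use 'quote hostname' or Account command ('ACCT')\r\n"
    ),
    "refused": "530 Login incorrect.\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_pass_reply(raw))
```

Reporting the proxy case under its own label lets the reader of the scan output decide whether it is a finding, which is the point the two posters disagree on.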

