Penetration Testing mailing list archives
RE: FTP Window of opportunity?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 24 Mar 2004 13:24:46 -0500
I'm not sure that Raptor response is a bad thing....I think it could slow an attacker down by making them think that they has some worthwhile target on the line when in reality it was just a firewall lying to them. I do not think the traffic every actually got to the internal machines but I didn't test that. The connection connects and then immediately drops. -----Original Message----- From: Stevenson, John G [mailto:JGStevenson () pier1 com] Sent: Wednesday, March 24, 2004 12:57 PM To: Jerry Shenk; pen-test () securityfocus com Subject: RE: FTP Window of opportunity? Kind of off-topic, although I'd love for Carolyn to sniff the traffic and report back, just for our on satisfaction. Anyway, on to my question: Is this "intentional response" by the raptor firewall really a good thing? Does it allow the connections to pass 'to' the server or does it seemingly accept the connections and drop them once the response is sent to the attacker? Just curious... John -----Original Message----- From: Jerry Shenk [mailto:jshenk () decommunications com] Sent: Tuesday, March 23, 2004 9:37 PM To: pen-test () securityfocus com Subject: RE: FTP Window of opportunity? I'd use a sniffer to log monitor what actual packets are being received from the "ftp server" to see what scanner is right. It would seem to me that ISS should be getting something back if it's claiming that the port is open. You could run a sniffing in the path of the traffic between the scanning machine and the ftp server and set it to only log the traffic between that pair. It seems quite normal to get results back from an automated tool that conflict with something else. Then the pen tester needs to dig a little deeper and analyze what actually happened. BTW, some firewalls (Raptor at least) intentionally respond to all kinds of crazy traffic. It seems that they intentionally try to confuse an attacker (or pen tester;) by allowing connections to ports that aren't really open. -----Original Message----- From: C Ryll [mailto:carolynryll () hotmail com] Sent: Tuesday, March 23, 2004 4:50 PM To: pen-test () securityfocus com Subject: FTP Window of opportunity? I recently assessed a system in which I already know its configuration (and have full legal rights to). FTP is purposefully not running, as well as blocked by the firewall. When I scan with ISS, the FTP port shows up. When I use NMap, it does not show FTP's port. Because of the discrepancy, I tried to manually FTP into the system. It actually said "Connected...", hung for about 10 seconds, and then said "Connection Terminated." (As a baseline, telnet's port is also blocked by the firewall, and does not show up in scans - essentially, results for telnet are as expected). With ISS, I'm assuming that it saw "Connected..." and showed me that port. My guess would be that NMap waited around to try something else, but saw "Connection Terminated" and didn't list it. However, as I said previously, seeing that it actually says "Connected", and then hangs for about 10 seconds before terminating: 1). Can I use this behavior to my advantage somehow? If yes, how? 2). Is there a known explanation to this? The firewall is the Internet Connection firewall, and I am curious if it requires the ftp port inadvertently for its functioning when checking the incoming packets... While I can make some changes to the system (like shutting off certain services and shutting off the firewall), I cannot modify it such that I can try another firewall or anything else like that. Any help is greatly appreciated. Carolyn. _________________________________________________________________ All the action. All the drama. Get NCAA hoops coverage at MSN Sports by ESPN. http://msn.espn.go.com/index.html?partnersite=espn ------------------------------------------------------------------------ --- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
Current thread:
- FTP Window of opportunity? C Ryll (Mar 23)
- RE: FTP Window of opportunity? Jerry Shenk (Mar 24)
- Re: FTP Window of opportunity? Nexus (Mar 24)
- Re: FTP Window of opportunity? Josh Tolley (Mar 24)
- Re: FTP Window of opportunity? Anders Thulin (Mar 24)
- <Possible follow-ups>
- RE: FTP Window of opportunity? Stevenson, John G (Mar 24)
- RE: FTP Window of opportunity? Jerry Shenk (Mar 24)
- RE: FTP Window of opportunity? C Ryll (Mar 24)
- Re: FTP Window of opportunity? Erik Birkholz (Mar 25)
- RE: FTP Window of opportunity? Jerry Shenk (Mar 24)