Re: Sounds like ftp-anon needs work?

[Ron <ron () skullsecurity net>]

So, it appears that the problem is a reliability issue -- it misses ftp servers. 

I tried with Metasploit on my business network and found these (all printers):
 x.x.x.20
 x.x.x.22
 x.x.x.26
 x.x.x.30
 x.x.x.32
 x.x.x.33
 x.x.x.36
 x.x.x.38
 x.x.x.42
 x.x.x.43
 x.x.x.224
 x.x.x.225
 x.x.x.251

Then I ran it three times with Nmap and got different results...

Nmap attempt 1:
 x.x.x.30
 x.x.x.33
 x.x.x.43

Nmap attempt 2:
 x.x.x.20
 x.x.x.22
 x.x.x.28
 x.x.x.43
 x.x.x.224
 x.x.x.225

Nmap attempt 3:
 x.x.x.27
 x.x.x.29
 x.x.x.33
 x.x.x.34
 x.x.x.38

> From a quick look, the timeout is set to 5 seconds on the socket. I tried upping the timeout to 10 seconds and only 
> got two results:
 x.x.x.23
 x.x.x.34

So yeah, I'm not sure what's going on. If somebody can think of further tests, or wants a pcap (off list), I'll 
definitely share. 


On Tue, 18 May 2010 21:08:03 -0400 kx <kxmail () gmail com> wrote:
> I have an itching suspicion it is because of the username and password
> nmap uses vs. metasploit
>
> Nmap:
>       try(socket:send("USER anonymous\r\n"))
>       try(socket:send("PASS IEUser@\r\n"))
>
> Metasploit:
>   OptString.new('FTPUSER', [ false, 'The username to authenticate as',
> 'anonymous']),
>   OptString.new('FTPPASS', [ false, 'The password for the specified
> username', 'mozilla () example com'])
>
> But I don't know of an ftp server to test against that nmap doesn't
> get a response from, but metasploit does.
>
> cheers,
>   kx
>
> On Tue, May 18, 2010 at 9:27 AM, Ron <ron () skullsecurity net> wrote:
> > Absolutely! I do my best to answer scripting questions here or in
> > #nmap on freenode whenever I can.
> >
> > (If you do ask in #nmap on Freenode, make sure you stick around for
> > the answer :) ).
> >
> > On Tue, 18 May 2010 08:31:29 -0400 Walt Scrivens <walts () gate net>
> > wrote:
> > > This looks interesting.   I'll give it a try, but I'm a total N00B
> > > at Nmap Scripting and I'm likely to have to ask a lot of
> > > questions.  OK?
> > >
> > > Walt
> > >
> > > On May 17, 2010, at 7:26 PM, Ron wrote:
> > >
> > > > http://eromang.zataz.com/2010/05/16/anonymous-ftp-scanning-differences-between-metasploit-and-nmap
> > > >
> > > > Metasploit found about twice as many anonymous FTP servers than
> > > > Nmap's ftp-anon.nse script. Metasploit also says whether it's
> > > > read or read/write.
> > > >
> > > > Improving ftp-anon.nse might be a good task for somebody who's
> > > > looking to learn Nmap scripting a little. It's going to be more
> > > > troubleshooting than coding, likely.
> > > >
> > > > Any takers?
> > > >
> > > > --
> > > > Ron Bowes
> > > > http://www.skullsecurity.org
> > > > http://www.twitter.com/iagox86
> > > > _______________________________________________
> > > > Sent through the nmap-dev mailing list
> > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > Archived at http://seclists.org/nmap-dev/
> >
> >
> > --
> > Ron Bowes
> > http://www.skullsecurity.org
> > http://www.twitter.com/iagox86
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86

Attachment: _bin
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/