Nmap Development mailing list archives

Re: Sounds like ftp-anon needs work?


From: Ron <ron () skullsecurity net>
Date: Wed, 19 May 2010 10:03:57 -0500

Sorry for all the replies, but I have some more details. 

With one FTP server, it never misses it. If I give two, it misses one or both pretty regularly. I did a pcap of a 
session where I scanned two ftp servers and discovered that, within about 0.2 seconds, the requests went out and the 
responses came back. Then there was a 5 second delay (the socket's timeout) and my computer sent out a FIN and closed 
the connection. 

There's obviously some logic bug that's cropping up. This is kind of ugly. :)

Also, for what it's worth, Metasploit missed at least one FTP server -- x.x.x.21 is an open ftp server that Nmap finds 
(if I narrow down the range). 

On Wed, 19 May 2010 09:41:29 -0500 Ron <ron () skullsecurity net> wrote:
So, it appears that the problem is a reliability issue -- it misses
ftp servers. 

I tried with Metasploit on my business network and found these (all
printers):
 x.x.x.20
 x.x.x.22
 x.x.x.26
 x.x.x.30
 x.x.x.32
 x.x.x.33
 x.x.x.36
 x.x.x.38
 x.x.x.42
 x.x.x.43
 x.x.x.224
 x.x.x.225
 x.x.x.251

Then I ran it three times with Nmap and got different results...

Nmap attempt 1:
 x.x.x.30
 x.x.x.33
 x.x.x.43

Nmap attempt 2:
 x.x.x.20
 x.x.x.22
 x.x.x.28
 x.x.x.43
 x.x.x.224
 x.x.x.225

Nmap attempt 3:
 x.x.x.27
 x.x.x.29
 x.x.x.33
 x.x.x.34
 x.x.x.38

From a quick look, the timeout is set to 5 seconds on the socket. I
tried upping the timeout to 10 seconds and only got two results:
 x.x.x.23
 x.x.x.34

So yeah, I'm not sure what's going on. If somebody can think of
further tests, or wants a pcap (off list), I'll definitely share. 


On Tue, 18 May 2010 21:08:03 -0400 kx <kxmail () gmail com> wrote:
I have an itching suspicion it is because of the username and
password nmap uses vs. metasploit

Nmap:
    try(socket:send("USER anonymous\r\n"))
    try(socket:send("PASS IEUser@\r\n"))

Metasploit:
  OptString.new('FTPUSER', [ false, 'The username to authenticate as', 'anonymous']),
  OptString.new('FTPPASS', [ false, 'The password for the specified username', 'mozilla@example.com'])

But I don't know of an ftp server to test against that nmap doesn't
get a response from, but metasploit does.

cheers,
  kx
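An added example, in Python rather than NSE Lua, that is not ftp-anon.nse, not the Metasploit module, and not code from anyone in this thread. It shows the reply-framing rule an anonymous-login check has to follow: per RFC 959 a reply ends at the first line of the form "NNN " and a "NNN-" line opens a multi-line reply, so the reader must stop exactly there. A reader that instead waits for a fixed number of lines, or keeps calling recv() until the peer goes quiet, sits on the socket until its timeout fires even though the whole reply arrived in milliseconds, which is the shape of the pcap Ron describes at the top of the thread (request and response within 0.2 s, then a 5 s stall and a FIN). That this is the cause of ftp-anon's misses is an assumption, not something the thread establishes. The server transcripts, the `_scripted_peer` socket stand-in and all function names are constructed for the example; the USER/PASS values are the ones kx quotes from Nmap.

```python
import re

# RFC 959 4.2: a reply line starts with a 3-digit code followed by " "
# (last line of the reply) or "-" (opens a multi-line reply).
REPLY_START = re.compile(rb"^(\d{3})([ -])")


class FtpReplyReader:
    """Frames replies so the caller never waits for bytes that are not coming."""

    def __init__(self, recv):
        self._recv = recv   # callable returning the next chunk of bytes
        self._buf = b""

    def read_reply(self):
        """Return (code, lines) for exactly one complete reply."""
        lines, code = [], None
        while True:
            nl = self._buf.find(b"\r\n")
            if nl < 0:                            # no full line yet: read more
                chunk = self._recv()
                if not chunk:
                    raise ConnectionError("peer closed mid-reply")
                self._buf += chunk
                continue
            line, self._buf = self._buf[:nl], self._buf[nl + 2:]
            lines.append(line.decode("ascii", "replace"))
            m = REPLY_START.match(line)
            if code is None:                      # first line of this reply
                if not m:
                    raise ValueError(f"malformed reply line: {line!r}")
                code = m.group(1)
                if m.group(2) == b" ":            # single-line reply: done
                    return int(code), lines
            elif m and m.group(1) == code and m.group(2) == b" ":
                return int(code), lines           # "NNN " closes the block


def anonymous_login_result(reader, send, user, password):
    """Banner/USER/PASS exchange; returns 'allowed', 'denied' or 'unexpected:<code>'."""
    code, _ = reader.read_reply()                 # 220 banner, maybe multi-line
    if code != 220:
        return f"unexpected:{code}"
    send(b"USER " + user + b"\r\n")
    code, _ = reader.read_reply()
    if code == 230:                               # accepted with no password
        return "allowed"
    if code != 331:
        return "denied" if code == 530 else f"unexpected:{code}"
    send(b"PASS " + password + b"\r\n")
    code, _ = reader.read_reply()
    if code == 230:
        return "allowed"
    return "denied" if code == 530 else f"unexpected:{code}"


def naive_read_lines(recv, n):
    """The pattern to avoid: read until n lines are in hand, ignoring framing.
    A one-line reply with n=2 blocks until the socket timeout fires."""
    buf = b""
    while buf.count(b"\r\n") < n:
        buf += recv()
    return buf


def _scripted_peer(chunks):
    """Constructed stand-in for socket.recv(): yields the scripted chunks, then
    raises TimeoutError, as a blocking recv() does once its timeout expires."""
    it = iter(chunks)

    def recv():
        try:
            return next(it)
        except StopIteration:
            raise TimeoutError("recv() waited for data the peer never sends") from None
    return recv


def check_transcript(chunks, user=b"anonymous", password=b"IEUser@"):
    """Run the login check over a scripted transcript; returns (result, sent)."""
    sent = []
    reader = FtpReplyReader(_scripted_peer(chunks))
    return anonymous_login_result(reader, sent.append, user, password), sent


def compare_readers(chunks=(b"220 Ready.\r\n",)):
    """Naive line-count reader vs. framing reader on the same one-line banner."""
    try:
        naive_read_lines(_scripted_peer(list(chunks)), 2)
        naive = "returned"
    except TimeoutError:
        naive = "timed out"
    code, _ = FtpReplyReader(_scripted_peer(list(chunks))).read_reply()
    return naive, code


# Constructed sample transcripts, not captures from any real host.
MULTILINE_BANNER_ALLOWED = [
    b"220-Welcome to the sample server\r\n220-",    # reply split across reads
    b"Unauthorized use prohibited\r\n220 Ready.\r\n",
    b"331 Please specify the password.\r\n",
    b"230 Login successful.\r\n",
]
DENIED = [b"220 Ready.\r\n", b"331 Password required.\r\n", b"530 Login incorrect.\r\n"]
```

`check_transcript(MULTILINE_BANNER_ALLOWED)` returns `('allowed', ...)` with both commands sent, `check_transcript(DENIED)[0]` is `'denied'`, and `compare_readers()` returns `('timed out', 220)`: the framing reader finishes the one-line banner at once, while the line-counting reader waits for a second line that never comes. The check only classifies login as allowed or denied; the read versus read/write distinction Metasploit reports is outside what it does.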

On Tue, May 18, 2010 at 9:27 AM, Ron <ron () skullsecurity net> wrote:
Absolutely! I do my best to answer scripting questions here or in
#nmap on freenode whenever I can.

(If you do ask in #nmap on Freenode, make sure you stick around
for the answer :) ).

On Tue, 18 May 2010 08:31:29 -0400 Walt Scrivens <walts () gate net>
wrote:
This looks interesting.   I'll give it a try, but I'm a total
N00B at Nmap Scripting and I'm likely to have to ask a lot of
questions.  OK?

Walt

On May 17, 2010, at 7:26 PM, Ron wrote:

http://eromang.zataz.com/2010/05/16/anonymous-ftp-scanning-differences-between-metasploit-and-nmap

Metasploit found about twice as many anonymous FTP servers than
Nmap's ftp-anon.nse script. Metasploit also says whether it's
read or read/write.

Improving ftp-anon.nse might be a good task for somebody who's
looking to learn Nmap scripting a little. It's going to be more
troubleshooting than coding, likely.

Any takers?

--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
