Re: Sounds like ftp-anon needs work?

[David Fifield <david () bamsoftware com>]

On Thu, May 20, 2010 at 07:09:49PM +0100, Rob Nicholls wrote:
> On Wed, 19 May 2010 14:21:35 -0600, David Fifield <david () bamsoftware com>
> wrote:
> > > I'm a bit concerned about checking for a 2?? reply. The expected
> response
> > > would be 230, anything else beginning with a 2 would be quite unusual
> [1]
> > > and I'd imagine would always be a false positive. It'd be nice to work
> > > out
> > > why Ron has x.x.x.251 appearing in the Metasploit results and not the
> > > Nmap
> > > results - I'm personally hoping it's a false positive ;-)
> >
> > I don't know--all 2?? are "positive completion." In this case I'd rather
> > have false positives (that can be removed later) than false negatives
> > (that will never be discovered).
>
> Apologies for replying again to this message, but I took a closer look at
> what's on Wikipedia and it states:
>
> The first digit denotes whether the response is good, bad or incomplete.
> 2xx Positive Completion reply 
> The requested action has been successfully completed. A new request may be
> initiated.
>
> and
>
> The second digit is a grouping digit and encodes the following
> information.
> x3x Authentication and accounting 
> Replies for the login process and accounting procedures.
>
> and
>
> Below is a list of all known return codes that may be issued by an FTP
> server.
>
> <snip>
> 230 User logged in, proceed. Logged out if appropriate. 
> 231 User logged out; service terminated. 
> 232 Logout command noted, will complete when transfer done. 
> <snip>
>
> Given that 231 is a logout code and 232 notes a logout command, the only
> positive completion code (2xx) that's related to authentication (x3x) and
> isn't logout related is the code 230.
>
> Even after sending the extra step of an ACCT command that Gutek mentioned,
> which I haven't implemented yet, it will immediately return a 230 according
> to the DeleGate output.
>
> My current version of the script (I'll send it out shortly) checks for a 2
> after sending the password and modifies the returned output if any 2xx code
> other than a 230 is detected; but I'm still inclined to only check for 230,
> as I don't think we'll get any false negatives (short of an extremely badly
> written FTP server, but I would imagine it'd confuse/break most FTP clients
> into thinking the user still needs to authenticate). Has anyone ever seen
> anything other than a 230 that confirms a successful login? I'm currently
> repeating my test against the same ~2200 servers as yesterday to see what
> the script returns this time.

What about

200 Command okay.
202 Command not implemented, superfluous at this site.

I was thinking about 202 in particular when I suggested looking for all
2?? error codes. Let me say again that I'm very comfortable with
accepting false positives in this case. If there's a server that
consistently gets reported as anonymous when it's not, someone will
report it and we'll add a check to exclude it. But if the test is too
tight and misses some anonymous servers, we'll never know about it: no
one will ever report it because they won't know themselves.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/