Nmap Development mailing list archives
Re: Sounds like ftp-anon needs work?
From: David Fifield <david () bamsoftware com>
Date: Thu, 20 May 2010 12:37:00 -0600
On Thu, May 20, 2010 at 07:09:49PM +0100, Rob Nicholls wrote:
> On Wed, 19 May 2010 14:21:35 -0600, David Fifield <david () bamsoftware com> wrote:
>>> I'm a bit concerned about checking for a 2?? reply. The expected response would be 230, anything else beginning with a 2 would be quite unusual[1] and I'd imagine would always be a false positive. It'd be nice to work out why Ron has x.x.x.251 appearing in the Metasploit results and not the Nmap results - I'm personally hoping it's a false positive ;-)
>>
>> I don't know--all 2?? are "positive completion." In this case I'd rather have false positives (that can be removed later) than false negatives (that will never be discovered).
>
> Apologies for replying again to this message, but I took a closer look at what's on Wikipedia and it states:
>
>   The first digit denotes whether the response is good, bad or incomplete.
>   2xx Positive Completion reply
>   The requested action has been successfully completed. A new request may be initiated.
>
> and
>
>   The second digit is a grouping digit and encodes the following information.
>   x3x Authentication and accounting
>   Replies for the login process and accounting procedures.
>
> and
>
>   Below is a list of all known return codes that may be issued by an FTP server.
>   <snip>
>   230 User logged in, proceed. Logged out if appropriate.
>   231 User logged out; service terminated.
>   232 Logout command noted, will complete when transfer done.
>   <snip>
>
> Given that 231 is a logout code and 232 notes a logout command, the only positive completion code (2xx) that's related to authentication (x3x) and isn't logout related is the code 230. Even after sending the extra step of an ACCT command that Gutek mentioned, which I haven't implemented yet, it will immediately return a 230 according to the DeleGate output.
>
> My current version of the script (I'll send it out shortly) checks for a 2 after sending the password and modifies the returned output if any 2xx code other than a 230 is detected; but I'm still inclined to only check for 230, as I don't think we'll get any false negatives (short of an extremely badly written FTP server, but I would imagine it'd confuse/break most FTP clients into thinking the user still needs to authenticate). Has anyone ever seen anything other than a 230 that confirms a successful login? I'm currently repeating my test against the same ~2200 servers as yesterday to see what the script returns this time.

What about

  200 Command okay.
  202 Command not implemented, superfluous at this site.

I was thinking about 202 in particular when I suggested looking for all 2?? error codes. Let me say again that I'm very comfortable with accepting false positives in this case. If there's a server that consistently gets reported as anonymous when it's not, someone will report it and we'll add a check to exclude it. But if the test is too tight and misses some anonymous servers, we'll never know about it: no one will ever report it because they won't know themselves.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
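The check debated in this thread, as an added example that is not part of the original message and is not the ftp-anon script's own code: a Python classifier for the server's reply to PASS that parses RFC 959 multi-line replies, reports 230 as a confirmed anonymous login, and flags any other 2xx for review rather than discarding it. The function names, result labels and sample replies are assumptions constructed for illustration.

```python
import re

# Added example, not the ftp-anon NSE script. Names and labels are hypothetical.
# A reply line is "NNN", "NNN text" (final line) or "NNN-text" (multi-line start).
_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(lines):
    """Return (code, text) for one complete FTP reply given as a list of lines."""
    lines = [l.rstrip("\r\n") for l in lines]
    m = _LINE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("malformed FTP reply: %r" % (lines[:1],))
    code, sep, rest = m.groups()
    text = [rest or ""]
    if sep == "-":
        # Multi-line reply: ends at the first line starting with the same
        # code followed by a space; indented lines are continuation text.
        for line in lines[1:]:
            if line == code or line.startswith(code + " "):
                text.append(line[4:])
                break
            text.append(line)
        else:
            raise ValueError("unterminated multi-line reply")
    return int(code), "\n".join(text)

def classify_pass_reply(lines):
    """Classify the reply to PASS after 'USER anonymous'."""
    code, _ = parse_reply(lines)
    if code == 230:                      # User logged in, proceed
        return "anonymous-login-allowed"
    if 200 <= code <= 299:               # e.g. 202: keep it, but mark it for review
        return "possible-anonymous-login (unexpected %d)" % code
    if code == 332:                      # Need account for login (ACCT step)
        return "account-required"
    return "login-refused"

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "plain": ["230 Login successful.\r\n"],
    "multi": ["230-Welcome\r\n", " 230 is not the end\r\n", "230 Done\r\n"],
    "odd2xx": ["202 Command not implemented, superfluous at this site.\r\n"],
    "acct": ["332 Need account for login.\r\n"],
    "refused": ["530 Login incorrect.\r\n"],
}
```

Reporting the unexpected 2xx case with its own label keeps the false positives visible so they can be excluded later, while the 230 case stays unambiguous.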