Nmap Development mailing list archives

Re: Sounds like ftp-anon needs work?


From: Gutek <ange.gutek () gmail com>
Date: Sat, 22 May 2010 18:48:08 +0200


According to RFC 640, and to summarize, here is the logon sequence with
commands and (first) their respective positive replies, followed by the
negative ones.

Logon

          USER
             230
             530
             500, 501, 421
             331, 332
          PASS
             230
             202
             530
             500, 501, 503, 421
             332
          ACCT
             230
             202
             530
             500, 501, 503, 421


(Complete: http://www.faqs.org/rfcs/rfc640.html)
So if the script would deal with the ACCT case, it should check for a 332
at both the USER stage and the PASS stage (and another one I'll speak about later).
When a 332 occurs, the answer should be an "ACCT <domain, privileged
group name, whatever depending on the policy>".
In an anonymous scenario the argument could be left blank: "ACCT".
In this case the service takes the "mail" provided as a password as the
ACCT variable for the session. Hence, we could have two answers:

1st case: a single (or a bunch of) 220-, acting as a banner, followed
by the long-awaited 230:
220-- ACCT for IEUser@.
230- Guest login ok

2nd case: our 230 directly.

There is another case that could involve a 332-ACCT sequence: writing.
For now the script obviously doesn't need to care about it, but what about
acting as Metasploit does? I mean: testing R/W rights.
Something like
local try = nmap.new_try()
-- probe write access: a 2xx reply to MKD means the directory was created
try(socket:send("MKD testdir\r\n"))
local statusRights, resultRights = socket:receive_lines(1)
while statusRights do
  for rightsLine in resultRights:gmatch("[^\r\n]+") do
    if string.match(rightsLine, "^2") then
      -- clean up the test directory we just created
      try(socket:send("RMD testdir\r\n"))
      -- some code adding Writeable to the results
    end
  end
  statusRights, resultRights = socket:receive_lines(1)
end

Please forgive me if I speak about hypotheses rather than strict
behaviors on a rare scenario: my job makes me exclusively deal with
weird (and/or) hidden services, so I might sound a bit paranoid and have
a biased vision of the network :)


A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
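The USER/PASS/ACCT logon walk and the MKD/RMD write probe from the message above, written out as an added example in Python (not the Nmap ftp-anon script's own code). It runs against a constructed in-memory reply table instead of a socket; the `fake_server` helper, the reply strings and the "IEUser@" mail are assumptions, and the RFC 640 reply codes are the ones tabulated in the post.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Reply codes from the RFC 640 logon table quoted in the post.
LOGGED_IN = {"230", "202"}  # 202 = "command superfluous": already logged in
NEED_PASS, NEED_ACCT = "331", "332"

def final_code(reply: List[str]) -> Optional[str]:
    """Code of the last coded line: 220- banner lines that precede the
    deciding 230 (the post's first case) are skipped that way."""
    code = None
    for line in reply:
        m = re.match(r"^(\d{3})", line)
        if m:
            code = m.group(1)
    return code

def anonymous_logon(send: Callable[[str], List[str]], user="anonymous",
                    mail="IEUser@") -> Tuple[bool, bool]:
    """USER -> PASS -> ACCT per RFC 640; 332 is honoured after USER as well as
    after PASS. Returns (logged_in, acct_was_required); ACCT is sent with an
    empty argument, the anonymous case from the post."""
    code, acct_needed = final_code(send(f"USER {user}")), False
    if code == NEED_PASS:
        code = final_code(send(f"PASS {mail}"))
    if code == NEED_ACCT:
        acct_needed = True
        code = final_code(send("ACCT"))
    return code in LOGGED_IN, acct_needed

def writable(send: Callable[[str], List[str]]) -> bool:
    """The post's MKD/RMD probe: a 2xx to MKD means we created a directory;
    remove it again and report write access."""
    code = final_code(send("MKD testdir"))
    if code is not None and code.startswith("2"):
        send("RMD testdir")
        return True
    return False

def fake_server(replies: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Constructed stand-in for the socket: verb -> reply lines, else 500."""
    return lambda cmd: replies.get(cmd.split(" ", 1)[0], ["500 Syntax error"])

# Constructed transcripts for the two cases described in the post.
ACCT_SERVER = fake_server({"USER": ["331 Password required"],
                           "PASS": ["332 Need account for login"],
                           "ACCT": ["220-- ACCT for IEUser@.", "230 Guest login ok"],
                           "MKD": ["257 \"/testdir\" created"], "RMD": ["250 ok"]})
PLAIN_SERVER = fake_server({"USER": ["331 Send mail as password"],
                            "PASS": ["230 Guest login ok"]})
```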