Nmap Development mailing list archives
RE: Sounds like ftp-anon needs work?
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Sun, 23 May 2010 21:01:21 +0100
Here's a new version to keep everyone on their toes. It should be quicker (as it gives up after a 530, rather than typically waiting for a timeout), hopefully much easier to read the code if anyone wants to improve it in the future (e.g. adding checks to confirm R/W), and should support returning an ACCT if it sees a 332.

I tried it against Ncat running on localhost and it seemed to work as expected if I pretended to be an FTP server and fed a 331 and/or 332 in different orders.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Rob Nicholls
Sent: 22 May 2010 16:33
To: nmap-dev () insecure org
Subject: RE: Sounds like ftp-anon needs work?

I've tried to take on board everyone's suggestions with this version of the script (and it should be a little bit faster compared to my previous version for servers that respond properly). If everyone's happy with it, let me know and I'll commit this one. Suggestions are also welcome. It doesn't currently deal with the ACCT code at this point - what would we send at that point? IEUser@ again?

Some quick stats against some servers on the internet:

My scan of ~2200 servers detected 1294 open 21/tcp ports this time. The script detected 962 supported anonymous logins this time. The only FTP code detected was 230. In comparison, the previous version I sent out picked up 829 and with a longer timeout it would pick up 935 that supported anonymous logins (which suggests around 3% of FTP servers don't require a password for the anonymous account), so this is definitely an improvement.

I've done some checks of open ports that weren't flagged by the script and it doesn't appear to have missed anything. This script should flag other FTP codes, and was briefly flagging 220 until I added some checks to try and parse the banner to avoid false positives when servers return dodgy "220-" banners that contained line breaks (this seemed to affect a few dozen servers).

Also, something I hadn't appreciated last time was that socket:receive_lines(1) doesn't return a single line. I assume the name is simply a little ambiguous, rather than this being a bug.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Ron
Sent: 20 May 2010 20:19
To: nmap-dev () insecure org
Subject: Re: Sounds like ftp-anon needs work?

On Wed, 19 May 2010 21:09:44 +0100 Rob Nicholls <robert () robnicholls co uk> wrote:
It seems that a small minority of servers will simply accept "anonymous" without prompting for a password, so we need to check the first line for a 230 response rather than discarding it. How does the following sound instead?
I told you this off list, but I thought I'd let everybody know. This definitely happens. PureFTPd, one of the servers we were testing on, seems to do that occasionally (but not always).

A second issue we noticed is that during a -sS scan, it worked, but with a -sT or -sV scan, it didn't. I assume this is because the FTPd did some rate limiting when it saw an actual connection (instead of a half-open). If we upped the timeout to 30 seconds, everything worked fine.

--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
Attachment:
ftp-anon.nse
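
The reply handling discussed in this thread (a 230 straight after USER, 331 and 332 in either order, stopping on 530, and "220-" banners that span several lines), as an added Python example that is not the attached ftp-anon.nse or any Nmap code. The names `parse_replies`, `check_anonymous` and `scripted` are hypothetical, the server transcripts are constructed, and reusing the password as the ACCT value is an assumption.

```python
import re

REPLY = re.compile(r"(\d{3})([ -])(.*)")

def parse_replies(raw):
    """Split control-channel bytes into (code, text) replies, folding
    RFC 959 multi-line replies ("220-" ... "220 ") into a single entry."""
    replies, pending, body = [], None, []
    for line in raw.decode("latin-1").splitlines():
        if pending is None:
            m = REPLY.match(line)
            if not m:
                continue                      # stray text outside any reply
            code, sep, text = m.groups()
            if sep == " ":
                replies.append((int(code), text))
            else:
                pending, body = code, [text]  # multi-line reply opened
        elif line.startswith(pending + " "):  # same code + space closes it
            body.append(line[4:])
            replies.append((int(pending), "\n".join(body)))
            pending = None
        else:
            body.append(line)                 # banner text, even if it looks like a code
    return replies

def check_anonymous(exchange, password="IEUser@"):
    """exchange(cmd) sends one command (None = just read the banner) and
    returns the raw bytes received. Returns a verdict string."""
    banner = parse_replies(exchange(None))
    if not banner or banner[-1][0] != 220:
        return "no-ftp-banner"
    follow_up = {331: "PASS " + password,
                 332: "ACCT " + password}     # ACCT value is an assumption
    cmd = "USER anonymous"
    for _ in range(4):                        # bounded: USER, PASS, ACCT, one spare
        replies = parse_replies(exchange(cmd))
        code = replies[-1][0] if replies else None
        if code == 230:
            return "anonymous-allowed"
        if code == 530:
            return "anonymous-denied"         # stop now instead of waiting for a timeout
        if code not in follow_up:
            return "unexpected-%s" % code
        cmd = follow_up[code]
    return "gave-up"

def scripted(*server_replies):
    """Constructed stand-in for a server: replays canned bytes, logs commands."""
    sent, it = [], iter(server_replies)
    def exchange(cmd):
        sent.append(cmd)
        return next(it, b"")
    return exchange, sent
```

Against a real host, `exchange` would wrap a socket with a read timeout; the verdict logic stays the same.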