Nmap Development mailing list archives

Re: Sounds like ftp-anon needs work?


From: Gutek <ange.gutek () gmail com>
Date: Mon, 24 May 2010 12:14:58 +0200

Looks like we have a chronic false positive.
I'm testing in-the-wild with -iR and the good news is that when it comes
to the 230 positive check I've not encountered any false positives so far.
But the false-positive condition appears when the "Anonymous FTP login
allowed (FTP code 200)" was found. Each time, it was a CheckPoint Firewall.

It is a "secure FTP server", a kind of FTP proxy:
-> the user first has to connect and identify on it with USER
<my-account-on-the-real-ftp-I-wanna-contact@the-ftp-I-wanna-contact>,
-> PASS <firewall's-password>
<- 230- User <my-account-on-the-real-ftp-I-wanna-contact> authenticated
by FireWall-1 authentication
<- 200- you can use 'quote hostname' or Account command ('ACCT') --NOTE:
this line seems to be typical of CheckPoint Firewall

-> quote <the-ftp-I-wanna-contact>
OR
-> ACCT <the-ftp-I-wanna-contact>
<- 230- Logging in...
<- 220- <Version> Server Ready
-> USER, PASS... We're on the "final" server and so we can use the usual
scheme.

I'm investigating further, but at this point my proposals are:
- Hypothesis 1: re-discussing the 2xx codes that really reveal an
anonymous FTP
- Hypothesis 2: keeping the 2xx check as it is, and string.matching for the
line that seems to be CheckPoint firewall evidence. If found,
discarding this result.

For the record, here are some topics dealing with CP Firewall behavior:
http://www.ghisler.ch/board/viewtopic.php?t=284
http://www.linuxquestions.org/questions/linux-software-2/gftp-and-ftp-connecting-through-proxy-280446/
http://forum.filezilla-project.org/viewtopic.php?f=2&t=9495

A.G
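A standalone illustration, added here and not part of the post or of Nmap's ftp-anon script, of the check proposed as Hypothesis 2: classify the reply to PASS, and treat a 2xx reply that carries the FireWall-1 proxy banner as a proxy hop rather than an anonymous login. The marker patterns, sample replies and the "ambiguous" label for non-230 2xx codes (Hypothesis 1) are constructed from the transcript above.

```python
"""Constructed example: telling a real anonymous FTP login from a
CheckPoint FireWall-1 FTP proxy that answers 2xx to the firewall login."""
import re

# Constructed from the transcript in the post: lines that identify the
# FireWall-1 proxy rather than the destination FTP server.
CHECKPOINT_MARKERS = (
    re.compile(r"FireWall-1 authentication", re.IGNORECASE),
    re.compile(r"quote hostname.*ACCT", re.IGNORECASE),
)


def parse_reply(reply):
    """Split an FTP reply into (last reply code, [text of each line]).

    RFC 959 multi-line replies use 'NNN-text' for continuation lines and
    'NNN text' for the final line; the proxy mixes 230- and 200 in one
    reply, so the code reported is the one on the last coded line."""
    code, lines = None, []
    for raw in reply.splitlines():
        m = re.match(r"^(\d{3})[ -](.*)$", raw)
        if m:
            code = int(m.group(1))
            lines.append(m.group(2))
        else:
            lines.append(raw)  # bare continuation text without a code
    return code, lines


def classify_login(pass_reply):
    """Classify the reply to PASS: 'proxy', 'anonymous', 'ambiguous', 'denied'."""
    code, lines = parse_reply(pass_reply)
    if code is None:
        return "unknown"
    # Hypothesis 2: a CheckPoint evidence line discards the 2xx result.
    if any(p.search(line) for p in CHECKPOINT_MARKERS for line in lines):
        return "proxy"
    if code == 230:
        return "anonymous"
    if 200 <= code < 300:
        return "ambiguous"  # Hypothesis 1: 2xx codes other than 230 need review
    return "denied"


# Constructed sample replies (CRLF-terminated, as on the wire).
CHECKPOINT_REPLY = ("230-User anonymous authenticated by FireWall-1 authentication\r\n"
                    "200 you can use 'quote hostname' or Account command ('ACCT')\r\n")
PLAIN_ANON_REPLY = "230 Login successful.\r\n"
DENIED_REPLY = "530 Login incorrect.\r\n"
```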
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/