Penetration Testing mailing list archives

Re: FTP Window of opportunity?


From: Josh Tolley <josh () raintreeinc com>
Date: Tue, 23 Mar 2004 16:54:10 -0800

The first thing to do is turn on tcpdump/windump/ethereal/your-favorite-sniffer and see what exactly happened. Your computer sent a SYN packet... did you ever get the SYN/ACK back? If not, ISS probably meant "Connecting..." when they said "Connected..." because that's what it was really doing. If you *did* get a SYN/ACK back, things could be really interesting. Most likely, though, you didn't ever get a SYN/ACK packet, and ISS was just lying to you when it said "Connected..."

Josh

C Ryll wrote:

I recently assessed a system in which I already know its configuration (and have full legal rights to). FTP is purposefully not running, as well as blocked by the firewall. When I scan with ISS, the FTP port shows up. When I use NMap, it does not show FTP's port. Because of the discrepancy, I tried to manually FTP into the system. It actually said "Connected...", hung for about 10 seconds, and then said "Connection Terminated." (As a baseline, telnet's port is also blocked by the firewall, and does not show up in scans - essentially, results for telnet are as expected).

With ISS, I'm assuming that it saw "Connected..." and showed me that port. My guess would be that NMap waited around to try something else, but saw "Connection Terminated" and didn't list it.

However, as I said previously, seeing that it actually says "Connected", and then hangs for about 10 seconds before terminating:
1). Can I use this behavior to my advantage somehow? If yes, how?
2). Is there a known explanation to this?

The firewall is the Internet Connection firewall, and I am curious if it requires the ftp port inadvertently for its functioning when checking the incoming packets...

While I can make some changes to the system (like shutting off certain services and shutting off the firewall), I cannot modify it such that I can try another firewall or anything else like that.

Any help is greatly appreciated.
Carolyn.



---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------


--
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000
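As an added illustration of the check Josh describes (not code from this thread or from either poster), the script below walks tcpdump-style summary lines for a connection attempt to a given server port and reports whether a SYN/ACK ever came back, whether the three-way handshake completed, and how the connection was ended. It assumes the `tcpdump -n` one-line format; the addresses, ports and packets are constructed sample data, and the three captures model the cases the reply distinguishes: SYNs with no reply, an accepted connection torn down by a RST some seconds later, and a SYN refused outright.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Summary-line format this example assumes (tcpdump -n style):
#   HH:MM:SS.ffffff IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Attempt:
    """Handshake bookkeeping for one client socket talking to server:port."""
    syns_sent: int = 0            # client -> server SYNs, retransmits included
    syn_ack_seen: bool = False    # server -> client SYN/ACK observed
    handshake_done: bool = False  # client ACKed the SYN/ACK
    closed_by: Optional[str] = None  # first teardown seen, e.g. "server RST"


def parse_capture(lines, server, port):
    """Track every client socket that exchanged packets with server:port."""
    attempts = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"]
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if dst == server and dport == port:            # client -> server
            a = attempts.setdefault((src, sport), Attempt())
            if flags == "S":
                a.syns_sent += 1
            elif "R" not in flags and "." in flags and a.syn_ack_seen:
                a.handshake_done = True               # third ACK or later data
            if "R" in flags and a.closed_by is None:
                a.closed_by = "client RST"
            elif "F" in flags and a.closed_by is None:
                a.closed_by = "client FIN"
        elif src == server and sport == port:          # server -> client
            a = attempts.setdefault((dst, dport), Attempt())
            if "S" in flags and "." in flags:
                a.syn_ack_seen = True                 # [S.] is SYN/ACK
            if "R" in flags and a.closed_by is None:
                a.closed_by = "server RST"
            elif "F" in flags and a.closed_by is None:
                a.closed_by = "server FIN"
    return attempts


def verdict(a):
    """Turn one Attempt into the one-line reading a reviewer wants."""
    if not a.syn_ack_seen:
        if a.closed_by == "server RST":
            return "closed: server answered the SYN with RST"
        return "no SYN/ACK: handshake never completed (filtered or dropped)"
    if a.closed_by:
        return f"handshake completed, then {a.closed_by}"
    return "handshake completed, connection still open"


def classify(lines, server="192.0.2.20", port=21):
    """Verdict per client socket, in the order each socket first appeared."""
    return [verdict(a) for a in parse_capture(lines, server, port).values()]


# Constructed sample captures (not real traffic): client 192.0.2.10, server 192.0.2.20, FTP port 21.
NO_REPLY = """
16:54:10.000001 IP 192.0.2.10.40001 > 192.0.2.20.21: Flags [S], seq 1, win 65535, length 0
16:54:13.000001 IP 192.0.2.10.40001 > 192.0.2.20.21: Flags [S], seq 1, win 65535, length 0
16:54:19.000001 IP 192.0.2.10.40001 > 192.0.2.20.21: Flags [S], seq 1, win 65535, length 0
""".strip().splitlines()

ACCEPT_THEN_RST = """
16:54:10.000001 IP 192.0.2.10.40002 > 192.0.2.20.21: Flags [S], seq 1, win 65535, length 0
16:54:10.000200 IP 192.0.2.20.21 > 192.0.2.10.40002: Flags [S.], seq 9, ack 2, win 65535, length 0
16:54:10.000300 IP 192.0.2.10.40002 > 192.0.2.20.21: Flags [.], ack 10, win 65535, length 0
16:54:20.000300 IP 192.0.2.20.21 > 192.0.2.10.40002: Flags [R.], seq 10, ack 2, win 0, length 0
""".strip().splitlines()

REFUSED = """
16:54:10.000001 IP 192.0.2.10.40003 > 192.0.2.20.21: Flags [S], seq 1, win 65535, length 0
16:54:10.000150 IP 192.0.2.20.21 > 192.0.2.10.40003: Flags [R.], seq 0, ack 2, win 0, length 0
""".strip().splitlines()

if __name__ == "__main__":
    for name, cap in [("NO_REPLY", NO_REPLY), ("ACCEPT_THEN_RST", ACCEPT_THEN_RST), ("REFUSED", REFUSED)]:
        print(f"{name}: {classify(cap)}")
```

Run it against a real capture by piping `tcpdump -n 'port 21'` output into `classify()`; only the `NO_REPLY` shape matches a scanner that reported "Connected" without ever receiving a SYN/ACK, while the `ACCEPT_THEN_RST` shape means the host or firewall really did accept the connection before dropping it, which is the case worth investigating further.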


