Penetration Testing mailing list archives

Re: FTP Window of opportunity?


From: Anders Thulin <Anders.Thulin () tietoenator com>
Date: Wed, 24 Mar 2004 10:36:48 +0100

C Ryll wrote:

> However, as I said previously, seeing that it actually says "Connected", and then hangs for about 10 seconds before terminating:
> 1). Can I use this behavior to my advantage somehow? If yes, how?
> 2). Is there a known explanation to this?

  As you don't say what platform you're using, or what particular FTP
client, I can only guess. My guess is that what you see is client
behaviour, not necessarily connected to actual FTP connectivity.
(Perhaps client writes 'Connected...', then tries to connect, and when
it times out, writes 'Connection terminated' even though there never
was a connection established in the first place.)

  Try using netcat (nc) if you have it. It doesn't add any output that may be
confusing: if it finds an FTP server, you'll get the banner line sent by
the server -- if it cannot connect it will terminate. If there's any
FTP proxy activity involved, it won't show it, though.

  To be 100% certain, take a look at the actual FTP traffic with a sniffer.
This is probably the safest thing, as you'll see everything that goes on,
including any proxy behaviour (say, outside opens FTP connection speculatively,
only to close it later when the inside doesn't want to play along.)

  Since nmap doesn't see an FTP server (recent version of nmap, default
scan, no fancy options?), chances are pretty good there is nothing to see,
though.

--
Anders Thulin   anders.thulin () tietoenator com   040-661 50 63        
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
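
The netcat check suggested in the message above, as an added Python example that is not part of the original post: it reports the TCP connect phase and the wait for the server greeting separately, so an accepted-but-silent connection is distinguishable from a real FTP banner. The function names, timeouts, state labels and the localhost test listener are assumptions constructed for this illustration.

```python
import socket
import threading
import time

def probe_banner(host, port, connect_timeout=5.0, banner_timeout=15.0):
    """One raw TCP probe; returns (state, detail, seconds_elapsed)."""
    start = time.monotonic()
    def elapsed():
        return round(time.monotonic() - start, 2)
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return ("refused", "", elapsed())            # nothing listening on the port
    except OSError as exc:
        return ("no-connect", str(exc), elapsed())   # filtered, timed out, unreachable
    with sock:
        sock.settimeout(banner_timeout)
        try:
            data = sock.recv(512)                    # FTP servers speak first
        except socket.timeout:
            return ("silent-timeout", "", elapsed()) # TCP open, no greeting in time
        except OSError as exc:
            return ("reset", str(exc), elapsed())
    if not data:
        return ("silent-close", "", elapsed())       # accepted, then closed without a greeting
    line = data.split(b"\r\n")[0].decode("ascii", "replace")
    # 220 is the FTP "service ready" reply; anything else is reported verbatim.
    return ("ftp-banner" if line.startswith("220") else "other-data", line, elapsed())

def start_test_listener(behaviour, hold=0.3):
    """Constructed localhost listener: 'banner' greets, 'silent' holds then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"220 constructed test server ready\r\n")
        else:
            time.sleep(hold)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for kind in ("banner", "silent"):
        print(kind, probe_banner("127.0.0.1", start_test_listener(kind)))
```

A "silent-close" or "silent-timeout" result after several seconds matches the "Connected, then hangs" symptom with no FTP server answering; as the message notes, only a packet capture shows whether a proxy in the path is the one accepting the connection.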


