Penetration Testing mailing list archives

Re: Question: FTP via alternate port


From: Hugo Fortier <hfortier () recon cx>
Date: Mon, 30 Jan 2006 12:41:20 -0500

I really don't see where you are going with FTP. While FTP can be very hard to use in that kind of situation, the attacker could simply use HTTP or HTTPS to transfer files if those ports are open. Your issue is more than just with the FTP server; FTP is probably the worst protocol to use in that kind of situation. If your concern is about him launching the available commands from the system (aka he can't install new programs), you should also look at tftp.exe. The TFTP protocol is a lot simpler than FTP, and it will work way better than FTP when you try to bypass a firewall.

I have seen hardened Windows boxes that had cmd.exe, ftp, tftp and a bunch of other programs removed from the system; you basically had to pop a CD in the system to locally admin it.

Depending on how the server has been compromised, the attacker could also be using Metasploit and Meterpreter.

Normally I like to configure my servers so that they cannot initiate communication to untrusted IPs; they can only accept connections. Also, even if you block the server from initiating outgoing communication to the internet, the attacker might still be able to communicate the information with the DNS protocol, so if you're really paranoid, block the server from doing DNS lookups.

FTP seems to be the last resort I would use to transfer a file during a pentest. As you dig, I am sure you'll find bigger concerns than FTP.

Hugo

On 26-Jan-06, at 3:27 PM, Niels Taylor wrote:


Hello list, I hope this question is not too "newbie," and I am sure if it is I will find out quickly. I am interested in ways an attacker could circumvent outbound FTP restrictions on a FW. I have researched this a bit but the information I am seeing is ambiguous, so I thought I'd take it straight to the experts.

If a remote attacker gains command line access to a server (I am concerned about a Microsoft 2000 SQL server specifically) that is behind a firewall, and outbound FTP had been disabled at the FW, could the attacker use the MS FTP "Open" command to specify a different, unrestricted outbound port (e.g. 80 or 443) to transfer files (assuming of course that his FTP server is configured to listen on this port)? Is this a viable scenario, and if not, could he send files via another method? This question assumes no outbound application layer inspection at the FW, so that it isn't able to see FTP traffic on port 23, or 80, for instance.

Thank you for your help.

Niels Taylor
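
Added example, not part of either post: a small Python audit that compares the policy in the question (only outbound tcp/21 blocked) with the default-deny egress policy described in the reply, over constructed flow records. The server address, the allowlisted patch server and all sample flows are assumptions made up for the illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str     # host that initiated the connection
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

SERVER = ipaddress.ip_address("10.0.5.20")  # constructed: the protected SQL server
# Constructed allowlist: the only destinations the server itself may initiate to.
EGRESS_ALLOW = {
    (ipaddress.ip_network("10.0.1.10/32"), "tcp", 8530),  # hypothetical patch server
}

def port_blocklist_allows(f: Flow) -> bool:
    """Policy from the question: only outbound FTP (tcp/21) is blocked."""
    return not (f.proto == "tcp" and f.dport == 21)

def default_deny_allows(f: Flow) -> bool:
    """Policy from the reply: the server accepts connections but initiates
    only to explicitly trusted destinations; DNS gets no exception."""
    if ipaddress.ip_address(f.src) != SERVER:
        return True  # inbound to the server; inbound filtering is out of scope here
    dst = ipaddress.ip_address(f.dst)
    return any(dst in net and f.proto == proto and f.dport == port
               for net, proto, port in EGRESS_ALLOW)

def egress_gaps(flows):
    """Server-initiated flows the port blocklist passes but default-deny stops."""
    return [f for f in flows
            if port_blocklist_allows(f) and not default_deny_allows(f)]

# Constructed sample flows; external hosts use documentation address ranges.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "203.0.113.7", "tcp", 21),    # FTP on its standard port
    Flow("10.0.5.20", "203.0.113.7", "tcp", 443),   # file transfer on an open port
    Flow("10.0.5.20", "203.0.113.7", "udp", 69),    # TFTP
    Flow("10.0.5.20", "198.51.100.53", "udp", 53),  # DNS lookup to an outside resolver
    Flow("10.0.5.20", "10.0.1.10", "tcp", 8530),    # allowlisted patch server
    Flow("10.0.2.15", "10.0.5.20", "tcp", 1433),    # inbound SQL client
]

if __name__ == "__main__":
    for f in egress_gaps(SAMPLE_FLOWS):
        print(f"gap: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Every flow it reports is one that a port-based block on FTP lets through, which is why the reply recommends restricting what the server may initiate rather than which port it uses.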


