Penetration Testing mailing list archives
Re: Question: FTP via alternate port
From: Jason Baeder <jason_baeder () yahoo com>
Date: Fri, 27 Jan 2006 07:08:52 -0800 (PST)
Niels,

The problem with FTP is that it requires two ports to operate. FW's that are "FTP-aware" are looking for the PORT or PASV command in the FTP command stream in order to dynamically open that port for the data stream. On many firewalls you can specify what port(s) the FW should expect to be the FTP command channel. By default that port is 21 of course. If you try FTP on any other port, you might open the command channel (depends on the FW) but you won't be able to open the data channel.

If, in this case, only ports 80 and 443 are open outbound, using FTP to move files off the compromised system would only be viable if 1) the attacker used an FTP client in passive mode; 2) he/she could manually set the data port. That way he/she could use 80 for the command channel and 443 for the data channel. But that's not going to happen with the MS FTP client -- AFAIK it can't even talk passive mode and the command options are extremely limited.

Where outbound access is unrestricted, the MS tftp client will serve the purpose of moving files off the compromised box. But like the FTP client, AFAIK, you cannot change the port the MS tftp client uses. Not to mention, tftp inbound/outbound should NOT be allowed.

Ideally the attacker would want to upload another tool onto the compromised system: either a replacement for the MS FTP client, like MOVEit Freely or pscp, or better yet, netcat or cryptcat (even more functionality). This is by no means a definitive list of choices.

So the defender's job is to make sure an attacker cannot get onto the SQL server to begin with, and then, if he/she does get on the box, to make sure the attacker is (pardon the pun) boxed in with little room to maneuver until you discover the intrusion (hopefully sooner than later).

Jason Baeder
CISSP GCIA GCIH

--- Niels Taylor <niels.taylor () gmail com> wrote:
Hello list,

I hope this question is not too "newbie," and I am sure if it is I will find out quickly.

I am interested in ways an attacker could circumvent outbound FTP restrictions on a FW. I have researched this a bit but the information I am seeing is ambiguous, so I thought I'd take it straight to the experts.

If a remote attacker gains command line access to a server (I am concerned about a Microsoft 2000 SQL server specifically) that is behind a firewall, and outbound FTP had been disabled at the FW, could the attacker use the MS FTP "Open" command to specify a different, unrestricted outbound port (e.g. 80 or 443) to transfer files (assuming of course that his FTP server is configured to listen on this port)? Is this a viable scenario, and if not, could he send files via another method?

This question assumes no outbound application layer inspection at the FW, so that it isn't able to see FTP traffic on port 23, or 80, for instance.

Thank you for your help.

Niels Taylor
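The inspection described in the reply above, as an added example that is not part of the original thread: it parses PORT commands and 227 PASV replies the way an FTP-aware firewall does to learn the data port, and flags FTP command traffic seen on a port the firewall is not configured to inspect. The function names, the `static_allow` parameter and both sample sessions are constructed for illustration.

```python
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (data port = p1*256 + p2)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
FTP_VERBS = re.compile(r"^(USER|PASS|PORT|PASV|RETR|STOR|LIST)\b", re.I)

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 PASV reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"
    elif line.startswith("227"):
        mode = "passive"
    else:
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None  # malformed octet, not a valid host-port argument
    return mode, ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def inspect_session(server_port, lines, control_ports=(21,), static_allow=(80, 443)):
    """Model an FTP-aware firewall plus a detection for FTP on unexpected ports."""
    result = {"pinholes": [], "alerts": []}
    endpoints = [e for e in map(data_endpoint, lines) if e]
    if server_port in control_ports:
        # Inspected command channel: one dynamic pinhole per negotiated data port.
        result["pinholes"] = [(ip, port) for _, ip, port in endpoints]
        return result
    # Not an inspected port: no pinholes are opened, so report what was seen.
    if any(FTP_VERBS.match(l.strip()) for l in lines):
        result["alerts"].append(f"FTP control channel on port {server_port}")
        for mode, ip, port in endpoints:
            if port in static_allow:
                result["alerts"].append(f"{mode} data channel to {ip}:{port} passes static rules")
    return result

# Constructed sample sessions (documentation addresses, not captured traffic).
SESSION_21 = ["220 ready", "USER anonymous", "PASV",
              "227 Entering Passive Mode (192,0,2,10,195,80)", "RETR report.txt"]
SESSION_80 = ["220 ready", "USER anonymous", "PASV",
              "227 Entering Passive Mode (192,0,2,10,1,187)", "STOR dump.bak"]

if __name__ == "__main__":
    print(inspect_session(21, SESSION_21))
    print(inspect_session(80, SESSION_80))
```

The second session is the case the reply singles out: the command channel rides port 80 and the negotiated passive data port works out to 443, so only content inspection of the allowed ports would notice it.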
Current thread:
- Question: FTP via alternate port Niels Taylor (Jan 26)
- Re: Question: FTP via alternate port Max Ashton (Jan 29)
- Re: Question: FTP via alternate port Jason Baeder (Jan 29)
- Re: Question: FTP via alternate port Packet Man (Jan 30)