Nmap Development mailing list archives
Re: Sounds like ftp-anon needs work?
From: Rob Nicholls <robert () robnicholls co uk>
Date: Thu, 20 May 2010 19:09:49 +0100
On Wed, 19 May 2010 14:21:35 -0600, David Fifield <david () bamsoftware com> wrote:
>> I'm a bit concerned about checking for a 2?? reply. The expected response
>> would be 230, anything else beginning with a 2 would be quite unusual [1]
>> and I'd imagine would always be a false positive. It'd be nice to work out
>> why Ron has x.x.x.251 appearing in the Metasploit results and not the Nmap
>> results - I'm personally hoping it's a false positive ;-)
>
> I don't know--all 2?? are "positive completion." In this case I'd rather
> have false positives (that can be removed later) than false negatives
> (that will never be discovered).

Apologies for replying again to this message, but I took a closer look at what's on Wikipedia and it states:

  The first digit denotes whether the response is good, bad or incomplete.

  2xx Positive Completion reply
  The requested action has been successfully completed. A new request may be initiated.

and

  The second digit is a grouping digit and encodes the following information.

  x3x Authentication and accounting
  Replies for the login process and accounting procedures.

and

  Below is a list of all known return codes that may be issued by an FTP server.
  <snip>
  230 User logged in, proceed. Logged out if appropriate.
  231 User logged out; service terminated.
  232 Logout command noted, will complete when transfer done.
  <snip>

Given that 231 is a logout code and 232 notes a logout command, the only positive completion code (2xx) that's related to authentication (x3x) and isn't logout related is the code 230. Even after sending the extra step of an ACCT command that Gutek mentioned, which I haven't implemented yet, it will immediately return a 230 according to the DeleGate output.

My current version of the script (I'll send it out shortly) checks for a 2 after sending the password and modifies the returned output if any 2xx code other than a 230 is detected; but I'm still inclined to only check for 230, as I don't think we'll get any false negatives (short of an extremely badly written FTP server, but I would imagine it'd confuse/break most FTP clients into thinking the user still needs to authenticate).

Has anyone ever seen anything other than a 230 that confirms a successful login?

I'm currently repeating my test against the same ~2200 servers as yesterday to see what the script returns this time.

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
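
The check debated in this message, as an added example that is not part of the original post or of the ftp-anon script: it parses the server's reply to PASS (including multi-line replies) and classifies it under either the 230-only policy or the any-2xx policy. The function names, result labels and sample replies are constructed for illustration; 332 is the RFC 959 "need account for login" code that precedes an ACCT step.

```python
import re

# One reply line: three digits, then "-" (more lines follow) or " " (final line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_replies(raw):
    """Return [(code, text)] for each complete reply, joining multi-line replies."""
    replies, pending = [], None
    for line in raw.splitlines():
        if pending:
            code, parts = pending
            # A multi-line reply ends only on "<same code><space>"; other lines,
            # even ones that start with a different 3-digit number, are body text.
            final = line == code or line.startswith(code + " ")
            parts.append(line[4:] if final else line)
            if final:
                replies.append((int(code), "\n".join(parts)))
                pending = None
            continue
        m = REPLY_LINE.match(line)
        if not m:
            continue  # not a reply line; ignore it
        code, sep, text = m.group(1), m.group(2), m.group(3) or ""
        if sep == "-":
            pending = (code, [text])
        else:
            replies.append((int(code), text))
    return replies

def classify_pass_reply(raw, strict=True):
    """Classify the answer to PASS.

    strict=True:  only 230 counts as a login (the 230-only position).
    strict=False: any other 2xx is reported as "unusual-2xx" for later review.
    """
    replies = parse_replies(raw)
    if not replies:
        return "no-complete-reply"
    code = replies[-1][0]
    if code == 230:
        return "logged-in"
    if code == 332:
        return "needs-account"
    if 200 <= code <= 299 and not strict:
        return "unusual-2xx"
    return "not-logged-in"

if __name__ == "__main__":
    # Constructed sample: a 530 reply whose body text happens to begin with "230".
    print(classify_pass_reply("530-Sorry\r\n230 is not offered\r\n530 Login incorrect.\r\n"))
```

Running both policies over the same captured replies shows exactly which servers the two positions disagree on, which is the set worth inspecting by hand.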