Nmap Development mailing list archives
Re: Sounds like ftp-anon needs work?
From: Gutek <ange.gutek () gmail com>
Date: Sat, 22 May 2010 18:48:08 +0200
According to the RFC640 and to summarize, here is the logon sequence with commands and (first) their respective positive replies, followed by the negative ones.

    Logon
       USER
          230
          530
          500, 501, 421
          331, 332
       PASS
          230
          202
          530
          500, 501, 503, 421
          332
       ACCT
          230
          202
          530
          500, 501, 503, 421

(Complete: http://www.faqs.org/rfcs/rfc640.html)

So if the script would deal with the ACCT case it should check for a 332 at both the USER stage and the PASS stage (and another one I'll speak about later). When a 332 occurs, the answer should be an "ACCT <domain, privileged group name, whatever depending on the policy>". In an anonymous scenario the argument could be left blank: "ACCT". In this case the service takes the "mail" provided as a password as the ACCT variable for the session.

Hence, we could have two answers:

1st case: a single (or a bunch of) 220-, acting as a banner, followed by the long-awaited 230:

    220-- ACCT for IEUser@.
    230- Guest login ok

2nd case: our 230 directly.

There is another case that could involve a 332-ACCT sequence: writing. For now the script obviously doesn't need to care about it, but what about acting as Metasploit does? I mean: testing R/W rights. Something like

    try(socket:send("MKD testdir\r\n"))
    -- read the reply to MKD; a line starting with 2 means the directory was created
    local statusRights, resultRights = true, nil
    while statusRights do
      statusRights, resultRights = socket:receive_lines(1)
      if not statusRights then break end -- receive failed or timed out
      for rightsLine in resultRights:gmatch("[^\r\n]+") do
        -- "status" is the login status from the surrounding script
        if string.match(rightsLine, "^2") and status then
          try(socket:send("RMD testdir\r\n")) -- clean up the test directory
          -- some code adding Writeable to the results
          statusRights = false -- stop here so the RMD reply is not read as MKD's
          break
        end
      end
    end

Please forgive me if I speak about hypotheses rather than strict behaviors on a rare scenario: my job makes me exclusively deal with weird (and/or) hidden services so I might sound a bit paranoid and have a biased vision of the network :)

A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
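The logon sequence summarized in the message above, as an added example that is not part of the original post or of the ftp-anon script: a reply-code state machine in plain Lua that follows 331/332 through PASS and ACCT and copes with 220- banner lines arriving before the final 230. The `exchange` callback, the function names and the scripted server replies are assumptions constructed for the illustration.

```lua
-- Added example, plain Lua (no nmap libraries). Names are hypothetical.

-- Return the code of the last terminating line ("ddd text") of a reply.
-- Continuation lines ("ddd-text"), whatever their code, are skipped, so a
-- "220-" banner followed by "230 ..." yields 230.
local function final_code(reply)
  local code
  for line in reply:gmatch("[^\r\n]+") do
    local c = line:match("^(%d%d%d) ") or line:match("^(%d%d%d)$")
    if c then code = tonumber(c) end
  end
  return code
end

-- Positive replies from the table above and the command they lead to.
-- 332 at USER or PASS leads to ACCT, as the message proposes.
local NEXT = {
  USER = { [230] = "done", [331] = "PASS", [332] = "ACCT" },
  PASS = { [230] = "done", [202] = "done", [332] = "ACCT" },
  ACCT = { [230] = "done", [202] = "done" },
}

-- exchange(cmd) sends one command line and returns the raw reply text.
local function anon_login(exchange, email)
  local args = { USER = "anonymous", PASS = email, ACCT = "" } -- blank ACCT
  local stage, trace = "USER", {}
  while stage ~= "done" do
    local arg = args[stage]
    local cmd = (arg ~= "") and (stage .. " " .. arg) or stage
    local code = final_code(exchange(cmd .. "\r\n"))
    trace[#trace + 1] = stage .. ":" .. tostring(code)
    local nxt = code and NEXT[stage][code]
    if not nxt then return false, trace end -- negative or unexpected reply
    stage = nxt
  end
  return true, trace
end

-- Constructed sample server: asks for ACCT after PASS, then answers with a
-- 220- banner before the 230 (the final "230 Logged in" line is made up).
local script = {
  ["USER anonymous\r\n"] = "331 Guest login ok, send e-mail as password\r\n",
  ["PASS IEUser@\r\n"]   = "332 Need account for login\r\n",
  ["ACCT\r\n"] = "220-- ACCT for IEUser@.\r\n230- Guest login ok\r\n230 Logged in\r\n",
}
local ok, trace = anon_login(function(cmd) return script[cmd] or "500 ?\r\n" end,
                             "IEUser@")
print(ok, table.concat(trace, " "))
```

The returned trace records which stage produced which final code, which is what a scan report needs in order to say whether anonymous access was granted directly or only after an ACCT exchange.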