Nmap Development mailing list archives
Re: Sounds like ftp-anon needs work?
From: Gutek <ange.gutek () gmail com>
Date: Mon, 24 May 2010 12:14:58 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Looks like we have a chronic false positive. I'm testing in-the-wild with -iR and the good news is that when it comes to 230 positive check i've not encountered any false positive so far. But the false-positive condition appears when the "Anonymous FTP login allowed (FTP code 200)" was found. Each time, it was a CheckPoint Firewall. It is a "secure FTP server", kind of proxy-ftp : - -> user have first to connect and identify on it with USER <my-account-on-the-real-ftp-I-wana-contact@the-ftp-I-wanna-contact>, - -> PASS <firewall's-password> <- 230- User <my-account-on-the-real-ftp-I-wana-contact> authenticated by FireWall-1 authentication <- 200- you can use 'quote hostname' or Account command ('ACCT') --NOTE : this line seems to be typical to CheckPoint Firewall - -> quote <the-ftp-I-wanna-contact> OR - -> ACCT <the-ftp-I-wanna-contact> <- 230- Logging in... <- 220- <Version> Server Ready - -> USER, PASS...We're on the "final" server and so we can use the usual scheme. I'm investigating further, but at this point my proposals are - -Hypothesis 1: re-discussing the 2xx codes that really reveal an anonymous FTP - -Hypothesis 2: keeping the 2xx check as-it, and string.matching for the line that seems to be a CheckPoint firewall evidence. If found, discarding this result. For the record, here are some topics dealing with CP Firewall behavior : http://www.ghisler.ch/board/viewtopic.php?t=284 http://www.linuxquestions.org/questions/linux-software-2/gftp-and-ftp-connecting-through-proxy-280446/ http://forum.filezilla-project.org/viewtopic.php?f=2&t=9495 A.G -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkv6UaIACgkQ3aDTTO0ha7ixZwCcDEDrzunPNXLhY89VHD/pB0im mSkAn07y/mxiqOZO44VR//KArHW5RACM =8iTj -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Sounds like ftp-anon needs work?, (continued)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (Jun 01)
- Re: Sounds like ftp-anon needs work? Gutek (Jun 01)
- Re: Sounds like ftp-anon needs work? David Fifield (Jun 01)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (Jun 01)
- Re: Sounds like ftp-anon needs work? David Fifield (Jun 01)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (Jun 04)
- Re: Sounds like ftp-anon needs work? David Fifield (Jun 04)
- Re: Sounds like ftp-anon needs work? Rob Nicholls (Jun 01)
- RE: Sounds like ftp-anon needs work? Rob Nicholls (May 23)
- Re: Sounds like ftp-anon needs work? Gutek (May 24)
- Re: Sounds like ftp-anon needs work? Gutek (May 24)
- Re: Sounds like ftp-anon needs work? Gutek (May 24)
- Re: Sounds like ftp-anon needs work? David Fifield (May 27)
- Re: Sounds like ftp-anon needs work? David Fifield (May 27)