Nmap Development mailing list archives

Re: Sounds like ftp-anon needs work?


From: Rob Nicholls <robert () robnicholls co uk>
Date: Tue, 01 Jun 2010 19:01:12 +0100

On Tue, 01 Jun 2010 18:55:14 +0200, Gutek <ange.gutek () gmail com> wrote:
> I'm a bit lost between my working copy and those that were already
> proposed to the list, but I'm nearly sure that the line
> socket:send("PASS IEUser@\r\n") has never changed since the beginning

Apologies, you're right that your attachment was fine in the email that
was sent out. However, I grabbed the script earlier today from the
seclists.org website, and the version at
http://seclists.org/nmap-dev/2010/q2/att-653/ftp-anon-rw-v3.nse appears to
have the @ symbol replaced with (), presumably to prevent spammers from
grabbing email addresses off the mailing list! So neither of us is going
mad :)

> A few hours after posting my last copy of the script I've noticed, too,
> that it warns about unhandled 530 too many times for very common
> reasons that, indeed, were not worth mentioning, like "530 Login
> incorrect.".

I also discovered a very quirky (anti-Windows?!) FTP server that returned
a 530 if you sent anonymous\n but would return 331 - with exactly the same
message - if you sent anonymous\r\n (and then returned an "unhandled" 503
FTP code telling us off for not sending USER after we sent it a PASS). I
think the best way of dealing with that specific case is to let the script
flag the unusual/unhandled FTP code, especially as it'd probably be
difficult to code around without breaking anything else.

> I'm afraid it will be hard (or: I don't know how) to detect this
> max-users-limit-reached, as the 530 code is a very generic failure and
> the message attached can be in any language (i.e., we can't string.match
> on it)

I wish I had a better answer, but we might have to rely on string.match to
check for "530 Login incorrect." type messages to prevent the majority of
unhandled exceptions, and then flag any other 530 result as an unhandled
exception that needs to be manually investigated. I guess the FTP codes
weren't really designed to deal with "too many users, try again later"
scenarios, plus it'd be too late to try and create a new (4xx?) one now.

Rob

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
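
The 530 triage discussed in the message above, as an added example (not code from ftp-anon or from either poster): plain Lua with hypothetical `parse_reply` and `classify_login` helpers and constructed sample replies. It assumes English wording for the ordinary refusals ("Login incorrect" from the thread, plus RFC 959's default "Not logged in" text) and reports every other 530 or unexpected code for manual review.

```lua
-- Added example, not part of ftp-anon. Helper names and samples are constructed.

-- 530 texts treated as an ordinary refusal (assumption: English wording only,
-- which is exactly the limitation raised in the thread).
local BENIGN_530 = { "login incorrect", "not logged in" }

-- Split a raw reply into numeric code and text. For multi-line replies
-- ("530-..." continuation lines) the final "530 ..." line wins.
local function parse_reply(raw)
  local code, text
  for line in raw:gmatch("[^\r\n]+") do
    local c, sep, t = line:match("^(%d%d%d)([ %-])(.*)$")
    if c then
      code, text = tonumber(c), t
      if sep == " " then break end -- a space after the code ends the reply
    end
  end
  return code, text
end

-- stage is the command just sent ("USER" or "PASS").
local function classify_login(stage, raw)
  local code, text = parse_reply(raw)
  if code == 230 then return "anonymous-allowed" end
  if code == 331 and stage == "USER" then return "send-pass" end
  if code == 530 then
    local lower = text:lower()
    for _, phrase in ipairs(BENIGN_530) do
      if lower:find(phrase, 1, true) then return "denied" end
    end
  end
  -- Anything else (other 530 texts, 503 after PASS, malformed replies).
  return "unhandled", code, text
end

local samples = { -- constructed replies, not captured from a real server
  { "USER", "331 Please specify the password.\r\n" },
  { "PASS", "230 Login successful.\r\n" },
  { "PASS", "530 Login incorrect.\r\n" },
  { "USER", "530-Maximum number of users reached.\r\n530 Try again later.\r\n" },
  { "PASS", "503 Login with USER first.\r\n" },
}
for _, s in ipairs(samples) do
  local verdict, code, text = classify_login(s[1], s[2])
  if verdict == "unhandled" then
    print(("%s -> unhandled %s %q (investigate manually)"):format(s[1], tostring(code), tostring(text)))
  else
    print(s[1] .. " -> " .. verdict)
  end
end
```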

