It's been a while since my last post, but don't worry! I have a few lined up, particularly about scanning HTTP servers with Nmap. More on that soon!
In the meantime, I wanted to direct your attention to this post (update here) about finding potentially vulnerable Microsoft FTP servers.
This is, of course, related to the currently unpatched vulnerability in Microsoft FTP.
While this is great advice, and a useful script, we've taken the opportunity to put a scorched-earth policy in place: tracking down every FTP server (especially Microsoft ones) and deciding whether it's needed. In many cases, I expect we're going to discover that somebody enabled FTP a long time ago and never disabled it.
I asked one of my minions to come up with an Nmap command to find all FTP servers, and this seems to be working nicely:
./nmap -T4 -PS21 -p21 -O --max-rtt-timeout 200 --initial-rtt-timeout 150 \
    --min-hostgroup 100 -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24
If anybody has any better commands, we'd love to hear them!
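To turn the grepable file that command writes into a list of FTP servers to review, here is an added example (not part of the original post) that parses `-oG` output in Python. The function names and sample hosts are constructed, and because the scan uses `-O` rather than version detection, "Windows" is only inferred from the OS guess.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; hosts and OS strings are made up.
SAMPLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (files01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (files01.example.test)\tPorts: 21/open/tcp//ftp///\t"
    "OS: Microsoft Windows Server 2003 SP1 or SP2\tSeq Index: 258\n"
    "Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///\tOS: Microsoft Windows 2000 SP4\n"
    "Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///\n"
    "Host: 192.0.2.13 (web02.example.test)\tPorts: 21/open/tcp//ftp///\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")

def parse_grepable(text, port="21"):
    """Return one record per host whose given TCP port is open."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip "# Nmap ..." comment lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        # Remaining tab-separated fields look like "Ports: ..." or "OS: ..."
        kv = dict(f.split(": ", 1) for f in fields[1:] if ": " in f)
        for entry in kv.get("Ports", "").split(","):
            # Each entry: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[:3] == [port, "open", "tcp"]:
                os_guess = kv.get("OS", "")
                found.append({
                    "ip": m.group(1),
                    "name": m.group(2),
                    "os": os_guess or "unknown",
                    # Assumption: a Windows OS guess means a Microsoft FTP service is likely
                    "windows": "windows" in os_guess.lower(),
                })
    return found

def review_list(text):
    """Open FTP hosts, Windows guesses first, then by address string."""
    return sorted(parse_grepable(text), key=lambda h: (not h["windows"], h["ip"]))

if __name__ == "__main__":
    for h in review_list(SAMPLE):
        tag = "WINDOWS" if h["windows"] else "other  "
        print(f'{tag}  {h["ip"]:<15} {h["name"] or "-":<24} {h["os"]}')
```

Hosts where port 21 is open but no OS guess came back are kept and marked "unknown" so they still get reviewed.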