Scanning for Microsoft FTP with Nmap

Filed under: Nmap, Tools

Hi all,

It's been awhile since my last post, but don't worry! I have a few lined up, particularly about scanning HTTP servers with Nmap. More on that soon!

In the meantime, I wanted to direct your attention to this post (update here) about finding potentially vulnerable Microsoft FTP servers.

This is, of course, related to the currently unpatched vulnerability in Microsoft FTP.

While this is great advice, and a useful script, we've taken the opportunity to put a scorched earth policy in place: tracking down every FTP server (especially Microsoft ones) and deciding whether they're needed. In many cases, I expect we'll discover that somebody enabled FTP a long time ago and never disabled it.

I asked one of my minions to come up with an Nmap command to find all FTP servers, and this seems to be working nicely:

./nmap -T4 -PS21 -p21 -O --max-rtt-timeout 200 --initial-rtt-timeout 150 \
--min-hostgroup 100 -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24

If anybody has any better commands, we'd love to hear it!
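The -oG file that command writes is Nmap's grepable format: one tab-separated "Host:" line per target, with a "Ports:" field of port/state/proto/owner/service/rpc/version/ entries and, because of -O, an "OS:" field. As an added example that is not part of the original post, here is a small Python parser over constructed sample lines that pulls out the hosts actually answering on port 21 and puts the Microsoft ftpd ones at the top of the review list; the sample data and the names parse_grepable and open_ftp are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap grepable (-oG) output, shaped like /tmp/WindowsFTP.grep.
# Port entries are port/state/proto/owner/service/rpc/version/; the version column
# is only populated when -sV is used, so it would be empty with the command above.
SAMPLE_GREP = """\
# Nmap 5.00 scan initiated Wed Sep  2 10:00:00 2009 as: ./nmap -T4 -PS21 -p21 -O -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24
Host: 10.20.30.11 (fs01.corp.example)\tPorts: 21/open/tcp//ftp//Microsoft ftpd/\tOS: Microsoft Windows Server 2003
Host: 10.20.30.12 (app02.corp.example)\tPorts: 21/closed/tcp//ftp///\tOS: Microsoft Windows Server 2003
Host: 10.20.30.13 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.5/\tOS: Linux 2.6.X
Host: 10.20.30.14 (print01.corp.example)\tPorts: 21/filtered/tcp//ftp///
# Nmap done at Wed Sep  2 10:05:00 2009 -- 4 IP addresses (4 hosts up) scanned in 300.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# Seven slash-separated fields per port entry; empty fields are allowed.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass
class FtpHost:
    ip: str
    hostname: str
    state: str
    version: str
    os: str


def parse_grepable(text, port=21):
    """Return one FtpHost per 'Host:' line that reports the given port."""
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines carry no port data
        # Fields are tab-separated "Name: value" pairs, e.g. Ports, OS, Ignored State.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for p in PORT_RE.finditer(fields.get("Ports", "")):
            if int(p.group(1)) == port:
                results.append(FtpHost(m.group(1), m.group(2), p.group(2),
                                       p.group(7), fields.get("OS", "")))
    return results


def open_ftp(text):
    """Hosts that actually answer on 21, Microsoft/Windows ones first for review."""
    hosts = [h for h in parse_grepable(text) if h.state == "open"]
    is_ms = lambda h: "Microsoft" in h.version or "Windows" in h.os
    return sorted(hosts, key=lambda h: (not is_ms(h), h.ip))
```

Run it over the real file with `open_ftp(open("/tmp/WindowsFTP.grep").read())`; closed and filtered hosts are kept by parse_grepable so the full list can still be reconciled against the input host list.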

Ron Bowes, Sep 2, 2009

9 Responses to “Scanning for Microsoft FTP with Nmap”

  1. ny101880 Says:

    Hi Ron,

    I tried this command
    nmap -p 21 -sV -v --script IIS-FTP 192.168.41.3

    It can detect that IIS ftpd is enabled, but gives no information on whether it is vulnerable or not.

    In the example posted at BruCON, after the scan it should output something like this:
    |_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)

    My scan result shows only open services, without information on whether it's vulnerable or not:
    Interesting ports on 159.215.225.70:
    PORT STATE SERVICE VERSION
    21/tcp open ftp Microsoft ftpd
    Service Info: OS: Windows

  2. Ron Says:

    Hi ny101880,

    The script in question (iis-ftp.nse) isn't included by default. You'll have to download it from the site I linked and place it in your scripts directory. Run Nmap with '-d' to get a better error message.

    Hope that helps!
    Ron

  3. ny101880 Says:

    Hi Ron,

    Yes, I did copy the scripts from the link and place them in the scripts directory.

    Here is the result with -d (same result)

    Initiating NSE at 08:20
    NSE: NSE Script Threads (1) running:
    NSE: Starting IIS-FTP against 192.168.41.5
    NSE: Finished IIS-FTP against 192.168.41.5.
    Completed NSE at 08:20, 7.50s elapsed
    NSE: Script Scanning completed.
    Host 192.168.41.5 is up, received echo-reply (0.50s latency).
    Scanned at 2009-09-15 08:20:39 PHT for 10s
    Interesting ports on 192.168.41.5:
    PORT STATE SERVICE REASON VERSION
    21/tcp open ftp syn-ack Microsoft ftpd
    Service Info: OS: Windows
    Final times for host: srtt: 497581 rttvar: 373305 to: 1990801

    Read from /usr/local/share/nmap: nmap-rpc nmap-service-probes nmap-services.
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
    Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

  4. Ron Says:

    Hi ny101880,

    You're probably going to have to ask the original author of the script at the blog I linked. By the looks of it from your output, the script isn't even running.

    Ron

  5. jacppe Says:

    Hi Ron, I use Windows. When I run the script it doesn't show whether it is vulnerable or not. Is there an additional step, like rebuilding the index of NSEs?
    Thanks

  6. jacppe Says:

    Hi again, I executed --script-updatedb and the file was updated. However, the result of the test (vuln or not) does not appear.

  7. Ron Says:

    You're probably going to have to ask the original author of the script. There shouldn't be any extra steps, though.

    Ron

  8. ny101880 Says:

    Hi Ron,

    There was a comment already in http://blog.rootshell.be/2009/09/01/updated-iis-ftp-nmap-script/ but the author did not reply. We are hoping you can help us.

  9. Ron Says:

    All right, I'll have a look when I have a chance.

    Ron
