It’s been awhile since my last post, but don’t worry! I have a few lined up, particularly about scanning HTTP servers with Nmap. More on that soon!
In the meantime, I wanted to direct your attention to <a href=’http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/’‘>This post (update here) about finding potentially vulnerable Microsoft FTP servers. This is, of course, related to the currently <a href=http://www.microsoft.com/technet/security/advisory/975191.mspx’>unpatched vulnerability in Microsoft FTP</a>.
While this is great advice, and a useful script, we’ve taken the opportunity to put a scorched earth policy in place: tracking down every FTP server (especially Microsoft ones), and decide if they’re needed. In many cases, I expect we’re going to discover that somebody enabled FTP a long time ago, and never disabled it.
I asked one of my minions to come up with an Nmap command to find all FTP servers, and this seems to be working nicely:
./nmap -T4 -PS21 -p21 -O --max-rtt-timeout 200 --initial-rtt-timeout 150 \ --min-hostgroup 100 -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24
If anybody has any better commands, we’d love to hear it!