Scanning for Microsoft FTP with Nmap

Hi all,

It's been a while since my last post, but don't worry! I have a few lined up, particularly about scanning HTTP servers with Nmap. More on that soon!

In the meantime, I wanted to direct your attention to this post (update here) about finding potentially vulnerable Microsoft FTP servers.

This is, of course, related to the currently unpatched vulnerability in Microsoft FTP.

While this is great advice, and a useful script, we've taken the opportunity to put a scorched-earth policy in place: tracking down every FTP server (especially Microsoft ones) and deciding whether each one is needed. In many cases, I expect we're going to discover that somebody enabled FTP a long time ago and never disabled it.

I asked one of my minions to come up with an Nmap command to find all FTP servers, and this seems to be working nicely:

./nmap -T4 -PS21 -p21 -O --max-rtt-timeout 200ms --initial-rtt-timeout 150ms \
--min-hostgroup 100 -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24

Two notes on the flags. In current Nmap releases a bare number for --max-rtt-timeout and --initial-rtt-timeout is read as seconds, so the ms suffix is what actually gives the intended 200 ms and 150 ms. And -O needs at least one open and one closed port to fingerprint reliably, so with only port 21 probed Nmap will usually warn that OS results are unreliable; -sV, which reports the daemon as "Microsoft ftpd" in the SERVICE column, is the dependable way to separate Microsoft FTP from other FTP servers in the grepable output.

If anybody has any better commands, we'd love to hear it!
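What the scan leaves behind is /tmp/WindowsFTP.grep, and the triage happens on that file. The following is an added example, not part of the original post and not the nmap project's own code: a small Python parser for Nmap's grepable (-oG) output that separates hosts running Microsoft ftpd from other FTP daemons and from open ports that -sV could not identify. It assumes the scan was run with -sV rather than -O (so the version column is populated), and the sample lines embedded in it are constructed for the example, not real scan output.

```python
"""Triage Nmap grepable (-oG) output for FTP servers.

Assumption (not from the original post): the scan was run with -sV so the
version field is populated, e.g.
    nmap -T4 -PS21 -p21 -sV -oG /tmp/WindowsFTP.grep -iL WindowsServers24
"""
import re
import sys
from collections import namedtuple

# Constructed sample of -oG output (not real scan data) covering the cases a
# triage pass must distinguish: Microsoft ftpd, a non-Microsoft daemon, a
# closed port, and an open port whose banner -sV could not identify.
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -T4 -PS21 -p21 -sV -oG - -iL WindowsServers24
Host: 192.168.41.5 ()\tStatus: Up
Host: 192.168.41.5 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/\tIgnored State: closed (0)
Host: 192.168.41.6 (files.example.internal)\tStatus: Up
Host: 192.168.41.6 (files.example.internal)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/
Host: 192.168.41.7 ()\tStatus: Up
Host: 192.168.41.7 ()\tPorts: 21/closed/tcp//ftp///
Host: 192.168.41.8 ()\tStatus: Up
Host: 192.168.41.8 ()\tPorts: 21/open/tcp//ftp?///
# Nmap done -- 4 IP addresses (4 hosts up) scanned
"""

PortEntry = namedtuple("PortEntry", "host hostname port state proto service version")

# "Host: <ip> (<reverse name, possibly empty>)" opens every non-comment line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Return one PortEntry per port in the Ports: section of each host line.

    -oG lines are tab-separated "Key: value" sections; the Ports value is a
    comma-separated list of port/state/proto/owner/service/rpcinfo/version/
    records. Nmap writes '|' in place of any '/' inside the version string,
    so splitting a record on '/' is safe.
    """
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines and blanks
        m = HOST_RE.match(line)
        if not m:
            continue
        host, hostname = m.group(1), m.group(2)
        sections = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        ports = sections.get("Ports")
        if not ports:
            continue  # "Status: Up" lines carry no port list
        for record in ports.split(","):
            fields = record.strip().split("/")
            if len(fields) < 7:
                continue
            entries.append(PortEntry(host, hostname, int(fields[0]), fields[1],
                                     fields[2], fields[4], fields[6]))
    return entries


def open_ftp(entries):
    """Every host with 21/tcp open, whatever is listening there."""
    return [e for e in entries if e.port == 21 and e.proto == "tcp" and e.state == "open"]


def microsoft_ftp(entries):
    """Open FTP ports that -sV identified as Microsoft ftpd: the first-tier targets."""
    return [e for e in open_ftp(entries) if "microsoft" in e.version.lower()]


def unidentified_ftp(entries):
    """Open FTP ports with no version match. These need a manual banner check
    rather than being silently dropped from the inventory."""
    return [e for e in open_ftp(entries) if not e.version]


if __name__ == "__main__":
    # Usage: python triage_ftp.py /tmp/WindowsFTP.grep  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GREPABLE
    found = parse_grepable(text)
    for label, hits in (("Microsoft ftpd", microsoft_ftp(found)),
                        ("unidentified FTP", unidentified_ftp(found))):
        print(f"{label}: {len(hits)}")
        for e in hits:
            print(f"  {e.host} {e.hostname or '-'} {e.version or '(no version)'}")
```

The split into three lists is deliberate: the Microsoft hits are the ones to patch or shut off first, but the unidentified ones are the servers most likely to be the forgotten ones the post is worried about, so they go on the review list rather than being filtered away by a grep for "Microsoft".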

9 thoughts on “Scanning for Microsoft FTP with Nmap”

  1. ny101880

    Hi Ron,

    I tried this command
    nmap -p 21 -sV -v --script IIS-FTP 192.168.41.3

    It can detect that IIS ftpd is enabled but no information if vulnerable or not

    In the example posted at BruCON, after the scan it should output something like this:

        |_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)

    My scan result shows only open services, without information on whether it's vulnerable or not:
    Interesting ports on 159.215.225.70:
    PORT STATE SERVICE VERSION
    21/tcp open ftp Microsoft ftpd
    Service Info: OS: Windows

    1. Ron (post author)

      Hi ny101880,

      The script in question (iis-ftp.nse) isn't included by default. You'll have to download it from the site I linked and place it in your scripts directory. Run Nmap with '-d' to get a better error message.

      Hope that helps!
      Ron

  2. ny101880

    Hi Ron,

    Yes, I did copy the scripts from the link and place them in the scripts directory.

    Here is the result with -d (same result)

    Initiating NSE at 08:20
    NSE: NSE Script Threads (1) running:
    NSE: Starting IIS-FTP against 192.168.41.5
    NSE: Finished IIS-FTP against 192.168.41.5.
    Completed NSE at 08:20, 7.50s elapsed
    NSE: Script Scanning completed.
    Host 192.168.41.5 is up, received echo-reply (0.50s latency).
    Scanned at 2009-09-15 08:20:39 PHT for 10s
    Interesting ports on 192.168.41.5:
    PORT STATE SERVICE REASON VERSION
    21/tcp open ftp syn-ack Microsoft ftpd
    Service Info: OS: Windows
    Final times for host: srtt: 497581 rttvar: 373305 to: 1990801

    Read from /usr/local/share/nmap: nmap-rpc nmap-service-probes nmap-services.
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
    Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

    1. Ron (post author)

      Hi ny101880,

      You're probably going to have to ask the original author of the script at the blog I linked. By the looks of it from your output, the script isn't even running.

      Ron

  3. jacppe

    Hi Ron, I use Windows. When I run the script it doesn't show if it is vulnerable or not. Is there an additional step, like rebuilding the index of NSEs?
    Thanks

  4. jacppe

    Hi again, I executed --script-updatedb and the file was updated. However, the result of the test (vuln or not) does not appear.

    1. Ron (post author)

      You're probably going to have to ask the original author of the script. There shouldn't be any extra steps, though.

      Ron

  5. ny101880

    Hi Ron,

    There is already a comment at http://blog.rootshell.be/2009/09/01/updated-iis-ftp-nmap-script/ but the author did not reply. We are hoping you can help us.

    1. Ron (post author)

      All right, I'll have a look when I have a chance.

      Ron
