Harlan Carvey wrote:

> No problem. Understanding the issue and using the right terminology cuts down (but does not prevent) the wide-spread misinformation that tends to clog the lists and inundate the poor helpdesk.

Never were truer words spoken! (Being as I've both been on helpdesk and done security work, I know EXACTLY what you mean. :) I have no excuse...)

> Good to hear. Sometimes folks post to the lists saying they "verified" that it was a scan, or a particular tool, or whatever...and there's never any clarifying information. I think many of the readers who aren't as familiar with the particular situation would benefit from this...and by sharing info, we all benefit.

I more wanted to cut down on the list traffic, figuring that people would ask for specifics if they wanted them. Turns out that it worked exactly in that way. In hindsight, I should have given more information, and certainly - the more public education the better.

> It'll be tougher on *nix boxen, but you can set something up via SSH, most likely. If you have a domain admin account, scanning the Windows boxen would be fairly, even to script.

Actually, what I'm concerned with there (and likewise on the Windows boxes) is kernel-level process-hiding rootkits - somebody having started a tftp server and then hiding it in the process list via a kernel-level "patch". So, scanning over the network would be better. But, as you so aptly said, scanning via UDP in this way provides questionable results. Actually, without considering the possibility of a rootkit that hides the process, I'd consider a nice shellscript reporting tool to be fairly simple to write ('ps ax' and comparing against a baseline, just in case the tftp server were renamed - actually, that would serve as more than a tftp-server finder) - in fact, simpler than on MS Windows... but rootkits really throw a wrench into both situations. :)

So, certainly, the most optimal type of tool would be a scanner that looks for active tftp servers over the network, focusing primarily on detecting tftp connections via UDP for my purposes.

-Barry
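The "ps ax against a baseline" reporting script that the post above calls simple to write, written out here as an added example; it is not code from the thread or from either poster. The two process listings embedded in it are constructed, and the daemon names, the renamed binary (/tmp/.sysd) and the file paths are illustrative assumptions. Comparing whole command lines rather than looking for a known tftp server name is what makes a renamed daemon show up; as the post says, a kernel-level rootkit that hides the process from the process table defeats the check entirely, because the script only sees what ps sees.

```shell
#!/bin/sh
# Added example: compare a "ps ax" listing against a saved baseline and report
# command lines that were not present on the known-good host. Listings below
# are constructed for illustration, not captured from a real system.

# Reduce raw "ps ax" output to its COMMAND column: skip the header line, blank
# out the PID, TTY, STAT and TIME fields, strip leading spaces, sort, dedupe.
extract_commands() {
    awk 'NR > 1 { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }' "$1" | sort -u
}

# Print every command line in the current listing ($2) that does not appear
# verbatim in the baseline listing ($1). Both arguments are files of raw
# "ps ax" output. Output is empty when nothing new is running.
new_processes() {
    base_cmds="${TMPDIR:-/tmp}/base_cmds.$$"
    cur_cmds="${TMPDIR:-/tmp}/cur_cmds.$$"
    extract_commands "$1" > "$base_cmds"
    extract_commands "$2" > "$cur_cmds"
    # -F fixed strings, -x whole-line match, -v keep lines NOT in the baseline.
    # grep exits 1 when nothing is selected; that is "no new processes", not an error.
    grep -F -x -v -f "$base_cmds" "$cur_cmds" || true
    rm -f "$base_cmds" "$cur_cmds"
}

# Demonstration on constructed listings. The current listing contains a tftp
# daemon, a daemon under an unfamiliar (renamed) path, and the ps command itself.
demo() {
    baseline="${TMPDIR:-/tmp}/ps_baseline.$$"
    current="${TMPDIR:-/tmp}/ps_current.$$"
    cat > "$baseline" <<'EOF'
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  412 ?        Ss     0:00 /usr/sbin/sshd
  530 ?        Ss     0:00 /usr/sbin/cron
EOF
    cat > "$current" <<'EOF'
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  412 ?        Ss     0:00 /usr/sbin/sshd
  530 ?        Ss     0:00 /usr/sbin/cron
 2201 ?        Ss     0:00 /usr/sbin/in.tftpd -l -s /srv/tftp
 2210 ?        Ss     0:00 /tmp/.sysd -l
 2230 pts/0    R+     0:00 ps ax
EOF
    new_processes "$baseline" "$current"
    rm -f "$baseline" "$current"
}

# Real use (paths are assumptions): "ps ax > /var/lib/ps-baseline.txt" on a
# clean host, then later "ps ax > /tmp/now.txt" followed by
# "new_processes /var/lib/ps-baseline.txt /tmp/now.txt".
demo
```

Running the block prints the three command lines absent from the baseline (the tftp daemon, the renamed binary, and "ps ax" itself); a real deployment would whitelist the collector's own ps invocation and run the check from cron or over SSH, collecting the reports centrally.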
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 16:02:25 PDT