Re: TFTP Scanner recommendation requested

From: Harlan Carvey (keydet89at_private)
Date: Mon Aug 18 2003 - 14:08:07 PDT


    Barry,
    
    > Actually, what I'm concerned with there (and likewise on the Windows
    > boxes) is kernel-level process hiding rootkits - somebody having started
    > a tftp server and then hiding it in the process list via kernel-level
    > "patch".  So, scanning over the network would be better.  But, as you so
    > aptly said, scanning via UDP in this way provides questionable results.
    
    Yes, that's something to keep in mind.  It's something
    I ran into w/ an audit...the audit report was preceded
    by two pages of "why UDP scans are unreliable", then
    reported a great number of UDP ports open...
    
    > Actually, without considering the possibility of a rootkit that hides
    > the process, I'd consider a nice shellscript reporting tool to be fairly
    > simple to write ('ps ax' and comparing against a baseline, just in case
    > the tftp server were renamed - actually, that would serve as more than a
    > tftp server-finder) - in fact, simpler than on MS Windows... but
    > rootkits really throw a wrench into both situations. :)
    
    I'm not entirely sure what you're getting at here. 
    Taking the rootkit issue out of the equation for a
    moment, running lsof or fuser on the Linux boxen, and
    openports (rather than fport) on the Windows boxen,
    will identify processes bound to UDP port 69 as a
    listener/server.
    
    Now, putting rootkits back into the picture...while
    such things are more prevalent on Linux boxen, they
    are by no means impossible on Windows...though we
    haven't seen nearly the volume/variety as we have on
    Linux.  Of course, the whole thing goes back to system
    configurations, permissions, and ACLs.
    
    > So, certainly, the most optimal type of tool would be a scanner that
    > looks for active tftp servers over the network, focusing primarily on
    > detecting tftp connections via UDP for my purposes.
    
    One idea might be a snort box, w/ the appropriate rule
    in place to pick up TFTP traffic.
    
    Harlan
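As an added example (not code from Harlan's or Barry's posts), the two checks discussed above written out in Python: a host-side pass over `lsof -i UDP -n -P` output that flags anything bound to UDP 69 regardless of what the process calls itself, and a decoder for TFTP read/write requests of the kind a snort rule would match on the wire. The lsof listing and the request packet are constructed samples; the function names are mine.

```python
import struct

# Constructed sample of `lsof -i UDP -n -P` output (not from a real host).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
in.tftpd  4321 root    4u  IPv4  31337      0t0  UDP *:69
dhclient   987 root    6u  IPv4  22222      0t0  UDP *:68
ntpd       654 ntp    16u  IPv4  33333      0t0  UDP 127.0.0.1:123
"""

# Constructed TFTP read request: opcode 1, "boot.cfg", mode "octet" (RFC 1350).
SAMPLE_RRQ = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"

TFTP_PORT = 69
TFTP_OPCODES = {1: "RRQ", 2: "WRQ"}
TFTP_MODES = ("netascii", "octet", "mail")


def udp_listeners(lsof_output, port=TFTP_PORT):
    """Return (command, pid, bound address) for each UDP socket on `port`."""
    hits = []
    for line in lsof_output.splitlines():
        fields = line.split()
        # Keyed on the NAME column, so a renamed tftpd binary is still caught.
        if len(fields) < 9 or fields[7] != "UDP":
            continue  # header row or non-UDP line
        bound_port = fields[8].rsplit(":", 1)[-1]
        if bound_port.isdigit() and int(bound_port) == port:
            hits.append((fields[0], int(fields[1]), fields[8]))
    return hits


def parse_tftp_request(payload):
    """Decode a TFTP RRQ/WRQ from a UDP payload; None if it is not one."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in TFTP_OPCODES:
        return None  # DATA/ACK/ERROR, or not TFTP at all
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None  # filename and mode must both be present and NUL-terminated
    mode = parts[1].decode("ascii", "replace").lower()
    if mode not in TFTP_MODES:
        return None
    filename = parts[0].decode("ascii", "replace")
    return {"op": TFTP_OPCODES[opcode], "filename": filename, "mode": mode}
```

Feed `udp_listeners` the real lsof output from a host and `parse_tftp_request` the payload of any UDP datagram a sensor sees; the second check is the one that still works when a rootkit hides the process from the host.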
    



    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 16:03:17 PDT