nessus | This script is Copyright (C) 2008-2024 and is owned by Tenable, Inc. or an Affiliate thereof. | FTPD_NO_CMD.NASL
History: May 19, 2008 - 12:00 a.m.

FTP Server No Command Accepted (possible backdoor/proxy)

2008-05-19 00:00:00
This script is Copyright (C) 2008-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
34

7.3 High

AI Score

Confidence

Low

The remote server advertises itself as an FTP server, but it does not accept valid commands, which indicates that it may be a backdoor or a proxy.

Further FTP tests on this port will be disabled to avoid false alerts.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata. This branch only declares identifiers, report text,
# dependencies and requirements, then exits without touching the target.
if (description)
{
  script_id(32374);
  script_version("1.13");
  script_name(english:"FTP Server No Command Accepted (possible backdoor/proxy)");

  # Text shown in the scan report.
  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FTP service is not working properly."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote server advertises itself as an FTP server, but it does not
accept valid commands, which indicates that it may be a backdoor or a
proxy. 

Further FTP tests on this port will be disabled to avoid false alerts."
  );

  # Informational finding: no severity is assigned and no fix is proposed.
  script_set_attribute(attribute:"risk_factor", value:"None");
  script_set_attribute(attribute:"solution", value:"n/a");

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks that the FTP server accepts common commands");
  script_category(ACT_GATHER_INFO);
  script_family(english:"FTP");
  script_copyright(english:"This script is Copyright (C) 2008-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Service-detection and credential plugins that are declared as
  # prerequisites of this check.
  script_dependencies(
    "find_service_3digits.nasl",
    "doublecheck_std_services.nasl",
    "logins.nasl"
  );
  script_require_ports("Services/ftp", 21);

  # Requires the experimental-scripts setting to be present in the KB.
  script_require_keys("Settings/ExperimentalScripts");
  exit(0);
}

#
include('ftp_func.inc');

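# Probe a service identified as FTP with two harmless commands and record in
# the KB whether it answers like an FTP server. A service that shows an FTP
# banner but does not return FTP status replies is reported (possible
# backdoor or proxy) and marked 'broken'.

# Do nothing unless experimental scripts are enabled.
if (! experimental_scripts)
 exit(0);

# NOTE(review): login and pass are read from the KB but never used below;
# the probe always sends "USER ftp". The defaults are commented out, and the
# address in the second one was redacted by the page this copy came from.
login = get_kb_item("ftp/login");
pass = get_kb_item("ftp/password");
# if (! login) login = "anonymous";
# if (! pass) pass = "[email protected]";

port = get_ftp_port(default: 21);

soc = open_sock_tcp(port);
if (! soc) audit(AUDIT_SOCK_FAIL, port);

dbg::detailed_log(name:'ftp_func', src:SCRIPT_NAME, lvl:2, msg:"Getting the FTP banner.");
r = ftp_recv_line(socket: soc, retry: 3);
if (! r)
{
  # No greeting at all: record it and stop; this is not reported as a finding.
  debug_print('No FTP welcome banner on port ', port, '\n');
## set_kb_item(name: 'ftp/'+port+'/broken', value: TRUE);
  set_kb_item(name: 'ftp/'+port+'/no_banner', value: TRUE);
  ftp_close(socket: soc);
  audit(AUDIT_NO_BANNER, port);
}
debug_print(level: 2, 'Banner = ', r);

# A 4xx/5xx greeting or an "Access denied" banner means the server refuses
# this client, so the command probes below would prove nothing.
if (r =~ '^[45][0-9][0-9] ' ||
     match(string: r, pattern: 'Access denied*', icase: 1))
{
  set_kb_item(name: 'ftp/'+port+'/denied', value: TRUE);
  ftp_close(socket: soc);
  exit(0, 'FTP server on port '+ port + ' is closed');
}

foreach cmd (make_list("HELP", "USER ftp"))
# Not QUIT, as some servers close the connection without a 2xx code
{
 send(socket: soc, data: cmd + '\r\n');
 r = ftp_recv_line(socket: soc, retry: 3);

 # Avoid FP on FTPS
 if (r =~ "^550[ -]SSL/TLS required")
 {
   set_kb_item(name: 'ftp/'+port+'/TLS', value: TRUE);
   # NOTE(review): 'broken' is also set for an FTPS-only server. Per the
   # plugin description this key disables further FTP tests on the port, so
   # such servers presumably get no FTP coverage until this is revisited.
   set_kb_item(name: 'ftp/'+port+'/broken', value: TRUE);# Temporary
   close(soc);
   exit(0, "This is an FTPS server");
 }

 # An FTP reply starts with a three-digit status code followed by a space or
 # a hyphen. The pattern is anchored with '^', like the banner and FTPS
 # checks above: without the anchor any reply that merely contains three
 # digits and a space or hyphen somewhere in the line is accepted as valid
 # FTP, and the service this check looks for goes unreported.
 # Assumes ftp_recv_line() returns text beginning with the first reply
 # line -- TODO confirm against ftp_func.inc.
 if (r !~ '^[1-5][0-9][0-9][ -]')
 {
   debug_print('FTP server on port ', port, ' answer to ', cmd, ': ', r);
   security_note(port: port);
   # Per the plugin description, further FTP tests on this port are disabled
   # once this key is set.
   set_kb_item(name: 'ftp/'+port+'/broken', value: TRUE);
   close(soc);
   exit(0);
 }
 debug_print(level:2, 'FTP server on port ', port, ' answer to ', cmd, ': ', r);
}

# Both probes received FTP status replies: nothing to report.
close(soc);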
