Lucene search
Daniel MillerNMAP:FTP-SYST.NSEHistoryJul 26, 2017 - 7:34 p.m.
ftp-syst NSE Script
2017-07-2619:34:25
Daniel Miller
nmap.org
712
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Sends FTP SYST and STAT commands and returns the result.
The canonical SYST response of “UNIX Type: L8” is stripped or ignored, since it is meaningless. Typical FTP response codes (215 for SYST and 211 for STAT) are also hidden.
References:
Example Usage
nmap -sV -sC <target>
Script Output
| ftp-syst:
| SYST: UNIX MikroTik 6.34.3
| STAT:
| Enver Curri FTP server (MikroTik 6.34.3) status:
| Logged in as
| TYPE: ASCII; STRUcture: File; transfer MODE: Stream
| No data connection
|_End of status
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.0.2.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 2.0.5 - secure, fast, stable
|_End of status
| ftp-syst:
| SYST: Version: Linux 2.6.26.8-rt16
| STAT:
| HES_CPE FTP server status:
| ftpd (GNU inetutils) 1.4.1
| Connected to 72.14.177.105
| Waiting for user name
| TYPE: ASCII, FORM: Nonprint; STRUcture: File; transfer MODE: Stream
| No data connection
|_End of status
Requires
local ftp = require "ftp"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Sends FTP SYST and STAT commands and returns the result.
The canonical SYST response of "UNIX Type: L8" is stripped or ignored, since it
is meaningless. Typical FTP response codes (215 for SYST and 211 for STAT) are
also hidden.
References:
* https://cr.yp.to/ftp/syst.html
]]
author = "Daniel Miller"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
---
-- @output
-- | ftp-syst:
-- | SYST: UNIX MikroTik 6.34.3
-- | STAT:
-- | Enver Curri FTP server (MikroTik 6.34.3) status:
-- | Logged in as
-- | TYPE: ASCII; STRUcture: File; transfer MODE: Stream
-- | No data connection
-- |_End of status
--
-- | ftp-syst:
-- | STAT:
-- | FTP server status:
-- | Connected to 192.0.2.13
-- | Logged in as ftp
-- | TYPE: ASCII
-- | No session bandwidth limit
-- | Session timeout in seconds is 300
-- | Control connection is plain text
-- | Data connections will be plain text
-- | At session startup, client count was 1
-- | vsFTPd 2.0.5 - secure, fast, stable
-- |_End of status
--
-- | ftp-syst:
-- | SYST: Version: Linux 2.6.26.8-rt16
-- | STAT:
-- | HES_CPE FTP server status:
-- | ftpd (GNU inetutils) 1.4.1
-- | Connected to 72.14.177.105
-- | Waiting for user name
-- | TYPE: ASCII, FORM: Nonprint; STRUcture: File; transfer MODE: Stream
-- | No data connection
-- |_End of status
--
-- @xmloutput
-- <elem key="SYST">Version: Linux 3.10.73</elem>
-- <elem key="STAT">
-- FRITZ!Box7490 FTP server status:
-- Connected to 72.14.177.105
-- Waiting for user name
-- TYPE: ASCII, FORM: Nonprint; STRUcture: File; transfer MODE: Stream
-- No data connection
-- End of status</elem>
portrule = shortport.port_or_service({21,990}, {"ftp","ftps"})
local function do_syst(socket, buffer)
end
action = function(host, port)
local socket, code, message, buffer = ftp.connect(host, port)
if not socket then
stdnse.debug1("Couldn't connect: %s", code or message)
return nil
end
if code and code ~= 220 then
stdnse.debug1("banner code %d %q.", code, message)
return nil
end
-- SYST
local auth_done = false
local syst = nil
repeat
if not socket:send("SYST\r\n") then
return nil
end
code, message = ftp.read_reply(buffer)
if not code then
stdnse.debug1("SYST error: %s", message)
break
end
if code == 215 then
local stripped = message:gsub("^UNIX Type: L8 *", "")
if stripped ~= "" then
syst = stripped
end
break
elseif code < 300 then
syst = ("%d %s"):format(code, message)
break
elseif not auth_done and -- we haven't tried logging in yet
( code == 503 -- Command SYST not accepted during Connected
or code == 521 -- Not logged in - Secure authentication required
or (code % 100) // 10 == 3 -- x3x codes are auth-related
) then
-- Try logging in
local status, code, message = ftp.auth(socket, buffer, "anonymous", "IEUser@")
if status then
auth_done = true
end
else
stdnse.debug1("SYST error: %d %s", code, message)
break
end
until not auth_done
-- STAT
if not socket:send("STAT\r\n") then
if syst then
return {SYST=syst}
else
return nil
end
end
local out = stdnse.output_table()
out.SYST = syst
local code, stat = ftp.read_reply(buffer)
if code then
if code == 211 then
out.STAT = "\n" .. stat
elseif code < 300 then
out.STAT = ("%d\n%s"):format(code, stat)
end
end
ftp.close(socket)
if #out > 0 then
return out
end
end
Related
nmap
nmap
ms-sql-empty-password NSE Script
2010-04-04 10:11:54
nat-pmp-info NSE Script
2010-09-28 19:43:06
stuxnet-detect NSE Script
2010-12-12 22:40:42
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:FTP-SYST.NSE