Detect IIS-FTP Vulnerable Hosts Using Nmap

by Black on September 1, 2009 · 0 comments


A new zero-day for the Microsoft Internet Information Server (IIS) ftpd has been released, and many datacenters and small organisations host and use the IIS FTP server. This tool will be very helpful for system and security administrators who need to find affected hosts and apply workarounds.


Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:

Check if anonymous sessions are allowed.
Check if the detected FTP server is running Microsoft ftpd.
Check if the MKDIR command is allowed (this seems to be required by the exploit)
If all those conditions are met, the script exits with a warning message. Note that my script only reports servers which could be vulnerable. On the other hand, running a server where anonymous users are able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!
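The same three checks, written as an added Python example using the standard ftplib module (this is not the Nmap script from this post). The function names, the probe directory name and the result keys are assumptions made for the example; the probe directory is removed again after the test.

```python
import ftplib
import sys
import uuid


def audit_ftp(ftp):
    """Run the three checks on a connected ftplib.FTP-like object.

    Returns a dict of findings; 'flagged' is True only if all three hold.
    """
    result = {"microsoft_ftpd": False, "anonymous": False,
              "mkdir": False, "flagged": False}
    # Is this Microsoft ftpd? IIS greets with "220 Microsoft FTP Service".
    result["microsoft_ftpd"] = "microsoft ftp" in ftp.getwelcome().lower()
    if not result["microsoft_ftpd"]:
        return result            # not IIS: stop here, nothing else is sent
    # Are anonymous sessions allowed?
    try:
        ftp.login()              # ftplib defaults to user "anonymous"
        result["anonymous"] = True
    except ftplib.Error:         # e.g. 530 login refused
        return result
    # May the anonymous user create a directory (MKD)?
    probe = "audit-" + uuid.uuid4().hex[:8]   # constructed probe name
    try:
        ftp.mkd(probe)
        result["mkdir"] = True
        try:
            ftp.rmd(probe)       # clean up the probe directory
        except ftplib.all_errors:
            result["leftover"] = probe   # report it so it can be removed
    except ftplib.Error:         # e.g. 550 access denied
        pass
    result["flagged"] = all(result[k] for k in
                            ("microsoft_ftpd", "anonymous", "mkdir"))
    return result


def audit_host(host, port=21, timeout=10):
    """Connect to a host you administer and run audit_ftp on it."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        return audit_ftp(ftp)
    finally:
        ftp.close()


if __name__ == "__main__" and len(sys.argv) > 1:
    print(audit_host(sys.argv[1]))
```

A host is flagged only when all three conditions hold, which matches the "potentially vulnerable" wording of the warning: the result says the preconditions are present, not that the flaw was confirmed.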

An advantage of using Nmap for this test is that it focuses on the FTP application: if IIS is found the check goes further, otherwise the scan is aborted. This helps to avoid disturbing your existing network by scanning for all ports and applications.

How to use NMAP to Detect IIS-FTP Vulnerable Hosts

Copy the script into your local script repository (/usr/local/share/nmap/scripts/). Windows users need to check, most probably, inside Program Files/nmap.

Run nmap --script-updatedb

nmap -p 21 -sV --script=IIS-FTP 192.168.1.1 (specify your IP segment)

Sample output

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 EST
Interesting ports on testing-win (192.168.1.1):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

Download nmap Script Here

And if you are lucky enough to be vulnerable, here is a list of workarounds.

1. Firewall: apply a firewall rule that allows FTP only from a single source IP to a single destination IP. This way you will know from where and who is accessing your data.

2. NIPS and NIDS: write a custom rule to detect or block anyone who tries the MKDIR command or other such commands, and either block or alert.

3. On the server, apply proper ACLs on directory browsing and user access.

Hope this helps you.
