On September 1st, Microsoft released a security advisory regarding an exploit that was discovered in their IIS FTP service, which you can find here. In short, the vulnerability allowed servers that permitted anonymous write access to be compromised.
Opening up my email, I noticed the vulnerability in my inbox, and a message attached asking me to find all the servers in the government which might be vulnerable to this exploit. Now, as you can imagine, it’s not like there are 50 servers in the government. This isn’t a situation where you go to each server manually and check for the vulnerability. This worked out to be a perfect situation to use nmap.
Nmap, as I mentioned in my last post, is a security scanner. It’s powerful: really, REALLY powerful. There are so many command-line switches that they have to use two characters for a lot of them, and they’re case sensitive as well. To top it all off, it also provides scripting support. In layman’s terms, you tell it to jump, and it asks you how high, how many flips it should do, what music should be playing in the background, and what the acrobats’ costumes should look like. You get the picture.
Anyways, the task was put before me to determine which servers were vulnerable, and how many FTP services could simply be turned off. After acquiring a list of IP addresses of assets, I sorted the list, changed each IP to refer to the class C subnet (255.255.255.0 or /24), and removed duplicates. I then came up with a list of IPs which had an FTP service. Some had closed ports, and others were filtered. Some of them were also open. A few quick grep commands and I had narrowed down the list to open Windows boxes. Below, I have the nmap command that I used to find all the servers with FTP running on them. I’d be curious to see if anyone has come up with a similar command that might be useful for this same purpose, and where improvements can be made.
./nmap -T4 -PS21 -p21 -O --max-rtt-timeout 200 --initial-rtt-timeout 150 --min-hostgroup 100 -oG /tmp/WindowsFTP.grep -iL ../WindowsServers24
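The list preparation and the grep step described above, sketched as an added example (these are not the commands used in the original post). The function names and all sample data are constructed; the script assumes one IPv4 address per line as input and nmap's tab-separated greppable (-oG) host lines.

```shell
#!/bin/sh
# Added example: build the /24 target list, then filter greppable output
# for Windows hosts with 21/tcp open. Names and sample data are constructed.

# stdin: one IPv4 address per line. stdout: each distinct /24, sorted.
# Blank or malformed lines are skipped.
to_slash24() {
    awk -F. '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
             $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
                 print $1 "." $2 "." $3 ".0/24"
             }' | sort -t. -k1,1n -k2,2n -k3,3n -u
}

# stdin: nmap -oG output. stdout: IPs whose Ports field lists 21/open/tcp
# and whose OS guess mentions Windows (filtered and closed ports are dropped).
open_windows_ftp() {
    awk -F'\t' '$1 ~ /^Host: / {
        ports = ""; os = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) ports = substr($i, 8)
            if ($i ~ /^OS: /)    os = $i
        }
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++)
            if (index(p[j], "21/open/tcp/") == 1 && os ~ /Windows/) {
                split($1, h, " "); print h[2]; break
            }
    }'
}

# Constructed sample of greppable host lines (trimmed to the fields used).
sample_grepable() {
    printf '# Nmap scan (constructed sample)\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///\tOS: Microsoft Windows Server 2003\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 21/filtered/tcp//ftp///\tOS: Microsoft Windows XP\n'
    printf 'Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///\tOS: Linux 2.6.X\n'
    printf 'Host: 192.0.2.13 ()\tPorts: 21/closed/tcp//ftp///\n'
}

# Demo on constructed input.
printf '192.0.2.7\n192.0.2.200\n198.51.100.9\n' | to_slash24
sample_grepable | open_windows_ftp
```

Hosts whose OS guess is missing are dropped by this filter, so they need a separate look before an FTP service is declared absent.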