FTP scan -STATS-
For those who is interested in my stats
and findings after a nice big scan of FTP
I scanned in groups of 50000 Dutch IPs with NMap.
I used -T5 to speed up the things so he can missed some
ftp servers with slow response.
scan command/the script I used
#!/bin/bash
# $1 : infile (without .txt) output is infile + _p21.gnmap/nmap/xml
sudo nmap -v -iL "$1".txt -Pn -T5 -sV --version-all -n -p 21 -oA ~/workingdir/output/p21/"$1"_p21 --script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor --open -sS
I scanned for this 105 ip lists of 5000 gives me a total op 5.250.000 IP's
(still busy, 45 to go)
Not 1 time I got a hit from the 2 scripts of nmap which checks for a backdoored FTP version
so
num ip's : 5.250.000 (
list)
uniq IP's w/o port 21 : 41.412 (
list)
Top 5 ip groups (
list)
6963 145.216
3442 145.217
1642 83.162
1194 212.204
996 86.109
backdoored : 0
Found Service Info : 142 *not much(-T5 is fastscan with not enough waiting time)
Top 5
85 Service Info: OS: Unix
27 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
4 Service Info: Device: firewall
3 Service Info: Device: broadband router
2 Service Info: OS: VxWorks; CPE: cpe:/o:windriver:vxworks
FTP anonymous access : 1765* succesfully logins with user:anonymous pass:anon@
also the scan did a banner grab (short one because of the T5 option of NMap)
Banner grabbed : 20457 (almost 50% of the open ports found) (link)
Return codes top 3
20190 220
62 530
46 550
ProFTPD : 5308 (1/4 of all the banners)
Top 5 versions
621 ProFTPD 1.3.1 Server
368 ProFTPD 1.3.3c Server
355 ProFTPD 1.3.2e Server
240 ProFTPD 1.3.3e Server
141 ProFTPD 1.3.3a Server
vsFTPD : 1653
Top 5 versions
907 (vsFTPd 2.0.5)
205 (vsFTPd 2.0.7)
122 (vsFTPd 2.3.2)
119 (vsFTPd 2.2.2)
68 (vsFTPd 2.0.1)
FileZilla : 710
Top 5 versions
168 FileZilla Server version 0.9.37 beta
142 FileZilla Server version 0.9.39 beta
83 FileZilla Server version 0.9.40 beta
72 FileZilla Server version 0.9.34 beta
41 FileZilla Server version 0.9.33 beta
VxWorks : 99
Top 5 versions
69 VxWorks (VxWorks5.4.2) FTP server ready
17 Tornado-vxWorks (VxWorks5.4.2) FTP server ready
9 VxWorks (5.4.2) FTP server ready
2 VxWorks (VxWorks5.5.1) FTP server ready
1 VxWorks FTP server (VxWorks 5.4.2) ready.
NASFTP : 359
Turbo : 350
277 Turbo station 2.x 1.3.2e Server
73 Turbo station 2.x 1.3.1rc2 Server
3.x Server : 9
Serv-U : 139
Top 5 versions
29 v6.4
16 v6.0
14 v11.1
11 v6.2
8 v6.3
FTP Server ready. : 2469
some other statics
NAS found : 615
Microsoft FTP Service : 1805
FritzBox : 86
'welcome' in banner : 3116
'ready' in banner : 8792
service not available : 33
Cisco : 23
P2612HW : 62 *ZyXEL Router
camera's : 47 *39 AXIS
DreamBox : 197
Moxa FTP : 13
DSL Router : 30
DiskStation : 255
Check Point Firewall: : 119
TCAdmin : 40
Winsock ready... : 93
Gene6 : 54
spftp : 38
ucftpd : 20
FTP-Uploadserver : 61
WAR-FTPD : 7
BulletProof FTP : 27
Titan FTP : 14
zFTPServer : 20
Cerberus : 22
Rumpus : 37
JD FTP : 33
Card AOS : 68
pd-admin : 6
Welcome to
the CS network : 25 ? so many
Netwerkschijf : 7 *dutch for "disk drive"
Inactivity timer text : 72
Connection refused,
unknown IP address : 59
IP in banner : 3859
Why I make stats?
can be handy with pentesting!
For example knowning that the word 'welcome' isn't often used (+/- 25%)
and 'ready' not reaching 50% that a scanner based on return strings
isn't the best idea.
Or if you see the versions of the mainly used ftp servers don't have the latest
version. 1.3.1. for ProFTPD and 2.0.5 for vsFTPd. and googling around brings
a lot of exploits based on this versions.
Serv-U 6.4 is most used, and a lot of exploits are on the net.
(Dir traversal, BoF's, Auth. bypass).