Anonymous FTP scanning differences between Metasploit and Nmap

Metasploit has a auxiliary module dedicated to anonymous FTP scanning. I was interest to compare this Metasploit module with Nmap ftp-anon NSE script.

I decided to scan a /19 rang, how represent 8192 IP addresses with the 2 tools, compare the results and the time to do these scans.

    Metasploit

    Just play with Metasploit cli to have the possibility, without configuring the Metasploit database, to measure the needed time to do the complete scan.
    time ./msfcli auxiliary/scanner/ftp/anonymous ConnectTimeout=1 FTPTimeout=1 RHOSTS=xxx.xxx.xxx.0/19 E
    By default, the Metasploit ftp_anonymous auxiliary module is single threaded, you can if you want increase the number of thread  by setting the THREADS variable. We will not change this default configuration, cause Nmap is single threaded.  But we will decrease the ConnectTimeout and FTPTimeout advanced configuration to 1 second.
    Metasploit has take around 75 minutes to scan all the 8192 IP addresses, and return us 35 anonymous FTP.
    With 256 threads, to be fair ^^, Metasploit scans the 8192 IP addresses in 1 minute 27seconds. (LOL)
    We had these kinds of results :
    [*] aaa.aaa.aaa.aaa:21 Anonymous READ (220 aaa.aaa.aaa.aaa FTP server ready)
    [*] Scanned 4075 of 8192 hosts (050% complete)
    [*] Auxiliary module execution completed
    [*] bbb.bbb.bbb.bbb:21 Anonymous READ/WRITE (220 Welcome to my FTP Server)
    [*] Scanned 5045 of 8192 hosts (060% complete)
    [*] Auxiliary module execution completed
    To test if the anonymous FTP is writable, Metasploit try to create a directory with the MKD command, and if the creation is successful, this directory is directly deleted by the RMD command. If the anonymous FTP is not writable, then he is logically only readable 🙂 In addition Metasploit will also grab the FTP banners of the anonymous FTP server.

    Nmap

    With Nmap, the following command will permit you to scan anonymous FTP, grab the banner and fingerprint the service, but will not test for you if the anonymous FTP is writable or not.
    time sudo nmap -p21 -n -sC -sV –script=banner –script=ftp-anon xxx.xxx.xxx.0/19
    Nmap has take around 20 minutes to scan all the 8192 IP addresses, and return us only 11 anonymous FTP.
    We has these kinds of results :
    Nmap scan report for aaa.aaa.aaa.aaa
    Host is up (0.026s latency).
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     ProFTPD
    |_banner: 220 aaa.aaa.aaa.aaa FTP server ready
    |_ftp-anon: Anonymous FTP login allowed
    Service Info: Host: aaa.aaa.aaa.aaa; OS: Unix
    Nmap scan report for bbb.bbb.bbb.bbb
    Host is up (0.027s latency).
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp
    |_banner: 220 Welcome to my FTP Server
    |_ftp-anon: Anonymous FTP login allowed
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port21-TCP:V=5.21%I=7%D=5/16%Time=4BF05218%P=i386-apple-darwin9.8.0%r(N
    SF:ULL,1E,”220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\n”)%r(GenericLine
    SF:s,33,”220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\n500\x20Unknown\x20
    SF:Command\r\n”)%r(Help,33,”220\x20Welcome\x20to\x20my\x20FTP\x20Server\r\
    SF:n500\x20Unknown\x20Command\r\n”)%r(SMBProgNeg,33,”220\x20Welcome\x20to\
    SF:x20my\x20FTP\x20Server\r\n500\x20Unknown\x20Command\r\n”);
    Service Info: Host: my
    We have test 2 times the complete scans with Metasploit and Nmap, and we got the same results. What is surprising is the difference between the number of anonymous FTP detected by Metasploit (and verified by hand later) and the results of Nmap.
    As suggested by Ron Bowes, I tested a different approach for the Nmap anon-ftp scanning, to increase the time optimization.
    First test with :
    time sudo nmap -p21 -PS -n –script=ftp-anon xxx.xxx.xxx.0/19
    Nmap has finish the scan in 6 minutes and 20 seconds, still more than Metasploit, but no more 20 minutes.
    Second test with :
    time sudo nmap -p21 -PS -n -T4 –script=ftp-anon xxx.xxx.xxx.0/19
    Nmap has finish the scan in 6 minutes and 35 seconds, the -T4 option doesn’t has change anything in term of performances.
    Ron has also confirm that nmap anon-ftp LUA script is missing some anonymous FTP, and this randomly.

4 Replies to “Anonymous FTP scanning differences between Metasploit and Nmap”

  1. Ron thanks for your comments.

    Here the result on one IP with an anonymous FTP, the anon-ftp LUA script is working randomly as you say’s

    [[email protected] ~] time sudo nmap -p21 -PS -n –script=ftp-anon aaa.aaa.aaa.aaa

    Starting Nmap 5.21 ( http://nmap.org ) at 2010-05-19 21:20 CEST
    NSE: Script Scanning completed.
    Nmap scan report for aaa.aaa.aaa.aaa
    Host is up (0.027s latency).
    PORT STATE SERVICE
    21/tcp open ftp

    Nmap done: 1 IP address (1 host up) scanned in 5.25 seconds

    real 0m5.294s
    user 0m0.113s
    sys 0m0.022s

    [[email protected] ~] time sudo nmap -p21 -PS -n –script=ftp-anon aaa.aaa.aaa.aaa

    Starting Nmap 5.21 ( http://nmap.org ) at 2010-05-19 21:20 CEST
    NSE: Script Scanning completed.
    Nmap scan report for aaa.aaa.aaa.aaa
    Host is up (0.027s latency).
    PORT STATE SERVICE
    21/tcp open ftp
    |_ftp-anon: Anonymous FTP login allowed

    Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

    real 0m0.288s
    user 0m0.107s
    sys 0m0.018s

  2. Sorry for the double post, but my last one is somewhat irrelevant now.

    I did some experiments myself, and found that, when you scan more than one machine, Nmap typically finds maybe half of the anonymous ftp servers, but it isn’t the same half every time. It seems somewhat random. Uh oh!

    Also, when you’re doing timing tests, using -sV on Nmap isn’t fair. -sV is super slow. I’d suggest this:
    time sudo nmap -d -p21 -PS -n –script=ftp-anon xxx.xxx.xxx.0/19

    You can throw in a -T4 too, if you want to default the speeds to faster.

    With the commandline I gave (no -T4), Nmap took slightly over a minute. That’s a much fairer comparison, IMO.

Comments are closed.