FTP-NAT - Results
Am I vulnerable?
(short version)
Yes, if you find "200 Port open." in the output.
For the technically interested, I will detail the meanings of the different status codes and the various ports below.
If you only want to know how serious this problem is and what you can do about it, click on "continue" right away.
Result codes
Code | Meaning |
IO error | There was a problem connecting to the test server. The test server may be down, or your firewall may be blocking outbound connections. |
200 Port open. | The test server was able to connect back to your host at that port. Have a look at your locally opened ports; if the pattern matches, you are vulnerable to the active-FTP-NAT problem. |
300 Port closed. | The test server was able to try to connect back to your host at that port, but the port was not open. Compare that to your locally opened ports. If the port is closed there as well, this is normal and no conclusions can be drawn. If the port is locally open, something is denying access to it, which is probably a good thing. If none of the ports this test uses is listening locally, the test cannot give reliable results; you may want to make netcat or a similar tool listen on one of the ports to get reliable results. |
300 Port filtered. | The test server was not able to connect back to your host within a reasonable time frame. Either the network was very loaded, or something is filtering packets to/from the port. Regarding security against this attack, this is a good thing. However, it is considered a bad idea to drop packets without proper notification of the sender, as it slows the debugging of network problems. As this is your network, and others aren't supposed to access it anyway (you wouldn't do this test if they were, right?), it is at least your own foot that you shoot yourself in. |
400 PORT Error. | The PORT command was rejected by the test server. This happens if the IP address specified in the command differs from the address the server sees on the control connection. Unless you have an unusual setup, this is usually a sign that you don't have a functioning active-FTP-NAT helper, which means you are secure from this attack, at the price of not being able to do active FTP. As there is little reason to use active FTP nowadays, I'd rather recommend this setup. |
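The "400 PORT Error." row describes the check an FTP server makes before it connects back: the address carried in the PORT command must match the peer address of the control connection. The following Python is an added illustration of that check and of the PORT encoding itself; it is not code from the test server or from this page, and the function names, the "200 PORT command okay" reply text and the sample addresses are constructed for the example. A client behind NAT without a working FTP helper sends its private address, which never matches the public address the server sees, so the command is refused and no connection back is attempted.

```python
from typing import Tuple


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Decode the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six comma-separated fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers") from None
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT fields must be in the range 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]   # high byte first, then low byte
    return host, port


def build_port_argument(host: str, port: int) -> str:
    """Encode (ip, port) the way a client writes it into a PORT command."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("host must be a dotted-quad IPv4 address")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def check_port_command(arg: str, control_peer_ip: str) -> Tuple[bool, str]:
    """Server-side check that produces the page's '400 PORT Error.' result.

    Returns (accepted, reply). The data address named in PORT has to equal
    the address the server sees on the control connection; anything else
    (including a malformed argument) is refused, so no connection back happens.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"400 PORT Error. ({exc})"
    if host != control_peer_ip:
        return False, (f"400 PORT Error. (data address {host} differs from "
                       f"control address {control_peer_ip})")
    return True, f"200 PORT command okay, will connect back to {host}:{port}"


if __name__ == "__main__":
    # Constructed example: the page's test port 47115 encodes as 184*256 + 11.
    print(build_port_argument("192.168.1.10", 47115))                 # 192,168,1,10,184,11
    # Private address sent from behind NAT, seen by the server as 203.0.113.7: refused.
    print(check_port_command("192,168,1,10,184,11", "203.0.113.7"))
    # Address rewritten to the public one (what a working NAT helper does): accepted.
    print(check_port_command("203,0,113,7,184,11", "203.0.113.7"))
```

The second call is the situation the "400 PORT Error." row describes: without a NAT helper rewriting the PORT argument, the private address leaks through unchanged and the server refuses it. The third call shows what the server sees once a helper has rewritten the address, which is exactly why a working helper lets the server connect back in.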
What do those port numbers mean?
The system tests a variety of ports to cover a wide range of systems. If you have none of these open locally, you won't get any sure results.
If this is the case, you can start netcat on any of these ports to see if you are affected.
It is not guaranteed that "200 Port open." means it actually opened a connection to that port on your machine. It might as well have connected to a forwarded port on the router or some router config port.
Here is a commented list of tested ports.
22 | SSH. Secure Shell. Do you want this reachable from outside? |
80 | HTTP. Are you running a webserver? Or maybe the router is offering its config site? |
111 | Unix portmapper. Shouldn't be reachable from outside. Never ever. |
135 | epmap. Windows endpoint mapper. Shouldn't be reachable from outside. Dangerous if your Windows is not fully patched; several known exploits. |
137 | netbios-ns. Windows NetBIOS name service. Shouldn't be reachable from outside. |
139 | netbios-ssn. Windows NetBIOS session. Shouldn't be reachable from outside. |
445 | SMB-DS. Windows shares. Shouldn't be reachable from outside. |
1900 / 5000 | ssdp. Simple Service Discovery Protocol. Shouldn't be reachable from outside. |
3000 | alg. Application Level Gateway. Shouldn't be reachable from outside. |
3389 | RDP. Windows Remote Desktop. Shouldn't be reachable from outside. |
580x / 590x | VNC. Another common remote desktop. Shouldn't be reachable from outside. |
6000 | First X11 server (:0). Do you want this reachable from outside? |
47115 | TestPort. If this is shown as open, something is probably wrong, unless you opened it deliberately for testing purposes as described below. Or do you have a service running there? |
Am I vulnerable?
In general, you are vulnerable if your local output of "netstat -a" (Windows) or "netstat -nlt" (Unix) matches the "200 Port open." messages from the test. However, note that some firewalls are configured to allow ftp-data traffic only from port 20 to a high port. So if you have no services running on high ports, your NAT device might still be vulnerable, though you won't notice it with this test. Try opening the test port to rule that out.
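The comparison this section asks for, matching "netstat -nlt" against the test results and applying the interpretation from the result-code table, can be automated. The Python below is an added example and not part of the page or of the test itself; both the netstat excerpt and the test output embedded in it are constructed, and the "port: code text" line format of the tester's output is an assumption (adjust RESULT_LINE if the real output looks different). It also treats sockets bound only to loopback as not reachable, since a connection coming back through the NAT device arrives on the LAN address.

```python
import re
from typing import Dict, Set

# Constructed sample of "netstat -nlt" output from a Linux host (not from the page).
NETSTAT_NLT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:47115           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# Constructed sample of the tester's output. The "<port>: <code> <text>" line
# format is an assumption; adapt RESULT_LINE if the real output differs.
TEST_OUTPUT = """\
22: 200 Port open.
80: 300 Port closed.
111: 300 Port filtered.
445: 300 Port closed.
3389: 200 Port open.
47115: 200 Port open.
"""

RESULT_LINE = re.compile(r"^\s*(\d+):\s*(\d{3}|IO error)\s*(.*?)\s*$")


def listening_ports(netstat_text: str) -> Set[int]:
    """Ports of TCP sockets listening on a non-loopback address."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[-1] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        # A socket bound only to loopback cannot be reached through a NAT hole.
        if addr in ("127.0.0.1", "::1"):
            continue
        ports.add(int(port))
    return ports


def parse_results(test_text: str) -> Dict[int, str]:
    """Map each tested port to the tester's status text, e.g. '200 Port open.'."""
    results: Dict[int, str] = {}
    for line in test_text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            results[int(m.group(1))] = (m.group(2) + " " + m.group(3)).strip()
    return results


def verdict(status: str, locally_listening: bool) -> str:
    """Apply the page's interpretation of one result code to one port."""
    if status.startswith("IO error"):
        return "IO_ERROR"           # tester unreachable; nothing learned
    if status.startswith("400"):
        return "NO_ALG"             # PORT rejected: no working active-FTP NAT helper
    if status.startswith("200"):
        # Reachable from outside. If it is listening here, the NAT helper let the
        # connection in; otherwise a forwarded port or the router itself answered.
        return "VULNERABLE" if locally_listening else "OPEN_ELSEWHERE"
    if "filtered" in status:
        return "FILTERED"           # packets dropped: good against this attack
    # "300 Port closed."
    return "BLOCKED" if locally_listening else "NO_CONCLUSION"


def assess(test_text: str, netstat_text: str) -> Dict[int, str]:
    """Correlate the tester's output with the local listening ports."""
    local = listening_ports(netstat_text)
    return {port: verdict(status, port in local)
            for port, status in parse_results(test_text).items()}


def is_vulnerable(verdicts: Dict[int, str]) -> bool:
    return any(v == "VULNERABLE" for v in verdicts.values())


if __name__ == "__main__":
    v = assess(TEST_OUTPUT, NETSTAT_NLT)
    for port in sorted(v):
        print(f"{port:6d}  {v[port]}")
    print("vulnerable" if is_vulnerable(v) else "not shown vulnerable by this test")
```

In the constructed sample, port 22 and the test port 47115 are both listening locally and reported open, which is the pattern the section calls vulnerable; 3389 is reported open but nothing listens on it here, so the router or a port forward answered and the router deserves a look; 80 listens locally but is reported closed, so something between the tester and the host denies access, which the result table counts as good.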