Skip to Main Content
January 24, 2013

Pentester News: StatefulFTP on Windows 7 and Windows 8 breaks payloads

Written by David Kennedy
Penetration Testing Security Testing & Analysis
As penetration testers attacking from the Internet side of the house, we often attempt to compromise either systems, servers, or people. When we attack, we rely on external connections back out of the firewall (called reverse connections) in order to interact with a victim behind a NAT instance (behind the firewall). In common cases, a company will have some egress (outbound) connections that allow for these reverse connections to be successful. Common ports are 21, 22, 23, 25, 53, 3389, 80, 443, and 8080. In most cases, 21, 80, and 443 are the only ports available and 80 and 443 are typically heavily monitored and go through an authenticated proxy. In Windows 7 and Windows 8, there is a feature called StatefulFTP which is enabled by default. This feature does basic inspection of traffic in order to determine if the connection back is legitimate. This is problematic for us in the fact that it breaks a number of payloads including a meterpreter (Metasploit) payload. The initial first stage socket connection is successful however the StatefulFTP flag breaks the rest of the payload from executing properly. Below is an example of the first stage not working correctly and hanging: Unsuccessful shell via 21 When attacking Windows 7 or Windows 8, the shell will be unsuccessful and we are not graced with our payload. Interesting enough when using windows/shell/reverse_tcp does not trigger the StatefulFTP inspection and is successful. However if using session upgrades to a meterpreter shell via 21 will break the shell connection and terminate it. In order to get around this, prior to executing the payload, you need the ability to execute a netsh command to disable the StatefulFTP inspection. This can be accomplished by running the following command: disable netsh When running the shell, we are successful in establishing the full meterpreter session with the stages working correctly: successful session There is one slight challenges with this approach. The netsh command requires administrative level permissions in order to execute successful. As an attacker and penetration tester, if you have the ability to select the exploit multiple times, using the windows/exec payload and setting the CMD to netsh advfirewall set global StatefulFTP disable then setting the payload to a Windows meterpreter instance will fix this IF you have administrative level permissions. Another workaround is to use a custom payload that does not trip the StatefulFTP flag or has basic functionality such as upload and download features to attempt other ports to get your meterpreter session. In addition, the windows/shell/reverse_tcp does NOT trip the StatefulFTP flag, you can use that as well. This technique has now been incorporated into the Java Applet attack method within the Social-Engineer Toolkit (SET) v4.4.1 and automatically attempts to disable the StatefulFTP flag. Wonder how many missed shells we haven't seen due to these as penetration testers. Additional information: Special thanks: Special thanks for corelanc0d3r, egyp7, hdm, mihi, mubix, Tod Beardsley for helping with the testing on this.