Remote Covert Remote Covert Investigation of FTP for Investigation of FTP for

Forensic PurposesForensic Purposes

ByBy

Arron Martin Zeus-Brown BSc Arron Martin Zeus-Brown BSc

ContentsContents

The presentation contents The presentation contents IntroIntro Background Background The problemsThe problems The possible solutionsThe possible solutions

IntroductionIntroduction

Who am I?Who am I? What is this presentation about?What is this presentation about?

BackgroundBackground Distribution network AKA the Distro networkDistribution network AKA the Distro network

The File Transfer Protocol (FTP) is one of the oldest applicationThe File Transfer Protocol (FTP) is one of the oldest applicationprotocols on the internet and its use has been thought to be inprotocols on the internet and its use has been thought to be indecline since the creation of the HyperText Transfer Protocol and decline since the creation of the HyperText Transfer Protocol and thetheWorld-Wide Web. Recently, however, copyright enforcement World-Wide Web. Recently, however, copyright enforcement agencies have identified a growth in FTP traffic and servers, agencies have identified a growth in FTP traffic and servers, associated with organised groups distributing illegally copied associated with organised groups distributing illegally copied copyright material. This marks a change in the distribution copyright material. This marks a change in the distribution mechanism, which has largely depended on peer to peer networks mechanism, which has largely depended on peer to peer networks such as Kazaa, e-mule, and BitTorrent.such as Kazaa, e-mule, and BitTorrent.

What is FTP ?What is FTP ? While it is possible to While it is possible to

perform an ``end to end'' perform an ``end to end'' trace on a peer to peer trace on a peer to peer connection, ftp provides a connection, ftp provides a semi-anonymous middle semi-anonymous middle point in the network whose point in the network whose content and location may content and location may be difficult to determine. be difficult to determine. Furthermore, it is thought Furthermore, it is thought to be almost impossible to to be almost impossible to determine the origins of determine the origins of data on the FTP server data on the FTP server without physical or without physical or authorized access to the authorized access to the machine.machine.

WHY FTP?WHY FTP?

Warez gang choose ftp for Warez gang choose ftp for It speedIt speed Easy of installationEasy of installation Ability to takeover or illegally set up a FTP Ability to takeover or illegally set up a FTP

server on a remote location unknown to server on a remote location unknown to the hardware ownerthe hardware owner

A visualisation from Ref: [Various 2006]

Main software

crackers and ripper

Pay for FTP Warez site

Other Free FTP servers

Distributor small organised gangs using copyright material to fund other avenues

Kazza / e-mule and other file sharing

services

Hardcopy CD/DVD Burning warehouse's

E Market stall’s and Real market stall

End home user

The Distro (distribution) network is the way the illegal software movies and other such material

Distro mapDistro map

P2P Networks Usenet

Open IRC channels Websites

End user internet

End user internet

Couriers

Couriers

Couriers

Couriers post on staging sites to earn downloading credits and web cudos

Couriers leaving files in shared folders using the End user internet in order to obtain more files from the End user internet

IRC BOTS IRC BOTS

Ranked topsites

Couriers post on Unranked topsites to earn downloading credits and web cudos

Couriers post on Ranked topsites to earn downloading credits and web cudos

Pay for ftp Usenet

IRC bots automate the transmission from the private file storage to a shared file storage and also sends emails to the top line couriers this allows the encoders some anonymity

Private folders

Public folders

Pre-release folders owned by the Encoding/cracking groups. These folder are placed on the highest ranking top sites private folders

Film and software etc suppliers

Encoding and cracking groups

Staging topsites

Unranked topsites

What can be done?What can be done?

At presentAt present Home user are widely targeted for using client sharing Home user are widely targeted for using client sharing

toolstools Can this ever solve the problem?Can this ever solve the problem?

Why should we target the FTP servers Why should we target the FTP servers Its at the top of the chain and defending further down Its at the top of the chain and defending further down

the chain is not working (the American Motion Picture the chain is not working (the American Motion Picture Association estimates loses of “Association estimates loses of “$626 billion a year”)$626 billion a year”)

Targeting the home user is not going to stop the Targeting the home user is not going to stop the distribution or the problem as there will only be another distribution or the problem as there will only be another home user willing to take the risk of view a pirated copy home user willing to take the risk of view a pirated copy of a movie 6 month before its UK release dateof a movie 6 month before its UK release date

How can this problem be solved?How can this problem be solved?

If we look at real life issue such as If we look at real life issue such as drugs, arresting the user’s for take drugs, arresting the user’s for take the drugs is going to fill the judicial the drugs is going to fill the judicial system really quickly, however work system really quickly, however work back up the ladder to the importer back up the ladder to the importer stop the problem at the root, the stop the problem at the root, the same can be said of file sharingsame can be said of file sharing

Predictive detection response vs. Predictive detection response vs. post incident responsepost incident response

Predictive Predictive detection detection responseresponse

this does not mean this does not mean being able to see being able to see the futurethe future

This method can This method can be thought of as be thought of as working working undercoverundercover

Why it will Why it will hopefully slow hopefully slow down or even stop down or even stop the distribution of the distribution of illicit files illicit files

Post Incident Post Incident responseresponse this is what is this is what is

currently currently happening.happening.

This method can be This method can be thought of as a thought of as a standard crime standard crime fighting fighting methodology methodology

Why is it not stop Why is it not stop the distribution of the distribution of illicit files being illicit files being transferredtransferred

How Predictive detection response How Predictive detection response worksworks

Imagine seeing hundreds of people Imagine seeing hundreds of people coming and going from a building coming and going from a building that was deserted last week and still that was deserted last week and still looks as if it still should be deserted. looks as if it still should be deserted. The police would find this worthy of The police would find this worthy of investigation. investigation.

This is the same thought process for This is the same thought process for detecting illicit use of FTP serversdetecting illicit use of FTP servers

Internet NoiseInternet Noise

What is internet noise?What is internet noise? Most of the internet can be thought of as a battle field where the side Most of the internet can be thought of as a battle field where the side

made up of the system administrators and security personnel Vs the made up of the system administrators and security personnel Vs the hackers , crackers and the many other name’s for people that belong the hackers , crackers and the many other name’s for people that belong the underground world and some that what to belong to this world sometimes underground world and some that what to belong to this world sometimes referred to as “Script kiddies”referred to as “Script kiddies”

We can use this battle to cover some of the activities that the robots will We can use this battle to cover some of the activities that the robots will be doing.be doing.

PORT SCANNING PORT SCANNING this is a method of finding open ports on a target machine this is a this is a method of finding open ports on a target machine this is a

common practice for hacker etc looking for ways to exploit a system.common practice for hacker etc looking for ways to exploit a system. Most system’s that are connected to the internet will experience this Most system’s that are connected to the internet will experience this

from of attack and is commonly dismissed as a script kiddie attack.from of attack and is commonly dismissed as a script kiddie attack. A system can be port scanned hundreds or even thousands of times a A system can be port scanned hundreds or even thousands of times a

day by different user’s this will generate huge logs and it is in these day by different user’s this will generate huge logs and it is in these logs that it is hoped that activity of the robots can hidden in this mess logs that it is hoped that activity of the robots can hidden in this mess of logsof logs

Port scanning what is it?Port scanning what is it?

Port scanningPort scanning ““An attempt by hackers to find the weaknesses of a An attempt by hackers to find the weaknesses of a

computer or network by scanning or probing system computer or network by scanning or probing system ports via requests for information. It can be used by IT ports via requests for information. It can be used by IT professionals as a genuine tool to discover and correct professionals as a genuine tool to discover and correct security holes. But it can also be used maliciously to security holes. But it can also be used maliciously to detect and exploit weaknesses.” Ref:www.nve.vt.edu. detect and exploit weaknesses.” Ref:www.nve.vt.edu.

The above explanation is very ambiguous and The above explanation is very ambiguous and really does not give us much information what a really does not give us much information what a port scan is. port scan is.

So I like to think of it like finding a hotel and So I like to think of it like finding a hotel and trying the doorstrying the doors

Easy to understand explanationEasy to understand explanation

IP address = The address of a hotelIP address = The address of a hotel Port number = A door to a room in the Port number = A door to a room in the

hotelhotel Service = the guest in the roomService = the guest in the room Open Port = knocking on the door and Open Port = knocking on the door and

getting and answer or an open doorgetting and answer or an open door Closed Port = knocking on the door Closed Port = knocking on the door

and getting and not answer or a closed and getting and not answer or a closed doordoor

Finding a hostFinding a host

ICMP echo ICMP echo scanning:scanning: This is not strictly This is not strictly

cased as port cased as port scanning, as ICMP scanning, as ICMP does not have a does not have a port construct. port construct.

This is a way of This is a way of finding the internal finding the internal network IP network IP address’s address’s

UDP ICMPUDP ICMP port unreachable scanning:port unreachable scanning:

This method is the 1st method dicribed here that uses the UDP and not the TCP protocol the This method is the 1st method dicribed here that uses the UDP and not the TCP protocol the UDP protocol is a much simpler protocol, however this does not many that port scanning is UDP protocol is a much simpler protocol, however this does not many that port scanning is easier when using it, infact if anything it can be said that it proves more difficult. This is due to easier when using it, infact if anything it can be said that it proves more difficult. This is due to the fact that the open ports do not have to send responses to the probe and closed port simply the fact that the open ports do not have to send responses to the probe and closed port simply don’t have to send error reports. However most servers do send an ICMP_PORT_UNREACH don’t have to send error reports. However most servers do send an ICMP_PORT_UNREACH error when the UDP port is closed. There for if no response is received it is a possible indicator error when the UDP port is closed. There for if no response is received it is a possible indicator that the port is open. However both UDP packets and the ICMP errors are guaranteed to be that the port is open. However both UDP packets and the ICMP errors are guaranteed to be received. This means that UDP scanners must implement the repeated transmission of packets received. This means that UDP scanners must implement the repeated transmission of packets that seem to be lost, the retransmission cuts down the number of false positives. However this that seem to be lost, the retransmission cuts down the number of false positives. However this means that the time taken to scan a system is greatly increased. In-fact some system such as means that the time taken to scan a system is greatly increased. In-fact some system such as the Linux kernel limits the number of unreachable message to 80 every 4 seconds if this is the Linux kernel limits the number of unreachable message to 80 every 4 seconds if this is exceeded a 0.25 second penalty is added of each message. Root access is also required to exceeded a 0.25 second penalty is added of each message. Root access is also required to access the raw ICMP sockets for reading the erroraccess the raw ICMP sockets for reading the error

FTP bounce attackFTP bounce attack:: proposes of this research is proving to have some interesting implications. It uses one of the proposes of this research is proving to have some interesting implications. It uses one of the

features detailed in ftp protocol (RFC 959) the feature that is of most interest is the support for features detailed in ftp protocol (RFC 959) the feature that is of most interest is the support for Proxy ftp connection. Proxy ftp connection.

Looking for port responses 150 and 226 for open ports and 425 for closedLooking for port responses 150 and 226 for open ports and 425 for closed

TCP Port ScanningTCP Port Scanning

TCP = Transmission Control Protocol TCP = Transmission Control Protocol This is the most common protocol used for This is the most common protocol used for

port scanning port scanning It is found in most tools that “script kiddies” It is found in most tools that “script kiddies”

useuse

TCP PacketsTCP Packets The diagram is a TCP packet; the highlighted

areas are the different parts of the packet which we will manipulate to determine if a port is open or not.

The following descriptions explain what each of these flags are and their purpose.

• SYN (Synchronize) A SYN flag is required to initialize the sequence

numbers in TCP. • ACK (Acknowledge)

The ACK flag is used to acknowledge that the data was received.

• RST (Reset) Reset is used to abort both ends of connection

immediately. • FIN (Finish)

Using the FIN flag is very similar to using the RST flag to disconnect a client. The difference with this flag is that after a FIN is sent and is accepted, the client replies back with an ACK .

• URG (Urgent) The URG Flag tells the receiving system to

quickly process the data. • PSH (Push)

A PSH flag causes the sender to promptly forward all the data up to a certain point as defined.

TCP connect() scanningTCP connect() scanning:: This from of port scanning is This from of port scanning is

the most basic from of TCP the most basic from of TCP port scanning it uses the port scanning it uses the connect() system call connect() system call provided by the operating provided by the operating system to open connections system to open connections to every listening port on to every listening port on the target machine. If the the target machine. If the port is in listening mode the port is in listening mode the connect() call will be connect() call will be successful else it will report successful else it will report the the port is unreachable. the the port is unreachable. The main advantage of this The main advantage of this is that it does not need any is that it does not need any special privileges and it is a special privileges and it is a very quick way of testing a very quick way of testing a port.port.

TCP SYN scanningTCP SYN scanning: :

This type of scanning is This type of scanning is normally referred to as part or normally referred to as part or half open scanning, this is half open scanning, this is because the port is never fully because the port is never fully opened. This is done by opened. This is done by sending a Syn packet as if to sending a Syn packet as if to open a port then wait for the open a port then wait for the Syn/Ack or the Rst. The Rst Syn/Ack or the Rst. The Rst response means the port is response means the port is none responsive and the none responsive and the Syn/Ack response will indicate Syn/Ack response will indicate a listening port, as soon as the a listening port, as soon as the Syn/Ack response is received Syn/Ack response is received you send the Rst this will kill you send the Rst this will kill the connection process. The the connection process. The main advantage of this type of main advantage of this type of port scanning is that a lot of port scanning is that a lot of system will not record the scan system will not record the scan as an attack however the as an attack however the system must be running under system must be running under root access privileges to build root access privileges to build the custom packetthe custom packet

TCP FIN scanningTCP FIN scanning : : This is the most covert method of This is the most covert method of

TCP port scanning as Syn packet’s TCP port scanning as Syn packet’s can be detected via firewalls and can be detected via firewalls and programs such as Synlogger and programs such as Synlogger and Courtney. However FIN packet Courtney. However FIN packet may be able to pass through may be able to pass through undetected. This method of undetected. This method of scanning was 1st detailed by Ref scanning was 1st detailed by Ref Uriel maimon. The idea of this Uriel maimon. The idea of this method is that most UNIX system method is that most UNIX system closed ports will tend to reply to a closed ports will tend to reply to a FIN packet with the Rst and open FIN packet with the Rst and open ports by default ignore the FIN ports by default ignore the FIN packets. However the major down packets. However the major down side to this is that some system side to this is that some system mostly Microsoft and they will mostly Microsoft and they will send Rst response what ever the send Rst response what ever the state of the port which means state of the port which means Microsoft system are not Microsoft system are not susceptible to this from of port susceptible to this from of port scan. However this means it can scan. However this means it can be useful to tell the difference be useful to tell the difference between operating systems.between operating systems.

TCP XMAS Scan This technique sets all the

flags in a TCP packet . If the attacker does not receive anything, then the port is believed to be open. If a RST bit is received, then we assume the port is closed.

This technique is not always reliable. If we tried to scan a computer which does not exist, we would not receive a RST bit and thus would assume that all of the ports we just scanned are open.

Again, this technique is particularly stealthy; however, the results are not reliable.

TCP NULL Scan This technique sends no

flags to a port to determine if the port is open If a system responds with a RST, then we assume the port is closed.

The problem with this technique is that some operating systems do not fully comply with RFC 793 (www.rfc-archive.org), which describes how TCP should work, such as Windows, Cisco, BSDI, HP/UX, MVS and IRIX. These Operating Systems send a RST bit whether the port is open or closed.

Fragmentation scanning:Fragmentation scanning: This method is the only method that is This method is the only method that is

capable of by-passing or increase the capable of by-passing or increase the difficulty of detection of the port scan. This difficulty of detection of the port scan. This is done by splitting up the probing TCP is done by splitting up the probing TCP header over a few packets, however some header over a few packets, however some programs many have trouble handling the programs many have trouble handling the smaller size packets that can vary in size.smaller size packets that can vary in size.

However this does require a device called However this does require a device called a frag-routera frag-router

TCP reverse ident TCP reverse ident scanning:scanning:

This method was disclosed by Ref: D. Goldsmith, it is that the This method was disclosed by Ref: D. Goldsmith, it is that the IDENTD protocol allows for the disclosure of the username of any IDENTD protocol allows for the disclosure of the username of any process connected via TCP, the fault with this comes from the process connected via TCP, the fault with this comes from the fact that it can be done by either party in the connection. fact that it can be done by either party in the connection.

This means that it is possible to connect to a service and fully This means that it is possible to connect to a service and fully open the port then use the Identd to find out if the server is open the port then use the Identd to find out if the server is running as root. This can be achieved very easily with the use of running as root. This can be achieved very easily with the use of a program known as nmap.a program known as nmap.

What next?What next?

So once we have a list of IP address’s So once we have a list of IP address’s with the corresponding open ports. with the corresponding open ports. What can be done next.What can be done next.

Calling for the header and checking Calling for the header and checking known common used portsknown common used ports

Anonymous connection to ftp Anonymous connection to ftp

Next StageNext Stage

The next stage of research will The next stage of research will include include FTP server software identification FTP server software identification Pattern analyses of trafficPattern analyses of traffic Pattern analyses of AttacksPattern analyses of Attacks Storage examinationStorage examination

The goal of the prototypeThe goal of the prototype The 1The 1stst stage in developing the idea is to check to see if anything other than a stage in developing the idea is to check to see if anything other than a

basic port scanning as basic port scanners will just report that the port is open basic port scanning as basic port scanners will just report that the port is open but it will not report the service that is running on it.but it will not report the service that is running on it.

The 1The 1stst prototype is written in Perl and looks at port 21 over a range of IP prototype is written in Perl and looks at port 21 over a range of IP Address’s it shows that it is possible to check to see if a port is hosting an FTP Address’s it shows that it is possible to check to see if a port is hosting an FTP server and if that FTP server allows anonymous logins server and if that FTP server allows anonymous logins

The second stage of the prototyping involved changing the program from a static The second stage of the prototyping involved changing the program from a static port to a flexible port range. this stage just looked for open port.port to a flexible port range. this stage just looked for open port.

The next stage was to take the information from the second prototype. Then The next stage was to take the information from the second prototype. Then request the header response or other useful information that can be gained from request the header response or other useful information that can be gained from the open portsthe open ports

This is the current stage of the prototype it is looking more than possible that This is the current stage of the prototype it is looking more than possible that this sort of program can be adapted to run over a distributed platform allowing this sort of program can be adapted to run over a distributed platform allowing for further stealth ability.for further stealth ability.

The final GoalThe final Goal The final goal is to produce a tool or set of tools and the procedures of the The final goal is to produce a tool or set of tools and the procedures of the

remote investigation of FTP serversremote investigation of FTP servers The ftp servers that allow anonymous login could then be checked for files of The ftp servers that allow anonymous login could then be checked for files of

illicit nature.illicit nature. With further development the possible transference to other File transfer With further development the possible transference to other File transfer

protocols.protocols.

Ethics and other IssuesEthics and other Issues

Is it hacking ?Is it hacking ? What is the law in the country where the server is What is the law in the country where the server is

located.located. What, if any Data protection guide lines need to What, if any Data protection guide lines need to

be followedbe followed Will the evidence produced be of a standard that Will the evidence produced be of a standard that

is useable in a court of lawis useable in a court of law

Who’s server is itWho’s server is it

It is becoming a growing trade to Hi-It is becoming a growing trade to Hi-jack hardware and services jack hardware and services

This means that it is also needed to This means that it is also needed to establish who owns what and who establish who owns what and who did whatdid what

Reference'sReference's C Winter C Winter mpaa.org, mpaa.org, Dark Tower - Top Piracy Pyramid.pdf, 1/2005Dark Tower - Top Piracy Pyramid.pdf, 1/2005 Various hackinthebox.tx, How to become a distrobuter, 1/2006Various hackinthebox.tx, How to become a distrobuter, 1/2006

Angus Marshal – meeting between A. marshal and A. brown, 1/2006Angus Marshal – meeting between A. marshal and A. brown, 1/2006 Net sorcery www.networksorcery.comUDP, 1/2006Net sorcery www.networksorcery.comUDP, 1/2006 D. Fyodor www.insecure.org Nmap The art of port scanning, 06/1997D. Fyodor www.insecure.org Nmap The art of port scanning, 06/1997 Uriel Maimon, Phrack 49, article 15 Port Scanning without the SYN flag , 11/1996Uriel Maimon, Phrack 49, article 15 Port Scanning without the SYN flag , 11/1996 D.Goldsmith Bugtraq post, the ident protocol (rfc1413 ), 1996D.Goldsmith Bugtraq post, the ident protocol (rfc1413 ), 1996 R siles R siles WWW.honeynet.orgWWW.honeynet.org, Scan 21, 06/2002, Scan 21, 06/2002 D Song D Song http://www.monkey.org/~dugsong/talks/ids/http://www.monkey.org/~dugsong/talks/ids/ Intrusion Detection 101, 17/09/1999Intrusion Detection 101, 17/09/1999

Thank youThank you

Thank you for your Thank you for your time and does any time and does any

one have any one have any questions?questions?