Operation Honeypot - 01 FTP Recon
This is the obligatory part of this post where I say, “wow, I haven’t posted for a while, I’m going to do better” but in reality, I program 8+ hours a day and a lot of times when I get home I’d much rather get some time away from the computer. However, I do feel that having a good project I can slowly work on in my free time with some technologies I don’t normally use could be fun and help expand my skillset.
I have always been interested in the security side of programming, and what better way to understand cutting edge security than to make something that’s very purpose is to see what people (mostly bots) are currently doing to exploit cloud applications. I am planning to implement most of this in Scala, which I do not use very often, so feel free to email me if you see some real rookie mistakes.
- a container in which honey is kept.
“an earthenware honeypot”
Well, not that kind of honeypot…
The one I am talking about is a server that mimics real applications in hopes of catching someone attempting to exploit it and logging the different methods that are used. There are plenty of open-source tools that accomplish this now and you can do something as simple as open Netcat on port 80 and see what files a hacker is requesting from your “webserver”.
That is, at its core, what a honeypot is. Obviously, things can get more complicated. You will want to make sure your system doesn’t get hacked and you want your fake application to have complex enough features so a hacker is tricked into thinking they’re exploiting a real system and that they’re getting the expected results back. If they are trying to leverage a command or query a file you do not have or support, they’ll probably just move onto another target and you’ll miss out on discovering what their technique was.
So now the question arises, “which protocol should we mimic to entice attackers?” Well, at first I thought a simple web server would suffice, but that is open-ended. What would the web page look like? How many endpoints am I going to allow? How do you reply to a request for each endpoint? To get the most attackers it makes sense to mimic popular web frameworks, but then which ones? WordPress? This seems like something for another day, but what about FTP?
The File Transfer Protocol is fairly simple and has the potential to collect binaries from attackers that can later be analyzed. We only need to support sending and receiving functionality, and we can probably ignore (for now) most of the other modes and more advanced features which are also supported by different FTP servers.
We must know how an FTP server works before we can become the FTP server, or whatever Sun Tzu said. So let’s find a public FTP server to connect to (you can stand up your own, but there are already configured ones online so why waste the effort?), one such server is
speedtest.tele2.net. You can try using the
ftp command which is probably pre-installed on your OS of choice, and see how that works. There is a very good article on Wired that offers a primer on FTP that I would recommend if you aren’t too familiar with the protocol.
But we must venture deeper into the inner workings of FTP, so let’s gloss over RFC 959, maybe RFC 1635, and attempt to utilize the protocol by hand. I will connect to port 21 (the default for FTP) using Netcat and issue the commands myself.
Here’s the raw excerpt:
So what’s happening,
- ME: Open the socket using Netcat.
- SERVER: Replies with the version information and code 220
- According to RFC 959 “220” means “Service ready for new user.”
- ME: USER anonymous
- We say we want to login as the “anonymous” user, which is the default for a user with no account.
- SERVER: 331 Please specify password
- ME: PASS password
- Since we are using the “anonymous” account, all passwords will be accepted, usually, you use your email address.
- SERVER: 230 Login successful
- ME: PWD
- This is just querying where on the server we currently are.
- SERVER: 257 “/“ is the current directory
- ME: QUIT
- SERVER: 221 Goodbye.
The biggest thing to realize is that it is mostly the numbers that each reply starts with that adhere to a standard, and each are defined within RFC 959. In other words, an FTP server that replies with
230 Howdy Porkchop every time a user successfully authenticates to the server is completely fine.
There’s one last bit of functionality we will need to add to properly mimic an FTP server, and that is data transfer. The previous interaction with the server consisted of only interacting with the control port, to do data transfer we either have to listen on a separate port and tell the server to connect to us (active mode) or tell the FTP server to listen on another port and we will connect to that (passive mode). Passive mode is much more common, however, I will demonstrate using an active connection.
Much of the above looks the same besides the
PORT 3,19,50,38,28,165 command. This is telling the server that I will be listening on
220.127.116.11:7333 for the transfer, the format being h1,h2,h3,h4,p1,p2, where each is an 8-bit segment, the first h1 through h4 are the bits of the IP address, p1 and p2 are the 16 bits of the port number (“0001 1100 1010 0101” in binary is 7333).
Meanwhile in a second terminal, I have opened a connection with Netcat listening on port 7333, this is what it received:
As you can see, the data was transferred successfully. This could have been a file and it would have worked similarly. If this was a passive connection we would have instead issued the
PASV command to the server in the first terminal and it would have replied with a similarly formatted address which we would have connected to in the second terminal. For our honeypot, we will have to implement both of these modes to maximize our ability to receive malicious files.
Now that we have a deeper understanding of how the protocol works, we can begin implementing this functionality in a way that will fool these hackers into giving us their exploits while keeping ourselves safe from an actual attack, but that is something for another post. So stay tuned for more on Operation Honeypot.