FTP: File Transport Protocol
Introduction
This tutorial discusses the plugin ftpDecode. FTP is the oldest file transfer protocol and not encrypted. So we can scrutinize and extract all content. It is sometimes even used today, you won’t believe it.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates ftpDecode txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: ftp-dpic.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing FTP traffic!
ftpDecode
Let’s look at the plugin configuration first:
ftpDecode
vi src/ftpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define FTP_SAVE 0 // save content to FTP_F_PATH
#define FTP_CMD_AGGR 1 // Aggregate FTP commands/response codes
#define FTP_BTFLD 0 // Bitfield coding of FTP commands
#define FTP_UXNMLN 10 // maximal username length
#define FTP_PXNMLN 15 // maximal password length
#define FTP_MXNMLN 50 // maximal name length
#define FTP_MAXCPFI 10 // Maximal number of pfi
#define FTP_MAXUNM 5 // Maximal number of users
#define FTP_MAXPNM 5 // Maximal number of passwords
#define FTP_MAXCNM 20 // Maximal number of parameters
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define FTP_RMDIR 1 // empty FTP_F_PATH before starting (require FTP_SAVE=1)
#define FTP_F_PATH "/tmp/FTPFILES/" // Path for extracted content
#define FTP_NONAME "nudel" // No name file name
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
...This plugin is data carving capable, so it extracts the content of the flows including
user names and passwords. The latter are also printed in the flow file.
If FTP_SAVE=1 all the content including commands, up and downloads are extracted
under the path FTP_F_PATH. If no file name is found, e.g. if you only recorded the
B flow, then the FTP_NONAME is used. Note that FTP_RMDIR=1 defines that
the file directory is deleted for each new t2 execution. So if you want to keep earlier
files, switch it to 0. Here we keep the default value.
The lengths of the extracted usernames and passwords can be configured as the form of the FTP command flow output. We leave it in human readable and aggregated and leave data carving off.
So execute t2 on the supplied pcap including packet mode.
================================================================================ Tranalyzer 0.9.1 (Anteater), Cobra. PID: 38929, SID: 666 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.9.1 02: tcpStates, 0.9.1 03: ftpDecode, 0.9.1 04: txtSink, 0.9.1 [INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K) [INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K) Processing file: /home/user/data/ftp-dpic.pcap Link layer type: Ethernet [EN10MB/1] Snapshot length: 65535 (65.53 K) Dump start: 1168195766.739929000 sec (Sun 07 Jan 2007 18:49:26 GMT) Dump stop : 1168195799.748737000 sec (Sun 07 Jan 2007 18:49:59 GMT) Total dump duration: 33.008808000 sec Finished processing. Elapsed time: 0.003258257 sec Finished unloading flow memory. Time: 0.003345977 sec Percentage completed: 100.00% Number of processed packets: 92 Number of processed bytes: 69464 (69.46 K) Number of raw bytes: 69464 (69.46 K) Number of pad bytes: 26 Number of pcap bytes: 70960 (70.96 K) Number of IPv4 packets: 92 [100.00%] Number of A packets: 37 [40.22%] Number of B packets: 55 [59.78%] Number of A bytes: 2096 (2.10 K) [3.02%] Number of B bytes: 67368 (67.37 K) [96.98%] <A packet load>: 56.65 <B packet load>: 1224.87 (1.22 K) -------------------------------------------------------------------------------- tcpStates: Aggregated tcpStatesAFlags=0xc3 ftpDecode: Aggregated ftpStat=0x0b ftpDecode: Number of FTP control packets: 20 [21.74%] ftpDecode: Number of FTP-DATA packets: 69 [75.00%] -------------------------------------------------------------------------------- Headers count: min: 3, max: 3, avg: 3.00 Number of TCP packets: 92 [100.00%] Number of TCP bytes: 69464 (69.46 K) [100.00%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 8 Number of processed IPv4 flows: 8 [100.00%] Number of processed A flows: 4 [50.00%] Number of processed B flows: 4 [50.00%] Number of request flows: 4 [50.00%] Number of reply flows: 4 [50.00%] Total A/B flow asymmetry: 0.00 Total req/rply flow asymmetry: 0.00 Number of processed A+B packets/A+B flows: 11.50 Number of processed A packets/A flows: 9.25 Number of processed B packets/ B flows: 13.75 Number of processed total packets/s: 2.79 Number of processed A+B packets/s: 2.79 Number of processed A packets/s: 1.12 Number of processed B packets/s: 1.67 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <Number of processed flows/s>: 0.24 <Bandwidth>: 16829 b/s (16.83 Kb/s) <Raw bandwidth>: 16835 b/s (16.84 Kb/s) Max number of flows in memory: 6 [0.00%] Memory usage: 0.04 GB [0.07%] Aggregated flowStat=0x0400000000004000 [INF] IPv4 flows
The end report states that we have 8 flows with 20 control and 69 data packets.
Looking at the aggregated ftpStat reveals that we have a passive and active FTP
flow.
The ftpStat column with value 0x0b is to be interpreted as follows:
bit | ftpStat | Description
=============================================================================
0 | 0x01 | FTP control port found
1 | 0x02 | FTP passive parent flow
3 | 0x08 | FTP active parent flow
So a promising error free download, lets look at the flow file now. Unfortunately we have no user name and passwords
in the pcap, so try it with your own, you will see them in ftpUser and ftpPass. Flow 1 being denoted by ftpStat=0x09{.awk}
contains four commands: TYPE;PASV;SIZE;RETR, hence there is a download initiated. The B flow shows the aggregated
return codes, 226 indicates a successful download. A list of codes can be found in ftpDecode.h.
ftpCDFindex denotes the link between the command flow with its spawned data flow 2 for the user initiated A flow 1.
B flow 1 did not spawn any data flow, so the A flow 1 is linked.
The data flow 2 denotes flow 1 as its parent. The column ftpCP shows all command parameters of all ftp flows.
In flow 2 we see the name of the downloaded file.
tcol ~/results/ftp-dpic_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags ftpStat ftpCDFindex ftpCC ftpRC ftpNumUser ftpUser ftpNumPass ftpPass ftpNumCP ftpCP ftpPLen
A 2 0x0400000000004000 1168195766.764244000 1168195766.976730000 0.212486000 1 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us "Comcast Cable Communications" 4076 128.121.136.217 us "NTT America" 30012 6 0x42 0x02 1 0 0 1 "/funwithbill/Microsoft-1978.jpg" 64170
B 2 0x0400000000004001 1168195766.782725000 1168195766.965575000 0.182850000 1 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us "NTT America" 30012 67.180.72.76 us "Comcast Cable Communications" 4076 6 0x02 0x02 1 0 0 1 "/funwithbill/Microsoft-1978.jpg" 64170
A 1 0x0400000000004000 1168195766.739929000 1168195799.748737000 33.008808000 1 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us "Comcast Cable Communications" 4075 128.121.136.217 us "NTT America" 21 6 0x43 0x09 2 TYPE;PASV;SIZE;RETR 0 0 2 "I";"/funwithbill/Microsoft-1978.jpg" 0
B 1 0x0400000000004001 1168195766.751652000 1168195767.017088000 0.265436000 1 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us "NTT America" 21 67.180.72.76 us "Comcast Cable Communications" 4075 6 0x03 0x09 2 200;227;213;150;226 0 0 1 "/funwithbill/Microsoft-1978.jpg" 64170
A 3 0x0400000000004000 1168195798.794148000 1168195798.808733000 0.014585000 1 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us "Comcast Cable Communications" 4072 128.121.136.217 us "NTT America" 21 6 0x83 0x01 0 0 0 0
B 3 0x0400000000004001 1168195798.808082000 1168195798.808646000 0.000564000 1 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us "NTT America" 21 67.180.72.76 us "Comcast Cable Communications" 4072 6 0x03 0x01 0 0 0 0
A 4 0x0400000000004000 1168195799.515059000 1168195799.527966000 0.012907000 1 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us "Comcast Cable Communications" 4071 128.121.136.217 us "NTT America" 21 6 0x83 0x01 0 0 0 0
B 4 0x0400000000004001 1168195799.527449000 1168195799.527938000 0.000489000 1 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us "NTT America" 21 67.180.72.76 us "Comcast Cable Communications" 4071 6 0x03 0x01The packet file shows the ftp status for each packet and the content, which matches the extracted command and parameter columns in the flow file. Here you can see also the text for the ftp return codes for the control flow. You can see the content being downloaded in flow 2.
head -n 14 ~/results/ftp-dpic_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags ftpStat l7Content
1 1 0x0400000000004000 1168195766.739929000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4075 128.121.136.217 us NTT America 21 6 0x01 0x01 TYPE I\r\n
2 1 0x0400000000004001 1168195766.751652000 0.000000000 0.011722944 0.000000000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 21 67.180.72.76 us Comcast Cable Communications 4075 6 0x01 0x01 200 Type set to I\r\n
3 1 0x0400000000004000 1168195766.752010000 0.012081000 0.000358016 0.012081000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4075 128.121.136.217 us NTT America 21 6 0x01 0x01 PASV\r\n
4 1 0x0400000000004001 1168195766.764051000 0.012399000 0.012041024 0.012399000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 21 67.180.72.76 us Comcast Cable Communications 4075 6 0x01 0x09 227 Entering Passive Mode (128,121,136,217,117,60).\r\n
5 2 0x0400000000004000 1168195766.764244000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4076 128.121.136.217 us NTT America 30012 6 0x00 0x00
6 2 0x0400000000004001 1168195766.782725000 0.000000000 0.018481024 0.000000000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 30012 67.180.72.76 us Comcast Cable Communications 4076 6 0x00 0x00
7 2 0x0400000000004000 1168195766.782811000 0.018567000 0.000086016 0.018567000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4076 128.121.136.217 us NTT America 30012 6 0x00 0x00
8 1 0x0400000000004000 1168195766.782932000 0.030922000 0.018880960 0.043003000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4075 128.121.136.217 us NTT America 21 6 0x01 0x09 SIZE /funwithbill/Microsoft-1978.jpg\r\n
9 1 0x0400000000004001 1168195766.806945000 0.042894000 0.024013056 0.055293000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 21 67.180.72.76 us Comcast Cable Communications 4075 6 0x01 0x09 213 64170\r\n
10 1 0x0400000000004000 1168195766.807113000 0.024181000 0.000168000 0.067184000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4075 128.121.136.217 us NTT America 21 6 0x01 0x09 RETR /funwithbill/Microsoft-1978.jpg\r\n
11 1 0x0400000000004001 1168195766.818968000 0.012023000 0.011854976 0.067316000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 21 67.180.72.76 us Comcast Cable Communications 4075 6 0x01 0x09 150 Opening BINARY mode data connection for /funwithbill/Microsoft-1978.jpg (64170 bytes)\r\n
12 2 0x0400000000004001 1168195766.827519000 0.044794000 0.044707968 0.044794000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 30012 67.180.72.76 us Comcast Cable Communications 4076 6 0x00 0x02 ......JFIF.....,.,.....C................\b.....\n...\b\f\n\f\f.\n..\r...\r..............\f.............C.......\t..\t.\r.\r......................................................\b......"....................................\b\t\n.....................}........!1A..Qa."q.2...\b#B...R..$3br.\t\n.....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................\b\t\n.....................w.......!1..AQ.aq."2.\b.B....\t#3R..br.\n.$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...........................................................................\f........?..E..+SP..(...(...(...(...(...(.....> .|'.-{Z.4...WN....KY<....|...x....4O..@......7>!.....R~..._.u...~...P..Q^.7.U...5x{....\rGP.R..M.!........Q'<..`...F._..?..\r....+...3u$V.Ms.2....(....2:Z+...*.kZ.b. ...Z..4V.i%.....H..fA..i\..C..}.....<Awm%.....,Q..+[.......|?/.$.`.......[.,.../..y.O3..4..W........eo....V..W..y,..,^_.....N....|G....K-7X.m.5[...O........2.......Rx.....gc....o._../CI..w?j./&H....f.
13 2 0x0400000000004001 1168195766.828740000 0.001221000 0.045928960 0.046015000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 30012 67.180.72.76 us Comcast Cable Communications 4076 6 0x00 0x02 2=..+.....O.x.].tM/W..W...-J.....Fc....5:Z+...w...S.,t}R.B.G.67............J.o..\n....!.....X..-.....H..y..\fq..E.w.VU..4..\f....V.Z4..j...O2)".|......\f..5..k..x\.}..T......(.....-j..Z...i.)w....^[\..H..H..V......:.Y...Y[Gwu..w:.v..G/....(..}......<...1.....~.I..e.......2.._..lyqbIq..^....:>.-...p.E..-k#"......./.x.-.\r^(..a.LV7q.k4...H..~.}+R.......C....G_.....O....E'..Z...V.......+..5c.[]x.G.9o...l$..U.~U...b...}.mq.G.ig.....s...&......+##...iZ...cm}es....^lWP..G,.Z....O.|..kK%.....\...Hm"...2..ryq..q..@.-..xc..j...<Quql-f.....O.I...+..)|...............m.5..Sk>.!.f..9%..?.k ......=....M......4.KT.....J.+[[....._._..O.W..?..........u...2....=".w?.z...h.s.~<.|.%.z..\r....\e[v?....".~.O.4xc....%...5H.o4..ol..S[7....G..~............jz........./b.....4..._*3..5............u(n....)o.../6Y".?0..ZB:Z+..Y.OD....;]..R.+.\bo..P..)c.A.......4.../\bh........Y....r\.e.I..|..i.......I...G?............hy...^3.y........?.|....>3........u..Ib.....Rc.....h?h{...K...S....*-9~...s../.....x............x.....d....t.V............\fK.....&\f...z..QZ...Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@....J.G.w.../.|q..Q...~..z....M.9%.m....4I.....C....M.....O.;.>...u.j:.....'W..'..H..\e../...w..#..X9.W.|g.1.............\.\.B=3V.Hm/b....2...T.9....+##..u......$..[..I.....Dj.......nzy^a.!.^..<.3Z~;.o.Y~<x_......E...Z-...s%....K.. ._............\t.v.....?..a...>...:~.q,.C7....d.G.......o.w..F._.i....<.,..F..=k.E.....M$....Q.....?\b<O....|P...N..............l....H"..X.U...%..
...The end report indicates extractable content. The flow file denotes name and status. Now we like to see it. Let’s data carve.
Data carving with ftpDecode
In order to enable the Data Carving mode FTP_SAVE has to be switched on.
Use t2conf and t2build to reconfigure and recompile ftpDecode and rerun
t2 on the pcap.
t2conf ftpDecode -D FTP_SAVE=1 && t2build ftpDecode
t2 -r ~/test_data/data/ftp-dpic.pcap -w ~/results... -------------------------------------------------------------------------------- tcpStates: Aggregated tcpStatesAFlags=0xc3 ftpDecode: Aggregated ftpStat=0x0f ftpDecode: Number of FTP control packets: 20 [21.74%] ftpDecode: Number of FTP-DATA packets: 69 [75.00%] ftpDecode: Number of files extracted: 1 -------------------------------------------------------------------------------- ...
We see that on content file was extracted and the status confirms that the file was properly extracted.
tawk -V ftpStat=0x0f
The ftpStat column with value 0x0f is to be interpreted as follows:
bit | ftpStat | Description
=============================================================================
0 | 0x01 | FTP control port found
1 | 0x02 | FTP passive parent flow
2 | 0x04 | FTP passive parent flow write finished
3 | 0x08 | FTP active parent flow
The flow file looks the same, except that the B flow 2 has the bit 0x04 set, indicating successful extraction.
tcol ~/results/ftp-dpic_flows.txt
By default the extracted files reside under the /tmp folder.
ls /tmp/FTPFILES/
ftp_flow_1_A.txt ftp_flow_1_B.txt _funwithbill_Microsoft-1978.jpg_2_B
The first two files are the command and response from flow 1, the third is our extracted file. T2 adds the file index and the flow direction to the file name. Let’s look into the files.
cat /tmp/FTPFILES/ftp_flow_1_A.txt
TYPE I
PASV
SIZE /funwithbill/Microsoft-1978.jpg
RETR /funwithbill/Microsoft-1978.jpgcat /tmp/FTPFILES/ftp_flow_1_B.txt
200 Type set to I
227 Entering Passive Mode (128,121,136,217,117,60).
213 64170
150 Opening BINARY mode data connection for /funwithbill/Microsoft-1978.jpg (64170 bytes)
226 Transfer complete.eog _funwithbill_Microsoft-1978.jpg_2_B
You know these murky guys, right?
We missed something from the tcpStates plugin in the end report:
tawk -V tcpStatesAFlags=0xc3
The tcpStatesAFlags column with value 0xc3 is to be interpreted as follows:
bit | tcpStatesAFlags | Description
=============================================================================
0 | 0x01 | Malformed connection establishment
1 | 0x02 | Malformed teardown
6 | 0x40 | Reset from sender
7 | 0x80 | Potential evil behavior (scan)
Bits 0, 1 and 6 can happen, sometimes computers are very impatient, especially when the OS of the guys above is involved. The evil behavior is an estimate, which is often a false positive, because of the tear down sequence, which might happen during scans.
In order to verify that load tcpFlags and tp0f, recompile, rerun t2
and look into the flow file again.
You will see that the OS Windows is indeed the originator of abnormal tear-downs in flow 1 and 2 and the evil bit in the Microsoft part of flow 3 and 4. That seems appropriate :-)
Additionally in tcpAnomaly flags scan behavior in flow 3 and 4.
t2build basicStats tcpFlags tp0f
t2 -r ~/test_data/data/ftp-dpic.pcap -w ~/results
tawk ‘bitsanyset($tcpAnomaly,0x2000)’ ~/results/ftp-dpic_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tp0fStat tp0fDis tp0fClName tp0fPrName tp0fVerName tcpFStat ipMindIPID ipMaxdIPID ipMinTTL ipMaxTTL ipTTLChg ipToS ipFlags ipOptCnt ipOptCpCl_Num ip6OptCntHH_D ip6OptHH_D tcpISeqN tcpPSeqCnt tcpSeqSntBytes tcpSeqFaultCnt tcpPAckCnt tcpFlwLssAckRcvdBytes tcpAckFaultCnt tcpBFlgtMx tcpInitWinSz tcpAveWinSz tcpMinWinSz tcpMaxWinSz tcpWinSzDwnCnt tcpWinSzUpCnt tcpWinSzChgDirCnt tcpWinSzThRt tcpFlags tcpAnomaly tcpOptPktCnt tcpOptCnt tcpOptions tcpMSS tcpWS tcpMPTBF tcpMPF tcpMPAID tcpMPDSSF tcpTmS tcpTmER tcpEcI tcpUtm tcpBtm tcpSSASAATrip tcpRTTAckTripMin tcpRTTAckTripMax tcpRTTAckTripAve tcpRTTAckTripJitAve tcpRTTSseqAA tcpRTTAckJitAve tcpStatesAFlags ftpStat ftpCDFindex ftpCC ftpRC ftpNumUser ftpUser ftpNumPass ftpPass ftpNumCP ftpCP ftpPLen
A 3 0x0400000000004000 1168195798.794148000 1168195798.808733000 0.014585000 1 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us "Comcast Cable Communications" 4072 128.121.136.217 us "NTT America" 21 6 0x00 0 win Windows unknown 0x0011 1 1 128 128 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 214829931 2 0 0 2 0 0 0 16860 16860 16860 16860 0 0 0 0 0x0111 0x3000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000000 0 0.01393402 0.01449805 0.01421603 0.009860906 0 0 0x83 0x01 0 0 0 0
B 3 0x0400000000004001 1168195798.808082000 1168195798.808646000 0.000564000 1 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us "NTT America" 21 67.180.72.76 us "Comcast Cable Communications" 4072 6 0x00 12 unix Linux unknown 0x0011 1 1 52 52 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 308530437 2 0 0 2 0 0 0 33580 33580 33580 33580 0 0 0 0 0x0111 0x2000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000000 0 8.6976e-05 8.6976e-05 4.3488e-05 6.150132e-05 0.01425952 0.009861098 0x03 0x01 0 0 0 0
A 4 0x0400000000004000 1168195799.515059000 1168195799.527966000 0.012907000 1 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us "Comcast Cable Communications" 4071 128.121.136.217 us "NTT America" 21 6 0x00 0 win Windows unknown 0x0011 1 1 128 128 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 2886500455 2 0 0 2 0 0 0 17218 17218 17218 17218 0 0 0 0 0x0111 0x3000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000000 0 0.01238998 0.01287898 0.01263448 0.008767863 0 0 0x83 0x01 0 0 0 0
B 4 0x0400000000004001 1168195799.527449000 1168195799.527938000 0.000489000 1 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us "NTT America" 21 67.180.72.76 us "Comcast Cable Communications" 4071 6 0x00 12 unix Linux unknown 0x0011 1 1 52 52 0 0x00 0x0040 0 0x00_0x00000000 0_0 0x00000000_0x00000000 785817037 2 0 0 2 0 0 0 33580 33580 33580 33580 0 0 0 0 0x0111 0x2000 0 0 0x00000000 0 0 0x0000 0x00 0 0x00 0 0 0 0.000000 0.000000000 0 2.8032e-05 2.8032e-05 1.4016e-05 1.982162e-05 0.0126485 0.008767885 0x03 0x01 0 0 0 0So does the Anteater smell evil OS or behavior? Let’s look at flow 4 in detail:
tawk 'hdr() || flow(4)' ~/results/ftp-dpic_packets.txt | tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tp0fStat tp0fDis tp0fPrName tp0fVerName ipToS ipID ipIDDiff ipFrag ipTTL ipHdrChkSum ipCalChkSum l4HdrChkSum l4CalChkSum ipFlags ip6HHOptLen ip6HHOpts ip6DOptLen ip6DOpts ipOptLen ipOpts seq ack seqMax seqDiff ackDiff seqLen ackLen seqFlowLen ackFlowLen tcpMLen tcpBFlgt tcpFStat tcpFlags tcpAnomaly tcpWin tcpWS tcpMSS tcpTmS tcpTmER tcpMPTyp tcpMPF tcpMPAID tcpMPDSSF tcpOptLen tcpOpts tcpStatesAFlags ftpStat l7Content
88 4 0x0400000000004000 1168195799.515059000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4071 128.121.136.217 us NTT America 21 6 0x00 0 Windows unknown 0x00 34267 0 0x4000 128 0xdfa1 0xdfa1 0xce2a 0xce2a 0x0040 0 0 0 2886500455 785817037 2886500455 0 0 0 0 0 0 0 0 0x0010 0x0111 0x0000 17218 0 0 0 0 0 0x00 0 0x00 0 0x01 0x01
89 4 0x0400000000004001 1168195799.527449000 0.000000000 0.012389984 0.000000000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 21 67.180.72.76 us Comcast Cable Communications 4071 6 0x00 12 Linux unknown 0x00 20400 0 0x4000 52 0x61cd 0x61cd 0x8e40 0x8e40 0x0040 0 0 0 785817037 2886500456 785817037 0 0 0 0 0 0 0 0 0x0010 0x0010 0x0000 33580 0 0 0 0 0 0x00 0 0x00 0 0x01 0x01
90 4 0x0400000000004001 1168195799.527938000 0.000489000 0.012878976 0.000489000 3 eth:ipv4:tcp 00:01:5c:22:a5:82 00:16:36:a9:08:20 0x0800 128.121.136.217 us NTT America 21 67.180.72.76 us Comcast Cable Communications 4071 6 0x00 12 Linux unknown 0x00 20401 1 0x4000 52 0x61cc 0x61cc 0x8e3f 0x8e3f 0x0040 0 0 0 785817037 2886500456 785817037 0 0 0 0 0 0 0 0 0x0011 0x0111 0x0000 33580 0 0 0 0 0 0x00 0 0x00 0 0x01 0x01
91 4 0x0400000000004000 1168195799.527966000 0.012907000 0.000028032 0.012907000 3 eth:ipv4:tcp 00:16:36:a9:08:20 00:01:5c:22:a5:82 0x0800 67.180.72.76 us Comcast Cable Communications 4071 128.121.136.217 us NTT America 21 6 0x00 0 Windows unknown 0x00 34268 1 0x4000 128 0xdfa0 0xdfa0 0xce29 0xce29 0x0040 0 0 0 2886500456 785817038 2886500456 1 1 0 0 0 0 0 0 0x0011 0x0010 0x0000 17218 0 0 0 0 0 0x00 0 0x00 0 0x01 0x01tcpAnomaly = 0x0000 in the packet file. WTF?
So why the flags in the flow file?
On flow terminate the tcpStates collects all information about the compliance of the RFC TCP state-machine. If it sees certain aberration, it compares it also with facts known from scans, and if all fits it flags it as EVIL. Now, that can go wrong, as you saw here, because sometimes programmers do not comply with standards. Even tcpFlags tripped.
Look at packet 88,90
tawk -V tcpFlags=0x0111The tcpFlags column with value 0x0111 is to be interpreted as follows: bit | tcpFlags | Description ============================================================================= 0 | 0x0001 | FIN: No more data, finish connection 4 | 0x0010 | ACK: Acknowledgement field value valid 8 | 0x0100 | FIN_ACK: Acknowledgement of FIN
That is an unusual termination, normally you have only a FIN first. Now look at column tp0fPrName, now you know. Microsoft never sticks to RFC. So false alarm, or another Microsoft detector.
Conclusion
So always watch your 6 and look into the packet file if in doubt. Try your own FTP traffic. And don’t forget to reset the plugin configuration for the next tutorial.
t2conf ftpDecode --reset && t2build ftpDecode
Have fun with FTP!