TFTP: Trivial File Transport Protocol
Introduction
TFTP is a simple file transfer protocol running over UDP that uses a basic idle repeat request (stop-and-wait) procedure for error control: each data block must be acknowledged before the next one is sent. This tutorial discusses the features of the plugin tftpDecode, including its data carving capability.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates tftpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: tftp_rrq.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing TFTP traffic!
tftpDecode
Let’s look at the plugin configuration first. As in all plugins capable of data carving, the user can set TFTP_SAVE to 1 to save the extracted content and choose where it is written with TFTP_F_PATH.
The other constants control how the TFTP commands are reported and the maximal length of file names in the flow file.
tftpDecode
vi src/tftpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define TFTP_SAVE 0 // save content to TFTP_F_PATH
#define TFTP_CMD_AGGR 1 // Aggregate TFTP commands/errors
#define TFTP_BTFLD 0 // Bitfield coding of TFTP commands/errors
#define TFTP_MXNMLN 15 // maximal name length
#define TFTP_MAXCNM 4 // maximal length of command field
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define TFTP_RMDIR 1 // empty TFTP_F_PATH before starting (require TFTP_SAVE=1)
#define TFTP_F_PATH "/tmp/TFTPFILES/" // Path for extracted content
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
For the first test we leave everything at its default and run t2 on the supplied pcap. The -s option additionally writes a packet file next to the flow file; it is used further down.
t2 -r ~/data/tftp_rrq.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 40172, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: tftpDecode, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/tftp_rrq.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1367411051.972852000 sec (Wed 01 May 2013 12:24:11 GMT)
Dump stop : 1367411052.258801000 sec (Wed 01 May 2013 12:24:12 GMT)
Total dump duration: 0.285949000 sec
Finished processing. Elapsed time: 0.001138493 sec
Finished unloading flow memory. Time: 0.001172579 sec
Percentage completed: 100.00%
Number of processed packets: 99
Number of processed bytes: 29855 (29.86 K)
Number of raw bytes: 29855 (29.86 K)
Number of pad bytes: 686
Number of pcap bytes: 31463 (31.46 K)
Number of IPv4 packets: 99 [100.00%]
Number of A packets: 50 [50.51%]
Number of B packets: 49 [49.49%]
Number of A bytes: 26915 (26.91 K) [90.15%]
Number of B bytes: 2940 (2.94 K) [9.85%]
<A packet load>: 538.30
<B packet load>: 60.00
--------------------------------------------------------------------------------
tftpDecode: Aggregated tftpStat=0x2001
tftpDecode: Number of TFTP packets: 99 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of UDP packets: 99 [100.00%]
Number of UDP bytes: 29855 (29.86 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 3
Number of processed IPv4 flows: 3 [100.00%]
Number of processed A flows: 2 [66.67%]
Number of processed B flows: 1 [33.33%]
Number of request flows: 2 [66.67%]
Number of reply flows: 1 [33.33%]
Total A/B flow asymmetry: 0.33
Total req/rply flow asymmetry: 0.33
Number of processed A+B packets/A+B flows: 33.00
Number of processed A packets/A flows: 25.00
Number of processed B packets/ B flows: 49.00
Number of processed total packets/s: 346.22
Number of processed A+B packets/s: 346.22
Number of processed A packets/s: 174.86
Number of processed B packets/s: 171.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 10.49
<Bandwidth>: 816062 b/s (816.06 Kb/s)
<Raw bandwidth>: 835254 b/s (835.25 Kb/s)
Max number of flows in memory: 3 [0.00%]
Memory usage: 0.03 GB [0.05%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
We have three flows, all TFTP. The aggregated tftpStat of 0x2001 tells us that, besides a normal TFTP flow, a passive TFTP flow was seen. That is how RFC 1350 works: the request goes to port 69, but the server answers from a freshly chosen port (its transfer ID), so the actual data transfer appears as a second flow, which tftpDecode marks as passive.
The tftpStat column with value 0x2001 is interpreted as follows:
bit | tftpStat | Description
=============================================================================
0 | 0x0001 | TFTP flow found
13 | 0x2000 | TFTP passive
In the flow file, the column tftpPFlow links the dependent flows: flow 1, the request to port 69, carries tftpPFlow 2, and flow 2, the transfer from the server's port 3445, carries tftpPFlow 1. This is the same feature ftpDecode offers for FTP control and data connections, and it makes finding the dependent flow easy. tftpOpcode lists the commands seen per flow (RRQ, DTA, ACK) and tftpParam the request parameters: the downloaded file name rfc1350.txt and the transfer mode octet, i.e. a binary transfer.
tcol ~/results/tftp_rrq_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags tftpStat tftpPFlow tftpNumOpcode tftpOpcode tftpNumParam tftpParam tftpNumErr tftpErrC
A 1 0x0400000000004000 1367411051.972852000 1367411051.972852000 0.000000000 1 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 "Private network" 50618 192.168.0.10 07 "Private network" 69 17 0x00 0x2001 2 1 RRQ 2 "rfc1350.txt";"octet" 0
A 2 0x0400000000004000 1367411052.077243000 1367411052.256145000 0.178902000 1 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 "Private network" 3445 192.168.0.253 07 "Private network" 50618 17 0x00 0x2001 1 1 DTA 0 0
B 2 0x0400000000004001 1367411052.081790000 1367411052.258801000 0.177011000 1 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 "Private network" 50618 192.168.0.10 07 "Private network" 3445 17 0x00 0x2001 1 1 ACK 0 0
The packet file shows tftpStat and the opcode of every packet together with the whole l7Content. Here the idle repeat request nature of TFTP becomes visible: the server sends one 512-byte DATA block and waits, the client answers with an ACK carrying that block number, and only then does the next block follow, so every data packet has its ACK. If you load the plugin basicStats you will notice this behaviour in the flow statistics as well. I leave that to the reader.
tcol ~/results/tftp_rrq_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags tftpStat tftpOpcode l7Content
1 1 0x0400000000004000 1367411051.972852000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 69 17 0x00 0x1001 RRQ ..rfc1350.txt.octet.
2 2 0x0400000000004000 1367411052.077243000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x00 0x2001 DTA ....\n\n\n\n\n\nNetwork Working Group K. Sollins\nRequest For Comments: 1350 MIT\nSTD: 33 July 1992\nObsoletes: RFC 783\n\n\n THE TFTP PROTOCOL (REVISION 2)\n\nStatus of this Memo\n\n This RFC specifies an IAB standards track protocol for the Internet\n community, and requests discussion and suggestions for improvements.\n Please refer to the current edition of the "IA
3 2 0x0400000000004001 1367411052.081790000 0.000000000 0.004547000 0.000000000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x00 0x2001 ACK ....
4 2 0x0400000000004000 1367411052.086300000 0.009057000 0.004510000 0.009057000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x00 0x2001 DTA ....B Official Protocol\n Standards" for the standardization state and status of this protocol.\n Distribution of this memo is unlimited.\n\nSummary\n\n TFTP is a very simple protocol used to transfer files. It is from\n this that its name comes, Trivial File Transfer Protocol or TFTP.\n Each nonterminal packet is acknowledged separately. This document\n describes the protocol and its types of packets. The document also\n explains the reasons behind some of the design decisions.\n\nAcknowlegements\n\n The
5 2 0x0400000000004001 1367411052.088961000 0.007171000 0.002661000 0.007171000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x00 0x2001 ACK ....
6 2 0x0400000000004000 1367411052.088995000 0.002695000 0.000034000 0.011752000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x00 0x2001 DTA ....protocol was originally designed by Noel Chiappa, and was\n redesigned by him, Bob Baldwin and Dave Clark, with comments from\n Steve Szymanski. The current revision of the document includes\n modifications stemming from discussions with and suggestions from\n Larry Allen, Noel Chiappa, Dave Clark, Geoff Cooper, Mike Greenwald,\n Liza Martin, David Reed, Craig Milo Rogers (of USC-ISI), Kathy\n Yellick, and the author. The acknowledgement and retransmission\n scheme was inspired by TCP, and the erro
7 2 0x0400000000004001 1367411052.091646000 0.002685000 0.002651000 0.009856000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x00 0x2001 ACK ....
8 2 0x0400000000004000 1367411052.091675000 0.002680000 0.000029000 0.014432000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x00 0x2001 DTA ....r mechanism was suggested by\n PARC's EFTP abort message.\n\n The May, 1992 revision to fix the "Sorcerer's Apprentice" protocol\n bug [4] and other minor document problems was done by Noel Chiappa.\n\n This research was supported by the Advanced Research Projects Agency\n of the Department of Defense and was monitored by the Office of Naval\n Research under contract number N00014-75-C-0661.\n\n1. Purpose\n\n TFTP is a simple protocol to transfer files, and therefore was named\n the Trivial File Transfer
9 2 0x0400000000004001 1367411052.094383000 0.002737000 0.002708000 0.012593000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x00 0x2001 ACK ....
10 2 0x0400000000004000 1367411052.094416000 0.002741000 0.000033000 0.017173000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x00 0x2001 DTA .... Protocol or TFTP. It has been implemented\n on top of the Internet User Datagram protocol (UDP or Datagram) [2]\n\n\n\nSollins [Page 1]\n\f\nRFC 1350 TFTP Revision 2 July 1992\n\n\n so it may be used to move files between machines on different\n networks implementing UDP. (This should not exclude the possibility\n of implementing TFTP on top of other datagram protocols.) It is\n designed to be small and easy to imp
11 2 0x0400000000004001 1367411052.096993000 0.002610000 0.002577000 0.015203000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x00 0x2001 ACK ....
12 2 0x0400000000004000 1367411052.097021000 0.002605000 0.000028000 0.019778000 3 eth:ipv4:udp 00:50:8d:d7:8b:43 00:0b:be:18:9a:40 0x0800 192.168.0.10 07 Private network 3445 192.168.0.253 07 Private network 50618 17 0x00 0x2001 DTA ....lement. Therefore, it lacks most\n of the features of a regular FTP. The only thing it can do is read\n and write files (or mail) from/to a remote server. It cannot list\n directories, and currently has no provisions for user authentication.\n In common with other Internet protocols, it passes 8 bit bytes of\n data.\n\n Three modes of transfer are currently supported: netascii (This is\n ascii as defined in "USA Standard Code for Information Interchange"\n [1] with the modifications specified in "
13 2 0x0400000000004001 1367411052.099703000 0.002710000 0.002682000 0.017913000 3 eth:ipv4:udp 00:0b:be:18:9a:40 00:50:8d:d7:8b:43 0x0800 192.168.0.253 07 Private network 50618 192.168.0.10 07 Private network 3445 17 0x00 0x2001 ACK ....
...
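To make the passive-flow link and the stop-and-wait exchange concrete, here is an added example in Python; it is not tranalyzer code and does not use tftpDecode. It decodes the five RFC 1350 packet types, groups packets into flows, links the request flow on port 69 to the data flow the server opens from its new transfer ID (the tftpPFlow relation above), and reassembles the transferred bytes from the DATA blocks, which is what data carving amounts to. The addresses and ports are those of the tutorial's pcap; the packets, the file body and the retransmitted block are constructed, so the carved file is not rfc1350.txt.

```python
"""TFTP (RFC 1350) decoder, passive-flow linker and carver. Added example, not tranalyzer code
and not the tftpDecode plugin; addresses and ports follow the tutorial's pcap, packets are constructed."""
import struct
from dataclasses import dataclass, field

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DTA", 4: "ACK", 5: "ERR"}  # DTA as in the flow file
TFTP_PORT = 69
BLKSIZE = 512  # fixed block size; a DATA block shorter than this ends the transfer

@dataclass
class TftpPacket:
    opcode: str
    params: tuple = ()   # (filename, mode) for RRQ/WRQ
    block: int = -1      # block number for DTA/ACK
    data: bytes = b""    # DATA payload
    error: tuple = ()    # (code, message) for ERR

def parse_tftp(payload: bytes) -> TftpPacket:
    """Decode one UDP payload; raise ValueError on anything that is not well-formed TFTP."""
    if len(payload) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    op = struct.unpack("!H", payload[:2])[0]
    if op in (1, 2):  # <filename>\0<mode>\0, optionally followed by RFC 2347 option pairs
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:  # the two terminating NULs leave an empty tail element
            raise ValueError("request without NUL-terminated filename and mode")
        name, mode = (f.decode("ascii", "replace") for f in fields[:2])
        return TftpPacket(OPCODES[op], (name, mode.lower()))
    if op in (3, 4):
        block = struct.unpack("!H", payload[2:4])[0]
        return TftpPacket(OPCODES[op], block=block, data=payload[4:] if op == 3 else b"")
    if op == 5:
        msg = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return TftpPacket("ERR", error=(struct.unpack("!H", payload[2:4])[0], msg))
    raise ValueError(f"unknown TFTP opcode {op}")

@dataclass
class Flow:
    index: int
    opcodes: list = field(default_factory=list)
    params: tuple = ()
    pflow: int = 0                              # index of the linked flow (tftpPFlow), 0 if none
    blocks: dict = field(default_factory=dict)  # block number -> data, for carving
    complete: bool = False

class TftpTracker:
    """Groups packets into bidirectional flows and links each request flow to its data flow."""
    def __init__(self):
        self.flows, self.by_key, self.pending = [], {}, {}

    def _flow_for(self, src, sport, dst, dport):
        for key in ((src, sport, dst, dport), (dst, dport, src, sport)):
            if key in self.by_key:
                return self.by_key[key]
        flow = self.by_key[(src, sport, dst, dport)] = Flow(len(self.flows) + 1)
        self.flows.append(flow)
        return flow

    def feed(self, src, sport, dst, dport, payload):
        pkt = parse_tftp(payload)
        flow = self._flow_for(src, sport, dst, dport)
        if pkt.opcode not in flow.opcodes:
            flow.opcodes.append(pkt.opcode)
        if pkt.opcode in ("RRQ", "WRQ"):
            flow.params = pkt.params
            self.pending[(src, sport, dst)] = flow  # the server answers from a new port (its TID)
        elif flow.pflow == 0:  # first DATA/ACK on a new 4-tuple: find the request it belongs to
            for key in ((src, sport, dst), (dst, dport, src)):
                req = self.pending.get(key)
                if req is not None and req is not flow:
                    flow.pflow, req.pflow, flow.params = req.index, flow.index, req.params
                    break
        if pkt.opcode == "DTA":
            flow.blocks.setdefault(pkt.block, pkt.data)  # keep the first copy of a retransmitted block
            if len(pkt.data) < BLKSIZE:
                flow.complete = True
        return flow, pkt

    def carve(self, flow):
        # Reassemble the file; None if unfinished or a block is missing. No 16-bit wraparound
        # handling, so this assumes the block counter never passes 65535 (files below 32 MiB).
        if not flow.complete or not flow.blocks:
            return None
        last = max(flow.blocks)
        if set(flow.blocks) != set(range(1, last + 1)):
            return None
        return b"".join(flow.blocks[n] for n in range(1, last + 1))

def demo():
    # Replay a read request as in the tutorial's pcap: RRQ to port 69, DATA from a new server port.
    client, server = "192.168.0.253", "192.168.0.10"
    content = b"constructed file body, not rfc1350.txt: " + bytes(range(256)) * 3  # 808 bytes: 512 + 296
    chunks = [content[i:i + BLKSIZE] for i in range(0, len(content), BLKSIZE)]
    if len(content) % BLKSIZE == 0:  # exact multiple of 512: the sender closes with an empty block
        chunks.append(b"")
    t = TftpTracker()
    t.feed(client, 50618, server, TFTP_PORT, struct.pack("!H", 1) + b"rfc1350.txt\x00octet\x00")
    for n, chunk in enumerate(chunks, start=1):
        t.feed(server, 3445, client, 50618, struct.pack("!HH", 3, n) + chunk)
        if n == 1:  # constructed retransmission of block 1, as after a lost ACK
            t.feed(server, 3445, client, 50618, struct.pack("!HH", 3, n) + chunk)
        t.feed(client, 50618, server, 3445, struct.pack("!HH", 4, n))
    req, data_flow = t.flows[0], t.flows[1]
    return {"links": (req.pflow, data_flow.pflow), "opcodes": (req.opcodes, data_flow.opcodes),
            "request": req.params, "carved": t.carve(data_flow), "expected": content}
```

demo() returns the link pair (2, 1), the opcodes per flow and the carved bytes, which equal the constructed input even though block 1 arrived twice. Note that the tracker keys flows bidirectionally, so one Flow covers what the flow file shows as an A and a B row; and carve() refuses to paper over a missing block, which is the honest answer when a capture has packet loss.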
Now let’s see what is in the downloaded file.
Data Carving with tftpDecode
To enable the data carving mode, set TFTP_SAVE=1, recompile the plugin and rerun t2 on the pcap:
t2conf tftpDecode -D TFTP_SAVE=1 && t2build tftpDecode
t2 -r ~/data/tftp_rrq.pcap -w ~/results/
...
--------------------------------------------------------------------------------
tftpDecode: Aggregated tftpStat=0x2001
tftpDecode: Number of TFTP packets: 99 [100.00%]
tftpDecode: Number of files extracted: 1
--------------------------------------------------------------------------------
...
The end report now states that one file was extracted. By default the extracted content is written under /tmp/TFTPFILES/ (TFTP_F_PATH), with the same naming convention as ftpDecode: the requested file name with the flow index and the flow direction appended. Two things to keep in mind: TFTP_RMDIR=1 empties TFTP_F_PATH before every run, so do not point it at a directory that holds anything else, and the carved bytes are exactly what the peer put on the wire, so handle them like any other untrusted sample. Now move to TFTP_F_PATH and look into the file.
ls /tmp/TFTPFILES/
rfc1350.txt_1_A
cat /tmp/TFTPFILES/rfc1350.txt_1_A
...
Network Working Group K. Sollins
Request For Comments: 1350 MIT
STD: 33 July 1992
Obsoletes: RFC 783
THE TFTP PROTOCOL (REVISION 2)
Status of this Memo
This RFC specifies an IAB standards track protocol for the Internet
community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "IAB Official Protocol
Standards" for the standardization state and status of this protocol.
Distribution of this memo is unlimited.
...
An RFC about TFTP, fetched over TFTP. Try your own TFTP traffic: PXE boot files, network device configurations and firmware images are the usual payloads, and since TFTP has neither authentication nor encryption, everything in them is readable from the capture. Maybe you find something more exciting.
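Once you run this on your own traffic you will want to skim the flow file rather than read it row by row. The script below is an added example, not part of the tutorial or of tranalyzer; it parses a txtSink flow file (default tab separator, the column names from the listing above) and lists every TFTP request with client, server, file name and mode, flagging what deserves a look: writes (WRQ) to a server, names that look like path traversal, and requests that never got a passive flow, which is what probing for file names looks like. The sample rows are constructed: the first three mirror the tutorial's output, the others are invented for the demonstration, and all are trimmed to the columns the script reads.

```python
"""Triage of TFTP requests in a tranalyzer flow file. Added example, not part of the tutorial
or of tranalyzer; assumes txtSink's default tab separator and the column names shown in the flow
file. SAMPLE_FLOWS is constructed: the first three rows follow the tutorial's output, the rest
are invented, and all are trimmed to the columns the script reads."""

SAMPLE_FLOWS = (
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\ttftpStat\ttftpPFlow\ttftpOpcode\ttftpParam\n"
    'A\t1\t192.168.0.253\t50618\t192.168.0.10\t69\t0x2001\t2\tRRQ\t"rfc1350.txt";"octet"\n'
    "A\t2\t192.168.0.10\t3445\t192.168.0.253\t50618\t0x2001\t1\tDTA\t\n"
    "B\t2\t192.168.0.253\t50618\t192.168.0.10\t3445\t0x2001\t1\tACK\t\n"
    'A\t3\t192.168.0.77\t41000\t192.168.0.10\t69\t0x2001\t4\tWRQ\t"startup-config";"octet"\n'
    "A\t4\t192.168.0.10\t3446\t192.168.0.77\t41000\t0x2001\t3\tACK\t\n"
    "B\t4\t192.168.0.77\t41000\t192.168.0.10\t3446\t0x2001\t3\tDTA\t\n"
    'A\t5\t10.0.0.5\t60001\t192.168.0.10\t69\t0x0001\t0\tRRQ\t"..\\..\\boot.ini";"octet"\n'
    'A\t6\t10.0.0.5\t60002\t192.168.0.10\t69\t0x0001\t0\tRRQ\t"/etc/passwd";"netascii"\n'
)

def parse_flow_file(text):
    """Turn a txtSink flow file into a list of dicts keyed by the column names of the %-header."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    header = lines[0].lstrip("%").split("\t")
    rows = []
    for ln in lines[1:]:
        cells = ln.split("\t")
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows

def tftp_params(value):
    """tftpParam holds the request's strings as a ';'-separated list of quoted values."""
    return [p.strip('"') for p in value.split(";") if p]

def triage(rows):
    """Return (transfers, findings): one entry per TFTP request flow and the things worth a look."""
    transfers, findings = [], []
    for r in rows:
        ops = r["tftpOpcode"].split(";")  # repeated values are ';'-separated in the flow file
        if r["dstPort"] != "69" or not ({"RRQ", "WRQ"} & set(ops)):
            continue  # only the request flow to port 69 carries the file name and mode
        name, mode = (tftp_params(r["tftpParam"]) + ["", ""])[:2]
        t = {"flow": int(r["flowInd"]), "client": r["srcIP"], "server": r["dstIP"],
             "op": "WRQ" if "WRQ" in ops else "RRQ", "file": name, "mode": mode,
             "answered": r["tftpPFlow"] != "0"}  # no passive flow: the server never replied
        transfers.append(t)
        where = f"flow {t['flow']} {t['client']} -> {t['server']}"
        if t["op"] == "WRQ":
            findings.append(f"{where}: upload of {name!r}, check who may write to this server")
        parts = name.replace("\\", "/").split("/")  # servers on Windows see backslashes too
        if ".." in parts or name.startswith(("/", "\\")):
            findings.append(f"{where}: path-traversal-style name {name!r}")
        if not t["answered"]:
            findings.append(f"{where}: {t['op']} for {name!r} never answered (no passive flow)")
    return transfers, findings

def per_server(transfers):
    """Requests grouped by server, handy for spotting one client probing many names."""
    out = {}
    for t in transfers:
        out.setdefault(t["server"], []).append((t["client"], t["op"], t["file"]))
    return out

if __name__ == "__main__":
    transfers, findings = triage(parse_flow_file(SAMPLE_FLOWS))
    for t in transfers:
        print(t)
    print("\n".join(findings))
```

To run it on a real file, replace SAMPLE_FLOWS with the contents of ~/results/tftp_rrq_flows.txt. The heuristics are deliberately simple; what they buy you is a short list of request flows to pair with their passive flows, and with TFTP_SAVE=1 the carved files of exactly those transfers.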
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf tftpDecode --reset && t2build tftpDecode
Have fun analyzing.