Network Forensics
Unit 2 - Network Forensics (FTP, SSH and SSL/TLS)
Last Update Unknown
FTP Protocol
FTP Response Codes
Code | Response |
---|---|
125 | Data connection already open, transfer starting |
150 | File status okay, about to open data connection. |
200 | Command okay. |
202 | Command not implemented. |
211 | System status, or system help reply. |
212 | Directory status. |
226 | Closing data connection. Requested file action successful (file transfer, abort, etc.). |
227 | Entering Passive Mode |
230 | User logged in, proceed. |
250 | Requested file action okay, completed. |
331 | User name okay, need password. |
332 | Need account for login. |
350 | Requested file action pending further information. |
421 | Service not available, closing control connection. |
425 | Can't open data connection. |
426 | Connection closed, transfer aborted. |
FTP Command List
FTP Command | Command Syntax | Description of Command |
---|---|---|
! | ! [command [args]] | Preceding a command with the exclamation point will cause the command to execute on the local system instead of the remote system. |
append | append <localfile> [remotefile] | Appends a local file to a file on the remote computer using the current file type setting. |
ascii | ascii | Sets the file transfer type to ASCII. In ASCII mode, character conversions to and from the network standard character set are performed. |
bell | bell | Toggles an audible sound to occur after each file transfer command is completed. By default, this command is toggled off. |
binary | binary | Sets the file transfer type to binary. In binary mode, files are transferred in one-byte units. |
bye | bye | Ends the ftp session on the remote computer, and then exits. |
cd | cd <remotedirectory> | Changes the working directory on the remote computer. |
close | close | Ends the ftp session with the remote server and remains at the ftp> prompt. |
debug | debug | Toggles Debugging mode. By default, Debugging mode is turned off. If Debugging mode is turned on, you'll see each command sent to the remote computer, preceded by the > character. |
delete | delete <remotefile> | Deletes files on remote computers. |
dir | dir [<remotedirectory>] [<localfile>] | Displays a list of directory files and subdirectories on a remote computer. dir -C = lists the files in wide format. dir -1 = Lists the files in bare format in alphabetic order. dir -r = Lists directory in reverse alphabetic order. dir -R = Lists all files in current directory and sub directories. dir -S = Lists files in bare format in alphabetic order. |
disconnect | disconnect | Disconnects from the remote computer and remains at the ftp> prompt. |
get | get <remotefile> [<localfile>] | Copies a remote file to the local computer using the current file transfer type. |
glob | glob | Toggles allowing wildcard expansion for local file names. By default, globbing (wildcard expansion) is turned on. If globbing is turned on, you'll be able to use the asterisk (*) and question mark (?) as wildcard characters in local file or path names. |
hash | hash | Toggles number sign (#) printing for each transferred data block. By default, the hash command is turned off. The size of a data block is 2048 bytes. |
help | help [command] | Accesses the Help screen and displays information about the command if the command is typed after help. |
lcd | lcd [<directory>] | Changes the working directory on the local computer. By default, the working directory is the directory in which the ftp command was started. |
literal | literal <argument> [ ] | Sends verbatim arguments to the remote ftp server. A single ftp reply code is returned. |
ls | ls [<remotedirectory>] [<localfile>] | Displays an abbreviated list of files and subdirectories from the remote computer. |
mget | mget <remotefile>[ ] | Copies remote files to the local computer using the current file transfer type. |
mdelete | mdelete <remotefile>[...] | Deletes files on the remote computer. |
mdir | mdir <remotefile>[...] <localfile> | Displays a directory list of files and subdirectories in a remote directory. To display a directory listing of dir1 and dir2 on the screen, type: mdir dir1 dir2. To save the combined directory listing of dir1 and dir2 in a local file called dirlist.txt, type: mdir dir1 dir2 dirlist.txt |
mkdir | mkdir <directory> | Creates a directory on the remote computer. |
mls | mls <remotefile>[ ] <localfile> | Displays an abbreviated list of files and subdirectories in a remote directory. |
mput | mput <localfile>[ ] | Copies local files to the remote computer using the current file transfer type. |
open | open <computer> [<port>] | Connects to the specified ftp server. |
prompt | prompt | Toggles Prompt mode on and off. By default, Prompt mode is turned on. If Prompt mode is turned on, the ftp command prompts during multiple file transfers to allow you to selectively retrieve or store files. |
put | put <localfile> [<remotefile>] | Copies a local file to the remote computer using the current file transfer type. |
pwd | pwd | Displays the current remote computer directory. |
quit | quit | Ends the ftp session with the remote computer, and then exits. |
quote | quote <argument>[ ] | Send a string to an FTP server and issue commands that the FTP client doesn't implement. (Same as 'literal' command) |
recv | recv <remotefile> [<localfile>] | Copies a remote file to the local computer using the current file transfer type. |
remotehelp | remotehelp [<command>] | Displays help for remote commands. |
rename | rename <filename> <newfilename> | Renames remote files. |
rmdir | rmdir <directory> | Deletes a remote directory. |
send | send <localfile> [<remotefile>] | Copies a local file to the remote computer using the current file transfer type. |
status | status | Displays the current status of ftp connections. |
trace | trace | Toggles packet tracing. This command also displays the series of internal FTP function calls when running a ftp command. |
type | type [<typename>] | Sets or displays the file transfer type. The ftp command supports both ASCII (default) and binary image file transfer types. |
user | user <username> [<password>] [<account>] | Specifies a user to the remote computer. |
verbose | verbose | Toggles Verbose mode. By default, Verbose mode is turned on. When Verbose mode is on, all ftp command responses are displayed. When a file transfer is completed, statistics regarding the efficiency of the transfer are also displayed. |
FTP Commands and Responses
Command | Response |
---|---|
USER Administrator | 331 Password required for Administrator. |
PASS napier | 230 User Administrator logged in. |
SYST | 215 Windows_NT |
PWD | 275 "/" is current directory. |
PASV | 227 Entering Passive Mode (192,168,75,132,4,22). |
LIST | 125 Data connection already open; Transfer starting. 226 Transfer complete. |
CWD / | 250 CWD command successful. |
PASV | 227 Entering Passive Mode (192,168,75,132,4,23). |
TYPE A | 200 Type set to A. |
PASV | 227 Entering Passive Mode (192,168,75,132,4,24). |
STOR db1.csv | 125 Data connection already open; Transfer starting. 226 Transfer complete. |
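As an added example (not part of the original notes), the following Python reconstructs the session in the table above from a constructed control-channel transcript: it pulls the cleartext credentials, decodes each 227 reply into the passive data-channel endpoint (port = p1*256 + p2), and ties each transfer command to the data connection it used, which is what an analyst needs in order to find the matching data stream in a capture.

```python
import re
# Constructed control-channel transcript modelled on the exchange in the
# table above ("> " = client command, "< " = server reply).
CAPTURE = """\
> USER Administrator
< 331 Password required for Administrator.
> PASS napier
< 230 User Administrator logged in.
> PASV
< 227 Entering Passive Mode (192,168,75,132,4,22).
> LIST
< 125 Data connection already open; Transfer starting.
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (192,168,75,132,4,24).
> STOR db1.csv
< 125 Data connection already open; Transfer starting.
< 226 Transfer complete.
"""
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Decode a 227 reply: h1.h2.h3.h4 is the server IP, p1*256+p2 the data port."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def reconstruct(capture):
    """Summarise credentials, data endpoints and which transfer used each data connection."""
    session = {"user": None, "password": None, "endpoints": [], "transfers": []}
    pending = None                       # endpoint announced by the last PASV
    for line in capture.splitlines():
        direction, _, text = line.partition(" ")
        if direction == ">":
            verb, _, arg = text.partition(" ")
            if verb == "USER":
                session["user"] = arg
            elif verb == "PASS":
                session["password"] = arg    # FTP sends this in cleartext
            elif verb in ("LIST", "RETR", "STOR"):
                session["transfers"].append((verb, arg or None, pending))
                pending = None               # each passive data connection is single-use
        elif direction == "<" and text.startswith("227"):
            pending = pasv_endpoint(text)
            session["endpoints"].append(pending)
    return session
```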
SSH Protocol
- SSH allows confidential and authenticated remote access to a computer.
- SSH is assigned port 22 in both TCP and UDP.
- SSH Traffic is fully encrypted.
- SSH uses asymmetric cryptography to establish a shared secret key and then symmetric cryptography for bulk encryption with that key.
- Inspection of SSH traffic is possible with SSH proxy servers.
Differentiating successful vs. failed login attempts
- Flow length: A successful authentication attempt will result in a longer session than a failed one.
- Packet size: SSH servers have set responses for successful and failed authentications. Observing the length of the SSH packets can show whether authentication succeeded or failed.
- Packet timing: Packets that require user interaction will take longer than automated ones, making them easier to detect.
Look for unusual numbers of SSH login attempts, whether successful or not, to detect compromise of user account(s).
Remote access scanning
- SSH scanning from an external machine
- Use the ssh filter in Wireshark to filter the results for external requesting IP addresses.
- Legitimate SSH requests should either originate from inside the network or from known, trusted IP addresses.
- SSH scanning from an internal machine
- This can be detected based upon unusual SSH access patterns, like a high amount of traffic originating from a single machine or requests from a machine to other systems that it does not usually contact.
Reverse shell
- A "default allow" policy for outbound traffic is commonly used, so SSH connections from internal machines to external ones will be permitted.
- If malware is installed on an internal machine, it can "call out" to an external malicious server over an SSH session.
- Detect a reverse shell by looking for outbound traffic on port 22 and encrypted traffic on unusual ports.
SSL/TLS Protocol
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- Protects connections between servers and clients
- Is application agnostic
Use network anomaly detection tools
- Monitor traffic flow for network anomalies
- Need to know what constitutes normal activity.
- For example, connections between machines that do not normally connect, either internally or between an inside machine and an unknown outside system, are inherently suspicious.
- Products: IBM's QRadar, Juniper Sky Advanced Threat Protection, Snort IPS, Cisco's Encrypted Traffic Analytics, etc.
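As an added example (not part of the original notes or of any product named above), the Python below applies the heuristics from the SSH sections (repeated login attempts, short flows as likely failed authentications, untrusted external sources, an internal host fanning out, outbound SSH as a reverse-shell candidate) and the baseline comparison described under network anomaly detection, to constructed flow records. The internal prefix, the trusted admin host and the baseline pairs are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed site layout for the example: one internal prefix and one trusted
# external admin host (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
INTERNAL = ip_network("192.168.75.0/24")
TRUSTED_EXTERNAL = {"203.0.113.10"}
# Constructed flow records: (src_ip, dst_ip, dst_port, duration_seconds).
FLOWS = [
    ("203.0.113.10", "192.168.75.132", 22, 95.0),   # trusted admin, long session
    ("198.51.100.7", "192.168.75.132", 22, 1.2),    # untrusted external, 3 short tries
    ("198.51.100.7", "192.168.75.132", 22, 1.1),
    ("198.51.100.7", "192.168.75.132", 22, 1.3),
    ("192.168.75.20", "192.168.75.1", 22, 0.9),     # internal host probing its peers
    ("192.168.75.20", "192.168.75.2", 22, 0.8),
    ("192.168.75.20", "192.168.75.3", 22, 0.9),
    ("192.168.75.40", "198.51.100.9", 22, 3600.0),  # outbound SSH to an unknown host
    ("192.168.75.50", "192.168.75.132", 443, 5.0),  # TLS between a known pair
]
# Baseline (src, dst) pairs learned from a known-good window (constructed).
BASELINE_PAIRS = {("192.168.75.50", "192.168.75.132"),
                  ("203.0.113.10", "192.168.75.132")}

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def analyse(flows, baseline, attempts=3, fanout=3, short_s=2.0):
    """Apply the heuristics from the notes; returns finding -> sorted hits."""
    hits = defaultdict(set)
    ssh_count = Counter()             # SSH connections per source
    ssh_peers = defaultdict(set)      # internal source -> distinct SSH targets
    for src, dst, dport, dur in flows:
        if (src, dst) not in baseline:            # pair never seen in the baseline
            hits["new_peer_pair"].add((src, dst))
        if dport != 22:
            continue
        ssh_count[src] += 1
        if dur < short_s:                         # short flow: likely failed auth
            hits["short_ssh_flow"].add((src, dst))
        if is_internal(src):
            ssh_peers[src].add(dst)
            if not is_internal(dst) and dst not in TRUSTED_EXTERNAL:
                hits["outbound_ssh_reverse_shell_candidate"].add((src, dst))
        elif src not in TRUSTED_EXTERNAL:
            hits["untrusted_external_ssh"].add(src)
    hits["repeated_ssh_attempts"] = {s for s, n in ssh_count.items() if n >= attempts}
    hits["internal_ssh_scan"] = {s for s, d in ssh_peers.items() if len(d) >= fanout}
    return {k: sorted(v) for k, v in hits.items() if v}
```

The thresholds are starting points; in practice they are tuned against the site's own baseline, which is why the notes stress knowing what normal activity looks like.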
Use SSL/TLS proxy servers
- Manage two connections for every conversation
- Accept the encrypted connection on one network interface, decrypt the traffic, perform some operation, then re-encrypt the traffic and send it on to the destination
- Security operations, such as malware scanning and blocking prohibited sites.
- Take a lot of processing power