Saturday, April 21, 2007

Argus: Passive FTP Data Channel Extraction

With active FTP the server always opens the data connection from a fixed port (20), so the data channel is easy to spot. With passive FTP the server announces a fresh ephemeral port (usually above 1023) in its reply to each PASV or EPSV command and the client connects to it from an ephemeral port of its own, so I used to reconstruct every data channel by reading the control-channel traffic by hand. After looking into how passive FTP actually works (over both IPv4 and IPv6, and across FTP server implementations), I decided to write a bash shell script that extracts all the passive FTP data channels belonging to an FTP control flow from Argus data. As in my paper on using Argus for botnet detection, the script relies on the Argus client tools, ragrep in particular, to pull out the control flows and the data channels they announce. Here is the result when I run the script, argus-PASVFTP.sh.

IPv4 Illustration
shell>./argus-PASVFTP.sh
Input your argus data file, specify absolute path!
/home/geek00l/i-Pcaps/ipv4-ftp.arg
SrcAddr|Sport|DstAddr|Dport
192.168.0.24|49971|210.171.226.46|21
192.168.0.24|35839|210.171.226.46|21
Please specify source and destination IP and source PORT to locate associated passive ftp data channel .....
1. Source IP
192.168.0.24
2. Destination IP
210.171.226.46
3. Source Port
49971

Passive FTP Data Channel
61703
64897

Gotcha, here are the data channel ports announced by the FTP server for the client to connect to: 61703 and 64897.

IPv6 Illustration
shell>./argus-PASVFTP.sh
Input your argus data file, specify absolute path!
/home/geek00l/i-Pcaps/ipv6.test.1.arg
SrcAddr|Sport|DstAddr|Dport
2001:5c0:925d:0:204:5aff:fe79:43a7|57339|2001:6c8:6:4::7|21
Please specify source and destination IP and source PORT to locate associated passive ftp data channel .....
1. Source IP
2001:5c0:925d:0:204:5aff:fe79:43a7
2. Destination IP
2001:6c8:6:4::7
3. Source Port
57339

Passive FTP Data Channel
64534
60801
60199

It works for FTP over IPv6 too; the data channel ports are 64534, 60801 and 60199.
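The port numbers in both illustrations above come from the server's own replies on the control channel: a 227 reply for PASV over IPv4 carries six comma-separated numbers, the first four being the advertised host and the last two the port as p1*256 + p2, while a 229 reply for EPSV (used for IPv6) carries the port directly between the bars. The following bash functions are an added example, not the argus-PASVFTP.sh script from this post; they assume the reply lines have already been pulled out of the control flow (the way the script does with ragrep) and are fed in as plain text. The sample replies below are constructed for the example and are not taken from the Argus files shown above.

```bash
#!/usr/bin/env bash
# Added example: recover passive FTP data ports from the server's control-channel
# replies. 227 replies follow RFC 959 (PASV), 229 replies follow RFC 2428 (EPSV).

# pasv_fields LINE -> the six numbers of a 227 reply, one per line; nothing on a malformed line
pasv_fields() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p' |
        tr ',' '\n'
}

# pasv_port LINE -> data port announced in a 227 reply (p1*256 + p2)
pasv_port() {
    local f
    f=$(pasv_fields "$1")
    [ -n "$f" ] || return 1
    set -- $f                      # split on newlines (default IFS)
    echo $(( $5 * 256 + $6 ))
}

# pasv_host LINE -> dotted address advertised in a 227 reply (h1.h2.h3.h4)
pasv_host() {
    local f
    f=$(pasv_fields "$1")
    [ -n "$f" ] || return 1
    set -- $f
    echo "$1.$2.$3.$4"
}

# pasv_host_matches LINE SERVER_IP -> true when the advertised host equals the
# control-channel server address. A mismatch means the server sits behind NAT
# or is misconfigured, and the data flow will not be where the flow records say.
pasv_host_matches() {
    local h
    h=$(pasv_host "$1") || return 1
    [ "$h" = "$2" ]
}

# epsv_port LINE -> data port from "229 Entering Extended Passive Mode (|||port|)"
epsv_port() {
    local p
    p=$(printf '%s\n' "$1" | sed -n 's/.*(|||\([0-9][0-9]*\)|).*/\1/p')
    [ -n "$p" ] || return 1
    echo "$p"
}

# data_ports: read control-channel reply lines on stdin, print every passive data port.
# Lines are expected to start with the three-digit reply code; strip any record
# prefix first if the lines come straight out of a flow tool's user-data field.
data_ports() {
    local line p
    while IFS= read -r line; do
        case $line in
            227\ *) p=$(pasv_port "$line") && echo "$p" ;;
            229\ *) p=$(epsv_port "$line") && echo "$p" ;;
        esac
    done
}

# Constructed sample replies (not from the capture files in the post).
SAMPLE_IPV4=$(printf '%s\n' \
    '220 FTP server ready' \
    '227 Entering Passive Mode (210,171,226,46,241,7)' \
    '150 Opening BINARY mode data connection' \
    '227 Entering Passive Mode (210,171,226,46,253,129)')

SAMPLE_IPV6=$(printf '%s\n' \
    '229 Entering Extended Passive Mode (|||64534|)' \
    '226 Transfer complete' \
    '229 Entering Extended Passive Mode (|||60801|)')

echo "IPv4 sample data ports:"
printf '%s\n' "$SAMPLE_IPV4" | data_ports
echo "IPv6 sample data ports:"
printf '%s\n' "$SAMPLE_IPV6" | data_ports
```

Running it on the constructed samples yields 61703 and 64897 for the IPv4 replies (241*256+7 and 253*256+129) and 64534 and 60801 for the IPv6 ones. The host check in pasv_host_matches is worth running before you filter flow records on the recovered ports: when a server advertises a private address that differs from the control-channel peer, the data connection you are looking for may go to a different host than the one the control flow shows.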

You can now run the Argus client tool ra to locate all the passive FTP data flows by filtering on those ports. I have only tested the script on FreeBSD and Gentoo Linux, but it should work on other *nix platforms as long as you have the bash shell and the Argus clients installed. Once again, this is an interesting example of what the Argus client tools can do.

Thanks to Richard for the IPv6 pcap file he sent me; without it I would not have been able to examine FTP over IPv6.

I plan to include this script in the liveCD that chfl4gs and I are actively developing. If any of you are interested in having fun with the script, feel free to let me know.

Enjoy (;])
