Prompt
We found some interesting FTP traffic, analyze the network packet capture to identify what was transferred.
You can read this guide to learn more about computer networking.
Walk-Through
Use Wireshark or, if provided, the web-based CloudShark tool to solve the challenge. FTP (File Transfer Protocol) is a basic protocol used to transfer files from one computer to another. All of the questions and answers are specific to FTP, so it is suggested that you learn more about FTP.
Questions 1 and 2 can be solved by right-clicking on the first packet in the capture and using the “Follow > TCP Stream” option. Doing so will yield the following results:
220-FileZilla Server 0.9.53 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
USER user1
331 Password required for user1
PASS cyberskyline
530 Login or password incorrect!
QUIT
221 Goodbye
If you are using CloudShark, you can select the first packet in the capture and then go to: “Analysis Tools > Follow Stream”.
From this view, you can see the username and password listed on the “USER” and “PASS” lines. You can find the server version on the first line of the stream.
Questions 4 - 6 can be solved by applying the filter: ftp.response.code == 230
This filter searches for the server response that indicates that a session has been successfully authenticated (code 230). Once filtered, following the TCP stream on the first packet will yield the following results:
220-FileZilla Server 0.9.53 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
USER user1
331 Password required for user1
PASS metropolis
230 Logged on
PORT 129,2,205,242,207,243
200 Port command successful
LIST
150 Opening data channel for directory listing of "/"
226 Successfully transferred "/"
DELE bank.cap
250 File deleted successfully
PORT 129,2,205,242,207,244
200 Port command successful
STOR compcodes.zip
150 Opening data channel for file upload to server of "/compcodes.zip"
226 Successfully transferred "/compcodes.zip"
QUIT
221 Goodbye
Question 7 can be solved by applying the ftp-data filter and using knowledge of the packet numbers from the previous section.
There are 4 different interactions that can be seen from the filtered packets. These can be most easily identified by the timing shown on the “Time” column. By default, the time column displays the time offset (in seconds) that the packet was recorded since the beginning of the packet capture. Packets that are very close (in the order of milliseconds) in time are likely a continuation of the same response, just split across multiple packets. By viewing the TCP stream, you can combine their contents into a single view. You can also look at the “Info” column to see the corresponding command associated with each packet.
You can see packet No. 17, at approx. 58 seconds into the capture. In the “Info” column, it shows a “LIST” command in parentheses. The LIST command provides a listing of the current directory. If you follow the TCP stream of this packet, you can see the contents of the directory when the command was run.
Below that packet, you can see packet No. 25 at approx. 92 seconds, which shows a “STOR” command in parentheses. There are many other subsequent packets that are milliseconds apart. The STOR command uploads the file and stores it on the FTP server; the packets in this stream are the pieces of data being uploaded.
Packet No. 65 at approx. 152 seconds shows another listing of the current directory after the file was uploaded in the previous TCP stream. You can follow the TCP stream on this packet to see the new directory listing with the uploaded file included. From here, you can see the file size listed in one of the columns to get the answer to question 7.
Question 8 can be solved by again using the ftp.response.code == 230 filter.
However, this time the 2nd TCP stream should be followed. The 2nd stream is being looked at because it was previously determined that the first stream captures the interaction with the first user (who logged on) and the second stream captures the interaction with the second user (who was anonymous). This is a process of elimination: following the first stream reveals the user who uploaded the file, so we now need to keep looking to find the anonymous user. The 2nd stream will yield the following:
220-FileZilla Server 0.9.53 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
USER anonymous
331 Password required for anonymous
PASS
230 Logged on
PORT 129,2,205,242,207,246
200 Port command successful
RETR security
550 File not found
PORT 129,2,205,242,207,247
200 Port command successful
RETR bank.cap
550 File not found
PORT 129,2,205,242,207,248
200 Port command successful
LIST
150 Opening data channel for directory listing of "/"
226 Successfully transferred "/"
PORT 129,2,205,242,207,249
200 Port command successful
RETR compcodes.zip
150 Opening data channel for file download from server of "/compcodes.zip"
226 Successfully transferred "/compcodes.zip"
PORT 129,2,205,242,207,250
200 Port command successful
STOR worm.txt
550 Permission denied
QUIT
221 Goodbye
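As an added example (not part of the Cyber Skyline walkthrough), the following Python script parses a control-channel stream like the ones above and pulls out what an analyst wants from it: each USER/PASS pair and whether it succeeded, the file operations the server actually completed (judged by the final 2xx reply rather than the preliminary 150), and the client host:port decoded from each PORT command. The embedded transcript is constructed from the anonymous-user stream on this page; the function names are my own.

```python
import re

# Constructed from the walkthrough's anonymous-user stream (banner omitted).
STREAM = """\
USER anonymous
331 Password required for anonymous
PASS
230 Logged on
PORT 129,2,205,242,207,249
200 Port command successful
RETR compcodes.zip
150 Opening data channel for file download from server of "/compcodes.zip"
226 Successfully transferred "/compcodes.zip"
STOR worm.txt
550 Permission denied
"""

def decode_port(arg):
    """Decode an active-mode PORT argument h1,h2,h3,h4,p1,p2 into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_stream(text):
    """Pair each client command with the server's final reply (1xx replies are skipped)."""
    events, pending = [], None
    for line in text.splitlines():
        m = re.match(r"^(\d{3})[ -]", line)
        if m:
            code = int(m.group(1))
            if pending and code >= 200:   # 150 is preliminary; wait for 226/5xx
                events.append((*pending, code))
                pending = None
            continue
        cmd, _, arg = line.partition(" ")
        pending = (cmd.upper(), arg)
    return events

def summarize(text):
    """Cleartext logins (user, password, ok), completed file ops, data-channel endpoints."""
    events, user = parse_stream(text), None
    logins, files, endpoints = [], [], []
    for cmd, arg, code in events:
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":
            logins.append((user, arg, code == 230))
        elif cmd == "PORT" and code == 200:
            endpoints.append(decode_port(arg))
        elif cmd in ("RETR", "STOR", "DELE") and 200 <= code < 300:
            files.append((cmd, arg))
    return {"logins": logins, "files": files, "endpoints": endpoints}
```

Run it on the text produced by Wireshark's “Follow > TCP Stream” view (saved as ASCII) to get the same answers the walkthrough reads off by hand; the refused STOR of worm.txt is deliberately absent from the result because its final reply is 550.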
Questions
What was the first username:password combination attempt made to log in to the server? ex. 'user:password'
What software is the FTP server running? (Name and version)
What is the first username:password combination that allows for successful authentication?
What is the first command the user executes on the ftp server?
What file is deleted from the ftp server?
What file is uploaded to the ftp server?
What is the filesize (in bytes) of the uploaded file?
What file does the anonymous user download?
©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.