School of Science and Technology A.M. Zeus-Brown BSc

Upload: gerald-kennedy

Post on 17-Dec-2015

TRANSCRIPT

Page 1: School of Science and Technology A.M. Zeus-Brown BSc

School of Science and Technology

A.M. Zeus-Brown BSc

Page 2: School of Science and Technology A.M. Zeus-Brown BSc

Outline

• The File Transfer Protocol (FTP) is one of the oldest application protocols on the internet, and its use has been thought to be in decline since the creation of the HyperText Transfer Protocol and the World-Wide Web. Recently, however, copyright enforcement agencies have identified a growth in FTP traffic and servers, associated with organised groups distributing illegally copied copyright material. This marks a change in the distribution mechanism, which has largely depended on peer to peer networks such as Kazaa, E-Mule, and BitTorrent.

• While it is possible to perform an “end to end” trace on a peer to peer connection, FTP provides a semi-anonymous middle point in the network whose content and location may be difficult to determine. Furthermore, it is thought to be almost impossible to determine the origins of data on the FTP server without physical or authorized access to the machine.

• This presentation describes how criminal gangs use FTP as a distribution mechanism, and some early work on potential methods for remote investigation of the servers.

Page 3: School of Science and Technology A.M. Zeus-Brown BSc

The Goal Of The Project

• The main goal is to produce a set of tools and procedures that will allow the autonomous checking of FTP servers for illicit material. The tools should also check that the FTP server has not been hijacked or installed remotely on an unsecured system.

• The tools should be backed up by a set of procedures that will make sure that all evidence is admissible in court and should aid in the prosecution or defence in a court of law.

• It is also hoped that the tools will be transferable to peer to peer networks such as Kazaa and E-Mule, and possibly to other networks such as USENET.

Page 4: School of Science and Technology A.M. Zeus-Brown BSc

What can be done?

• At present
– Home users are widely targeted for using client sharing tools
– Can this ever solve the problem?

• Why should we target the FTP servers?
– It is at the top of the chain, and defending further down the chain is not working (the American Motion Picture Association estimates losses of $626 billion a year).
– Targeting the home user is not going to stop the distribution or the problem, as there will only be another home user willing to take the risk of viewing a pirated copy of a movie 6 months before its UK release date.

Page 5: School of Science and Technology A.M. Zeus-Brown BSc

Why FTP

• Warez gangs choose FTP for
– Its speed
– Ease of installation
– The ability to take over, or illicitly set up, an FTP server on a remote location unknown to the hardware owner

• Why should we target the FTP servers?
– It is at the top of the chain, and defending further down the chain is not working (the American Motion Picture Association estimates losses of “$626 billion a year”).
– Targeting the home user is not going to stop the distribution or the problem, as there will only be another home user willing to take the risk of viewing a pirated copy of a movie 6 months before its UK release date.

Page 6: School of Science and Technology A.M. Zeus-Brown BSc

Distro map

[Diagram: distribution map. Nodes: Film and software etc. suppliers; Encoding and cracking groups; Private folders; Public folders; IRC bots; Ranked topsites; Unranked topsites; Staging topsites; Pay-for FTP; Usenet; P2P networks; Open IRC channels; Websites; Couriers; End user internet.]

Annotations from the diagram:

– Pre-release folders are owned by the encoding/cracking groups. These folders are placed in the private folders of the highest ranking topsites.
– IRC bots automate the transmission from the private file storage to a shared file storage and also send emails to the top line couriers; this allows the encoders some anonymity.
– Couriers post on ranked topsites to earn downloading credits and web kudos.
– Couriers post on unranked topsites to earn downloading credits and web kudos.
– Couriers post on staging sites to earn downloading credits and web kudos.
– Couriers leave files in shared folders on the end user internet in order to obtain more files from the end user internet.

Page 7: School of Science and Technology A.M. Zeus-Brown BSc

Simplified Distro map

The Distro (distribution) network is the way the illegal software, movies and other such material

A visualisation from Ref: [Various 2006]

[Diagram: simplified distribution chain. Nodes: Main software crackers and rippers; Pay-for FTP warez sites; Other free FTP servers; Distributors (small organised gangs using copyright material to fund other avenues); Kazaa / E-Mule and other file sharing services; Hardcopy CD/DVD burning warehouses; E-market stalls and real market stalls; End home user.]

Page 8: School of Science and Technology A.M. Zeus-Brown BSc

How Predictive detection response works

• Imagine seeing hundreds of people coming and going from a building that was deserted last week and still looks as if it should be deserted. The police would find this worthy of investigation.

• This is the same thought process for detecting illicit use of FTP servers.

• The idea behind predictive detection is a simple one. It is that a cluster of robots (small programs that are able to run programs and small tests) will be set to monitor an internet/network section for FTP servers.

• It is hoped that these robots would be hidden inside the noise that is already there on the internet.

• Once the robots find a target, it will be logged for further monitoring, which will include finding what files are stored on the FTP server and the amount of traffic.

• If a robot finds that a certain type of FTP server is being used, it should be able to be aimed to search for this type of FTP server using the response signature.

Page 9: School of Science and Technology A.M. Zeus-Brown BSc

Predictive detection response vs. post incident response

Predictive detection response

Cut down the distribution of illicit material. This could be likened to catching a criminal due to having an undercover operative working inside the gang.

This could be a good way to capture the head distributors and prevent the home/end user becoming involved.

Most of the population of the world would say that the real criminals are the distributors and hackers that steal the material or produce it, and would be more likely to help if they knew that the funds from this source may be funding other criminal activities.

Post incident response

The material gets distributed and then server logs are checked to find out what happened.

This is like investigating any theft in the material world.

It can be a good way to catch the home/end user; even though some home/end users re-share this content, they are way down the distribution network. It could be likened to prosecuting the “fence” for stealing the goods in the material world.

Page 10: School of Science and Technology A.M. Zeus-Brown BSc

What is internet noise?

• Most of the internet can be thought of as a battlefield where the sides are made up of the system administrators and security personnel vs. the hackers, crackers and the many other names for people that belong to the underground world, and some that want to belong to this world, sometimes referred to as “script kiddies”.

• We can use this battle to cover some of the activities that the tools will be doing.

• PORT SCANNING
– This is a method of finding open ports on a target machine; it is a common practice for hackers etc. looking for ways to exploit a system.
– Most systems that are connected to the internet will experience this form of attack, and it is commonly dismissed as a script kiddie attack.
– A system can be port scanned hundreds or even thousands of times a day by different users. This will generate huge logs, and it is in these logs that it is hoped the activity of the tools can be hidden.

Page 11: School of Science and Technology A.M. Zeus-Brown BSc

Port scanning: what is it?

• Port scanning
– “An attempt by hackers to find the weaknesses of a computer or network by scanning or probing system ports via requests for information. It can be used by IT professionals as a genuine tool to discover and correct security holes. But it can also be used maliciously to detect and exploit weaknesses.” Ref: www.nve.vt.edu

• The above explanation is very ambiguous and really does not give us much information about what a port scan is.

• So I like to think of it like finding a hotel and trying the doors.

Easy to understand explanation

IP address = The address of a hotel.
Port number = A door to a room in the hotel.
Service = The guest in the room.
Open port = Knocking on the door and getting an answer, or an open door.
Closed port = Knocking on the door and getting no answer, or a closed door.

Computer systems have the ability to communicate with each other; they do this by using an IP address (the IP address can be thought of as the address of a hotel, Ref: Angus Marshal). However, if each computer only had an IP address, it would only be able to speak to one system at a time and use one program at a time. The internet and other networks clearly don't work like this, and that is because of something called ports (ports can be thought of as the individual doors in the hotel, with a program or service running in each room, Ref: Angus Marshal). Computer systems have over 65,000 ports. There are common ports for services; however, this does not mean that the service has to run on this port. For instance, an FTP server's default port is 21, but it can be run on any port that is free.

Page 12: School of Science and Technology A.M. Zeus-Brown BSc

What is Traffic/Software Signature matching?

• Signature matching is currently used by many anti-virus, firewall and IDS (Intrusion Detection System) products. It relies on a known set of rules that are classed as normal behaviour.

• This could be likened to watching an intruder trying to break into a house. The normal rule set would state that anyone trying to gain entry should either use a key to open the door, or knock on the door and wait for the door to be answered and be let in. If the person deviates from these actions, the chances are that the person trying to gain entry is an intruder. However, this may not be the case: it could be that the home owner has forgotten their keys. This is known as a false positive and can happen if the rules are too strict.

• However, this false positive situation should not affect the performance of the set of tools, as it is only used to weight the order of investigation when the system is set on the autonomous setting. If the system is given a target to investigate, it bypasses the weighting system, checks the system and produces a report on the FTP server setup and the contents of the server.

Page 13: School of Science and Technology A.M. Zeus-Brown BSc

Traffic Signature Analysis

A part of the tool set will be looking at the traffic and trying to make a signature pattern that will signify when an FTP server is being attacked, or when a remote system is being used to establish an illicit FTP server. This method is very much like the pattern matching that is used in IDS (Intrusion Detection Systems), in that the system will have a set of standard behaviour signatures, and anything that deviates from these patterns will be flagged as needing to be monitored.

Page 14: School of Science and Technology A.M. Zeus-Brown BSc

Software Signature matching

• This area of research will look at the possibilities of finding out the brand and version of the FTP server installed, and possibly the type of installation.

• Once the signature has been found, it will be checked against the signatures of other known illicit FTP servers, and this will weight the need for investigation.

• If the signature does not match any known signature, it will be flagged for signature investigation.

Page 15: School of Science and Technology A.M. Zeus-Brown BSc

Current Stage Of Research

• The project is able to detect FTP servers running on remote systems. The system is to use a polymorphic port scanner so as to decrease the chances of detection. This polymorphic port scanner, in conjunction with the above mentioned internet noise, will be the main camouflage for this section of the tool.

[Diagram: basic network layout. Nodes: System running the tool set; Secured system proxy servers with random IPs; Target systems.]

The above diagram is the basic network layout for the system design. The system running the tools will connect to a set of trusted and secured proxy servers with rotating randomized IP addresses; they will then port scan one of the targets at random, on a random port, using a random type of port scan, for example:

Proxy server one scans port number 21 with a null port scan on target IP 192.19.162.8
Proxy server one scans port number 26 with an Xmas port scan on target IP 192.19.162.7

The system running the toolset will be able to set the system or systems to be targeted and then select the ports or port range. The tool set then creates a table for each target to keep track of the information. The data will then be passed on to the FTP detection module. The FTP detection module is there to find FTP servers and then find the FTP server software signature. This is the end of the detection stage, and further research will be on the monitoring and traffic pattern analysis.
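The FTP detection module above, and the "Software Signature matching" slide before it, describe the same step: take a server's response, derive a brand/version signature, and weight it for investigation. This added example (mine, not code from the project) does that over constructed greeting banners; because FTP can run on any free port, it keys on the 220 greeting rather than the port number. The sample banners, the addresses and the KNOWN_ILLICIT_SIGNATURES table are assumptions, not data from the presentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample greetings (not real servers): what a client reads right after
# connecting. An FTP service greets with reply code 220; multi-line greetings
# use "220-" continuation lines and end with a "220 " line.
SAMPLE_BANNERS = {
    "198.51.100.10:21": "220 ProFTPD 1.3.0 Server (ProFTPD Default Installation) [198.51.100.10]\r\n",
    "198.51.100.11:2121": "220 (vsFTPd 2.0.5)\r\n",
    "198.51.100.12:21": ("220-Welcome to the site\r\n"
                         "220-Unauthorised access is prohibited\r\n"
                         "220 Serv-U FTP Server v6.0 for WinSock ready...\r\n"),
    "198.51.100.13:8080": "HTTP/1.0 400 Bad Request\r\n\r\n",   # not FTP at all
    "198.51.100.14:31337": "220 Hello\r\n",                      # FTP, software unknown
}

@dataclass
class Signature:
    is_ftp: bool
    brand: Optional[str]
    version: Optional[str]
    weight: int   # 0 = not FTP; higher means investigate sooner

# Banner fragments that identify the server software; group 1 is the version.
BANNER_PATTERNS = [
    (re.compile(r"ProFTPD\s+([\d.]+\S*)"), "ProFTPD"),
    (re.compile(r"vsFTPd\s+([\d.]+)"), "vsFTPd"),
    (re.compile(r"Serv-U FTP Server\s+v?([\d.]+)"), "Serv-U"),
    (re.compile(r"Microsoft FTP Service"), "Microsoft FTP"),
]

# Hypothetical placeholder: (brand, version) pairs previously seen on confirmed
# illicit servers. A real deployment would populate this from closed cases.
KNOWN_ILLICIT_SIGNATURES = {("Serv-U", "6.0")}

def greeting_text(banner: str) -> Optional[str]:
    """Join the text of a complete 220 greeting, or return None if it is not one."""
    lines = [l for l in banner.split("\r\n") if l]
    if not lines or not all(re.match(r"^220[ -]", l) for l in lines):
        return None
    if not lines[-1].startswith("220 "):      # a "220-" last line is unterminated
        return None
    return " ".join(l[4:].strip() for l in lines)

def classify(banner: str) -> Signature:
    """Derive the software signature and the investigation weight for one banner."""
    text = greeting_text(banner)
    if text is None:
        return Signature(False, None, None, 0)
    for pattern, brand in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            version = m.group(1) if m.groups() else None
            if (brand, version) in KNOWN_ILLICIT_SIGNATURES:
                return Signature(True, brand, version, 3)   # matches a known illicit setup
            return Signature(True, brand, version, 1)       # known software, no match
    # An FTP greeting from unrecognised software: flag for signature investigation.
    return Signature(True, None, None, 2)

def investigation_order(banners):
    """Rank FTP responders by weight (highest first); non-FTP responders are dropped."""
    scored = [(addr, classify(b)) for addr, b in banners.items()]
    scored = [(addr, sig) for addr, sig in scored if sig.is_ftp]
    return [addr for addr, _ in sorted(scored, key=lambda x: (-x[1].weight, x[0]))]

if __name__ == "__main__":
    for addr in investigation_order(SAMPLE_BANNERS):
        print(addr, classify(SAMPLE_BANNERS[addr]))
```

In autonomous mode the weight only orders the queue, as the weighting slide says; a false positive costs a wasted check, not a missed server.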

Page 16: School of Science and Technology A.M. Zeus-Brown BSc

Current Stage Of Research

• The system is able to read and clone the directory structure for forensic purposes.

• The final problem to resolve is the password-protected sites. There are two possible ways to solve these; they are:
– Brute force attacks
– Network snooping (i.e. the 3rd man attack)

Page 17: School of Science and Technology A.M. Zeus-Brown BSc

Summary of system ability

1. The system is able to take an IP range and scan the network for FTP servers.

2. When an FTP server has been detected, the system is able to detect if the server is password-protected; if not, it is able to map the server.

Page 18: School of Science and Technology A.M. Zeus-Brown BSc

Future Stages Of Research

• Look at other ways to bypass the password security on FTP servers

• Take what has been discovered about FTP servers and transfer it to other internet protocols
– HTTP
– MSN chat etc.
– P2P (peer to peer)
– USENET

Page 19: School of Science and Technology A.M. Zeus-Brown BSc

Ethics and other Issues

• Is it hacking?
• Who owns the server, and who owns the hardware? Are they the same person?
• What is the law in the country where the server is located?
• What, if any, data protection guidelines need to be followed?
• Will the evidence produced be of a standard that is usable in a court of law?
• When should the FTP server be monitored?
• How will the information be stored so that it complies with the DPA?

Page 20: School of Science and Technology A.M. Zeus-Brown BSc

References

• C. Winter, mpaa.org, Dark Tower - Top Piracy Pyramid.pdf, 1/2005
• Various, hackinthebox.tx, How to become a distributor, 1/2006
• Angus Marshal – meeting between A. Marshal and A. Brown, 1/2006
• Net Sorcery, www.networksorcery.com, UDP, 1/2006
• D. Fyodor, www.insecure.org, Nmap: The art of port scanning, 06/1997
• Uriel Maimon, Phrack 49, article 15, Port Scanning without the SYN flag, 11/1996
• D. Goldsmith, Bugtraq post, the ident protocol (RFC 1413), 1996
• R. Siles, www.honeynet.org, Scan 21, 06/2002
• D. Song, http://www.monkey.org/~dugsong/talks/ids/, Intrusion Detection 101, 17/09/1999