School of Science and Technology


A.M. Zeus-Brown BSc
Outline
The File Transfer Protocol (FTP) is one of the oldest application protocols on the internet, and its use has been thought to be in decline since the creation of the HyperText Transfer Protocol and the World-Wide Web. Recently, however, copyright enforcement agencies have identified a growth in FTP traffic and servers associated with organised groups distributing illegally copied copyright material. This marks a change in the distribution mechanism, which has largely depended on peer-to-peer networks such as Kazaa, E-Mule and BitTorrent. While it is possible to perform an "end to end" trace on a peer-to-peer connection, FTP provides a semi-anonymous middle point in the network whose content and location may be difficult to determine. Furthermore, it is thought to be almost impossible to determine the origins of data on the FTP server without physical or authorized access to the machine.

This presentation describes how criminal gangs use FTP as a distribution mechanism, and some early work on potential methods for remote investigation of the servers.
The Goal Of The Project
• The main goal is to produce a set of tools and procedures that will allow the autonomous checking of FTP servers for illicit material. The tools should also check that the FTP server has not been hijacked or installed remotely on an unsecured system.
• The tools should be backed up by a set of procedures that will make sure that all evidence is admissible in court and should aid the prosecution or defence in a court of law.
• It is also hoped that the tools will be transferable to peer-to-peer networks such as Kazaa and E-Mule, and possibly to other networks such as USENET.
What can be done?
• At present
– Home users are widely targeted for using file-sharing client tools
– Can this ever solve the problem?
• Why should we target the FTP servers?
– They are at the top of the chain, and defending further down the chain is not working (the American Motion Picture Association estimates losses of $626 billion a year).
– Targeting the home user is not going to stop the distribution or the problem, as there will only be another home user willing to take the risk of viewing a pirated copy of a movie 6 months before its UK release date.
Why FTP
Warez gangs choose FTP for:
• Its speed
• Ease of installation
• The ability to take over, or illicitly set up, an FTP server at a remote location unknown to the hardware owner
Distro map
(Diagram: the distribution chain, top to bottom.)
• Film, software and other suppliers → encoding and cracking groups.
• Pre-release folders are owned by the encoding/cracking groups. These folders are placed in the private folders of the highest-ranking topsites.
• IRC bots automate the transmission from the private file storage to a shared (public) file storage, and also send emails to the top-line couriers; this allows the encoders some anonymity.
• Ranked topsites: couriers post on ranked topsites to earn downloading credits and web kudos.
• Pay-for FTP and Usenet (shown alongside the ranked topsites).
• Unranked topsites: couriers post on unranked topsites to earn downloading credits and web kudos.
• Staging topsites: couriers post on staging sites to earn downloading credits and web kudos.
• Couriers leave files in shared folders on the end-user internet in order to obtain more files from the end-user internet.
• End-user internet: P2P networks, Usenet, open IRC channels, websites.
Simplified Distro map
The Distro (distribution) network is the way the illegal software, movies and other such material
(Diagram, a visualisation from Ref: [Various 2006]:)
• Main software crackers and rippers
• Pay-for FTP warez sites
• Other free FTP servers
• Hardcopy CD/DVD burning warehouses
• E-market stalls and real market stalls
• Distributors: small organised gangs using copyright material to fund other avenues
• End home user: Kazaa / E-Mule and other file-sharing services
How Predictive detection response works
• Imagine seeing hundreds of people coming and going from a building that was deserted last week and still looks as if it should be deserted. The police would find this worthy of investigation.
• This is the same thought process for detecting illicit use of FTP servers.
• The idea behind predictive detection is a simple one: a cluster of robots (small programs that are able to run programs and small tests) will be set to monitor an internet/network section for FTP servers.
• It is hoped that these robots would be hidden inside the noise that is already there on the internet.
• Once the robots find a target, it will be logged for further monitoring, which will include finding what files are stored on the FTP server and the amount of traffic.
• If a robot finds that a certain type of FTP server is being used, it should be possible to aim it to search for this type of FTP server using the response signature.
Predictive detection response vs. post incident response

Predictive detection response
• Cuts down the distribution of illicit material.
• This could be likened to catching a criminal by having an undercover operative working inside the gang.
• This could be a good way to capture the head distributors and prevent the home/end user becoming involved.
• Most of the population of the world would say that the real criminals are the distributors and hackers that steal the material or produce it, and would be more likely to help if they knew that the funds from this source may be funding other criminal activities.

Post incident response
• The material gets distributed and then server logs are checked to find out what happened.
• This is like investigating any theft in the material world.
• It can be a good way to catch the home/end user; even though some home/end users re-share this content, they are way down the distribution network. It could be likened to prosecuting the "fence" for stealing the goods in the material world.
What is internet noise?
• Most of the internet can be thought of as a battlefield where the sides are made up of the system administrators and security personnel vs. the hackers, crackers and the many other names for people that belong to the underground world, and some that want to belong to this world, sometimes referred to as "script kiddies".
• We can use this battle to cover some of the activities that the tools will be doing.
• PORT SCANNING
• This is a method of finding open ports on a target machine; it is a common practice for hackers etc. looking for ways to exploit a system.
• Most systems that are connected to the internet will experience this form of attack, and it is commonly dismissed as a script kiddie attack.
• A system can be port scanned hundreds or even thousands of times a day by different users. This will generate huge logs, and it is in these logs that it is hoped that the activity of the tools can be hidden.
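The "huge logs" mentioned above are what a system administrator actually works from. As an added example (not part of the presentation), the Python below shows the defender's side of that noise: it parses firewall log lines and flags any source that touches several distinct ports on one host within a short window, while also counting how many distinct sources probed each target. The syslog-like log layout, the sample lines, the threshold and the time window are all constructed assumptions; a real firewall's format would need its own regex.

```python
"""Flag port-scan behaviour in firewall log lines.

Added example, not part of the original presentation. The syslog-like layout,
the sample lines, the threshold and the time window are constructed
assumptions; adapt LOG_RE to the real firewall's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one fast scanner (198.51.100.7) sweeping seven ports
# in three seconds, one legitimate FTP client (203.0.113.5), and one slow
# scanner (198.51.100.9) spreading five probes over four hours. Lines are
# deliberately not in time order, and one line is malformed.
SAMPLE_LOG = """\
2006-01-12T10:00:01 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=21
2006-01-12T10:00:01 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22
2006-01-12T10:00:02 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23
2006-01-12T10:00:02 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=25
2006-01-12T10:00:02 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
2006-01-12T10:00:03 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=110
2006-01-12T10:00:03 fw DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2006-01-12T10:00:09 fw ACCEPT src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
2006-01-12T10:00:00 fw DROP src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=21
2006-01-12T11:00:00 fw DROP src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=22
2006-01-12T12:00:00 fw DROP src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=23
2006-01-12T13:00:00 fw DROP src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=25
2006-01-12T14:00:00 fw DROP src=198.51.100.9 dst=192.0.2.10 proto=tcp dport=80
this line is not in the expected format and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn matching log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def find_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Return {src: sorted ports} for sources that touch at least `min_ports`
    distinct destination ports on a single host within `window`."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)

    flagged = {}
    for (src, _dst), evs in by_pair.items():
        recent = deque()  # sliding window of events, oldest first
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            ports = {x["dport"] for x in recent}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


def sources_per_target(events):
    """Distinct sources per destination: a rough measure of the background
    noise each target sees."""
    seen = defaultdict(set)
    for e in events:
        seen[e["dst"]].add(e["src"])
    return {dst: len(srcs) for dst, srcs in seen.items()}
```

With the default 60-second window only the fast scanner is reported; widening the window to several hours also surfaces the slow scanner. That is the trade-off behind any such threshold: a strict rule misses probes spread out over time, a loose one starts flagging legitimate clients that open a few service ports in one session.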
Port scanning: what is it?
• Port scanning
– "An attempt by hackers to find the weaknesses of a computer or network by scanning or probing system ports via requests for information. It can be used by IT professionals as a genuine tool to discover and correct security holes. But it can also be used maliciously to detect and exploit weaknesses." Ref: www.nve.vt.edu
• The above explanation is very ambiguous and really does not give us much information about what a port scan is. So I like to think of it like finding a hotel and trying the doors.
• Easy to understand explanation
IP address = The address of a hotel.
Port number = A door to a room in the hotel.
Service = The guest in the room.
Open Port = Knocking on the door and getting an answer, or an open door.
Closed Port = Knocking on the door and getting no answer, or a closed door.

Computer systems have the ability to communicate with each other; they do this by using an IP address (the IP address can be thought of as the address of a hotel, Ref: Angus Marshal). However, if each computer only had an IP address they would only be able to speak to one system at a time and use one program at a time. The internet and other networks clearly don't work like this, and that is because of something called ports (ports can be thought of as the individual doors in the hotel, with a program or service running in each room, Ref: Angus Marshal). Computer systems have over 65,000 ports. There are common ports for services; however, this does not mean that the service has to run on this port. For instance, an FTP server's default port is 21, but it can be run on any port that is free.
What is Traffic/Software Signature matching?
• Signature matching is currently used by many anti-virus, firewall and IDS (Intrusion Detection System) products. It relies on a known set of rules that are classed as normal behaviour.
• This could be likened to watching an intruder trying to break into a house. The normal rule set would state that anyone trying to gain entry should either use a key to open the door, or knock on the door and wait for the door to be answered and be let in. However, if the intruder deviates from these actions, the chances are the person trying to gain entry is an intruder. This may not be the case: it could be that the home owner has forgotten their keys. This is known as a false positive and can happen if the rules are too strict.
• However, this false positive situation should not affect the performance of the set of tools, as it is only used to weight the order of investigation when the system is set on the autonomous setting. If the system is given a target to investigate, it bypasses the weighting system, checks the system and produces a report on the FTP server setup and the contents of the server.
Traffic Signature Analysis
A part of the tool set will be looking at the traffic and trying to make a signature pattern that will signify when an FTP server is being attacked or a remote system is being used to establish an illicit FTP server.
This method is very much like the pattern matching that is used in IDS (Intrusion Detection Systems), in that the system will have a set of standard behaviour signatures, and anything that deviates from these patterns will be flagged as needing to be monitored.
Software Signature matching
• This area of research will look at the possibilities of finding out the brand and version of the FTP server installed, and possibly the type of installation.
• Once the signature has been found, it will be checked against other known illicit FTP server signatures, and this will weight the need for investigation.
• If the signature does not match any known signature, it will be flagged for signature investigation.
Current Stage Of Research
• The project is able to detect FTP servers running on remote systems. The system is to use a polymorphic port scanner so as to decrease the chances of detection. This polymorphic port scanner, in conjunction with the above-mentioned internet noise, will be the main camouflage for this section of the tool.

(Diagram: system running the tool set → secured proxy servers with random IPs → target systems.)

The above diagram is the basic network layout for the system design. The system running the tools will connect to a set of trusted and secured proxy servers with rotating randomised IP addresses; they will then port scan one of the targets at random, on a random port, using a random type of port scan, for example:
Proxy server one scans port number 21 with a null port scan on target IP 192.19.162.8
Proxy server one scans port number 26 with an Xmas port scan on target IP 192.19.162.7

The system running the tool set will be able to set the system or systems to be targeted and then select the ports or port range. The tool set then creates a table for each target to keep track of the information. The data will then be passed on to the FTP detection module. The FTP detection module is there to find FTP servers and then find the FTP server software signature.

This is the end of the detection stage; further research will be on the monitoring and traffic pattern analysis.
Current Stage Of Research
• The system is able to read and clone the directory structure for forensic purposes.
• The final problem to resolve is password-protected sites. There are two possible ways to solve these:
– Brute force attacks
– Network snooping (i.e. the 3rd man attack)
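The directory-cloning bullet is where evidence handling meets the court-admissibility goal stated at the start of the talk: a clone is only useful later if it can be shown not to have changed since it was taken. As an added example (not the project's code), the Python below builds a manifest of a cloned tree with a SHA-256 digest per file and a digest over the whole manifest, then shows verification reporting a modified and an added file. The directory contents are constructed in a temporary folder for the demonstration.

```python
"""Build and verify a hashed manifest of a cloned directory tree.

Added example, not part of the original presentation. The sample tree is
constructed in a temporary directory; the manifest format is our own choice.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large clones do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """List every directory and file under root (sorted, so the result is
    deterministic) and seal the list with a digest over its JSON form."""
    root = Path(root)
    entries = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_dir():
            entries.append({"path": rel, "type": "dir"})
        elif p.is_file():
            entries.append({"path": rel, "type": "file",
                            "size": p.stat().st_size, "sha256": sha256_file(p)})
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return {"entries": entries,
            "manifest_sha256": hashlib.sha256(body.encode()).hexdigest()}


def verify_manifest(root, manifest):
    """Return a list of (problem, path) tuples; an empty list means the clone
    still matches the manifest exactly."""
    current = build_manifest(root)
    if current["manifest_sha256"] == manifest["manifest_sha256"]:
        return []
    old = {e["path"]: e for e in manifest["entries"]}
    new = {e["path"]: e for e in current["entries"]}
    problems = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            problems.append(("missing", path))
        elif path not in old:
            problems.append(("added", path))
        elif old[path] != new[path]:
            problems.append(("modified", path))
    return problems


def demo():
    """Construct a small tree, seal it, then tamper with it and re-verify.
    Returns (number of manifest entries, problems before, problems after)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pub" / "incoming").mkdir(parents=True)
        (root / "pub" / "README.txt").write_bytes(b"constructed sample file\n")
        (root / "pub" / "incoming" / "a.bin").write_bytes(bytes(range(256)))

        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)

        # Simulate post-capture tampering: one file edited, one file added.
        (root / "pub" / "README.txt").write_bytes(b"tampered\n")
        (root / "pub" / "incoming" / "b.bin").write_bytes(b"x")
        after = verify_manifest(root, manifest)
        return len(manifest["entries"]), before, after


if __name__ == "__main__":
    print(demo())
```

The manifest digest is the value to record in the case notes at capture time; anyone holding the clone can recompute it later, and a mismatch points straight at the entries that differ.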
Summary of system ability
1. The system is able to take an IP range and scan the network for FTP servers.
2. When an FTP server has been detected, the system is able to detect if the server is password-protected; if not, it is able to map the server.
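The software signature matching slide (identify brand and version, weight against known signatures, flag unknown ones) and point 2 of this summary (is the server password-protected?) both come down to reading FTP reply codes. As an added example that is not the project's code, the Python below takes recorded session transcripts, fingerprints the server from its 220 greeting, classifies the login policy from the replies to an anonymous login attempt, and produces the investigation weight and flags the slides describe. The signature table, the set of previously recorded greetings, the weights and the three transcripts are all constructed; the greeting patterns are approximations of how those products typically introduce themselves.

```python
"""Fingerprint an FTP server from its greeting and classify its login policy
from the reply codes in a recorded session.

Added example, not part of the original presentation. SIGNATURES,
KNOWN_GREETINGS, the weights and the transcripts are constructed assumptions.
"""
import re

# Greeting pattern -> product name; version captured where the greeting has one.
# Approximations of typical greetings, not an authoritative table.
SIGNATURES = [
    (re.compile(r"\(vsFTPd (?P<ver>[\d.]+)\)"), "vsftpd"),
    (re.compile(r"ProFTPD (?P<ver>[\d.]+)"), "ProFTPD"),
    (re.compile(r"Serv-U FTP Server v(?P<ver>[\d.]+)"), "Serv-U"),
    (re.compile(r"Microsoft FTP Service"), "Microsoft FTP Service"),
]

# Constructed: greetings already recorded on servers under investigation.
KNOWN_GREETINGS = {"220 Welcome, please log in."}

# Constructed session transcripts: "S:" is the server, "C:" the client.
TRANSCRIPT_PUBLIC = """\
S: 220 (vsFTPd 2.0.5)
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.invalid
S: 230 Login successful.
"""
TRANSCRIPT_PRIVATE = """\
S: 220 ProFTPD 1.3.0 Server (ProFTPD Default Installation) [192.0.2.20]
C: USER anonymous
S: 530 Login incorrect.
"""
TRANSCRIPT_UNKNOWN = """\
S: 220 Welcome, please log in.
C: USER anonymous
S: 331 Password required for anonymous.
C: PASS guest@example.invalid
S: 530 Login incorrect.
"""

REPLY_RE = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")


def parse_transcript(text):
    """Split a transcript into (side, payload) turns."""
    turns = []
    for line in text.splitlines():
        side, _, payload = line.partition(": ")
        if side in ("S", "C") and payload:
            turns.append((side, payload))
    return turns


def fingerprint(greeting):
    """Match the 220 greeting against the signature table -> (product, version)."""
    for rx, product in SIGNATURES:
        m = rx.search(greeting)
        if m:
            return product, m.groupdict().get("ver")
    return None, None


def login_policy(turns):
    """After the client sends USER anonymous: a 230 reply means anonymous
    access is allowed, a 530 means a password (or a real account) is required."""
    saw_user = False
    for side, payload in turns:
        if side == "C":
            saw_user = saw_user or payload.upper().startswith("USER ANONYMOUS")
            continue
        m = REPLY_RE.match(payload)
        if not m or not saw_user:
            continue
        if m["code"] == "230":
            return "anonymous"
        if m["code"] == "530":
            return "password"
    return "unknown"


def assess(transcript):
    """Combine fingerprint and policy into the weight used to order the
    autonomous investigation queue, plus any flags raised."""
    turns = parse_transcript(transcript)
    greeting = next((p for s, p in turns if s == "S"), "")
    product, version = fingerprint(greeting)
    policy = login_policy(turns)
    flags, weight = [], 0
    if product is None:
        flags.append("signature investigation")  # unmatched greeting
        weight += 1
    if greeting in KNOWN_GREETINGS:
        flags.append("matches previously recorded server")
        weight += 2
    if policy == "anonymous":
        weight += 1  # contents can be inventoried without any credentials
    return {"product": product, "version": version, "policy": policy,
            "weight": weight, "flags": flags}
```

As the signature matching slide says, the weight only orders the autonomous queue; a server named explicitly as a target would be examined regardless of its score. An "anonymous" result is the case where the mapping step in point 2 can proceed at all.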
Future Stages Of Research
• Look at other ways to bypass the password security on FTP servers
• Take what has been discovered about FTP servers and transfer it to other internet protocols:
– HTTP
– MSN chat etc.
– P2P (peer to peer)
– USENET
Ethics and other Issues
• Is it hacking?
• Who owns the server, and who owns the hardware? Are they the same person?
• What is the law in the country where the server is located?
• What, if any, data protection guidelines need to be followed?
• Will the evidence produced be of a standard that is usable in a court of law?
• When should the FTP server be monitored?
• How will the information be stored so that it complies with the DPA?
References
• C. Winter, mpaa.org, Dark Tower - Top Piracy Pyramid.pdf, 1/2005
• Various, hackinthebox.tx, How to become a distributor, 1/2006
• Angus Marshal, meeting between A. Marshal and A. Brown, 1/2006
• Network Sorcery, www.networksorcery.com, UDP, 1/2006
• D. Fyodor, www.insecure.org, Nmap: The art of port scanning, 06/1997
• Uriel Maimon, Phrack 49, article 15, Port Scanning without the SYN flag, 11/1996
• D. Goldsmith, Bugtraq post, the ident protocol (RFC 1413), 1996
• R. Siles, www.honeynet.org, Scan 21, 06/2002
• D. Song, http://www.monkey.org/~dugsong/talks/ids/, Intrusion Detection 101, 17/09/1999