I’m taking a Computer Networks course this semester, and for my final project, my partner and I are trying to create signatures for FTP, HTTP, and Skype packets.
The big idea: we want to create some signatures, and then “replay” those signatures against some arbitrary IP and port. If we get a response, we analyze the response to see if it matches what we expect from the signature. If it matches, chances are we’ve determined what kind of server is behind that IP/Port.
FTP and HTTP are the trivial ones. Skype is going to be quite a bit harder.
Anyhow, here is what I’ve found out about FTP…
FTP runs over a TCP connection, so if you’ve got Telnet, then you’ve got a basic FTP client. Traditionally, FTP servers run on port 21 – but really you could put one on whichever port you feel like.
So, I’m going to try to futz around with the Mozilla public FTP server, and show you what I get.
First, I’ll connect to the FTP server with Telnet, like so:
mike@faceplant-linux:~$ telnet ftp.mozilla.org 21
Here’s what comes back:
Connected to dm-ftp01.mozilla.org.
Escape character is '^]'.
220- ftp.mozilla.org / archive.mozilla.org - files are in /pub/mozilla.org
220- Notice: This server is the only place to obtain nightly builds and needs to
220- remain available to developers and testers. High bandwidth servers that
220- contain the public release files are available at ftp://releases.mozilla.org/
220- If you need to link to a public release, please link to the release server,
220- not here. Thanks!
220- Attempts to download high traffic release files from this server will get a
220- "550 Permission denied." response.
If I type in anything and press RETURN, the server responds with:
530 Please login with USER and PASS.
Since I don’t have an account, I’ll just use the basic anonymous one:
The server responds back with:
331 Please specify the password.
I don’t have a password, so I’ll just try a blank one…
and blam, I get a ton of stuff back:
230- ftp.mozilla.org / archive.mozilla.org - files are in /pub/mozilla.org
230- Notice: This server is the only place to obtain nightly builds and needs to
230- remain available to developers and testers. High bandwidth servers that
230- contain the public release files are available at ftp://releases.mozilla.org/
230- If you need to link to a public release, please link to the release server,
230- not here. Thanks!
230- Attempts to download high traffic release files from this server will get a
230- "550 Permission denied." response.
230 Login successful.
Hey alright, I’m in! Er…where exactly am I, though? I type in PWD, and the server responds with “/”. So I’m in the root. Nice.
So what’s in the root directory, anyhow? I type in LIST. Here’s what I get back:
425 Use PORT or PASV first.
And here’s where it gets interesting. This Telnet session I’ve got here is like a control window. But if I want any actual data from the server, I’m going to need to either open up one of my ports (and do some port-forwarding on my router) to receive it (PORT), or connect to another port that the FTP server can pipe data through (with PASV).
I’d rather not go through all of the trouble of port-forwarding, so I’m going to choose the latter. I type in PASV. The server responds with:
227 Entering Passive Mode (63,245,208,138,225,55)
So what does that big string of numbers mean? The first 4 are the IP address I’m to connect to (220.127.116.11). The last two tell me what PORT to connect to. The formula to determine the port number is N1*256 + N2. N1, in this case, is 225. N2 is 55. So 225*256 + 55 is 57655.
So I open another Telnet in a separate window, connect to 18.104.22.168 on port 57655, and get….
Yep, just a blank. I’ve made the connection, but I haven’t asked for any data, so there’s nothing for the connection to say.
However, if I type LIST again in the command window, I get
150 Here comes the directory listing.
226 Directory send OK.
sent into the control window, and
-rw-r--r-- 1 ftp ftp 528 Nov 01 2007 README
-rw-r--r-- 1 ftp ftp 560 Sep 28 2007 index.html
drwxr-xr-x 34 ftp ftp 4096 Nov 24 23:32 pub
Connection closed by foreign host.
pumped into my data window. Notice that the connection closed in the data window. That means that, for every bit of data I want, I either need to redo the whole PASV thing, or supply a PORT that the server can connect to. Bleh.
Let’s see what else I can do. I type in “CWD pub” to change to the pub directory. Using PASV and LIST, I get the following from another data window:
drwxrwxr-x 3 ftp ftp 4096 Jun 05 2002 OJI
-rw-rw-r-- 1 ftp ftp 1144 Jul 03 2001 README
drwxr-xr-x 5561 ftp ftp 430080 Nov 24 22:14 addons
drwxr-xr-x 2 ftp ftp 4096 Jul 05 2005 artwork
drwxr-xr-x 2 ftp ftp 4096 Jun 13 2008 bouncer
drwxrwxr-x 5 ftp ftp 4096 Apr 20 2009 calendar
drwxrwxr-x 6 ftp ftp 4096 Aug 11 2008 camino
drwxr-xr-x 16 ftp ftp 4096 Oct 16 2006 cck
drwxrwxr-x 3 ftp ftp 4096 Jul 10 2004 chimera
drwxrwxr-x 12 ftp ftp 4096 Aug 31 2001 data
drwxrwxr-x 8 ftp ftp 4096 Jun 19 2007 directory
drwxr-xr-x 4 ftp ftp 4096 May 17 2005 diskimages
drwxrwxr-x 4 ftp ftp 4096 Jul 26 2008 extensions
drwxrwxr-x 4 ftp ftp 4096 May 16 2003 firebird
drwxrwxr-x 5 ftp ftp 4096 Aug 12 2008 firefox
drwxrwxr-x 3 ftp ftp 4096 Aug 07 1999 grendel
drwxrwxr-x 5 ftp ftp 4096 Mar 22 2009 js
drwxrwxr-x 4 ftp ftp 4096 Oct 22 2004 l10n-kits
drwxrwxr-x 2 ftp ftp 4096 Nov 24 20:28 labs
-rw-r--r-- 1 ftp ftp 1868178 Sep 17 2003 ls-lR
-rw-rw-r-- 1 ftp ftp 169159 Sep 17 2003 ls-lR.gz
drwxr-sr-x 4 ftp ftp 4096 Sep 15 2005 minimo
drwxrwsr-x 12 ftp ftp 4096 Nov 11 06:09 mobile
drwxrwxr-x 15 ftp ftp 4096 Jan 04 2008 mozilla
lrwxrwxrwx 1 ftp ftp 1 Sep 15 2006 mozilla.org -> .
drwxrwxr-x 2 ftp ftp 4096 Aug 25 1998 msgsdk
drwxrwxr-x 5 ftp ftp 4096 Jul 09 2002 nspr
drwxrwxr-x 4 ftp ftp 4096 Sep 23 2002 phoenix
drwxrwxr-x 3 ftp ftp 4096 Aug 03 2000 profiles
drwxrwxr-x 6 ftp ftp 4096 Aug 12 2008 seamonkey
drwxrwxr-x 5 ftp ftp 4096 May 04 2006 security
drwxr-xr-x 5 ftp ftp 4096 Aug 13 2008 static-analysis
drwxrwxr-x 8 ftp ftp 4096 Sep 24 19:03 thunderbird
drwxrwsr-x 4 ftp ftp 20480 Nov 19 02:26 webtools
drwxrwxr-x 6 ftp ftp 4096 Aug 11 2008 xulrunner
drwxr-xr-x 2 ftp ftp 4096 Sep 12 05:51 zz
Connection closed by foreign host.
Nice. Alright, now let’s see if I can download one of those files. I’m going to try to download README. Using PASV, I create a new data window, and then I type:
And, after a little wait, my data window gets:
Welcome to ftp.mozilla.org!
This is the main distribution point of software and developer tools
related to the Mozilla project. For more information, see our home
page (http://www.mozilla.org/) Go here to download Netscape Communicator:
A list of ftp.mozilla.org's mirror sites can be found at:
This site contains source code that is subject to the U.S. Export
Administration Regulations and other U.S. law, and may not be exported
or re-exported to certain countries (currently Afghanistan (Taliban
controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria) or to persons or entities prohibited from receiving U.S.
exports (including Denied Parties, entities on the Bureau of Export
Administration Entity List, and Specially Designated Nationals).
If you plan to mirror our site read our crypto FAQ. Send mail to
email@example.com to be added to our mirrors list.
We do not guarantee that any source code or executable code
available from the mozilla.org domain is Year 2000 compliant.
Connection closed by foreign host.
Awesome! I think I have enough information to come up with some kind of signature.
What, you think I figured all this stuff out alone? No way – I had some help: