FTP Attacks
In the realm of cybersecurity, staying one step ahead of potential threats is paramount. To do so, security professionals often engage in simulated exercises to understand how attackers operate and develop strategies for defense. In this blog post, we will delve into a hands-on lab activity that covers network discovery, FTP attacks, and network defense. We'll explore the tools and techniques used, analyze the findings, and understand how these experiences contribute to strengthening cybersecurity practices.
Part 1 – Network Discovery and Detection
ARP Protocol for Network Discovery: In this lab, we began by identifying the protocol used for network discovery, which turned out to be ARP (Address Resolution Protocol). ARP plays a crucial role in mapping IP addresses to MAC addresses within a local network. It's a fundamental step in understanding the devices on the network.
Threat Actor's IP Address: We discovered the IP address of the threat actor's system, which was 192.168.1.50. This information is vital for tracking and further analysis.
Devices on the Network: Network discovery revealed nine devices that were up and running. Understanding the active devices is essential for identifying potential vulnerabilities and unauthorized access.
Device Identification: We leveraged the MAC address to identify the threat actor's device. By using a MAC address lookup tool, we gained insights into the manufacturer of the device, aiding in potential attribution.
Filtering ARP Traffic: To focus specifically on ARP traffic originating from the threat actor's MAC address, we used a tshark command. This filter helps in isolating relevant network traffic for deeper analysis.
Part 2 – FTP Brute Force Attack & Detection
FTP Server and Version Identification: The lab involved simulating an FTP brute force attack. We first identified the FTP server in use, which was vsftpd 2.3.4. Understanding the FTP server version is crucial for assessing vulnerabilities.
Command: $ nmap --script ftp-brute -p 21 <ip-of-your-metasploitable>
Username Capture: Using tshark, we captured and analyzed the usernames sent during the brute force attack. This step is essential for understanding the attacker's tactics and potential targets.
Command: $ tshark -r ftpbruteforce.pcap -Y "ftp.request.command == USER"
Password Capture: Similar to usernames, we also captured and analyzed the passwords sent during the attack. This information helps in assessing the strength of passwords used and the attacker's persistence.
Command: $ tshark -r ftpbruteforce.pcap -Y "ftp.request.command == PASS"
Hunting the Attack: We utilized Kibana to search for patterns associated with the brute force attack. By focusing on failed FTP login attempts, we could pinpoint suspicious activities in the network.
Identifying the Most Frequently Sent Username: NetworkMiner was employed to identify the username sent most frequently, strongly indicating a brute force attack. Suspicious usernames, like "395," suggest systematic password guessing.
After analyzing the output, it's clear that numerous usernames were sent during the FTP brute force attack. What stands out is that "395" appears with the highest count, strongly implying that "395" is the username that the attacker sent most frequently.
However, it's crucial to emphasize that "395" doesn't look like a legitimate username by any means. This raises the suspicion that it is a product of the brute force attack's systematic attempt to try many usernames. This finding strongly supports the hypothesis that our FTP server is indeed under a brute-force attack. A value like "395" would not appear as a username in normal operation, which further solidifies this suspicion.
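As an added example (not code from the original post), here are the two checks above turned into a small script: the most frequently sent USER value (the NetworkMiner finding) and the number of failed logins per client (the Kibana hunt), run over constructed tshark field output. The threat actor address is the lab's; the server and legitimate client addresses are assumed.

```python
from collections import Counter

# Constructed sample (not a real capture) shaped like tab-separated output of:
#   tshark -r ftpbruteforce.pcap -T fields -e ip.src -e ip.dst \
#          -e ftp.request.command -e ftp.request.arg -e ftp.response.code
# 192.168.1.50 is the lab's threat actor; the server (.20) and the legitimate
# client (.7) are assumed addresses. Absent fields are empty.
SAMPLE = """\
192.168.1.50\t192.168.1.20\tUSER\t395\t
192.168.1.20\t192.168.1.50\t\t\t331
192.168.1.50\t192.168.1.20\tPASS\t12345\t
192.168.1.20\t192.168.1.50\t\t\t530
192.168.1.50\t192.168.1.20\tUSER\t395\t
192.168.1.20\t192.168.1.50\t\t\t331
192.168.1.50\t192.168.1.20\tPASS\tletmein\t
192.168.1.20\t192.168.1.50\t\t\t530
192.168.1.50\t192.168.1.20\tUSER\tadmin\t
192.168.1.20\t192.168.1.50\t\t\t331
192.168.1.50\t192.168.1.20\tPASS\tadmin\t
192.168.1.20\t192.168.1.50\t\t\t530
192.168.1.7\t192.168.1.20\tUSER\tmsfadmin\t
192.168.1.20\t192.168.1.7\t\t\t331
192.168.1.7\t192.168.1.20\tPASS\tmsfadmin\t
192.168.1.20\t192.168.1.7\t\t\t230
"""

def parse_tshark_fields(text):
    """Yield (src, dst, command, arg, code) tuples, padding short rows with ''."""
    for line in text.splitlines():
        if line.strip():
            parts = line.split("\t")
            yield tuple((parts + [""] * 5)[:5])

def analyze_ftp(records, fail_threshold=3):
    """Count USER values (the NetworkMiner check) and 530 'Login incorrect' replies
    per client (the Kibana failed-login hunt); flag clients at or over the threshold."""
    users = Counter()
    failed = Counter()
    for src, dst, cmd, arg, code in records:
        if cmd == "USER":
            users[arg] += 1
        elif code == "530":
            failed[dst] += 1  # a 530 travels server -> client, so the client is ip.dst
    top_user, top_count = users.most_common(1)[0] if users else (None, 0)
    suspects = {ip: n for ip, n in failed.items() if n >= fail_threshold}
    return {"top_user": top_user, "top_count": top_count,
            "failed_by_client": dict(failed), "suspects": suspects}
```

The successful msfadmin login from the assumed legitimate client never produces a 530, so it is not flagged even though its USER value is counted.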
Conclusion
Simulated exercises like this lab activity provide invaluable insights into real-world cybersecurity challenges. They help security professionals understand the tactics employed by threat actors, detect vulnerabilities, and develop strategies for defense.
By identifying network discovery protocols, uncovering attack patterns, and practicing exploitation detection, security practitioners can strengthen their organization's cybersecurity posture. Tools like Wireshark, Nmap, Metasploit, and Kibana are essential in these endeavors.
In a constantly evolving threat landscape, staying informed, practicing hands-on exercises, and leveraging the right tools are critical components of a robust cybersecurity strategy. This lab activity serves as a reminder that proactive defense is the key to mitigating security risks and protecting sensitive information.
Author:
Hasan Hashim
Cyber Security and Digital Forensics