Network Traffic Analysis: vsftp.pcap

Executive Summary

Critical Finding: The analysis reveals a successful attempt at unauthorized access via FTP, resulting in the retrieval of sensitive system files.

The tcpdump output reveals a clear attempt at unauthorized access and potential exploitation of the target system. The attacker (172.17.0.1) is attempting to gain access via FTP and is actively probing for information.

Commands issued include:

cat /etc/passwd
cat /etc/shadow

The successful retrieval of /etc/shadow is a critical security breach, as this file contains hashed passwords. This indicates a compromised system or a successful brute-force/credential stuffing attack.

Identified Attack Vectors

1. Identities

Role	IP Address	MAC Address
Attacker	172.17.0.1	8e:de:56:b4:41:2b
Victim	172.17.0.2	da:4d:73:6b:0f:cc

2. Technical Details

Protocol: TCP, FTP
Ports: Destination Port 21 (FTP), Port 6200 (Secondary communication)
Attack Type: Information Disclosure / Credential Theft

3. Hacking Timeline (Oct 26, 2023)

14:57:38: ARP requests establish communication.
14:57:38: TCP SYN packet to Port 21 (Connection Established).
14:57:38 - 14:58:03: Command Execution:
- USER pVOE:)
- PASS 2p
- whoami (Privilege Check)
- cat /etc/passwd (User enumeration)
- cat /etc/shadow (Password hash theft)
- exit

Recommended Remediation

Immediate Actions

Isolate the System: Disconnect the affected machine (172.17.0.2) from the network immediately.
Credential Reset: Change all user passwords, specifically focusing on accounts found in /etc/shadow.
Log Review: examine system logs for lateral movement or persistence.

Security Hardening

Disable Plain FTP: Switch to SFTP (SSH) or FTPS to encrypt traffic. FTP transmits credentials in cleartext.
Firewall Rules: Restrict port 21/6200 access to authorized IPs only.
Least Privilege: Ensure FTP users are chrooted and cannot access system files like /etc/shadow.

Monitoring

Deploy IDS/IPS (like Suricata) to detect specific FTP command patterns.
Enable verbose logging on the FTP server.

Suricata Detection Rules

The following signatures can be deployed to detect this specific attack pattern.

Rule Set

alert ftp any any -> any 21 (msg:"FTP Command - Attempt to read /etc/passwd"; content:"cat /etc/passwd"; sid:1000001; rev:1;)

alert ftp any any -> any 21 (msg:"FTP Command - Attempt to read /etc/shadow"; content:"cat /etc/shadow"; sid:1000002; rev:1;)

alert ftp $HOME_NET any -> any 21 (msg:"FTP Command - Suspicious command execution"; content:"|whoami|"; sid:1000003; rev:1;)

alert ftp $HOME_NET any -> any 21 (msg:"FTP Command - Potential credential theft"; content:"cat /etc/"; sid:1000004; rev:1;)

alert tcp $HOME_NET any -> any 21 (msg:"FTP - Possible Brute Force"; flow:established,to_server; content:"USER "; depth:5; nocase; sid:1000005; rev:1;)

Rule Breakdown

$HOME_NET: Variable representing internal network.
flow:established,to_server: Inspects traffic inside an active connection sent to the server.
content: The specific ASCII string (payload) triggering the alert.
sid: Unique Signature ID.

Knowledge Check

Test your understanding of the analysis report.

1. What is the primary attack vector identified in this analysis?

SQL Injection Information Disclosure via FTP Cross-Site Scripting (XSS) SSH Brute Force

2. Which critical file containing hashed passwords did the attacker successfully retrieve?

/var/log/auth.log /etc/passwd /etc/shadow /home/user/passwords.txt

3. What is the IP address of the attacker?

172.17.0.2 192.168.1.1 127.0.0.1 172.17.0.1

4. Besides Port 21, what other port was observed in the communication?

80 443 6200 22

5. Which Suricata keyword is used to perform a case-insensitive search?

nocase insensitive depth flow