FTP: The Forgotten Cloud
Drew Springall, Zakir Durumeric, and J. Alex Halderman
University of Michigan

FTP - File Transfer Protocol
- Simple text-based protocol
- View and traverse the directory structure
- Upload and download files

FTP Implementations
[Screenshot of a WS_FTP client session: local and remote file panes (readme, ws_ftp32.zip), with the log "150 Opening ASCII mode data connection for /bin/ls", "Received 549 bytes in 0.1 secs (50.00 Kbps), transfer succeeded", "226 Transfer complete"]

FTP is Old (timeline, 1970-2016)
- 1971 FTP
- 1972 C programming language
- 1978 x86 chip (8086)
- 1983 Apple IIe
- 1990 World Wide Web
- 1995 Windows 95
- 1998 Google

FTP Replacements (timeline, 1970-2016)
- 1971 FTP
- 1985 FTP over TCP
- 1995 SSH / SCP
- 1996 HTTP
- 2001 BitTorrent
- 2007 Dropbox

It's Still Here
- 13.8M FTP servers
- 1.1M publicly-accessible (anonymous) FTP servers
- 600M visible files and directories

Questions
- What is the state of FTP in 2015?
- Is sensitive data being shared on FTP?
- Is FTP being used by malicious actors?
- What vulnerabilities still exist in FTP?

Outline
- FTP Protocol
- Methodology
- What is the state of FTP in 2015?
- Is sensitive data being shared on FTP?
- Is FTP being used by malicious actors?
- What vulnerabilities still exist in FTP?
- Conclusions

FTP Protocol

FTP Commands
- USER - send username
- PASS - send password
- CWD - change working directory
- PWD - print working directory
- PORT / PASV - set up the secondary (data) TCP connection
- LIST - display directory contents
- RETR - retrieve a file

FTP Replies
- 3-digit response code plus an optional text message
- 200 - OK
- 331 - User OK, send password
- 230 - User logged in
- 5xx - Error

Authentication
  Client: USER username
  Server: 331 Send password
  Client: PASS password
  Server: 230 User logged in

Anonymous Authentication
  Client: USER anonymous
  Server: 331 Send password
  Client: PASS <contact e-mail>
  Server: 230 User logged in
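The login exchange on the Authentication and Anonymous Authentication slides, as an added example (this is not code from the paper or from its ftp-enumerator tool): a raw-socket client that performs the USER/PASS handshake, and a scripted server on localhost that answers it so the exchange runs offline. The reply parser handles multi-line replies (a `-` after the code, as in `220-...`). The server's messages, the contact e-mail address and the host/port are constructed for the example.

```python
"""Control-channel exchange for an anonymous FTP login, run against a scripted
server on localhost.  Added example for this page; not the paper's scanner."""
import io
import socket
import threading
from typing import Tuple


def read_reply(rfile) -> Tuple[int, str]:
    """Read one complete FTP reply from a binary file object.

    A reply is a 3-digit code, a space and text.  A '-' after the code marks
    the first line of a multi-line reply, which ends at the line that repeats
    the code followed by a space (RFC 959, section 4.2).
    """
    first = rfile.readline().decode("latin-1")
    if not first:
        raise ConnectionError("server closed the control connection")
    if len(first) < 4 or not first[:3].isdigit():
        raise ValueError(f"malformed reply: {first!r}")
    code = first[:3]
    lines = [first.rstrip("\r\n")]
    if first[3] == "-":
        while True:
            line = rfile.readline().decode("latin-1")
            if not line:
                raise ConnectionError("connection closed inside multi-line reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return int(code), "\n".join(lines)


def parse_reply_bytes(data: bytes) -> Tuple[int, str]:
    """Parse a reply captured as bytes (wrapper around read_reply)."""
    return read_reply(io.BytesIO(data))


def anonymous_login(host: str, port: int, email: str = "user@example.com",
                    timeout: float = 5.0) -> Tuple[int, int, str]:
    """Attempt an anonymous login; return (banner_code, final_code, final_text).

    230 means the anonymous account is enabled, 530 means it was refused.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner_code, _ = read_reply(rfile)
        sock.sendall(b"USER anonymous\r\n")
        code, text = read_reply(rfile)
        if code == 331:  # password requested: by convention the contact e-mail
            sock.sendall(b"PASS " + email.encode("ascii") + b"\r\n")
            code, text = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)  # 221 Goodbye
        return banner_code, code, text


def scripted_server(allow_anonymous: bool) -> int:
    """Start a one-connection FTP-like server on 127.0.0.1 in a background
    thread.  It speaks only USER, PASS and QUIT (constructed for this example)
    and returns the port it listens on."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve() -> None:
        conn, _ = listener.accept()
        listener.close()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220-Constructed FTP server for the example\r\n"
                         b"220 Ready.\r\n")
            user = None
            while True:
                line = rfile.readline().decode("latin-1").rstrip("\r\n")
                if not line:
                    break
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif verb == "PASS":
                    if allow_anonymous and user in ("anonymous", "ftp"):
                        conn.sendall(b"230 Login successful.\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect.\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"530 Please login with USER and PASS.\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for allowed in (True, False):
        p = scripted_server(allowed)
        print("anonymous enabled:", allowed, "->", anonymous_login("127.0.0.1", p))
```

The only state the client keeps is the last reply code, which is all an enumerator needs: 331 means send the password, 230 means the server is an anonymous server and directory traversal can start, anything in the 5xx range means stop. Note that a successful login is 230, not the generic 200 shown on some slides.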
Methodology

Scanning and Enumeration
- ZMap tool chain
- Custom protocol scanner
- Available at github.com/aaspring/ftp-enumerator

Data Collection
- Parse the banner
- Log in via the anonymous user
- Parse robots.txt
- Traverse the directory structure
- Collect feature, help and status output (FEAT, HELP, STAT)
- Collect the FTPS certificate if available

Ethical Considerations
- Scanning best practices
- Limited number and frequency of commands to each server
- No guessing of usernames or passwords
- No downloading of files en masse

What is the state of FTP in 2015?

How prevalent is FTP?
| Measurement | Count | Share |
|---|---|---|
| IPs scanned | 3,684,755,175 | 85.79% of address space |
| Open port 21 | 21,832,903 | 0.59% of scanned IPs |
| FTP servers | 13,789,641 | 63.16% of IPs with port 21 open |
| Anonymous FTP servers | 1,123,326 | 8.15% of responsive FTP servers |

Who has the most anonymous FTP servers?
(FTP-server share is relative to IPs advertised; anonymous share is relative to FTP servers)
| AS | IPs advertised | FTP servers | Anonymous FTP servers |
|---|---|---|---|
| home.pl S.A. | 205,312 | 136,765 (66.61%) | 103,175 (75.44%) |
| AS46606 Unified Layer | 516,864 | 246,470 (47.69%) | 44,273 (17.96%) |
| AS2914 NTT America Inc | 7,880,192 | 298,468 (3.79%) | 36,045 (12.08%) |
| AS20013 CyrusOne LLC | 111,360 | 64,790 (58.18%) | 30,772 (47.50%) |
| AS40676 Networks | 641,024 | 64,233 (10.02%) | 27,507 (42.82%) |
| AS34011 domainfactory | 93,440 | 21,153 (22.64%) | 19,077 (90.19%) |
| AS4134 Chinanet | 120,757,504 | 464,384 (0.39%) | 18,996 (4.09%) |
| AS18978 Enzu Inc | 727,808 | 73,541 (10.11%) | 17,510 (23.81%) |
| AS18779 EGIHosting | 1,890,304 | 27,804 (1.43%) | 16,329 (58.73%) |
| AS4766 Korea Telecom | 53,733,632 | 211,479 (0.39%) | 16,222 (7.67%) |

What kind of devices use FTP?
| Server classification | All FTP servers | Anonymous FTP servers |
|---|---|---|
| Generic server | 5,957,969 (43.21%) | 704,276 (62.66%) |
| Hosted server | 1,795,596 (13.02%) | 174,198 (15.50%) |
| Embedded server | 1,786,656 (12.95%) | 93,484 (8.32%) |
| Unknown | 4,249,417 (30.82%) | 151,927 (13.52%) |

What embedded devices use FTP?
| Device | Found | Anonymous | Anonymous share |
|---|---|---|---|
| QNAP Turbo NAS | 57,655 | 1,637 | 2.84% |
| ASUS wireless routers | 52,938 | 5,891 | 11.13% |
| Synology NAS devices | 43,159 | 2,942 | 6.82% |
| Buffalo NAS storage | 22,558 | 8,870 | 39.32% |
| ZyXEL / MitraStar NAS | 9,456 | 310 | 3.28% |
| RICOH printers | 8,696 | 7,606 | 87.47% |
| LaCie storage | 4,558 | 2,919 | 64.04% |
| Lexmark printers | 3,908 | 3,896 | 99.69% |
| Xerox printers | 3,130 | 2,906 | 92.84% |
| Dell printers | 2,555 | 2,515 | 98.43% |
| WiFi routers | 2,174 | 624 | 28.72% |
| Lutron HomeWorks processor | 1,006 | 1,003 | 99.70% |
| Seagate storage devices | 629 | 594 | 94.44% |

| Device | Found | Anonymous |
|---|---|---|
| DSL modem | 152,520 | 49 |
| DSL modem | 29,376 | 1 |
| AXIS physical security device | 20,002 | 58 |
| ZTE WiMax router | 14,245 | 0 |
| Speedport DSL modem | 13,677 | 0 |
| Dreambox set-top box | 12,298 | 0 |
| Unified Security Gateway | 11,964 | 0 |
| Alcatel router | 10,383 | 0 |
| DrayTek network devices | 4,161 | 0 |

Is sensitive data being shared on FTP?

Obvious Examples
- SSL_certificate_backup/
  - SSL_certificate.pem
  - SSL_priv_key.pem
  - password.txt

Non-Obvious Examples (ambiguous or non-English names)
- backup/
  - June-Dec.der
  - .cer
  - key4.txt
  - .pem

Difficulties
- Personalized naming
- Mix of languages
- What to look for
- How to measure

What data is being exposed?
| Type | File | Servers | Files | Readable | Non-readable |
|---|---|---|---|---|---|
| Financial information | TurboTax export | 464 | 8,190 | 8,139 | 45 |
| Financial information | Quicken data | 440 | 7,702 | 7,652 | 24 |
| Password databases | KeePass / KeePassX | 210 | 1,812 | 1,762 | 44 |
| Password databases | 1Password | 11 | 24 | 23 | 1 |
| Key material | SSH host private keys | 819 | 1,597 | 139 | 31 |
| Key material | PuTTY SSH client keys | 82 | 128 | 98 | 30 |
| Key material | priv.pem files | 701 | 1,397 | 1,335 | 60 |
| | shadow files | 590 | 718 | 238 | 7 |
| | .pst files | 2,419 | 12,636 | 10,918 | |

Irresponsible Devices / Responsible Devices
From the Synology DSM user guide, chapter "Access Files from Anywhere":
"When you have set up users or groups with proper access privileges to the shared folders, they can share their files with your Synology NAS from anywhere. This chapter explains the ways to access the Synology NAS shared folders within the local network or over the Internet. For more detailed instructions, please see DSM Help."
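What "readable" versus "non-readable" means in the exposure table above comes from the permission bits in the LIST output, and the world-writable check on the next slide rests on the same listing. As an added example (not the paper's code; the slides do not give its exact matching rules), the block below parses UNIX- and DOS-style LIST lines, matches file names against the categories of the table, decides readability from the permission string, and spots the marker files of a world-writable drop. The file-name patterns, the readability rule (others-read bit, or owner-read when the owner is the anonymous account) and the sample listing are my assumptions; the listing is constructed, not captured from any host.

```python
"""Parse LIST output, flag the sensitive-file categories from the exposure
table, and record readability.  Added example for this page; patterns, the
readability rule and the sample listing are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed UNIX- and DOS-style LIST lines; not captured from any real host.
SAMPLE_LISTING = """\
drwxr-xr-x    2 ftp      ftp          4096 Jan 05  2015 incoming
-rw-r--r--    1 ftp      ftp       1048576 Mar 12  2014 Archive.pst
-rw-------    1 root     root        38221 Mar 12  2014 Outlook-2012.pst
-rw-r--r--    1 ftp      ftp          4096 Jun 01  2015 Database.kdbx
-rw-r--r--    1 ftp      ftp          1679 Feb 20  2013 ssh_host_rsa_key
-r--------    1 root     root         1679 Feb 20  2013 ssh_host_dsa_key
-rw-r--r--    1 ftp      ftp          3243 May 09  2015 server-priv.pem
-rw-r-----    1 ftp      ftp           913 May 09  2015 shadow
-rw-r--r--    1 ftp      ftp           512 Apr 03  2015 w0000000t.txt
-rw-r--r--    1 ftp      ftp         10240 Dec 24  2014 Urlaub-Fotos.zip
03-12-14  02:11PM                38221 Budget.qdf
"""

UNIX_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+\S+\s+(\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2})\s+(.+?)(?:\s->\s.*)?$")
DOS_LINE = re.compile(r"^\d{2}-\d{2}-\d{2,4}\s+\d{2}:\d{2}[AP]M\s+(<DIR>|\d+)\s+(.+)$")

# Accounts an anonymous session usually runs as: owner-read then means readable.
ANONYMOUS_OWNERS = {"ftp", "anonymous", "nobody"}

# (category, file-name pattern).  Extensions are assumptions drawn from the
# products named in the exposure table.
PATTERNS = [
    ("financial", re.compile(r"\.(tax\d{0,4}|txf|qdf|qif)$", re.I)),
    ("password-db", re.compile(r"\.(kdbx?|agilekeychain|opvault)$", re.I)),
    ("ssh-host-key", re.compile(r"^ssh_host_\w+_key$")),
    ("putty-key", re.compile(r"\.ppk$", re.I)),
    ("priv-pem", re.compile(r"priv.*\.pem$", re.I)),
    ("shadow", re.compile(r"^shadow-?$")),
    ("pst", re.compile(r"\.pst$", re.I)),
    # Marker files named on the world-writable slide: one present means an
    # anonymous upload succeeded on this server at some point.
    ("writable-marker", re.compile(r"^(w0000000t\.txt|hello[ _]world\.txt)$", re.I)),
]


@dataclass
class Entry:
    name: str
    is_dir: bool
    readable: str            # "yes", "no" or "unknown"
    category: Optional[str]  # None when the name matches no pattern


def classify(name: str) -> Optional[str]:
    for category, pattern in PATTERNS:
        if pattern.search(name):
            return category
    return None


def parse_list_line(line: str) -> Optional[Entry]:
    m = UNIX_LINE.match(line)
    if m:
        perms, owner, _size, name = m.groups()
        others_read = perms[7] == "r"
        owner_read = perms[1] == "r" and owner in ANONYMOUS_OWNERS
        readable = "yes" if (others_read or owner_read) else "no"
        return Entry(name, perms[0] == "d", readable, classify(name))
    m = DOS_LINE.match(line)
    if m:
        kind, name = m.groups()
        # DOS-style listings carry no permission bits, so readability stays
        # unknown unless a RETR is tried, which the scan deliberately avoided.
        return Entry(name, kind == "<DIR>", "unknown", classify(name))
    return None


def scan_listing(text: str) -> List[Entry]:
    return [e for e in (parse_list_line(l) for l in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, Dict[str, int]]:
    """Per category: files found and how many were readable / not / unknown,
    the same breakdown as the exposure table."""
    column = {"yes": "readable", "no": "non_readable", "unknown": "unknown"}
    summary: Dict[str, Dict[str, int]] = {}
    for e in entries:
        if e.category is None or e.is_dir:
            continue
        row = summary.setdefault(e.category, {"files": 0, "readable": 0,
                                              "non_readable": 0, "unknown": 0})
        row["files"] += 1
        row[column[e.readable]] += 1
    return summary


def looks_world_writable(entries: List[Entry]) -> bool:
    """Lower-bound test from the world-writable slide: a marker file is present."""
    return any(e.category == "writable-marker" for e in entries)


if __name__ == "__main__":
    found = scan_listing(SAMPLE_LISTING)
    for category, row in sorted(summarize(found).items()):
        print(f"{category:16} {row}")
    print("world-writable marker present:", looks_world_writable(found))
```

The per-entry "unknown" outcome is what produces the unk-readable column: a server that returns DOS-style or otherwise non-standard listings gives no permission bits, and the ethical constraint of not fetching files means the question cannot be settled by trying a RETR.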
Is FTP being used by malicious actors?

World-Writable FTP
- The anonymous user can upload files
- Indicated by the presence of known marker files: w0000000t.txt, php sjutd.txt, hello world.txt
- 19.4K world-writable servers (lower bound)

Server-side Scripting
- 9M IPs have both an FTP and an HTTP server
- 2.1M explicitly indicate a PHP or ASP.NET engine
- Remote access tools: 724 servers
- UDP DDoS infrastructure: 1,792 servers
- ftpchk3 multi-stage campaign: 1,264 servers

Other Assorted Campaigns
- "really cool software cracking" advertisement: 2,095 servers
- Candy-dropping malware
- WaReZ drops (directory naming pattern: year, month, day, time, p): 4,868 servers

What vulnerabilities still exist in FTP?

Implementation Vulnerabilities
| Implementation | Vulnerability | CVSS score | Number of IPs |
|---|---|---|---|
| ProFTPD | CVE-2015-3306 | 10.0 | 300,931 |
| ProFTPD | CVE-2013-4359 | 5.0 | 24,420 |
| ProFTPD | CVE-2012-6095 | 1.2 | 1,098,629 |
| ProFTPD | CVE-2011-4130 | 9.0 | 646,072 |
| ProFTPD | CVE-2011-1137 | 5.0 | 646,072 |
| Pure-FTPd | CVE-2011-1575 | 5.8 | 3,305 |
| Pure-FTPd | CVE-2011-0418 | 4.0 | 3,309 |
| vsftpd | CVE-2015-1419 | 5.0 | 658,767 |
| vsftpd | CVE-2011-0762 | 4.0 | 125,090 |
| Serv-U | CVE-2011-4800 | 9.0 | 244,060 |

PORT Bounce
Normal active transfer:
  Client -> Server: PORT <client IP, port>
  Server -> Client: 200 OK
  Server opens a TCP connection to the client.
Bounce:
  Client -> Server: PORT <victim IP, port>
  Server -> Client: 200 OK
  Server opens a TCP connection to the victim; whether it succeeds or fails tells the client whether that port is reachable from the server.
- 143K servers vulnerable
- Including servers inside firewalls
- Known since the CERT/CC advisory "FTP Bounce" (Software Engineering Institute, Carnegie Mellon University): original issue date December 10, 1997; last revised July 26, 2002 (updated links, wu-ftpd, SGI and HP information)
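The implementation table above is a banner-version exercise: a greeting such as `220 ProFTPD 1.3.5 Server` is mapped to the CVEs whose affected range covers that version. The block below does that mapping, as an added example that is not the paper's code. The banner formats and the version ranges are my assumptions (the ranges as I recall them from the public advisories for those CVEs; only the page's CVEs whose ranges I am confident of are included) and should be checked against the NVD entries before use. The caveat a practitioner wants: distributions backport fixes without bumping the advertised version, and operators can hide or rewrite the banner (ProFTPD's ServerIdent, for example), so a match is evidence of exposure, not proof, and a miss proves nothing.

```python
"""Map an FTP greeting banner to an implementation and version, then to the
CVEs from the table above whose affected range covers it.  Added example;
banner formats and version ranges are assumptions to be checked against NVD."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Greeting formats as the stock builds emit them (assumed; many are customised).
BANNER_FORMS = [
    ("ProFTPD", re.compile(r"ProFTPD\s+(\d+(?:\.\d+)+[a-z]?)", re.I)),
    ("vsftpd", re.compile(r"vsFTPd\s+(\d+(?:\.\d+)+)", re.I)),
    ("Pure-FTPd", re.compile(r"Pure-FTPd\s+(\d+(?:\.\d+)+)", re.I)),
    ("Serv-U", re.compile(r"Serv-U\s+FTP\s+Server\s+v(\d+(?:\.\d+)+)", re.I)),
]

# (implementation, first affected version (inclusive), first fixed version
# (exclusive), CVE, CVSS).  Ranges are assumptions from the advisories.
RULES = [
    ("ProFTPD", "1.3.5", "1.3.5a", "CVE-2015-3306", 10.0),
    ("vsftpd", "0", "3.0.3", "CVE-2015-1419", 5.0),
    ("vsftpd", "0", "2.3.3", "CVE-2011-0762", 4.0),
    ("Pure-FTPd", "0", "1.0.30", "CVE-2011-1575", 5.8),
    ("Serv-U", "0", "11.1.0.5", "CVE-2011-4800", 9.0),
]


def parse_version(text: str) -> Version:
    """'1.3.5a' -> (1, 3, 5, 0, 1): numeric parts padded to four, then a
    suffix letter (a=1, b=2, ...) so that 1.3.5a sorts after 1.3.5."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z])?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(numbers) + (suffix,)


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (implementation, version text) or None for an unrecognised banner."""
    for name, form in BANNER_FORMS:
        m = form.search(banner)
        if m:
            return name, m.group(1)
    return None


def matching_cves(banner: str) -> List[str]:
    """CVEs whose affected range covers the version advertised in the banner.
    An empty list means 'no evidence', not 'patched'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    name, version_text = parsed
    version = parse_version(version_text)
    return sorted(cve for impl, lo, hi, cve, _ in RULES
                  if impl == name and parse_version(lo) <= version < parse_version(hi))


if __name__ == "__main__":
    # Constructed banners, not captured from real hosts.
    for banner in ("220 ProFTPD 1.3.5 Server (Debian) [::ffff:203.0.113.5]",
                   "220 ProFTPD 1.3.5a Server (ProFTPD Default Installation)",
                   "220 (vsFTPd 2.2.2)",
                   "220 Serv-U FTP Server v11.0 ready...",
                   "220 Synology FTP server ready."):
        print(f"{banner!r:60} -> {parse_banner(banner)} {matching_cves(banner)}")
```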
Conclusions
- Documentation and interfaces for consumer products need re-evaluation
- Malicious actors are aware of, and actively exploiting, FTP access
- FTP is still around, still exposes information, and still puts users at risk

Backup slides

Data Transfer
Active (client listens):
  Client -> Server: PORT <IP, port>
  Server -> Client: 200 OK
  Server opens the data TCP connection to the client.
Passive (server listens):
  Client -> Server: PASV
  Server -> Client: 227 <IP, port>
  Client opens the data TCP connection to the server.

PORT Bounce (with retrieval)
  Client -> Server: PORT <victim IP, port>
  Server -> Client: 200 OK
  Server -> Victim: TCP connection (success or failure)
  Client -> Server: RETR file
  Server -> Victim: file contents

Responsible Devices (share of each exposure type by device class)
| Device class | Sensitive documents | Photo libraries | Root file systems | Scripting source | All |
|---|---|---|---|---|---|
| Generic | 26.29% | 39.98% | 10.54% | 72.51% | 56.05% |
| NAS | 7.08% | 12.35% | 0.68% | 1.74% | 4.54% |
| Embedded router | 20.16% | 11.52% | 1.30% | 3.26% | 6.31% |
| Other | 0.18% | 0.01% | 0.00% | 2.36% | 1.45% |
| Hosting | 0.12% | 3.12% | 0.00% | 3.48% | 3.00% |
| Unknown | 45.54% | 33.00% | 87.34% | 16.56% | 28.67% |

Non-Academic Enumeration
[Screenshot of the NAPALM FTP Indexer search page: "Searching 939,130,583 files (7,019.32 TB) in 15,270 FTP servers", updated 6/25/2016. "NAPALM FTP Indexer lets you search and download files located on public FTP servers. The most advanced FTP Search Engine service maintained by members." Copyright 2002-2016 NAPALM Indexer]

FTPS
- STARTTLS-like encapsulation
- AUTH SSL or AUTH TLS command
- Control channel and data channel

Classifying ASes
| AS type | All FTP | Anonymous FTP |
|---|---|---|
| Hosting | 50% | 42% |
| ISP | 25% | 29% |
| Academic | 3% | 2% |

AS Distribution
[Plot: cumulative distribution of anonymous FTP servers and writable FTP servers across ASes; x axis: number of ASes (100, 1,000, 10,000)]
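The PORT/PASV exchanges and the bounce test on the backup slides above, as an added example that is not the paper's code: the h1,h2,h3,h4,p1,p2 encoding shared by the PORT argument and the 227 reply, a PORT handler in the classic form that accepts any address (the behaviour the CERT "FTP Bounce" advisory describes) beside a hardened one that only accepts the control connection's own peer on an unprivileged port, and a probe that tells the two apart. The handler names, reply wording and the addresses are my assumptions; no network traffic is sent.

```python
"""PORT/PASV address encoding and the FTP bounce check.  Added example; the
two handlers are illustrative models of server behaviour, not real servers."""
import re
from ipaddress import ip_address
from typing import Callable, Tuple

Handler = Callable[[str, str], Tuple[int, str]]
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def port_argument(ip: str, port: int) -> str:
    """Encode (IPv4, port) as h1,h2,h3,h4,p1,p2 for a PORT command."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    packed = ip_address(ip).packed
    if len(packed) != 4:
        raise ValueError("PORT carries IPv4 addresses only (IPv6 uses EPRT)")
    return ",".join(str(b) for b in (*packed, port >> 8, port & 0xFF))


def decode_host_port(text: str) -> Tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 (from a PORT argument or a 227 reply)."""
    m = _HOST_PORT.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"octet out of range in {text!r}")
    port = (parts[4] << 8) | parts[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(p) for p in parts[:4]), port


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    return decode_host_port(reply)


def handle_port_vulnerable(peer_ip: str, argument: str) -> Tuple[int, str]:
    """Classic behaviour: accept any well-formed address, so the server will
    later connect wherever the client asked (the CERT 'FTP Bounce' condition)."""
    try:
        ip, port = decode_host_port(argument)
    except ValueError:
        return 501, "Syntax error in parameters or arguments."
    return 200, f"PORT command successful; data connection will go to {ip}:{port}"


def handle_port_hardened(peer_ip: str, argument: str) -> Tuple[int, str]:
    """Refuse addresses other than the control connection's peer and ports
    below 1024 (assumed wording; the checks are what current servers apply)."""
    try:
        ip, port = decode_host_port(argument)
    except ValueError:
        return 501, "Syntax error in parameters or arguments."
    if ip != peer_ip or port < 1024:
        return 500, "Illegal PORT command."
    return 200, "PORT command successful."


def bounce_check(handler: Handler, client_ip: str, victim_ip: str, victim_port: int) -> bool:
    """Probe from the client's view: does the server accept a PORT naming a
    third party?  True means the server can be used as a bounce point."""
    code, _ = handler(client_ip, port_argument(victim_ip, victim_port))
    return code == 200


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not real hosts.
    client, victim = "192.0.2.10", "10.0.0.5"
    print("PORT argument:", port_argument(client, 20000))
    print("PASV reply   :", parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,195,149)"))
    for name, handler in (("vulnerable", handle_port_vulnerable), ("hardened", handle_port_hardened)):
        print(f"{name:10} accepts PORT to {victim}:25 ->", bounce_check(handler, client, victim, 25))
```

The same decode serves both directions of the protocol, which is why the probe is cheap: a scanner only needs to send one PORT naming an address other than its own and look at the reply code, with no data connection ever opened. The "inside firewall" point on the slide follows from the hardened check being the only thing that stops it: a server that accepts the PORT will connect to an internal address that the client itself could never reach.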