moth/packages/net-re/3/index.mdwn

137 lines
4.2 KiB
Plaintext
Raw Normal View History

Identifying Application Protocols
=================================
The three easiest protocols to identify are FTP, SMTP, and HTTP. These
also happen to be some of the most common protocols in use.
In these examples, lines either begin with `C:` (client) or `S:`
(server).
FTP (control channel only)
--------------------------
S: 220 ScumFTPD
C: USER anonymous
S: 331 Anonymous login ok, use email address as password
C: PASS joe@example.org
S: 230-Welcome to the FTP server.
S: 230 Anonymous access granted, restrictions apply.
C: PASV
S: 227 Entering Passive Mode (152,46,7,80,196,9).
C: LIST
S: 150 Opening ASCII mode data connection for file list
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
SMTP
----
S: 220 mail.example.com ESMTP MushMail 1.3
C: EHLO bub
S: 250-Hi there
S: 250-VRFY
S: 250 8BITMIME
C: MAIL FROM: bob@example.com
S: 250 Recipient address accepted
C: RCPT TO: alice@example.com
S: 250 Sender accepted
C: DATA
S: 354 End data with \n.\n
C: From: Santa Claus <santa@workshop.np>
C: To: Alice <alice@example.com>
C: Subject: ho ho ho
C:
C: You've been a good girl this year, Alice.
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 Goodbye
Note here that the `MAIL FROM` is different from the `From:` header
field. `MAIL FROM` and `RCPT TO` are called the “envelope” and are what
the mail server looks at. The `From:` header field is merely advisory,
and can be trivially spoofed!
HTTP
----
C: GET /path/to/resource.html HTTP/1.1
C: Host: www.example.com
C: User-Agent: Mozilla/2.0 (Galeon 1.0; Unicos; 2.3)
C: Connection: Close
C:
S: HTTP/1.1 200 OK
S: Server: CERN httpd 1.2
S: Date: Fri, 22 May 2009 14:34:12 GMT
S: Last-Modified: Wed, 20 May 2009 10:33:42 GMT
S: Content-length: 20
S:
S: <title>hi</title>hi.
The first line of an HTTP connection consists of:
METHOD PATH VERSION
`PATH` is the path to the resource being requested. It usually begins
with `/`, but if the client is trying to use the server as an HTTP
proxy, it will be a full URL.
`VERSION` is the version of HTTP in use. It always begins with `HTTP/`
and ends with major and minor version numbers, separated by a period.
2010-10-29 00:07:03 -06:00
Many protocols are "HTTP-like", and provide a version beginning with
something other than `HTTP/'. Although they may look like HTTP, they
are not truly HTTP connections.
`METHOD` is typically either `GET`, `HEAD`, or `POST`, but may also be
`OPTIONS`, `PUT`, `DELETE`, `TRACE`, `CONNECT`, or any number of
extensions.
The `CONNECT` method is used to proxy traffic through the HTTP server.
Typically this is done by web browsers set up to use HTTP proxies for
HTTPS (HTTP over SSL), but is worth noting since it can also be used by
malware or to skirt firewall policies. For instance:
CONNECT us.undernet.org:6667 HTTP/1.0
Would open an IRC connection to the Undernet IRC network. If your
policies disallow connecting to IRC, this demonstrates a possibly
successful attempt to skirt firewall rules.
Question
========
2010-10-12 16:58:34 -06:00
Sometimes as an analyst, you only get the first few dozen bytes of a
conversation, and you may not even get an indication of whether the
client or server spoke first.
2010-10-29 00:07:03 -06:00
You have been given the first line sent in 16 different connections and
asked to determine which warrant further investigation. You need to
rule out things that are clearly not the first line of HTTP, SMTP, or
FTP.
The answer for this page is the list of protocols *not described on this
page*, ordered from lowest (1) to highest (F). The answer should be of
the form "1,2,3,7,8,A,B,C".
1: GET / HTTP/1.1
2: +OK example.com server ready
3: 220 mailrelay.example.com ESMTP Postfix 2.3.3/Bantu
4: QUERY: //SYSTEMS/5B669A24
5: POST /depts/research/beekeeping/survey.php?token=83927400 HTTP/1.1
6: NICK rutabaga
7: HEAD /content/images/ap-5823.jpg HTTP/1.0
8: -l jsmith
9: CONNECT example.com:996 HTTP/1.1
A: USER robot robot robot :robot
B: EHLO example.com
C: Subject: all-employee notice
D: * OK [CAPABILITY STARTTLS] example.com server Innova ready
E: TRACE / HTTP/1.1
F: GET / ICAP/1.1