2010-09-24 17:24:43 -06:00

Identifying Application Protocols
=================================

The three easiest protocols to identify are FTP, SMTP, and HTTP. These
also happen to be some of the most common protocols in use.

In these examples, lines either begin with `C:` (client) or `S:`
(server).

FTP (control channel only)
--------------------------

S: 220 ScumFTPD
C: USER anonymous
S: 331 Anonymous login ok, use email address as password
C: PASS joe@example.org
S: 230-Welcome to the FTP server.
S: 230 Anonymous access granted, restrictions apply.
C: PASV
S: 227 Entering Passive Mode (152,46,7,80,196,9).
C: LIST
S: 150 Opening ASCII mode data connection for file list
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye

SMTP
----

S: 220 mail.example.com ESMTP MushMail 1.3
C: EHLO bub
S: 250-Hi there
S: 250-VRFY
S: 250 8BITMIME
C: MAIL FROM: bob@example.com
S: 250 Sender accepted
C: RCPT TO: alice@example.com
S: 250 Recipient address accepted
C: DATA
S: 354 End data with \n.\n
C: From: Santa Claus <santa@workshop.np>
C: To: Alice <alice@example.com>
C: Subject: ho ho ho
C:
C: You've been a good girl this year, Alice.
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 Goodbye

Note here that the `MAIL FROM` is different from the `From:` header
field. `MAIL FROM` and `RCPT TO` are called the “envelope” and are what
the mail server actually acts on. The `From:` header field is merely
advisory, and can be trivially spoofed!

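As an added example (not part of the original page), the Python below walks a `C:`/`S:` transcript like the SMTP exchange above, pairs the envelope (`MAIL FROM`/`RCPT TO`) with the `From:`/`To:` header fields of each message, and flags a header `From:` that does not match the envelope sender. The transcript is a constructed copy of the exchange above, not captured traffic; the record layout and helper names are this example's own choices.

```python
import re

# Constructed transcript: a copy of the SMTP exchange above, not captured traffic.
TRANSCRIPT = r"""
S: 220 mail.example.com ESMTP MushMail 1.3
C: EHLO bub
S: 250-Hi there
S: 250-VRFY
S: 250 8BITMIME
C: MAIL FROM: bob@example.com
S: 250 Sender accepted
C: RCPT TO: alice@example.com
S: 250 Recipient address accepted
C: DATA
S: 354 End data with \n.\n
C: From: Santa Claus <santa@workshop.np>
C: To: Alice <alice@example.com>
C: Subject: ho ho ho
C:
C: You've been a good girl this year, Alice.
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 Goodbye
"""

# Either an angle-bracketed "<addr>" (envelope form, or a header with a display
# name in front of it) or a bare addr.
ADDR_RE = re.compile(r"<([^<>]+)>|([^\s<>,]+@[^\s<>,]+)")


def extract_addr(text):
    """Pull the bare mailbox out of 'Name <a@b>', '<a@b>' or 'a@b' ('' if none)."""
    m = ADDR_RE.search(text)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).strip().lower()


def parse_smtp_transcript(transcript):
    """Walk a C:/S: transcript and return one record per delivered message,
    pairing the envelope (MAIL FROM / RCPT TO) with the From:/To: header fields."""
    messages = []
    env_from, env_to = "", []
    hdr_from, hdr_to = "", []
    awaiting_354 = in_data = in_headers = False

    for line in transcript.strip().splitlines():
        tag, _, payload = line.partition(" ")
        if tag == "S:":
            # The client may only send the message body after the server's 354.
            if awaiting_354 and payload.startswith("354"):
                awaiting_354, in_data, in_headers = False, True, True
            continue
        if tag != "C:":
            continue

        if in_data:
            if payload == ".":                      # lone dot ends the message
                messages.append({
                    "envelope_from": env_from,
                    "envelope_to": list(env_to),
                    "header_from": hdr_from,
                    "header_to": list(hdr_to),
                    "from_mismatch": env_from != hdr_from,
                })
                env_from, env_to, hdr_from, hdr_to = "", [], "", []
                in_data = False
            elif in_headers:
                if payload == "":                   # blank line ends the header block
                    in_headers = False
                else:
                    name, _, value = payload.partition(":")
                    if name.lower() == "from":
                        hdr_from = extract_addr(value)
                    elif name.lower() == "to":
                        hdr_to.append(extract_addr(value))
            continue

        upper = payload.upper()
        if upper.startswith("MAIL FROM:"):
            env_from = extract_addr(payload[len("MAIL FROM:"):])
        elif upper.startswith("RCPT TO:"):
            env_to.append(extract_addr(payload[len("RCPT TO:"):]))
        elif upper == "DATA":
            awaiting_354 = True
        elif upper == "RSET":                       # RSET discards the envelope
            env_from, env_to = "", []
    return messages


if __name__ == "__main__":
    for msg in parse_smtp_transcript(TRANSCRIPT):
        flag = "MISMATCH" if msg["from_mismatch"] else "ok"
        print(f"{flag}: envelope {msg['envelope_from']} -> {msg['envelope_to']}, "
              f"header From: {msg['header_from']}")
```

Run as a script it reports the transcript's single message as a mismatch, because the envelope sender is `bob@example.com` while the header claims `santa@workshop.np`. The parser only enters the message after the server's `354`, so a `DATA` that the server refused never produces a record, and `RSET` clears the envelope the way a server would.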
HTTP
----

C: GET /path/to/resource.html HTTP/1.1
C: Host: www.example.com
C: User-Agent: Mozilla/2.0 (Galeon 1.0; Unicos; 2.3)
C: Connection: Close
C:
S: HTTP/1.1 200 OK
S: Server: CERN httpd 1.2
S: Date: Fri, 22 May 2009 14:34:12 GMT
S: Last-Modified: Wed, 20 May 2009 10:33:42 GMT
S: Content-length: 20
S:
S: <title>hi</title>hi.

The first line of an HTTP connection consists of:

METHOD PATH VERSION

`PATH` is the path to the resource being requested. It usually begins
with `/`, but if the client is trying to use the server as an HTTP
proxy, it will be a full URL.

`VERSION` is the version of HTTP in use. It always begins with `HTTP/`
and ends with major and minor version numbers, separated by a period.

Many protocols are "HTTP-like", and provide a version beginning with
something other than `HTTP/`. Although they may look like HTTP, they
are not truly HTTP connections.

`METHOD` is typically either `GET`, `HEAD`, or `POST`, but may also be
`OPTIONS`, `PUT`, `DELETE`, `TRACE`, `CONNECT`, or any number of
extensions.

The `CONNECT` method is used to proxy traffic through the HTTP server.
Typically this is done by web browsers set up to use HTTP proxies for
HTTPS (HTTP over SSL), but it is worth noting since it can also be used
by malware or to skirt firewall policies. For instance:

CONNECT us.undernet.org:6667 HTTP/1.0

would open an IRC connection to the Undernet IRC network. If your
policies disallow connecting to IRC, this demonstrates a possibly
successful attempt to skirt firewall rules.

Question
========

Sometimes as an analyst, you only get the first few dozen bytes of a
conversation, and you may not even get an indication of whether the
client or server spoke first.

You have been given the first line sent in 16 different connections and
asked to determine which warrant further investigation. You need to
rule out things that are clearly not the first line of HTTP, SMTP, or
FTP.

The answer for this page is the list of protocols *not described on this
page*, ordered from lowest (1) to highest (F). The answer should be of
the form "1,2,3,7,8,A,B,C".

1: GET / HTTP/1.1
2: +OK example.com server ready
3: 220 mailrelay.example.com ESMTP Postfix 2.3.3/Bantu
4: QUERY: //SYSTEMS/5B669A24
5: POST /depts/research/beekeeping/survey.php?token=83927400 HTTP/1.1
6: NICK rutabaga
7: HEAD /content/images/ap-5823.jpg HTTP/1.0
8: -l jsmith
9: CONNECT example.com:996 HTTP/1.1
A: USER robot robot robot :robot
B: EHLO example.com
C: Subject: all-employee notice
D: * OK [CAPABILITY STARTTLS] example.com server Innova ready
E: TRACE / HTTP/1.1
F: GET / ICAP/1.1