翻译作品一之Service Banner Fingerprinting in C
---nightcat
一.前言:
本人翻译系列文章,很担心里面出错的地方会误人,不过心里还是有去做一做的,我是通过自己的理解来翻译的,如果我的理解错误了,或许是我不理解的部分也不经意翻译了,那必然会给各位多多少少的误导,所以我在文章后面都附上原文。请想看对照原文来阅读!最主要是自己去理解,不要单看我一家之言。
二.正文:
服务banner的识别
1.0 介绍
这篇文章是对modular's tcpscan 文章系列的补充,覆盖了如何用 c 编程来进行服务banner的识别。同时也假设你已经理解了tcpscan系列文章 及 掌握了http和ftp的协议方面的知识。文章中给出的完整的原代码都是单独的,目的是想读者能简单的加这么原代码到自己的程序中去!所有的函数所要求的最小的库函数包括:
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
2.0 ssh/smtp 指纹识别
在开始编写代码的之前,先看看手工识别的banner指纹,让我们用目前为止最简单的服务sshd来进行指纹识别。因为要完成它,只要两步就可以。连接到目标主机,服务banner就自动回返回所要的信息给我们。
这个过程可以可视化为:
********************* *********************** ******************
* CONNECT TO DAEMON * ===> * DAEMON SHOWS BANNER * ===> * GET THE BANNER *
********************* *********************** ******************
先用telnet连接到ssh daemon 就可以得到返回的banner:
snow:~# telnet truncode.org 22
Trying 207.44.194.142...
Connected to truncode.org.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
^]
telnet> quit
Connection closed.
snow:~#
你可以看到当你连接到目标主机的,这个ssh daemon 会自动的返回banner的版本:"SSH-1.99-OpenSSH_3.1p1" . 这个过程是同样轻易的应用到smtp服务banner的判断.
现在你可以连接到目标主机的25端口:
snow:~# telnet euronet.nl 25
Trying 194.134.0.10...
Connected to euronet.nl.
Escape character is '^]'.
220 pop1.euronet.nl ESMTP Postfix
^]
telnet> quit
Connection closed.
snow:~#
没有什么其他的方法来识别这两种服务。因为这两个服务的识别都是一样的,我只讨论ssh daemon 识别函数的代码。 你可以指定端口为smtp.下面是一个识别ssh daomon 的代码实例:
char *grab_sshb(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure *//*远程地址结构*/
char *buf_s; /* buffer string pointer *//*缓冲区字符串指针*/
char *bnr_s; /* banner string pointer *//*banner字符串指针*/
int sockfd; /* socket file descriptor *//*socket 文件描述符*/
buf_s = (char *)malloc(250);
//建立套接字
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
//连接
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
//接受字节
if(recv(sockfd, buf_s, 250, 0) <= 0) { close(sockfd); return NULL; }
bnr_s = (char *)malloc(strlen(buf_s)-1);
strncpy(bnr_s, buf_s, strlen(buf_s)-1);
close(sockfd);
free(buf_s);
return bnr_s;
}
这段原代码相当简洁,我们可以正确的返回和先前可视化一样的过程:连接到目标主机,接收目标主机返回的的banenr,复制查询的的banner ,最后关闭连接。
3.0 http/ftp 识别
这个技术稍微比ssh和smtp难点点,因为我们事实上要和服务器进行执行一些信息交互.一个显而易件的不同就是我们需要提供一些额外的字符来激发这项技术去工作.我们开始http服务识别,这个服务不能自动的呈现任何的东西在连接后。而需要送出一个请求:"HEAD / HTTP/1.0/n/n"命令到服务,"/n/n"的意思就是重复两次回车键.我们可以再次得到可视化的过程:
********************* **************** ***********************
* CONNECT TO SERVER * ===> * REQUEST HEAD * ===> * SERVER SENDS BANNER *
********************* **************** ***********************
||
//
*************** ******************
* FILTER DATA * <=== * GET THE BANNER *
*************** ******************
连接到telnet和接收banner.在代码的最后进行数据过滤,注意以下的过程:
snow:~# telnet www.euronet.nl 80
Trying 194.134.0.158...
Connected to www.euronet.nl.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 302 Found
Date: Fri, 21 Mar 2003 21:06:55 GMT
Server: Apache/1.3.26 (Unix)
Location: http://home.euronet.nl/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host.
snow:~#
你可以看到当发出了HEAD / HTTP/1.0命令后会返回很多的数据信息。事实上我们感兴趣的信息是"Server:"后面的部分。这是我们过滤代码所要实现的。这个代码将会执行以下的步骤:连接到目标主机的服务,送出命令,接收返回信息和过滤数据信息:
char *ltnet_httpb(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
char *str_p; /* pointer to Server: part */
int sockfd; /* socket file descriptor */
int itr_s0; /* string iterate integer */
int itr_s1; /* string iterate integer */
buf_s = (char *)malloc(1000);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(send(sockfd, "HEAD / HTTP/1.0/n/n", 17, 0) <= 0) {
close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if((str_p = strstr(buf_s, "Server:")) == NULL) {
close(sockfd); return NULL; }
for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) {
if(str_p[itr_s0] == '/n') break;
}
bnr_s = (char *)malloc(itr_s0 - 8);
for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) {
if(str_p[itr_s1 + 8] == '/n') break;
bnr_s[itr_s1] = str_p[itr_s1 + 8];
}
close(sockfd);
free(buf_s);
return bnr_s;
}
请密切注意执行实际过滤的部分,首先这段代码找到"Server:" 行,返回一个指向这行的指针:
if((str_p = strstr(buf_s, "Server:")) == NULL) {
close(sockfd); return NULL; }
现在指针"str_p" 指向"Server:" 行的缓冲区的开始地址。下一步我们想去做的是得到实际banner前面是没有带"Server:"的字符行,从保存到"bnr_s".我们开始这个过程要先分配内存给"bnr_s"。
bnr_s = (char *)malloc(itr_s0 - 8);
请好好看看这一行,我们分配给"Server:" 行的字节数,减去8。这8个字节就是"Server: " 正是我们想删除掉的。接下来我们所做的是重复完全的字符串,复制它到"bnr_s"。现在"bnr_s"包含没有"Server: "字符的字符串。
我们转入ftp部分。我们讨论两种识别ftp服务banner的方法。第一个是很容易的,因为它仅仅混合ssh/smtp和http识别的方法。连接到目标主机,取得banner ,随后过滤它,这个可视化过程就好象:
********************* *********************** ******************
* CONNECT TO DAEMON * ===> * DAEMON SHOWS BANNER * ===> * GET THE BANNER *
********************* *********************** ******************
||
//
***************
* FILTER DATA *
***************
如果我们用telent来效仿这个过程,它看起来就想以下:
snow:~# telnet euronet.nl 21
Trying 194.134.0.10...
Connected to euronet.nl.
Escape character is '^]'.
220 gaia.euronet.nl FTP server (Version wu-2.4.2-academ (3) Fri Jun 23
20:47:26 MET DST 2000) ready.
^]
telnet> quit
Connection closed.
snow:~#
正如你看到的,它会直接的呈现banner(这不是所有情况下都会发生的)在"220" 后面,这个可能的仅仅是得到版本信息。正如http服务哪个所做的。下面的代码事实上只是我们之前所做的混合:
char *ltnet_ftpb(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
char *str_p; /* pointer to Server: part */
int sockfd; /* socket file descriptor */
int itr_s0; /* string iterate integer */
int itr_s1; /* string iterate integer */
buf_s = (char *)malloc(250);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 250, 0) <= 0) { close(sockfd); return NULL; }
if((str_p = strstr(buf_s, "220")) == NULL) { close(sockfd); return NULL; }
for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) {
if(str_p[itr_s0] == '/n') break;
}
bnr_s = (char *)malloc(itr_s0 - 8);
for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) {
if(str_p[itr_s1 + 4] == '/n') break;
bnr_s[itr_s1] = str_p[itr_s1 + 4];
}
close(sockfd);
free(buf_s);
return bnr_s;
}
虽然这个ftp识别的方法是十分的简洁,但不总是有效。除次外,有另外一种识别ftp服务的方法,
这项技术要求我们用匿名用户进去,这个方法要求服务能够允许匿名登陆。如果我们能以匿名的身份成功进入,我们能想ftp服务发出"SYST"命令,ftp服务将会送回系统类型。描述这个方法的图解可以可视化为:
********************* ******************* ******************
* CONNECT TO DAEMON * ===> * LOGIN TO SERVER * ===> * GET THE BANNER *
********************* ******************* ******************
||
//
***************
* FILTER DATA *
***************
如果我们用telnet来效仿,它看起来就象如下:
snow:~# telnet ftp.cdrom.com 21
Trying 208.217.74.248...
Connected to cdrom.wip.digitalriver.com.
Escape character is '^]'.
220 drftp.digitalriver.com NcFTPd Server (licensed copy) ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS [email protected]
230-You are user #28 of 300 simultaneous users allowed.
230-
230 Logged in anonymously.
SYST
215 UNIX Type: L
尽管如此,这段代码没有出示与先前我们所做的有多大的差异,唯一的不同就是我们送出多重命令到服务("USER", "PASS" and "SYST"),在这个过程之后,我们再次过滤数据信息,下面是实现的代码:
char *ltnet_ftps(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
char *str_p; /* pointer to Server: part */
int sockfd; /* socket file descriptor */
int itr_s0; /* string iterate integer */
int itr_s1; /* string iterate integer */
buf_s = (char *)malloc(1000);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(send(sockfd, "USER anonymous/n", 15, 0) <= 0) {
close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if(send(sockfd, "PASS [email protected]/n", 26, 0) <= 0) {
close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if(send(sockfd, "SYST/n", 5, 0) <= 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if((str_p = strstr(buf_s, "UNIX Type:")) == NULL) {
close(sockfd); return NULL; }
for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) {
if(str_p[itr_s0] == '/n') break;
}
bnr_s = (char *)malloc(itr_s0 - 8);
for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) {
if(str_p[itr_s1 + 11] == '/n') break;
bnr_s[itr_s1] = str_p[itr_s1 + 11];
}
close(sockfd);
free(buf_s);
return bnr_s;
}
4.0 编辑更多的代码
当然有很多的方法你可以识别的。但是我希望这篇文章可以帮助你明白如何去开始。如果是打算去执行这段代码,你可能要整理一下,同时也要加入更多的错误检查!
copyright(c) 2003 truncode.org
三.附原文:
Service Banner Fingerprinting in C
_ _
| |_ ___ _ _ ___ ___ ___ _| |___
| _| _| | | | _| . | . | -_|
|_| |_| |___|_|_|___|___|___|___|
* truncode security development *
http://www.truncode.org
necrose <[email protected]>
0x01 INTRODUCTION
This paper is written as a supplement to modular's tcpscan series. This paper
covers how to write C programs that will perform Banner Fingerprinting. This
paper assumes that you have already understood the tcpscan series from modular,
and that you possess knowledge of the following protocols: HTTP and FTP. The
complete source code in this article consists of stand-alone functions with the
intention to allow the reader to implement them easily into his own programs.
All functions require the following minimal list of includes:
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
0x02 SSH/SMTP FINGERPRINTING
Before we start coding, we will have a look at the subject of manual banner
fingerprinting. Let uss start this one off with by far the easiest service to
fingerprint: SSHD. This is because we actually only have two things to
accomplish: connect to the SSH daemon at the target host and retrieve the
banner that will be automatically presented to us.
The process might be visually presented like so:
********************* *********************** ******************
* CONNECT TO DAEMON * ===> * DAEMON SHOWS BANNER * ===> * GET THE BANNER *
********************* *********************** ******************
Start by connecting with telnet to a SSH daemon and retrieve the banner:
snow:~# telnet truncode.org 22
Trying 207.44.194.142...
Connected to truncode.org.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
^]
telnet> quit
Connection closed.
snow:~#
As you can see after connecting to the target host, the SSH daemon will
automatically present the version banner: "SSH-1.99-OpenSSH_3.1p1". This
process is relatively easy and can also be applied as well to the SMTP
service banner.
Now we connect to port 25 on the target host:
snow:~# telnet euronet.nl 25
Trying 194.134.0.10...
Connected to euronet.nl.
Escape character is '^]'.
220 pop1.euronet.nl ESMTP Postfix
^]
telnet> quit
Connection closed.
snow:~#
Well there is not much to fingerprinting these two services. Since the process
for fingerprinting these services is identical, I will only discuss the code
for the SSH daemon fingerprint function. You can specify the port for SMTP. The
following is an example of code that will fingerprint the SSH daemon:
char *grab_sshb(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
int sockfd; /* socket file descriptor */
buf_s = (char *)malloc(250);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 250, 0) <= 0) { close(sockfd); return NULL; }
bnr_s = (char *)malloc(strlen(buf_s)-1);
strncpy(bnr_s, buf_s, strlen(buf_s)-1);
close(sockfd);
free(buf_s);
return bnr_s;
}
This source code is rather straight forward. We do exactly the same as
presented in the former visual process: connect to the target host and receive
the banner it sends, then copy the banner in question and close the connection.
0x03 HTTP/FTP FINGERPRINTING
This technique is slightly more difficult than SSH and SMTP because we actually
need to perform some interaction with the server. An obvious difference is that
we need to incite some minor string magic for this technique to work. We begin
with HTTP server fingerprinting. The server does not automatically present any
banner on connect. A request to the server is needed by sending the:
"HEAD / HTTP/1.0/n/n" command, where "/n/n" represents <ENTER> twice. We state
this again visually:
********************* **************** ***********************
* CONNECT TO SERVER * ===> * REQUEST HEAD * ===> * SERVER SENDS BANNER *
********************* **************** ***********************
||
//
*************** ******************
* FILTER DATA * <=== * GET THE BANNER *
*************** ******************
Connect with telnet and retreive the banner. The data filtering will only be
done with the final code. Pay attention to the following process:
snow:~# telnet www.euronet.nl 80
Trying 194.134.0.158...
Connected to www.euronet.nl.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 302 Found
Date: Fri, 21 Mar 2003 21:06:55 GMT
Server: Apache/1.3.26 (Unix)
Location: http://home.euronet.nl/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host.
snow:~#
As you can see the server returns a lot of data after the HEAD / HTTP/1.0
command. Actually the only data we are interested in is the banner behind the
"Server:". This is what our filter code will achieve. The code will perform the
following: connect to the server at the target host, send the command, receive
the server HEAD and filter the data:
char *ltnet_httpb(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
char *str_p; /* pointer to Server: part */
int sockfd; /* socket file descriptor */
int itr_s0; /* string iterate integer */
int itr_s1; /* string iterate integer */
buf_s = (char *)malloc(1000);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(send(sockfd, "HEAD / HTTP/1.0/n/n", 17, 0) <= 0) {
close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if((str_p = strstr(buf_s, "Server:")) == NULL) {
close(sockfd); return NULL; }
for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) {
if(str_p[itr_s0] == '/n') break;
}
bnr_s = (char *)malloc(itr_s0 - 8);
for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) {
if(str_p[itr_s1 + 8] == '/n') break;
bnr_s[itr_s1] = str_p[itr_s1 + 8];
}
close(sockfd);
free(buf_s);
return bnr_s;
}
Take a close look at the section that performs the actual filtering. First the
code looks at the "Server:" line and returns a pointer to it:
if((str_p = strstr(buf_s, "Server:")) == NULL) {
close(sockfd); return NULL; }
Now "str_p" points to where the "Server:" line starts in the buffer. The next
thing we want to do is retrieve the actual banner without the "Server:" line in
front of it and put it into "bnr_s". We start this process my allocating memory
to "bnr_s"
bnr_s = (char *)malloc(itr_s0 - 8);
Please take a good look at this line. We allocate the amount of bytes on the
"Server:" line, minus 8. The 8 bytes represent: "Server: " which we want to
strip off. The next thing we do is iterate through the string and copy it to
"bnr_s". Now "bnr_s" contains the stripped "Server: " string.
We will move onto the FTP section now. We discuss two ways of fingerprinting
the FTP server. The first one is easy, because it's just a mix of the SSH/SMTP
and HTTP fingerprinting. Connect to to the target host, get the banner and then
filter it. This can be visually presented like so:
********************* *********************** ******************
* CONNECT TO DAEMON * ===> * DAEMON SHOWS BANNER * ===> * GET THE BANNER *
********************* *********************** ******************
||
//
***************
* FILTER DATA *
***************
If we emulate this process with telnet, it will look like the following:
snow:~# telnet euronet.nl 21
Trying 194.134.0.10...
Connected to euronet.nl.
Escape character is '^]'.
220 gaia.euronet.nl FTP server (Version wu-2.4.2-academ (3) Fri Jun 23
20:47:26 MET DST 2000) ready.
^]
telnet> quit
Connection closed.
snow:~#
As you can see it will directly present the banner (this is not what happens in
all cases) after the "220" and then it is possible to strip it down to the
version only, just like what was done with the HTTP server. The code is
actually just a mix of what we have done before:
char *ltnet_ftpb(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
char *str_p; /* pointer to Server: part */
int sockfd; /* socket file descriptor */
int itr_s0; /* string iterate integer */
int itr_s1; /* string iterate integer */
buf_s = (char *)malloc(250);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 250, 0) <= 0) { close(sockfd); return NULL; }
if((str_p = strstr(buf_s, "220")) == NULL) { close(sockfd); return NULL; }
for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) {
if(str_p[itr_s0] == '/n') break;
}
bnr_s = (char *)malloc(itr_s0 - 8);
for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) {
if(str_p[itr_s1 + 4] == '/n') break;
bnr_s[itr_s1] = str_p[itr_s1 + 4];
}
close(sockfd);
free(buf_s);
return bnr_s;
}
Although this way of FTP fingerprinting is fairly straight forward, it may not
always be effective. But there is another way of fingerprinting the FTP server,
a technique that requires us to login with the anonymous account. This method
requires the server to have the anonymous login enabled. If we can succesfully
log in as an anonymous user we can give the "SYST" command and the FTP server
will send back the system type. The scheme that represents this method is
presented visually like so:
********************* ******************* ******************
* CONNECT TO DAEMON * ===> * LOGIN TO SERVER * ===> * GET THE BANNER *
********************* ******************* ******************
||
//
***************
* FILTER DATA *
***************
If we emulate this with telnet, it will look like the following:
snow:~# telnet ftp.cdrom.com 21
Trying 208.217.74.248...
Connected to cdrom.wip.digitalriver.com.
Escape character is '^]'.
220 drftp.digitalriver.com NcFTPd Server (licensed copy) ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS [email protected]
230-You are user #28 of 300 simultaneous users allowed.
230-
230 Logged in anonymously.
SYST
215 UNIX Type: L8
Still this code does not show a lot of difference compared to what we have done
before . The only difference is that we send multiple commands to the server
("USER", "PASS" and "SYST"). After that process we just filter the data again.
This is the code to achieve that:
char *ltnet_ftps(char *t_addr, int t_port) {
struct sockaddr_in rmtaddr; /* remote address structure */
char *buf_s; /* buffer string pointer */
char *bnr_s; /* banner string pointer */
char *str_p; /* pointer to Server: part */
int sockfd; /* socket file descriptor */
int itr_s0; /* string iterate integer */
int itr_s1; /* string iterate integer */
buf_s = (char *)malloc(1000);
sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
rmtaddr.sin_family = AF_INET;
rmtaddr.sin_port = htons(t_port);
rmtaddr.sin_addr.s_addr = inet_addr(t_addr);
if(connect(sockfd, (struct sockaddr *)&rmtaddr,
sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; }
if(send(sockfd, "USER anonymous/n", 15, 0) <= 0) {
close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if(send(sockfd, "PASS [email protected]/n", 26, 0) <= 0) {
close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if(send(sockfd, "SYST/n", 5, 0) <= 0) { close(sockfd); return NULL; }
if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; }
if((str_p = strstr(buf_s, "UNIX Type:")) == NULL) {
close(sockfd); return NULL; }
for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) {
if(str_p[itr_s0] == '/n') break;
}
bnr_s = (char *)malloc(itr_s0 - 8);
for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) {
if(str_p[itr_s1 + 11] == '/n') break;
bnr_s[itr_s1] = str_p[itr_s1 + 11];
}
close(sockfd);
free(buf_s);
return bnr_s;
}
0x04 WEAVE MORE CODE
Of course there is a lot more you can fingerprint, but I hope this paper has
helped to show you how you might begin. If you are going to implement the code
in this paper, you might clean it up and add some error checking.
copyright(c) 2003 truncode.org