Sunday, June 8, 2014

Beginning IPv6 - Analyzing FTP Traffic

In the previous post we looked at analyzing Telnet. Let's now look at the FTP protocol. Since in the post on DNS I elaborated on the fields that make up the IPv6 header, I will refrain from doing so again. Some information missing from this post may be found in earlier posts in this series.

root@securitynik:~/securitynik#tshark -r ipv6-ftp.pcap -n -c 3

 1   0.000000 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 94 53024 > 21 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=303844 TSecr=0 WS=128
  2   0.001874 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 TCP 94 21 > 53024 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1 TSval=102405 TSecr=303844
  3   0.001921 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 86 53024 > 21 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=303845 TSecr=102405

The 3 packets above represent the typical TCP 3-way handshake. Nothing here is different from what we would have seen in our IPv4 TCP 3-way handshake.
 
  4   0.024868 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 FTP 113 Response: 220 Microsoft FTP Service
In packet 4 above we see the server at source "fd33:e581:65d4:0:a000:27ff:fe21:1a75" sending its FTP banner.
 
  5   0.025134 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 86 53024 > 21 [ACK] Seq=1 Ack=28 Win=28800 Len=0 TSval=303850 TSecr=102406
In packet 5 above we see the client at "fd33:e581:65d4:0:a000:27ff:fe28:1d5" acknowledging the server's communication.

Once again, let's cut through the clutter and see what we get from TCP stream 0.
 root@securitynik:~/securitynik# tshark -r ipv6-ftp.pcap -z "follow,tcp,ascii,0" | more
 

 ===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 253.51.229.129:21
Node 1: 253.51.229.129:53024
27
220 Microsoft FTP Service

    20
USER administrator

23
331 Password required

    15
PASS Testing1

21
230 User logged in.

    6
SYST

16
215 Windows_NT

    52
EPRT |2|fd33:e581:65d4:0:a000:27ff:fe28:1d5|49829|

30
200 EPRT command successful.

    6
LIST

54
125 Data connection already open; Transfer starting.

24
226 Transfer complete.

    5
PWD

31
257 "/" is current directory.

    6
QUIT

14
221 Goodbye.

As can be seen above, the knowledge we have from analyzing FTP on IPv4 is easily transferable to IPv6. The one IPv6-specific piece is the EPRT command (RFC 2428), which replaces PORT and carries the address family, the client's IPv6 address and the data port as "|2|address|port|". Note also that the username and password cross the control channel in cleartext, exactly as they do over IPv4.
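As an added example that is not part of the original post, the Python script below parses a tshark "follow,tcp,ascii" dump like the one above and pulls out the two things an analyst cares about on an FTP control channel: cleartext credentials and the data endpoints announced with EPRT, validated against RFC 2428 (address-family code 1 is IPv4, 2 is IPv6, and the address must actually belong to that family). The sample dump is a constructed, abbreviated copy of the stream shown in the post; the function and class names (split_follow_dump, parse_eprt, analyze_control_channel, DataEndpoint, ControlChannelReport) are my own and not from any tool.

```python
"""Parse a tshark 'follow,tcp,ascii' dump of an FTP control channel and
report cleartext credentials plus EPRT-announced data endpoints.
Added example; all names below are assumptions, not tshark or FTP APIs."""

import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the follow output in the post.
SAMPLE_FOLLOW = """\
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 253.51.229.129:21
Node 1: 253.51.229.129:53024
27
220 Microsoft FTP Service

    20
USER administrator

23
331 Password required

    15
PASS Testing1

21
230 User logged in.

    52
EPRT |2|fd33:e581:65d4:0:a000:27ff:fe28:1d5|49829|

30
200 EPRT command successful.

    6
QUIT

14
221 Goodbye.
"""

COUNT_RE = re.compile(r"^(\s*)(\d+)$")                      # tshark byte-count line
EPRT_RE = re.compile(r"^EPRT \|(\d)\|([^|]+)\|(\d+)\|$")     # RFC 2428 syntax
AF_BY_CODE = {"1": 4, "2": 6}                                # family code -> IP version


@dataclass
class DataEndpoint:            # hypothetical name
    family: int
    address: str
    port: int


@dataclass
class ControlChannelReport:    # hypothetical name
    username: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False
    endpoints: List[DataEndpoint] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def split_follow_dump(text):
    """Yield (direction, payload) chunks. tshark prints a byte count before
    each chunk: flush-left for Node 0 (the server, port 21) and indented for
    Node 1 (the client). The payload runs until the next blank line."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = COUNT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        direction = "client" if m.group(1) else "server"
        i += 1
        payload = []
        while i < len(lines) and lines[i].strip():
            payload.append(lines[i])
            i += 1
        yield direction, "\n".join(payload)


def parse_eprt(line):
    """Validate 'EPRT |af|addr|port|' and return a DataEndpoint, raising
    ValueError when the family code, address or port are inconsistent."""
    m = EPRT_RE.match(line)
    if not m:
        raise ValueError(f"malformed EPRT: {line!r}")
    version = AF_BY_CODE.get(m.group(1))
    if version is None:
        raise ValueError(f"unknown address family code {m.group(1)}")
    addr = ipaddress.ip_address(m.group(2))          # rejects non-addresses
    if addr.version != version:
        raise ValueError(f"family code {m.group(1)} does not match {addr}")
    port = int(m.group(3))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return DataEndpoint(version, str(addr), port)


def analyze_control_channel(text):
    """Walk the client commands and server replies and build the report."""
    report = ControlChannelReport()
    for direction, payload in split_follow_dump(text):
        for line in payload.splitlines():
            if direction == "server":
                if line.startswith("230"):           # 230 = login accepted
                    report.logged_in = True
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                report.username = arg
            elif verb == "PASS":
                report.password = arg
                report.problems.append("cleartext password on control channel")
            elif verb == "EPRT":
                try:
                    report.endpoints.append(parse_eprt(line))
                except ValueError as exc:
                    report.problems.append(str(exc))
    return report


if __name__ == "__main__":
    print(analyze_control_channel(SAMPLE_FOLLOW))
```

The same facts can be pulled straight from the capture without the follow dump, since Wireshark dissects the control channel into the ftp.request.command and ftp.response.code fields; the value of parsing the dump is that the direction logic and the EPRT validation are explicit, so a mismatched family code or an out-of-range port ends up in the problems list instead of being silently accepted.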

This ends this series on beginning IPv6. If you think there is something I missed, stated incorrectly or just needed further elaboration, please feel free to leave a comment.
