Monday, April 27, 2015

Analysis of scans.io - University of Michigan · Full IPv4 FTP Banner Grab

In this post I have downloaded, from the "Internet-Wide Scan Data Repository" at scans.io, the data set from 4/17/2015 for "Full IPv4 FTP Banner Grab".  My intention in analyzing this information is only to look at the headers.  I am curious what the most common headers are and what percentage of them have published exploits.

After downloading the file and extracting it (about 5GB uncompressed), I parsed it with the following command to grab only the FTP banner, and then only the first line of that banner:

cat b70f5n9ffx49j6g8-zgrab-results-21-ftp-banner-full_ipv4-20150417T160718.json | sed 's/^.*response":"220//' | sed 's/"},"error.*$//' | grep -v "host" | sed 's/\\r\\n.*//' | sed 's/^$//' > ftp_banner_raw.txt

Using that output I counted the lines to identify the number of FTP servers in the dataset that either responded on port 21 or timed out while waiting for a response on port 21:

13,802,278 - Total FTP Banners

Then, using the ftp_banner_raw.txt file, I sorted and counted the unique instances to find the most common headers:

cat ftp_banner_raw.txt | sort | uniq -c | sort -nr > sorted_ftp_banner_raw.txt

Below I have placed the top 10 most common headers found with the above command.  Each line shows the number found, followed by the percentage of the total population where I computed it, and then the banner line:

2,370,756 (17.2%)  ---------- Welcome to Pure-FTPd  ----------
1,195,904  (8.7%)  Microsoft FTP Service
1,065,477  (7.7%)  (empty banner line)
  671,654  (4.9%)  Ftp firmware update utility
  647,822  (4.7%)  FTP Server ready.
  301,211          ProFTPD 1.3.3g Server
  277,210          FTP server ready.
  275,113          ProFTPD 1.3.4a Server
  269,944          -Microsoft FTP Service
  205,591          ProFTPD 1.3.5 Server

Below I list the FTP banners that display a type and version that are out of date or could possibly be exploited by a publicly available exploit:

301,211  ProFTPD 1.3.3g Server - Exploit Available
275,113  ProFTPD 1.3.4a Server - 1.3.5 is the most up-to-date server version
131,333  FileZilla Server version 0.9.41 beta - Exploit Available
 84,426  ProFTPD 1.3.4c Server - 1.3.5 is the most up-to-date server version
 81,101  ProFTPD 1.3.3a Server - Exploit Available
 70,881  ProFTPD 1.3.1 Server - Exploit Available
 62,940  FileZilla Server version 0.9.24 beta - Exploit Available
 60,920  Serv-U FTP Server v6.2 for WinSock - Exploit Available
 48,328  ProFTPD 1.3.3e Server - Exploit Available
 39,463  ProFTPD 1.3.4d Server - 1.3.5 is the most up-to-date server version

From the above I came up with the following number of FTP servers that are vulnerable to an exploit I accounted for.  There may be false positives and my research could be flawed, but I would bet that in reality this number is a lot higher:

1,155,716

Then if you divide that by the total number of FTP servers available you get the following percentage of FTP servers that are vulnerable to an available exploit:

8.4%
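As an added example (not from the original post), here is the same tally done by parsing the zgrab JSON records properly instead of with sed, followed by a check of each banner against the out-of-date versions listed above and the resulting share. The record layout and the sample records are constructed assumptions based on the fragments quoted in the commands above; real scans.io files may differ.

```python
import json
import re
from collections import Counter

# Constructed zgrab-style records, one JSON object per line. The field layout is
# an assumption built from the fragments the post's sed command keys on
# ("host", "response":"220 ...", "error"); real scans.io files may differ.
SAMPLE = r'''
{"host":"192.0.2.1","data":{"banner":{"response":"220 ProFTPD 1.3.3g Server (ProFTPD) [192.0.2.1]\r\n"}},"error":null}
{"host":"192.0.2.2","data":{"banner":{"response":"220---------- Welcome to Pure-FTPd  ----------\r\n220-You are user number 1 of 50 allowed.\r\n"}},"error":null}
{"host":"192.0.2.3","data":{"banner":{"response":"220 Microsoft FTP Service\r\n"}},"error":null}
{"host":"192.0.2.4","error":"dial tcp 192.0.2.4:21: i/o timeout"}
{"host":"192.0.2.5","data":{"banner":{"response":"220 FileZilla Server version 0.9.41 beta\r\n"}},"error":null}
{"host":"192.0.2.6","data":{"banner":{"response":"220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.0.2.6]\r\n"}},"error":null}
'''

# Product/version strings the post lists as out of date or with a public exploit.
OUTDATED = {"ProFTPD 1.3.3g", "ProFTPD 1.3.4a", "ProFTPD 1.3.4c", "ProFTPD 1.3.3a",
            "ProFTPD 1.3.1", "ProFTPD 1.3.3e", "ProFTPD 1.3.4d",
            "FileZilla Server version 0.9.41", "FileZilla Server version 0.9.24",
            "Serv-U FTP Server v6.2"}
VERSION_RE = re.compile(r"(ProFTPD \d[\w.]*|FileZilla Server version [\d.]+|Serv-U FTP Server v[\d.]+)")

def first_banner_line(record):
    """Text after the 220 code on the first greeting line, or None when the
    host never sent a 220 greeting (timeout, refused, non-FTP service)."""
    response = ((record.get("data") or {}).get("banner") or {}).get("response", "")
    if not response.startswith("220"):
        return None
    return response[3:].split("\r\n", 1)[0].strip()

def tally(lines):
    """Count first banner lines; the counter's total is the number of 220 replies."""
    counts = Counter()
    for line in filter(None, map(str.strip, lines)):
        text = first_banner_line(json.loads(line))
        if text is not None:
            counts[text] += 1
    return counts

def flag_outdated(counts):
    """Map each banner advertising a version in OUTDATED to (version, count)."""
    return {b: (m.group(1), n) for b, n in counts.items()
            if (m := VERSION_RE.search(b)) and m.group(1) in OUTDATED}

def outdated_share(counts):
    """Percentage of 220-responding hosts whose banner is in the flagged set."""
    total = sum(counts.values())
    hits = sum(n for _, n in flag_outdated(counts).values())
    return round(100 * hits / total, 1) if total else 0.0
```

On the six constructed records this yields five 220 banners, two of them flagged (ProFTPD 1.3.3g and FileZilla 0.9.41), for a 40.0% share; the post's 8.4% comes from running the same kind of count over the full 13,802,278-line dataset.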

I again found this research very interesting.  Wow! The question I end with: how do we get this into the hands of the right people to get these vulnerabilities fixed? How is it possible to fix over a million FTP servers?
