Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Telnet (partially FTP) fails to handle TCP connection #158

Closed
t3chn0m4g3 opened this issue Mar 15, 2024 · 5 comments
Closed

Telnet (partially FTP) fails to handle TCP connection #158

t3chn0m4g3 opened this issue Mar 15, 2024 · 5 comments
Labels

Comments

@t3chn0m4g3
Copy link
Contributor

t3chn0m4g3 commented Mar 15, 2024

@glaslos The telnet, ftp handlers have issues. I can connect and ftp even logs, however telnet fails once the connection is closed. Testing was done with linux telnet and ftp clients.

{"time":"2024-03-15T16:57:53.820415172Z","level":"INFO","msg":"[smtp    ] Payload : \"HELO\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T16:59:30.364890717Z","level":"INFO","msg":"[smtp    ] Payload : \"ehlo v\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T16:59:30.391354919Z","level":"INFO","msg":"[smtp    ] Payload : \"Helo v\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T16:59:30.419873864Z","level":"INFO","msg":"[smtp    ] Payload : \"Quit\"","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d"}
{"time":"2024-03-15T17:00:28.062610668Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:02:58.173663048Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:04:13.161281036Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:04:21.834132543Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"telnet"}
{"time":"2024-03-15T17:06:38.580027398Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"USER test\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:39.769239203Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"PASS test\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:39.774005479Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"SYST\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:39.777393885Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"FEAT\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:41.58332548Z","level":"INFO","msg":"ftp payload received","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","dest_port":"21","src_ip":"172.20.254.127","src_port":"59750","message":"\"QUIT\\r\\n\"","handler":"ftp"}
{"time":"2024-03-15T17:06:41.589578584Z","level":"ERROR","msg":"failed to handle TCP connection","sensorID":"7fa88dd9-2cbf-47eb-8034-b734e415107d","error":"EOF","handler":"ftp"}

I can see the following iptables rules added to PREROUTING:

:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s5 -p udp -m state ! --state RELATED,ESTABLISHED -m udp ! --dport 22 -j TPROXY --on-port 0 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A PREROUTING -i enp0s5 -p tcp -m state ! --state RELATED,ESTABLISHED -m tcp ! --dport 22 -j TPROXY --on-port 5000 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A PREROUTING -i enp0s5 -p udp -m state ! --state RELATED,ESTABLISHED -m udp ! --dport 22 -j TPROXY --on-port 5001 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0

my Dockerfile ( system.go overwrite only to get rid of open files info ):

FROM golang:1.21-alpine as builder
#
# Include dist
COPY dist/ /root/dist/
# 
# Setup apk
RUN apk -U --no-cache add \
		build-base \
		git \
                g++ \
		iptables-dev \
		libpcap-dev && \
#
# Setup go, glutton
    export GO111MODULE=on && \
    mkdir -p /opt/ && \
    cd /opt/ && \
    git clone https://github.com/mushorg/glutton && \
    cd /opt/glutton/ && \
    git checkout c1204c65ce32bfdc0e08fb2a9abe89b3b8eeed62 && \
    cp /root/dist/system.go . && \
    go mod download && \
    make build
#
FROM alpine:3.19
#
COPY --from=builder /opt/glutton/bin /opt/glutton/bin
COPY --from=builder /opt/glutton/config /opt/glutton/config
COPY --from=builder /opt/glutton/rules /opt/glutton/rules
#
RUN apk -U --no-cache add \
		iptables \
		iptables-dev \
		libnetfilter_queue-dev \
		libcap \
		libpcap-dev && \
		setcap cap_net_admin,cap_net_raw=+ep /opt/glutton/bin/server && \
		setcap cap_net_admin,cap_net_raw=+ep /sbin/xtables-nft-multi && \
		mkdir -p /var/log/glutton \
		         /opt/glutton/payloads && \
#
# Setup user, groups and configs
    addgroup -g 2000 glutton && \
    adduser -S -s /bin/ash -u 2000 -D -g 2000 glutton && \
#
# Clean up
    rm -rf /var/cache/apk/* \
           /root/*
#
# Start glutton 
WORKDIR /opt/glutton
USER glutton:glutton
CMD exec bin/server -d true -i $(/sbin/ip address show | /usr/bin/awk '/inet.*brd/{ print $NF; exit }') -l /var/log/glutton/glutton.log > /dev/null 2>&1

my docker-compose.yml:

version: '2.3'

services:

# glutton service
  glutton:
    build: .
    container_name: glutton
    restart: always
    tmpfs:
     - /var/lib/glutton:uid=2000,gid=2000
     - /run:uid=2000,gid=2000
    network_mode: "host"
    cap_add:
     - NET_ADMIN
     - NET_RAW
    image: "dtagdevsec/glutton:alpha"
    read_only: true
    volumes:
     - $HOME/tpotce/data/glutton/log:/var/log/glutton
     - $HOME/tpotce/data/glutton/payloads:/opt/glutton/payloads
@glaslos
Copy link
Member

glaslos commented May 7, 2024

Can you link to the Dockerfile? It can be a little updated since the requirements changed.
Also there shouldn't be a TPROXY --on-port 0 rule I think 🤔

@t3chn0m4g3
Copy link
Contributor Author

Sure.

@glaslos
Copy link
Member

glaslos commented May 7, 2024

I don't think updating your Docker image will resolve the problem. But we are both at last using very similar images and I can attempt to reproduce.

@t3chn0m4g3
Copy link
Contributor Author

Thanks, can review this in Copenhagen. Looking forward seeing your IRL again!

@glaslos
Copy link
Member

glaslos commented Dec 26, 2024

Should be fixed on the main branch.

@glaslos glaslos added the bug label Dec 27, 2024
@glaslos glaslos closed this as completed Jan 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants