zgrab2/modules/ftp/scanner.go
Houlton McGuinn f9dcf9f703
Add error handling for FTP TLS handshake (#314)
Co-authored-by: Houlton McGuinn <houlton@censys.io>
2021-06-07 23:17:59 -04:00

287 lines
8.5 KiB
Go

// Package ftp contains the zgrab2 Module implementation for FTP(S).
//
// Setting the --authtls flag will cause the scanner to attempt a upgrade the
// connection to TLS. Settings for the TLS handshake / probe can be set with
// the standard TLSFlags.
//
// The scan performs a banner grab and (optionally) a TLS handshake.
//
// The output is the banner, any responses to the AUTH TLS/AUTH SSL commands,
// and any TLS logs.
package ftp
import (
"fmt"
"net"
"regexp"
"strings"
log "github.com/sirupsen/logrus"
"github.com/zmap/zgrab2"
)
// ScanResults is the output of the scan.
// Identical to the original from zgrab, with the addition of TLSLog.
type ScanResults struct {
// Banner is the initial data banner sent by the server.
Banner string `json:"banner,omitempty"`
// AuthTLSResp is the response to the AUTH TLS command.
// Only present if the FTPAuthTLS flag is set.
AuthTLSResp string `json:"auth_tls,omitempty"`
// AuthSSLResp is the response to the AUTH SSL command.
// Only present if the FTPAuthTLS flag is set and AUTH TLS failed.
AuthSSLResp string `json:"auth_ssl,omitempty"`
// ImplicitTLS is true if the connection is wrapped in TLS, as opposed
// to via AUTH TLS or AUTH SSL.
ImplicitTLS bool `json:"implicit_tls,omitempty"`
// TLSLog is the standard shared TLS handshake log.
// Only present if the FTPAuthTLS flag is set.
TLSLog *zgrab2.TLSLog `json:"tls,omitempty"`
}
// Flags are the FTP-specific command-line flags. Taken from the original zgrab.
// (TODO: should FTPAuthTLS be on by default?).
type Flags struct {
zgrab2.BaseFlags
zgrab2.TLSFlags
Verbose bool `long:"verbose" description:"More verbose logging, include debug fields in the scan results"`
FTPAuthTLS bool `long:"authtls" description:"Collect FTPS certificates in addition to FTP banners"`
ImplicitTLS bool `long:"implicit-tls" description:"Attempt to connect via a TLS wrapped connection"`
}
// Module implements the zgrab2.Module interface.
type Module struct {
}
// Scanner implements the zgrab2.Scanner interface, and holds the state
// for a single scan.
type Scanner struct {
config *Flags
}
// Connection holds the state for a single connection to the FTP server.
type Connection struct {
// buffer is a temporary buffer for sending commands -- so, never interleave
// sendCommand calls on a given connection
buffer [10000]byte
config *Flags
results ScanResults
conn net.Conn
}
// RegisterModule registers the ftp zgrab2 module.
func RegisterModule() {
var module Module
_, err := zgrab2.AddCommand("ftp", "FTP", module.Description(), 21, &module)
if err != nil {
log.Fatal(err)
}
}
// NewFlags returns the default flags object to be filled in with the
// command-line arguments.
func (m *Module) NewFlags() interface{} {
return new(Flags)
}
// NewScanner returns a new Scanner instance.
func (m *Module) NewScanner() zgrab2.Scanner {
return new(Scanner)
}
// Description returns an overview of this module.
func (m *Module) Description() string {
return "Grab an FTP banner"
}
// Validate flags
func (f *Flags) Validate(args []string) (err error) {
if f.FTPAuthTLS && f.ImplicitTLS {
err = fmt.Errorf("Cannot specify both '--authtls' and '--implicit-tls' together")
}
return
}
// Help returns this module's help string.
func (f *Flags) Help() string {
return ""
}
// Protocol returns the protocol identifer for the scanner.
func (s *Scanner) Protocol() string {
return "ftp"
}
// Init initializes the Scanner instance with the flags from the command
// line.
func (s *Scanner) Init(flags zgrab2.ScanFlags) error {
f, _ := flags.(*Flags)
s.config = f
return nil
}
// InitPerSender does nothing in this module.
func (s *Scanner) InitPerSender(senderID int) error {
return nil
}
// GetName returns the configured name for the Scanner.
func (s *Scanner) GetName() string {
return s.config.Name
}
// GetTrigger returns the Trigger defined in the Flags.
func (scanner *Scanner) GetTrigger() string {
return scanner.config.Trigger
}
// ftpEndRegex matches zero or more lines followed by a numeric FTP status code
// and linebreak, e.g. "200 OK\r\n"
var ftpEndRegex = regexp.MustCompile(`^(?:.*\r?\n)*([0-9]{3})( [^\r\n]*)?\r?\n$`)
// isOKResponse returns true iff and only if the given response code indicates
// success (e.g. 2XX)
func (ftp *Connection) isOKResponse(retCode string) bool {
// TODO: This is the current behavior; should it check that it isn't
// garbage that happens to start with 2 (e.g. it's only ASCII chars, the
// prefix is 2[0-9]+, etc)?
return strings.HasPrefix(retCode, "2")
}
// readResponse reads an FTP response chunk from the server.
// It returns the full response, as well as the status code alone.
func (ftp *Connection) readResponse() (string, string, error) {
respLen, err := zgrab2.ReadUntilRegex(ftp.conn, ftp.buffer[:], ftpEndRegex)
if err != nil {
return "", "", err
}
ret := string(ftp.buffer[0:respLen])
retCode := ftpEndRegex.FindStringSubmatch(ret)[1]
return ret, retCode, nil
}
// GetFTPBanner reads the data sent by the server immediately after connecting.
// Returns true if and only if the server returns a success status code.
// Taken over from the original zgrab.
func (ftp *Connection) GetFTPBanner() (bool, error) {
banner, retCode, err := ftp.readResponse()
if err != nil {
return false, err
}
ftp.results.Banner = banner
return ftp.isOKResponse(retCode), nil
}
// sendCommand sends a command and waits for / reads / returns the response.
func (ftp *Connection) sendCommand(cmd string) (string, string, error) {
ftp.conn.Write([]byte(cmd + "\r\n"))
return ftp.readResponse()
}
// SetupFTPS returns true if and only if the server reported support for FTPS.
// First attempt AUTH TLS; if that fails, try AUTH SSL.
// Taken over from the original zgrab.
func (ftp *Connection) SetupFTPS() (bool, error) {
ret, retCode, err := ftp.sendCommand("AUTH TLS")
if err != nil {
return false, err
}
ftp.results.AuthTLSResp = ret
if ftp.isOKResponse(retCode) {
return true, nil
}
ret, retCode, err = ftp.sendCommand("AUTH SSL")
if err != nil {
return false, err
}
ftp.results.AuthSSLResp = ret
if ftp.isOKResponse(retCode) {
return true, nil
}
return false, nil
}
// GetFTPSCertificates attempts to perform a TLS handshake with the server so
// that the TLS certificates will end up in the TLSLog.
// First sends the AUTH TLS/AUTH SSL command to tell the server we want to
// do a TLS handshake. If that fails, break. Otherwise, perform the handshake.
// Taken over from the original zgrab.
func (ftp *Connection) GetFTPSCertificates() error {
ftpsReady, err := ftp.SetupFTPS()
if err != nil {
return err
}
if !ftpsReady {
return nil
}
var conn *zgrab2.TLSConnection
if conn, err = ftp.config.TLSFlags.GetTLSConnection(ftp.conn); err != nil {
return err
}
ftp.results.TLSLog = conn.GetLog()
if err = conn.Handshake(); err != nil {
// NOTE: With the default config of vsftp (without ssl_ciphers=HIGH),
// AUTH TLS succeeds, but the handshake fails, dumping
// "error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher"
// to the socket.
return err
}
ftp.conn = conn
return nil
}
// Scan performs the configured scan on the FTP server, as follows:
// * Read the banner into results.Banner (if it is not a 2XX response, bail)
// * If the FTPAuthTLS flag is not set, finish.
// * Send the AUTH TLS command to the server. If the response is not 2XX, then
// send the AUTH SSL command. If the response is not 2XX, then finish.
// * Perform ths TLS handshake / any configured TLS scans, populating
// results.TLSLog.
// * Return SCAN_SUCCESS, &results, nil
func (s *Scanner) Scan(t zgrab2.ScanTarget) (status zgrab2.ScanStatus, result interface{}, thrown error) {
var err error
conn, err := t.Open(&s.config.BaseFlags)
if err != nil {
return zgrab2.TryGetScanStatus(err), nil, err
}
cn := conn
defer func() {
cn.Close()
}()
results := ScanResults{}
if s.config.ImplicitTLS {
tlsConn, err := s.config.TLSFlags.GetTLSConnection(conn)
if err != nil {
return zgrab2.TryGetScanStatus(err), nil, err
}
results.ImplicitTLS = true
results.TLSLog = tlsConn.GetLog()
err = tlsConn.Handshake()
if err != nil {
return zgrab2.TryGetScanStatus(err), nil, err
}
cn = tlsConn
}
ftp := Connection{conn: cn, config: s.config, results: results}
is200Banner, err := ftp.GetFTPBanner()
if err != nil {
return zgrab2.TryGetScanStatus(err), &ftp.results, err
}
if s.config.FTPAuthTLS && is200Banner {
if err := ftp.GetFTPSCertificates(); err != nil {
return zgrab2.SCAN_APPLICATION_ERROR, &ftp.results, err
}
}
return zgrab2.SCAN_SUCCESS, &ftp.results, nil
}