
I am developing an app for malware analysis. It tracks all FTP requests of a virus, so I am implementing my own FTP server and I have a DNS server on my own PC redirecting all hosts to 127.0.0.1. The problem is that I want to know the host name of the FTP request. It can be any address, because the DNS server returns 127.0.0.1. I am using .NET and TcpClient. I resolve the local and remote IP (127.0.0.1), but I don't know how to get the host name accessed by the malware. In the HTTP protocol the host name travels in the header, but I don't know how to get it in the FTP protocol.

aperezfals
  • Not exactly what you want, but it might help: http://stackoverflow.com/questions/716748/reverse-ip-domain-check – Żubrówka Nov 03 '16 at 14:54
  • Just to be clear... you have your own FTP server, and you want to trap the requested hostname of a caller within .NET? Is your FTP server within IIS? – HBomb Nov 14 '16 at 19:00
  • @HBomb I made my own FTP server, and I also made my own DNS server, so I can control everything. The problem is that in the DNS server I don't know which protocol is requesting a name (FTP or HTTP etc.), and in the FTP server I don't know the host requested – aperezfals Nov 14 '16 at 20:21
  • What is your specific DNS server implementation? You will have to intercept the original host name before the reroute occurs, because it's lost after that. I believe it is removed from the Ethernet frame as well on reroute. – HBomb Nov 14 '16 at 21:45

2 Answers


FTP doesn't contain this information, nor does TCP, which it is built on. HTTP specifically has this and other information we're used to with web development in the header portion of the packets. You have to collect this information at or prior to DNS resolution.

See: https://stackoverflow.com/a/12706928


Also, you would need TcpListener not TcpClient to listen for FTP requests.

vee_ess
  • Can I know in the DNS server which protocol is requesting an IP, so I can catch the host name? – aperezfals Nov 14 '16 at 20:24
  • Information outside of the domain is not passed during DNS resolution, here's a trace example - http://serverfault.com/a/173193 – vee_ess Nov 17 '16 at 03:26
  • I would suggest looking at FiddlerCore. I've only ever used Fiddler for intercepting HTTP, but I know it can be configured for FTP interception as well. FiddlerCore is its functionality as a .NET library. It operates as a proxy intercepting all traffic through WinINET. http://fiddler.wikidot.com/misc-information-page#toc1 – vee_ess Nov 17 '16 at 03:33

While vee_ess is correct that neither FTP nor TCP contains this information, if the connection is occurring over the Internet then the connection is technically TCP/IP... and the IP protocol does contain this information within the Ethernet frame.

What you have to do is read this information from the raw ethernet frame (and as vee_ess mentions, prior to DNS resolution).

Since this is tagged in .Net, I'm going to assume you want to stay in .Net. So I would recommend pCapDotNet.

http://pcapdotnet.codeplex.com/

This is a .Net wrapper for the winpcap tool, which will allow you to filter, intercept and read link layer packets. See the documentation here:

https://www.winpcap.org/docs/docs_412/html/main.html

It operates at the network device layer. This means that it will intercept packets essentially at the network adapter, which should be prior to your DNS server reading and rewriting the packet. You should then store the pair of the original sending IP, and the requested hostname from within the ethernet frame. Your DNS server will send back down the resolved IP address to the caller, and the caller will contact your FTP server directly via its IP.

At that point, you can compare the sender's IP address to whatever was stored, and you now know what the original hostname requested was.

HBomb
  • I tried this option, but the problem is that the computer is offline, without an Ethernet cable for security reasons (malware analysis), and I don't know why the packets don't go out to the Ethernet card, so I can't track them. Maybe it is because the address is 127.0.0.1. – aperezfals Nov 15 '16 at 13:15
  • How can your DNS server not have network connectivity? Are you saying your DNS and FTP implementations are on the exact same box? – HBomb Nov 15 '16 at 19:45
  • My DNS server and my FTP server are both on the same computer, so when a virus tries to access any FTP address by its host name, the DNS server response is 127.0.0.1 and the virus accesses the local FTP server – aperezfals Nov 15 '16 at 19:58
  • You cannot intercept the packet then, as it never leaves your network card. My advice is to have 3 boxes: 1 is the virus source, the second is the DNS, and the 3rd is your FTP. Then you connect them all via Ethernet (but don't connect anything else, to keep the virus contained). You can then intercept the packets and get the host name as described above. – HBomb Nov 15 '16 at 21:15
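Both answers come down to the same thing: the name is only visible at DNS resolution time, so it has to be recorded there and matched to the TCP connection that follows. The code below is an added example written for this page, not code from the asker or either answerer, and it is in Python rather than the asker's .NET (the structure maps directly onto a UdpClient for the resolver and a TcpListener for the FTP side). Because the asker controls the DNS server, no packet capture is needed: the server parses the QNAME out of the query it receives and stores the (client address, name) pair the second answer describes. It also goes one step beyond the answers to cover the single-host setup from the comments, where every peer address is 127.0.0.1 and source-address correlation cannot tell connections apart: each distinct name is answered with its own loopback address (127.0.1.1, 127.0.1.2, ... chosen here as an assumption), so the FTP listener reads the name back from the local address the sample connected to (`Client.LocalEndPoint` on a .NET TcpClient). This relies on Linux and Windows treating all of 127.0.0.0/8 as loopback; the class and function names, the ports and the sample DNS query bytes are constructed for the example.

```python
# Added example, not code from the question or the answers: a sink DNS server that
# gives every queried name its own loopback address, plus an FTP listener that
# reads the name back from the local address the sample connected to.
import socket
import struct
import threading

QTYPE_A = 1
# Constructed sample, not captured traffic: A query for ftp.example.test, ID 0x1234, RD set.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header
    b"\x03ftp\x07example\x04test\x00"                      # QNAME
    b"\x00\x01\x00\x01"                                    # QTYPE A, QCLASS IN
)


def parse_query(packet):
    """Return (transaction id, lower-cased qname, qtype, raw question section)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    tid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:  # compression pointers never appear in a question
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # the terminating root label
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return tid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def build_response(tid, question, ip=None, ttl=0):
    """One A record pointing at ip, or NOERROR with no data when ip is None."""
    # TTL 0 defeats the sample's resolver cache, so each connection is preceded
    # by a fresh lookup. 0xC00C is a pointer to the question name at offset 12.
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1 if ip else 0, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip) if ip else b""
    return header + question + answer


class HostnameSink:
    """Hands each queried name its own loopback address and remembers the mapping."""

    def __init__(self, first="127.0.1.1"):
        self._next = struct.unpack("!I", socket.inet_aton(first))[0]
        self.name_to_ip, self.ip_to_name = {}, {}
        self.lookups = []  # (client address, name): the pair the answers say to store

    def address_for(self, name):
        if name not in self.name_to_ip:
            ip = socket.inet_ntoa(struct.pack("!I", self._next))
            self._next += 1
            self.name_to_ip[name], self.ip_to_name[ip] = ip, name
        return self.name_to_ip[name]

    def handle_query(self, packet, client_ip):
        """DNS side: log the lookup and answer A queries with the per-name address."""
        tid, name, qtype, question = parse_query(packet)
        self.lookups.append((client_ip, name))
        return build_response(tid, question, self.address_for(name) if qtype == QTYPE_A else None)

    def hostname_for(self, local_ip, peer_ip):
        """FTP side: the address the sample connected to names the host it wanted."""
        if local_ip in self.ip_to_name:
            return self.ip_to_name[local_ip]
        # Fallback from the answers: latest lookup from the same peer. It cannot
        # distinguish anything on one host, where every peer is 127.0.0.1.
        for client_ip, name in reversed(self.lookups):
            if client_ip == peer_ip:
                return name
        return None


def serve(sink, dns_addr=("127.0.0.1", 53), ftp_addr=("0.0.0.0", 21)):
    """Run the sink resolver on UDP and a greeting-only FTP listener on TCP."""
    def dns_loop():
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(dns_addr)
        while True:
            packet, client = udp.recvfrom(512)
            try:
                udp.sendto(sink.handle_query(packet, client[0]), client)
            except ValueError:
                pass  # malformed query: drop it instead of crashing the sink
    threading.Thread(target=dns_loop, daemon=True).start()
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(ftp_addr)  # INADDR_ANY also accepts connections made to 127.0.1.x
    tcp.listen()
    while True:
        conn, peer = tcp.accept()
        with conn:  # the local address is the one the sample resolved and dialled
            local_ip = conn.getsockname()[0]
            print(f"FTP from {peer[0]} to {local_ip}: host {sink.hostname_for(local_ip, peer[0])}")
            conn.sendall(b"220 sink FTP ready\r\n")
```

Calling `serve(HostnameSink())` needs the rights to bind ports 53 and 21, and the sample's resolver must already point at 127.0.0.1, as in the asker's setup. A AAAA query gets an empty NOERROR reply so the sample falls back to A. macOS only configures 127.0.0.1 on lo0 by default, so there each alias would have to be added by hand; on Linux and Windows the whole 127/8 block already answers. The `serve` loop only greets and closes, so the real FTP implementation goes in place of the `sendall`.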