![]() Since TFTP is a plaintext protocol, it is easy to perform string matching against its contents to detect attempted data exfiltration. The main challenges in using TFTP for data exfiltration are the lack of encryption and TFTP traffic crossing network boundaries. Since responding to requests for files is a core function of a TFTP server, traffic doing so is unlikely to look suspicious. Data exfiltrationĪs a file transfer protocol, TFTP is an ideal choice for an attacker wanting to perform data exfiltration. TFTP can be used for data exfiltration once an attacker has compromised a network and found what they are looking for or for sending malware into a network. This means that its main malicious uses are for moving data into and out of the network. However, its lack of encryption and authentication make it extremely insecure. The stripped-down nature of TFTP makes it very efficient and good for situations like loading boot information because it requires little overhead and processing. ![]() The only difference is the opcode (2 for write). Since the client is driving this request, all that the server does is acknowledge the receipt of the initial request (Block 0) and all of the data sent after it.Īs shown above, the structure of a write request packet is essentially identical to that of a read request. The screenshot above shows the flow of a write request (PUT). This ensures proper packet ordering and packet receipt without the overhead of a TCP connection. Each TFTP data packet contains a block number and is acknowledged by the recipient. While TFTP uses UDP, it has TCP-like features built in. Its header specifies an opcode (3 for data packet) and the block number, and the body contains the requested data. The packet on the right shows the first data packet (packet 2). It includes the opcode (1 for read request), the desired filename and the type of content that it is requesting (octet). The image on the left is of the first packet in this sequence, a read request. This makes it difficult to filter for TFTP traffic in a live capture in Wireshark since the built-in ftp filter does not work and filtering for port 69 will only catch the initial request.Īs shown in the screenshots above, TFTP packets are designed to be extremely simple. As shown in the packet capture above, the first TFTP request is made to port 69 (the TFTP server), but after that, the TFTP server selects another high-number port to send its responses. It is interesting to note that TFTP is unusual in that it has a well-known port but doesn’t use it for all traffic. ![]() The screenshot above shows an example of a TFTP read request (GET) in Wireshark. Instead, it has two main options: file read requests and file write requests. TFTP is designed to be a stripped-down file transfer protocol without authentication or many of the features that FTP and other protocols offer. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |