authorTyler St. Onge <tylertstonge@gmail.com>2020-07-18 14:57:37 -0400
committerTyler St. Onge <tylertstonge@gmail.com>2020-07-18 14:57:37 -0400
commit23245f3150497ce115b81ac52b518ee6123f5c6b (patch)
treed8159fbba907520c49485c9d86f4445266b91423
parent6ff3d35cc5944ac66ad9ce9b996901098f18002f (diff)
new post - operation honeypot 01
-rw-r--r--_config.yml18
-rw-r--r--package-lock.json35
-rw-r--r--package.json4
-rw-r--r--source/_posts/2015-09-14-aseembly-hello-world.md2
-rw-r--r--source/_posts/2020-07-18-operation-honeypot-01-ftp-recon.md134
-rw-r--r--themes/hexo-theme-freemind.bithack/source/css/style.css6
6 files changed, 186 insertions, 13 deletions
diff --git a/_config.yml b/_config.yml
index 53bb2c6..049dc6c 100644
--- a/_config.yml
+++ b/_config.yml
@@ -31,6 +31,20 @@ code_dir: downloads/code
i18n_dir: :lang
skip_render:
+# Feed
+feed:
+ type: atom
+ path: atom.xml
+ limit: 20
+ hub:
+ content:
+ content_limit: 140
+ content_limit_delim: ' '
+ order_by: -date
+ icon: icon.png
+ autodiscovery: true
+ template:
+
# Writing
new_post_name: :title.md # File name of new posts
default_layout: post
@@ -50,7 +64,7 @@ highlight:
auto_detect: false
tab_replace: ''
wrap: true
- hljs: false
+ hljs: true
# Home page setting
# path: Root path for your blogs index page. (default = '')
@@ -74,7 +88,7 @@ meta_generator: true
## Hexo uses Moment.js to parse and display date
## You can customize the date format as defined in
## http://momentjs.com/docs/#/displaying/format/
-date_format: YYYY-MM-DD
+date_format: YYYY.MM.DD
time_format: HH:mm:ss
## Use post's date for updated date unless set in front-matter
use_date_for_updated: false
diff --git a/package-lock.json b/package-lock.json
index 0f2263f..f6ef381 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -901,6 +901,15 @@
"hexo-pagination": "1.0.0"
}
},
+ "hexo-generator-feed": {
+ "version": "2.2.0",
+ "resolved": "https://registry.npmjs.org/hexo-generator-feed/-/hexo-generator-feed-2.2.0.tgz",
+ "integrity": "sha512-/jFMSyofFmp75P67sN9QesEW/wAFstmNfM+zXOOh+D5ZJe0RqXokczEetloqjCU1CX1EzKI3tRr/EoBZ6igQzg==",
+ "requires": {
+ "hexo-util": "^1.3.0",
+ "nunjucks": "^3.0.0"
+ }
+ },
"hexo-generator-index": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/hexo-generator-index/-/hexo-generator-index-1.0.0.tgz",
@@ -1044,6 +1053,13 @@
"highlight.js": "^9.13.1",
"html-entities": "^1.2.1",
"striptags": "^3.1.1"
+ },
+ "dependencies": {
+ "highlight.js": {
+ "version": "9.18.1",
+ "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.1.tgz",
+ "integrity": "sha512-OrVKYz70LHsnCgmbXctv/bfuvntIKDz177h0Co37DQ5jamGZLVmoCVMtjMtNZY3X9DrCcKfklHPNeA0uPZhSJg=="
+ }
}
},
"lower-case": {
@@ -1158,9 +1174,9 @@
}
},
"hexo-tag-bootstrap": {
- "version": "0.2.1",
- "resolved": "https://registry.npmjs.org/hexo-tag-bootstrap/-/hexo-tag-bootstrap-0.2.1.tgz",
- "integrity": "sha512-lOr+ZxfRed2eLzOMosU6jI5gyv1pg33nrRBUp6wZfloSkbE3I/TyK34Uf+kCBRxngDwn/kioqFwPY8kBCgsiZw=="
+ "version": "0.0.8",
+ "resolved": "https://registry.npmjs.org/hexo-tag-bootstrap/-/hexo-tag-bootstrap-0.0.8.tgz",
+ "integrity": "sha1-U+jwI9J4cZ7RG9Dzv2bBkvjow6A="
},
"hexo-util": {
"version": "1.9.1",
@@ -1177,12 +1193,19 @@
"punycode.js": "^2.1.0",
"strip-indent": "^3.0.0",
"striptags": "^3.1.1"
+ },
+ "dependencies": {
+ "highlight.js": {
+ "version": "9.18.1",
+ "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.1.tgz",
+ "integrity": "sha512-OrVKYz70LHsnCgmbXctv/bfuvntIKDz177h0Co37DQ5jamGZLVmoCVMtjMtNZY3X9DrCcKfklHPNeA0uPZhSJg=="
+ }
}
},
"highlight.js": {
- "version": "9.18.1",
- "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-9.18.1.tgz",
- "integrity": "sha512-OrVKYz70LHsnCgmbXctv/bfuvntIKDz177h0Co37DQ5jamGZLVmoCVMtjMtNZY3X9DrCcKfklHPNeA0uPZhSJg=="
+ "version": "10.1.1",
+ "resolved": "https://registry.npmjs.org/highlight.js/-/highlight.js-10.1.1.tgz",
+ "integrity": "sha512-b4L09127uVa+9vkMgPpdUQP78ickGbHEQTWeBrQFTJZ4/n2aihWOGS0ZoUqAwjVmfjhq/C76HRzkqwZhK4sBbg=="
},
"html-entities": {
"version": "1.3.1",
diff --git a/package.json b/package.json
index 3836acb..21ebcc5 100644
--- a/package.json
+++ b/package.json
@@ -18,6 +18,7 @@
"hexo-excerpt": "^1.1.6",
"hexo-generator-archive": "^1.0.0",
"hexo-generator-category": "^1.0.0",
+ "hexo-generator-feed": "^2.2.0",
"hexo-generator-index": "^1.0.0",
"hexo-generator-search": "^2.4.0",
"hexo-generator-tag": "^1.0.0",
@@ -25,6 +26,7 @@
"hexo-renderer-marked": "^2.0.0",
"hexo-renderer-stylus": "^1.1.0",
"hexo-server": "^1.0.0",
- "hexo-tag-bootstrap": "^0.2.1"
+ "hexo-tag-bootstrap": "0.0.8",
+ "highlight.js": "^10.1.1"
}
}
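Review bot: The `hexo-tag-bootstrap` requirement on the new side is changed from `"^0.2.1"` to an exact `"0.0.8"`, which is a downgrade to a much older release, and neither package.json nor the commit message ("new post - operation honeypot 01") records why. In the package-lock.json hunk of this same commit the 0.0.8 tarball is recorded with only a `sha1-…` integrity value, whereas every other package touched here carries `sha512-…`, so the install-time verification for this one dependency is weaker. If the downgrade works around a theme or plugin incompatibility, say so next to the pin so the next maintainer does not "fix" it back, e.g. add a `"//": "hexo-tag-bootstrap pinned to 0.0.8: <reason>"` entry (npm ignores `//` keys) or a line in the commit message, and check whether 0.0.8 still receives releases. Separately, `"highlight.js": "^10.1.1"` is added as a direct dependency while the lockfile hunk shows hexo-util and the renderer still resolving their own nested 9.18.1 copy, so two major versions of highlight.js will ship in the build; presumably the top-level one is for the theme's client-side highlighting, but that is worth confirming.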
diff --git a/source/_posts/2015-09-14-aseembly-hello-world.md b/source/_posts/2015-09-14-aseembly-hello-world.md
index 9870d78..1be7b7d 100644
--- a/source/_posts/2015-09-14-aseembly-hello-world.md
+++ b/source/_posts/2015-09-14-aseembly-hello-world.md
@@ -61,7 +61,7 @@ hello db "Hello, world!",0x0a
len equ $ - hello
```
-In the first line of this code we are telling opening the new .data section. This is where we define any constant data our program uses. As a side note, any variables declared here cannot be changed when the program is running. The first variable we declare is hello, and we terminate the string with 0x0a, which will make the computer create a new line after the data. The next line sets the variable len equal to the address of the beginning of the line of the current instruction minus the location of hello, this will evaluate to the size of hello.
+In the first line of this code we are telling opening the new .data section. This is where we define any constant data our program uses. As a side note, any variables declared here cannot be changed when the program is running. The first variable we declare is hello, and we terminate the string with 0x0a, which will make the computer create a new line after the data. The next line sets the variable len equal to the address of the beginning of the line of the current instruction minus the location of hello, this will evaluate to the size of hello.
## Outro
diff --git a/source/_posts/2020-07-18-operation-honeypot-01-ftp-recon.md b/source/_posts/2020-07-18-operation-honeypot-01-ftp-recon.md
new file mode 100644
index 0000000..048ef02
--- /dev/null
+++ b/source/_posts/2020-07-18-operation-honeypot-01-ftp-recon.md
@@ -0,0 +1,134 @@
+---
+title: Operation Honeypot - 01 FTP Recon
+date: 2020-07-18 12:18:50
+tags: security
+---
+
+## Pre-post Drivel
+
+This is the obligatory part of this post where I say, "wow, I have not posted for awhile, I'm going to do better" but in reality I program 8+ hours a day and a lot of times when I get home I'd much rather do something around the house or more creative. However, I do feel that having a good project I can incrementally work on that flexes some of the programming muscles I don't get to use in my day job will be immensely helpful to my development as a software engineer.
+
+So, to pick something that interests me and will keep me occupied for awhile? I have always been interested in the security side of programming, and what better way to really understand cutting edge security than making something that's very purpose is to see what people (mostly bots) are currently doing to exploit cloud applications. I am planning to implement most of this in Scala, which I do not use very often, so feel free to email me if you see some real rookie mistakes.
+
+## What is a Honeypot anyway?
+
+> hon·ey·pot
+> /ˈhənēˌpät/
+> noun
+> 1. a container in which honey is kept.
+> "an earthenware honeypot"
+
+Well, not *that* kind of honeypot..
+
+The one I am talking about is a server which mimics real applications in hopes of catching someone attempting to exploit it and documenting the different methods they are using. There are plenty of open-source tools which accomplish this now and you can do something as simple as open [Netcat](http://netcat.sourceforge.net/) on port 80 and see what files people are requesting from your "web server".
+
+That really is, at its core, what a honeypot is. Obviously, things get more complicated. You want to make sure your system does not actually get hacked and you want to build complexity so that attackers can think they are interacting with the system while you record their every move. If they are trying to leverage a command or query a file you do not have, they'll probably just move onto another target and you'll miss out on discovering what their technique really was.
+
+---
+
+## First Act - The Trap
+
+So now the question arises, "Which protocol should we mimic to entice attackers?" Well, at first I thought a simple web server would suffice, but that is really open-ended, what would the web page look like? How many endpoints am I going to allow? How do you reply to a request for each endpoint? To get the most attackers it makes sense to mimic popular web frameworks, but then which ones? Wordpress? This seems like something for another day, but what about FTP?
+
+The [File Transfer Protocol](https://en.wikipedia.org/wiki/File_Transfer_Protocol) is fairly simple, and has the potential to collect binaries from attackers that can later be analyzed. It's safe to assume that a bot could be attempting to login using the "anonymous" user, and upload binaries to the server. Or possibly just pull credential files from an unsecured FTP server. So really the main things we will need to implement would be file send/receive, and we can probably ignore (for now) most of the other modes and more advanced features which are also supported by different FTP servers.
+
+### FTP Primer
+
+We must become familiar with how an FTP server works before we are able to become the FTP server, or whatever Sun Tzu said. So let's find a public FTP server to connect to (you can stand up your own, but their are already configured ones online so why waste the effort?), one such server is `speedtest.tele2.net`. You can try using the `ftp` command which is probably pre-installed on you OS of choice, and see how that works. There is a very good [article on Wired](https://www.wired.com/2010/02/ftp_for_beginners/) that offers a primer on FTP that I would recommend if you aren't too familiar with the protocol.
+
+But we must venture deeper into the inner workings of FTP, so let's gloss over [RFC 959](https://tools.ietf.org/html/rfc959), maybe [RFC 1635](https://tools.ietf.org/html/rfc1635), and attempt to utilize the protocol by hand. I will connect to port 21 (the default for FTP) using Netcat and issue the commands myself.
+
+Here's the raw excerpt:
+
+```console
+dropkick@lugh:~$ nc speedtest.tele2.net 21
+220 (vsFTPd 3.0.3)
+USER anonymous
+331 Please specify the password.
+PASS password
+230 Login successful.
+PWD
+257 "/" is the current directory
+HELP
+214-The following commands are recognized.
+ ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD
+ MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR
+ RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
+ XPWD XRMD
+214 Help OK.
+QUIT
+221 Goodbye.
+```
+
+So what's actually happening,
+
+- - -
+- ME: Open the socket using Netcat.
+- SERVER: Replies with the version information and code 220
+ - According to [RFC 959](https://tools.ietf.org/html/rfc959) "220" means "Service ready for new user."
+- ME: USER anonymous
+ - We say we want to login as the "anonymous" user, which is default for a user with no account.
+- SERVER: 331 Please specify password
+- ME: PASS password
+ - Since we are using the "anonymous" account, all password will be accepted, usually you use your email address.
+- SERVER: 230 Login successful
+- ME: PWD
+ - This is just querying where on the server we currently are.
+- SERVER: 257 "/" is the current directory
+- ME: QUIT
+- SERVER: 221 Goodbye.
+- - -
+
+The biggest thing to realize is that it is mostly the numbers that each reply starts with that adhere to a standard, and each are defined within [RFC 959](https://tools.ietf.org/html/rfc959). In other words, an FTP server that replies with `230 Howdy Porkchop` every time a user successfully authenticates to the server is completely fine.
+
+### Advanced FTP
+
+There's one last bit of functionality we will need to add in order to properly mimic an FTP server, and that is data transfer. The previous interaction with the server consisted of only interacting with the control port, to do data transfer we either have to listen on a separate port and tell the server to connect to us (active mode), or tell the ftp server to listen on another port and we will connect to that (passive mode). Passive mode is much more common, however I will demonstrate using an active connection.
+
+```console
+dropkick@lugh:~$ nc speedtest.tele2.net 21
+220 (vsFTPd 3.0.3)
+USER anonymous
+331 Please specify the password.
+PASS password
+230 Login successful.
+PORT 3,19,50,38,28,165
+200 PORT command successful. Consider using PASV.
+LIST
+150 Here comes the directory listing.
+226 Directory send OK.
+QUIT
+221 Goodbye.
+```
+
+Much of the above looks the same besides the `PORT 3,19,50,38,28,165` command. This is telling the server that I will be listening on `3.19.50.38:7333` for the transfer, the format being h1,h2,h3,h4,p1,p2, where each is an 8-bit segment, the first h1 through h4 are the bits of the IP address, p1 and p2 are the 16 bits of the port number ("0001 1100 1010 0101" in binary is 7333).
+
+Meanwhile in a second terminal, I have opened a connection with Netcat listening on port 7333, this is what it received:
+
+```console
+dropkick@lugh:~$ nc -l -p 7333
+-rw-r--r-- 1 0 0 1073741824000 Feb 19 2016 1000GB.zip
+-rw-r--r-- 1 0 0 107374182400 Feb 19 2016 100GB.zip
+-rw-r--r-- 1 0 0 102400 Feb 19 2016 100KB.zip
+-rw-r--r-- 1 0 0 104857600 Feb 19 2016 100MB.zip
+-rw-r--r-- 1 0 0 10737418240 Feb 19 2016 10GB.zip
+-rw-r--r-- 1 0 0 10485760 Feb 19 2016 10MB.zip
+-rw-r--r-- 1 0 0 1073741824 Feb 19 2016 1GB.zip
+-rw-r--r-- 1 0 0 1024 Feb 19 2016 1KB.zip
+-rw-r--r-- 1 0 0 1048576 Feb 19 2016 1MB.zip
+-rw-r--r-- 1 0 0 209715200 Feb 19 2016 200MB.zip
+-rw-r--r-- 1 0 0 20971520 Feb 19 2016 20MB.zip
+-rw-r--r-- 1 0 0 2097152 Feb 19 2016 2MB.zip
+-rw-r--r-- 1 0 0 3145728 Feb 19 2016 3MB.zip
+-rw-r--r-- 1 0 0 524288000 Feb 19 2016 500MB.zip
+-rw-r--r-- 1 0 0 52428800 Feb 19 2016 50MB.zip
+-rw-r--r-- 1 0 0 524288 Feb 19 2016 512KB.zip
+-rw-r--r-- 1 0 0 5242880 Feb 19 2016 5MB.zip
+drwxr-xr-x 2 103 105 65536 Jul 18 19:46 upload
+```
+
+As you can see, the data was transferred successfully. This could have been a file and it would have worked similarly. If this was a passive connection we would have instead issued the `PASV` command to the server in the first terminal and it would have replied with a similarly formatted address which we would have connected to in the second terminal. For our honeypot, we will have to implement both of these modes in order to maximize our ability to receive malicious files.
+
+### Until next time
+
+Now that we have a deeper understanding of how the protocol works, we can begin implementing this functionality in a way that will fool these hackers into giving us their exploits while keeping ourselves safe from an actual attack, but that is something for another post. So stay tuned for more on Operation Honeypot.
diff --git a/themes/hexo-theme-freemind.bithack/source/css/style.css b/themes/hexo-theme-freemind.bithack/source/css/style.css
index 23b968d..4b271fa 100644
--- a/themes/hexo-theme-freemind.bithack/source/css/style.css
+++ b/themes/hexo-theme-freemind.bithack/source/css/style.css
@@ -615,13 +615,13 @@ code {
/*valine 评论系统样式*/
-
+
.v .vwrap{
border: 2px solid rgb(255, 255, 255) !important;
}
-
+
.v * {
color: #e4e4e4!important;
}
@@ -634,7 +634,7 @@ border: 2px solid rgb(255, 255, 255) !important;
.v .vbtn{
background: #000 !important;
-
+
}
.post-meta-item-text::before, em::after {