Raymond.CC Blog

Sniff and Reassemble Files Uploaded or Downloaded from FTP Network using NetworkMiner

Updated by Raymond - 1 year ago - Computer

If you do a little research on FTP security, you will find many articles saying that it is totally insecure because when you log in to your server via FTP to upload some files, it is actually sending the username and password in clear text, NOT encrypted. If you are getting your Internet connection from a direct modem or router, then you’re pretty much safe from this attack but if you get your Internet from a server in your local area network, it is possible for the server administrator to launch a packet sniffer to capture the login credentials when you connect to the FTP server.

I knew about this weakness long ago but today I just found out that not only can your FTP login information be captured, but the files that you upload or download over FTP can also be captured and reconstructed! Let’s say you are uploading a sensitive WordPress configuration file, wp-config.php. I can use a packet sniffer tool to sniff, capture and then automatically reconstruct the wp-config.php that you uploaded WITHOUT even logging in to your FTP server!

Here is a tool called NetworkMiner which is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer or packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate or reassemble transmitted files and certificates from PCAP files.

You would be surprised to know how easy it is to do with NetworkMiner. Just download, extract and run NetworkMiner. I then selected the network adapter that I’d be sniffing and clicked on the Start button to start sniffing. I connected to my server’s FTP and uploaded a file called CD-konboot-v1.1-2in1.zip. Now take a look at NetworkMiner. It managed to reassemble 2 files and one of them is CD-konboot-v1.1-2in1.zip. I just need to right click on the file and select either open file or open folder to access the file. If you look at the credentials tab, NetworkMiner also managed to capture the FTP username and password.

[Image: Reassemble File after Packet Sniffing]

FTP security is weak, that’s why there is SFTP. SFTP, or Secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Its functionality is similar to FTP, but because it uses a different protocol, you can’t use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

There is another similar tool, called FTPXerox, mainly used to capture and reassemble files uploaded or downloaded over FTP. It was written to demonstrate the fact that any “clear-text” file transfer protocol is susceptible to such attacks. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers. Once the engine detects an FTP file transfer, it grabs the file off the wire and stores it in a local file. It is quite intelligent in the sense that it can reconstruct exact file names and even grab binary files! FTPXerox is a very old tool released in 2001 and it does NOT support PASV mode file transfers.
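
As an added example (not code from the original post, NetworkMiner or FTPXerox), the Python below audits a constructed excerpt of an FTP control channel and reports what it discloses to anyone on the path: the user name, the fact that a password crossed in clear text, and each transferred file name with the endpoint of its data connection. It also shows why active and PASV transfers have to be handled separately: the endpoint comes from the client's PORT command in one case and from the server's 227 reply in the other. The host name, addresses, user name and password are made up.

```python
import re

# Constructed control-channel lines (TCP port 21) as a passive capture shows them.
# "C:" = client, "S:" = server. Hosts, user name and password are made up.
SAMPLE = """\
C: USER webadmin
S: 331 Password required
C: PASS s3cret-example
S: 230 Login successful
C: PORT 192,0,2,10,195,80
C: STOR wp-config.php
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (198,51,100,7,234,96)
C: RETR backup.zip
"""

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(text):
    """Decode FTP's h1,h2,h3,h4,p1,p2 notation into (ip, port)."""
    m = HOSTPORT.search(text)
    if not m:
        return (None, None)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return (None, None)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def audit_control_channel(transcript):
    """Summarise what one cleartext FTP session discloses to an observer."""
    report = {"user": None, "password_exposed": False, "transfers": []}
    endpoint = None  # (mode, ip, port) announced for the next data connection
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.partition(" ")
        cmd = verb.upper()
        if side == "C" and cmd == "USER":
            report["user"] = arg
        elif side == "C" and cmd == "PASS":
            report["password_exposed"] = True  # record the fact, not the value
        elif side == "C" and cmd == "PORT":
            endpoint = ("active",) + decode_hostport(arg)    # client listens
        elif side == "S" and cmd == "227":
            endpoint = ("passive",) + decode_hostport(arg)   # server listens
        elif side == "C" and cmd in ("STOR", "RETR") and endpoint:
            report["transfers"].append((cmd, arg) + endpoint)
            endpoint = None
    return report
```

Running `audit_control_channel(SAMPLE)` returns the exposed user name, `password_exposed: True`, and two transfers; over SFTP or FTP over TLS none of these lines would be readable on the wire.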

[ Download NetworkMiner ]



8 comments on “Sniff and Reassemble Files Uploaded or Downloaded from FTP Network using NetworkMiner”

  1. waqas ali says:
    3 years ago

    nice post buddy…

    Reply
  2. who me? says:
    3 years ago

    One word….Wireshark

    Reply
  3. Doktor Notor says:
    3 years ago

    Craig – what kind of protection are you expecting? Unencrypted traffic can be easily monitored, end of story.

    - use SFTP (this does NOT use FTP protocol and has nothing to do with normal FTP, despite the common belief). Problem: SFTP is not used for warez, it’s for secure transfer of files, like backups of Linux boxes. You need a shell account on any box you’d like to connect to via SFTP.

    or

    - use FTP over SSL/TLS (this does use FTP protocol, but is encrypted) and make sure you crypt both command and data channel if you do. Problem: This needs to be supported by the server which is often not the case.

    Reply
  4. Craig says:
    3 years ago

    This is very interesting and useful information. It seems that there is also an urgent need for information about how to obtain protection against this spying.

    Does anybody have any suggestions?

    Reply
  5. Izam Saad says:
    3 years ago

    Nice digging!

    Reply
  6. Hamzah says:
    3 years ago

    thanks so much for this … raymond..

    Reply
  7. Ed says:
    3 years ago

    Good find. This product needs some tools for configuration, i.e. where to store the captured files, or filters on what to capture or what to see, etc.

    Does anyone know how to make a laptop into a line analyzer? I have a network printer that fails to scan-to-email and it drives me crazy as there is no log in the printer.

    Maybe I need a second NIC like a PCMCIA card and connect the printer in and out of the laptop? But what to do next?

    Reply
  8. Raitokun says:
    3 years ago

    Thanks for this article Ray.

    Reply

(c) 2013 Raymond.CC Blog