If you do a little research on FTP security, you will find many articles saying that it is totally insecure because when you log in to your server via FTP to upload some files, the username and password are sent in clear text, NOT encrypted. If you get your Internet connection directly from a modem or router, then you’re pretty much safe from this attack, but if you get your Internet from a server in your local area network, it is possible for the server administrator to run a packet sniffer to capture the login credentials when you connect to the FTP server.

I knew about this weakness long ago but today I just found out that not only can your FTP login information be captured, but the files that you upload or download over FTP can also be captured and reconstructed! Let’s say you are uploading a sensitive WordPress configuration file, wp-config.php. I can use a packet sniffer tool to sniff, capture and then automatically reconstruct the wp-config.php that you uploaded WITHOUT even logging in to your FTP server!

Here is a tool called NetworkMiner which is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer or packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate or reassemble transmitted files and certificates from PCAP files.

You would be surprised to know how easy it is to do with NetworkMiner. Just download, extract and run NetworkMiner. I then select the network adapter that I’ll be sniffing and click on the Start button to start sniffing. I connect to my server’s FTP and upload a file called CD-konboot-v1.1-2in1.zip. Now take a look at NetworkMiner. It managed to reassemble 2 files and one of them is CD-konboot-v1.1-2in1.zip. I just need to right click on the file and select either open file or open folder to access the file. If you look at the credentials tab, NetworkMiner also managed to capture the FTP username and password.

Reassemble File after Packet Sniffing

FTP security is weak; that’s why there is SFTP. SFTP, or Secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Its functionality is similar to FTP, but because it uses a different protocol, you can’t use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

There is another similar tool, mainly used to capture and reassemble files uploaded or downloaded over FTP, called FTPXerox. It was written to demonstrate the fact that any “clear-text” file transfer protocol is susceptible to such attacks. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers. Once the engine detects an FTP file transfer, it grabs the file off the wire and stores it in a local file. It is quite intelligent in the sense that it can reconstruct exact file names and even grab binary files! FTPXerox is a very old tool released in 2001 and it does NOT support PASV mode file transfers.
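To see how much the unencrypted control channel alone gives away, here is an added example (not code from NetworkMiner or FTPXerox) that audits a constructed FTP control session the way a network monitor could: it flags the clear-text login without keeping the password, lists the file names named in STOR/RETR, and decodes the data-connection endpoint from both PORT and the 227 reply to PASV, the case FTPXerox does not handle. The session lines, addresses and credentials are made up for illustration.

```python
import re

# Constructed sample of an FTP control channel as seen on the wire
# ("C" = client line, "S" = server line). User, password and hosts are made up.
SAMPLE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS s3cret-example"),
    ("S", "230 Login successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "STOR wp-config.php"),
    ("S", "226 Transfer complete"),
    ("C", "PORT 198,51,100,7,4,1"),
    ("C", "RETR backup.zip"),
]

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        return None
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]

def audit(session):
    """Summarise what the control channel exposes; the password is never stored."""
    report = {"user": None, "password_exposed": False,
              "files": [], "data_endpoints": []}
    for side, line in session:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if side == "C" and verb == "USER":
            report["user"] = arg.strip()
        elif side == "C" and verb == "PASS":
            report["password_exposed"] = True
        elif side == "C" and verb in ("STOR", "RETR"):
            report["files"].append((verb, arg.strip()))
        elif (side == "C" and verb == "PORT") or (side == "S" and verb == "227"):
            ep = endpoint(arg)
            if ep:
                mode = "active" if verb == "PORT" else "passive"
                report["data_endpoints"].append((mode, ep[0], ep[1]))
    return report
```

Any session for which `audit()` reports `password_exposed` is a candidate for migration to SFTP, since the same control channel also names every file and the address and port its contents travel over.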
