10 September 2010

Grab an FTP username and password using Wireshark

As IT professionals there are just some tools that you will need sooner or later.  One of these is a protocol analyser.  I start off using Microsoft's netmon.  It is fine for doing some basic troubleshooting but when there is a much better tool to use and it is free, you would have to be a die hard fan to continue using it.

I just posted an article on publishing secure FTP-ES and in there I make reference to standard ftp being insecure and that anyone can sniff the packets and gain your user name and password.

Getting Started
First up you will need Wireshark get it directly form the site http://www.wireshark.org/ There are also some great tutorials and FAQ etc there.

Then you will need a client machine and a server machine.  I installed Wireshark on the client machine.

When you first open Wireshark you get this screen.

Click on Capture options

The capture options screen will appear.  From here click on the capture Filter Button

We want to limit the capture to data to and from the FTP server so we specify the capture filter string.

Click on OK and click on start to start the capture.

I am just going to use the windows command line ftp client to connect to the ftp server.

  • I connect to the ftp IP address
  • Then I specify my user name  as mysecrectusername
  • I then get prompted for a password.
  • I type in my password and hit enter

The login attempt fails but we are interested in the transmitted data.

Analysing the Captured data packets
If you switch back to your Wireshark screen now you will see that there has been some captured packets. Hit the "Stop the running capture" button from the toolbar.

You should now see something like this

Wireshark has now listed all the traffic to and from the specified IP.  We can clean it up nicely because we know we are only interested in FTP traffic. So in the filter field we can specify FTP and click apply

If you look at the Info column (far right) you can see that this correlates to the command line ftp session from earlier.  Significantly you can also read - in (plain text) the password I used.

Yes - That easy.

What else can we learn form this trace?

Let's dive into some more info.  Select one of the lines. you will see that the bottom two panes listing the detailed information.

If we work our way up from the bottom we are working our way down the OSI layers.

Lets start the the FTP application layer

Here we learn what the password is.

If we skip through to Ethernet we see something that could be useful.

The MAC addresses reveal that the MACs are From Microsoft and From VMWare this tells me that the destination is a VMWARE virtual server and the the source is a Microsoft HyperV Virtual Machine

You would also have noticed that as you click on the various "levels" different items are highlighted in the bottom window.  This is the different parts of the actual data packet that you are looking at.

This is a very simple little tutorial but it would hopefully have touched on enough bits of both Wireshark and TCP/IP to prompt you to investigate further.

Incidentally if we tried this with the FTP-ES server  this is what we would have gotten:  Traffic is still recognised as FTP but where previously everything is open to read we now see that everything is hashed because of the encryption.

Happy hunting for packets...

1 comment:

Anonymous said...

ty for help!

Post a Comment