
Exercise 11: Capturing FTP Credentials Over Unencrypted Connections

Jan 11, 2025

Objective

Understand how unencrypted FTP traffic can be intercepted to extract sensitive data such as login credentials and learn the importance of using secure alternatives like SFTP.

Scenario

As a penetration tester, you’re tasked with assessing the security of a company’s legacy file transfer system, which uses unencrypted FTP for file sharing. In this exercise, you’ll demonstrate how easily sensitive credentials can be captured when transmitted over an unsecured network. You’ll set up an FTP server, capture network traffic during login, and analyze the data to extract the username and password.

⚠️ Important: This exercise must only be conducted in a legal and isolated lab environment. Intercepting credentials without authorization is illegal and unethical.


Lab Instructions

Step 1: Set Up the Lab Environment

  • FTP Server: Linux machine running an FTP service.
  • Victim Machine: A device on the same network to simulate the user logging in.
  • Attacker Machine: A machine running Wireshark to capture network traffic.

Step 2: Install and Configure the FTP Server

On the FTP Server, install and configure the FTP service:

sudo apt update 
sudo apt install vsftpd -y

Edit the configuration file to disable anonymous access and allow local system users to log in:

sudo nano /etc/vsftpd.conf

Ensure the following lines are set:

anonymous_enable=NO 
local_enable=YES 
write_enable=YES

Restart the FTP service:

sudo systemctl restart vsftpd

Create a user for FTP access:

sudo adduser ftpuser 
sudo passwd ftpuser

Step 3: Capture FTP Traffic with Wireshark

On the Attacker Machine, open Wireshark.

Select the network interface connected to the same network as the FTP server.

Apply the following capture filter to focus on FTP traffic:

tcp port 21

Start capturing packets.

Step 4: Simulate FTP Login

On the Victim Machine, connect to the FTP server:

ftp <ftp-server-ip>

Enter the username ftpuser and the password when prompted.

Step 5: Analyze Captured Packets

In Wireshark, stop the capture.

Filter captured packets using:

ftp

Locate packets showing USER and PASS commands.

Inspect the packet details to extract the plain-text username and password.

Example Output

USER ftpuser
PASS mysecretpassword
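The same control channel seen from the defender's side: the following Python script is an added example for this exercise, not part of the original lab text. It takes decoded FTP control-channel lines in the shape Wireshark's "Follow TCP Stream" presents them (one command or reply per line, prefixed C: or S:, grouped per TCP session), raises an alert whenever a PASS command was sent before the session upgraded to TLS, and masks the password in the alert so the detection output does not itself leak the secret. The two sessions embedded below are constructed samples, not a real capture.

```python
"""Flag cleartext FTP logins in a captured control channel.

Added example for this exercise (not part of the original lab text). The
input is the decoded FTP control channel in the form Wireshark's "Follow
TCP Stream" shows it, one command or reply per line with a C:/S:
direction prefix, grouped per TCP session. The sessions below are
constructed samples, not a real capture.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample capture: the first session logs in over plaintext
# exactly as in the exercise; the second upgrades with AUTH TLS, after
# which the real stream is ciphertext and no USER/PASS is readable.
SAMPLE_SESSIONS: Dict[str, List[str]] = {
    "10.0.0.5:51234 -> 10.0.0.10:21": [
        "S: 220 Welcome to the lab FTP service.",
        "C: USER ftpuser",
        "S: 331 Please specify the password.",
        "C: PASS mysecretpassword",
        "S: 230 Login successful.",
    ],
    "10.0.0.6:51300 -> 10.0.0.10:21": [
        "S: 220 Welcome to the lab FTP service.",
        "C: AUTH TLS",
        "S: 234 Proceed with negotiation.",
    ],
}

LINE_RE = re.compile(r"^(?P<dir>[CS]): (?P<text>.*)$")


@dataclass
class Alert:
    session: str
    username: str
    password_redacted: str  # first character kept, rest masked


def redact(secret: str) -> str:
    """Mask a secret so the alert itself does not leak it."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_session(session: str, lines: List[str]) -> Optional[Alert]:
    """Return an Alert if a PASS command was sent before the control
    channel was upgraded to TLS (AUTH TLS answered by a 234 reply)."""
    username = "<unknown>"
    auth_requested = False
    encrypted = False
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore anything that is not a decoded line
        direction, text = m.group("dir"), m.group("text")
        if direction == "S":
            if auth_requested and text.startswith("234"):
                encrypted = True  # everything after this is ciphertext
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
            auth_requested = True
        elif verb == "USER":
            username = arg.strip()
        elif verb == "PASS" and not encrypted:
            return Alert(session, username, redact(arg.strip()))
    return None


def scan_capture(sessions: Dict[str, List[str]]) -> List[Alert]:
    """Run the per-session check over a whole capture."""
    alerts = []
    for session, lines in sessions.items():
        alert = scan_session(session, lines)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_capture(SAMPLE_SESSIONS):
        print(f"ALERT cleartext FTP login {a.session} "
              f"user={a.username} pass={a.password_redacted}")
```

Run as-is it reports one alert for the plaintext session and none for the session that negotiated AUTH TLS; the same logic is what a network monitor would apply to live port 21 traffic to catch legacy clients still authenticating in the clear.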

Solution & Explanation

Why FTP is Insecure

  • Plaintext Transmission: FTP sends data, including credentials, without encryption.
  • Vulnerability: Attackers on the same network can easily intercept login details using packet sniffing tools.

Captured Credentials

  • USER Command: Reveals the username.
  • PASS Command: Reveals the password in plaintext.

Impact

  • Unauthorized access to sensitive files.
  • Potential for privilege escalation or lateral movement in the network.

Mitigation: Use Encrypted Protocols

Secure Alternatives

  • SFTP (SSH File Transfer Protocol): Encrypts data and credentials using SSH.
  • FTPS (FTP Secure): FTP over SSL/TLS for encrypted communication.

Benefits of SFTP/FTPS

  • Confidentiality: Protects data from eavesdropping.
  • Integrity: Prevents data tampering.
  • Authentication: Secure login via SSH keys or certificates.

Testing & Verification

  • Verify that captured FTP traffic exposes credentials.
  • Set up SFTP and attempt to capture traffic.
    • Expected Result: No readable credentials due to encryption.
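For the FTPS side of the mitigation, the following Python script is an added example; it is not part of the original exercise and not vsftpd's own tooling. It parses the key=value format of vsftpd.conf, fills in the documented defaults for the options it inspects (the option names are vsftpd's own, from vsftpd.conf(5)), and reports whether a sniffer on the path could still read credentials or file contents. The weak configuration is the three settings from Step 2; the hardened one forces every local login and data transfer onto TLS. Both configurations and the certificate paths are constructed samples.

```python
"""Audit a vsftpd.conf for settings that leave logins in cleartext.

Added example for this exercise; it is not part of the original lab and
not vsftpd's own tooling. It parses vsftpd's key=value format, fills in
the documented defaults for the handful of options it inspects, and
reports what a sniffer on the path would still be able to read. Both
configurations below are constructed samples; the certificate paths are
placeholders.
"""
from typing import Dict, List

# Defaults for the inspected options, as documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

# The exercise's own settings: local users may log in, nothing encrypted.
WEAK_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

# The same server hardened for FTPS: TLS is enabled and every local login
# and data transfer is forced onto it. Certificate paths are placeholders.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd-lab.pem
rsa_private_key_file=/etc/ssl/private/vsftpd-lab.key
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd's key=value lines; '#' lines and blanks are ignored.
    vsftpd itself allows no whitespace around '=', so stripping is only
    a tolerance for hand-edited files."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def setting(conf: Dict[str, str], key: str) -> str:
    """Effective value of an option: configured value or its default."""
    return conf.get(key, DEFAULTS.get(key, "")).upper()


def cleartext_logins_possible(conf: Dict[str, str]) -> bool:
    """True if a local user can authenticate without TLS protection."""
    return (setting(conf, "local_enable") == "YES"
            and (setting(conf, "ssl_enable") != "YES"
                 or setting(conf, "force_local_logins_ssl") != "YES"))


def audit(conf: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no cleartext
    credential or data path was found among the inspected options."""
    findings = []
    tls = setting(conf, "ssl_enable") == "YES"
    if setting(conf, "local_enable") == "YES":
        if not tls:
            findings.append("local logins are sent in cleartext "
                            "(ssl_enable is not YES)")
        else:
            if setting(conf, "force_local_logins_ssl") != "YES":
                findings.append("TLS is available but clients may still log "
                                "in without it (force_local_logins_ssl=NO)")
            if setting(conf, "force_local_data_ssl") != "YES":
                findings.append("logins are protected but file contents may "
                                "travel in cleartext (force_local_data_ssl=NO)")
    if setting(conf, "anonymous_enable") == "YES":
        findings.append("anonymous logins are enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_conf(text)
        print(f"{name}: cleartext logins possible = "
              f"{cleartext_logins_possible(conf)}")
        for finding in audit(conf):
            print(f"  - {finding}")
```

Note the second branch: enabling ssl_enable alone is not enough if force_local_logins_ssl has been set to NO, because a legacy client will then simply skip AUTH TLS and send USER/PASS in the clear, which is exactly what the Wireshark capture in Step 5 shows.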

Setting Up SFTP

On the FTP Server, install and start the OpenSSH server (its default sshd_config already enables the sftp subsystem):

sudo apt install openssh-server -y 
sudo systemctl start ssh

Connect via SFTP:

sftp ftpuser@<ftp-server-ip>

Attempt to capture credentials—Wireshark should not reveal any sensitive data.


Additional Script (Optional)

Automate the FTP server setup:

#!/bin/bash
set -e

# Install vsftpd
sudo apt update
sudo apt install vsftpd -y

# Configure FTP: set the three keys in place instead of overwriting the
# packaged /etc/vsftpd.conf, which also carries the listen/listen_ipv6
# options vsftpd needs to start as a standalone service.
sudo cp -n /etc/vsftpd.conf /etc/vsftpd.conf.orig
for kv in anonymous_enable=NO local_enable=YES write_enable=YES; do
  key=${kv%%=*}
  if sudo grep -q "^#\?${key}=" /etc/vsftpd.conf; then
    sudo sed -i "s/^#\?${key}=.*/${kv}/" /etc/vsftpd.conf
  else
    echo "$kv" | sudo tee -a /etc/vsftpd.conf >/dev/null
  fi
done

# Restart FTP service
sudo systemctl restart vsftpd

# Create FTP user (skip if it already exists); lab-only password
id ftpuser >/dev/null 2>&1 || sudo useradd -m ftpuser
echo "ftpuser:password" | sudo chpasswd

Save the script as setup_ftp.sh and run it:

chmod +x setup_ftp.sh
sudo ./setup_ftp.sh

Conclusion

In this exercise, you demonstrated how easily credentials can be captured from an unencrypted FTP session using Wireshark. You also explored secure alternatives like SFTP, emphasizing the importance of encrypting data and credentials to prevent unauthorized access and data breaches.
