sniffing username & password


zzzove

Hi.

In connection with an exam at school I hope to present how an FTP client's username and password can be read by sniffing the packages/header.

The problem is just that I don't know how. I have read in many places that it's possible, but I have not found any documentation on how it's done.

Hope someone can help me out!

Thank you.
 
The easiest way would be to set up 3 machines: your own FTP server machine, an FTP client machine, and then a third machine to simply do the packet sniffing. Download Ethereal from www.ethereal.com and install it on the third machine. All machines should be connected on a single hub (not a switch). Run the software and then start up your FTP server. Then attempt to log in with the other machine running the client software. Are you familiar with packet analysis?
 
Hi, Mike.

Thanks for the tip.

I'll see if I can hook this up. By the way, I have no experience in analyzing packages...
 
Well, analyzing packets isn't very intuitive... You need to know what you are looking at.
 
I thought it would be easier :)

Do you have any screenshots of usernames & passwords that can be read in a package/header?

If not, I think I have to come up with something else to present. It doesn't have to be complicated, but it will have to have something to do with the ftp-protocol.

Any suggestions?
 
The attached image shows a typical ftp transaction as observed through Ethereal. 172.30.12.123 is the client, 172.30.12.122 is the server. As you can see, it's not too difficult to pick out the username and password (bob, bobspassword), but in order to truly understand what's going on, you need to have some knowledge of FTP and TCP.
 
Thank you.

I understand some of it, but I would be grateful if you would explain the parameters in the 'info' field.

One last question: Could you produce an identical screenshot, but this time when logging on to a sftp server?

It would be greatly appreciated :)
 
In the first screenshot, the client first attempts to connect to the server. The server responds by accepting the connection. The server then sends a welcome message (the one that starts with "220") and waits for the client to issue a command. The client then sends a username ("USER bob") and the server responds by asking for the correct password ("331 Password required"). After the client provides the correct password ("PASS bobspassword"), the server allows it to log in ("230 User bob logged in"), and again awaits a command. The rest of the packets are simply the client asking to disconnect ("QUIT"), and the connection being closed.

Below is a second screenshot showing a similar transaction, this time over sftp. I don't know much about ssh, so I'm not exactly sure how everything works in this case. I'm assuming, though, that it's essentially the same as ftp, except that all the communication is encrypted rather than being in plain text. Needless to say, if you're transferring any sensitive data, use sftp :)

EDIT: I forgot to mention that in this second screenshot, 172.30.12.123 is the server and 172.30.12.122 is the client ;)

http://www.shatteredminds.com/sftp.gif
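
The FTP login exchange walked through in the post above, as an added example that is not part of the original thread: a small Python audit that follows control-channel lines and reports each cleartext login while keeping only the password's length. The `(src, dst, payload)` tuple format and the name `audit_ftp_logins` are assumptions, and the sample lines are constructed from the values quoted in the thread.

```python
import re

# Constructed sample of FTP control-channel lines as (src, dst, payload).
# Addresses, username and password are the ones quoted in the thread;
# the 220 and 221 message texts are made up for illustration.
SAMPLE = [
    ("172.30.12.122", "172.30.12.123", "220 FTP server ready"),
    ("172.30.12.123", "172.30.12.122", "USER bob"),
    ("172.30.12.122", "172.30.12.123", "331 Password required"),
    ("172.30.12.123", "172.30.12.122", "PASS bobspassword"),
    ("172.30.12.122", "172.30.12.123", "230 User bob logged in"),
    ("172.30.12.123", "172.30.12.122", "QUIT"),
    ("172.30.12.122", "172.30.12.123", "221 Goodbye"),
]

REPLY = re.compile(r"^(\d{3})[ -]")                   # server reply: 3-digit code
COMMAND = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")  # client command: verb [arg]


def audit_ftp_logins(lines):
    """Report each cleartext FTP login seen; the password itself is never kept."""
    pending = {}   # (client, server) -> login attempt in progress
    findings = []
    for src, dst, payload in lines:
        payload = payload.rstrip("\r\n")
        reply = REPLY.match(payload)
        if reply:
            attempt = pending.get((dst, src))   # replies flow server -> client
            if attempt and attempt["password_length"] is not None \
                    and reply.group(1) in ("230", "530"):
                attempt["accepted"] = reply.group(1) == "230"
                findings.append(pending.pop((dst, src)))
            continue
        command = COMMAND.match(payload)
        if not command:
            continue
        verb, arg = command.group(1).upper(), command.group(2) or ""
        if verb == "USER":
            pending[(src, dst)] = {"client": src, "server": dst, "user": arg,
                                   "password_length": None, "accepted": None}
        elif verb == "PASS" and (src, dst) in pending:
            pending[(src, dst)]["password_length"] = len(arg)  # redact: length only
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_logins(SAMPLE):
        print("cleartext FTP login:", finding)
```

Fed the payloads of an sftp session, the same audit reports nothing, because no `USER` or `PASS` line is visible once the SSH transport is encrypted.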
 