Communication Security: Web Based Services • Chapter 5 335
Packet Sniffing FTP Transmissions
As mentioned earlier in this section, FTP traffic is sent in cleartext, so
credentials used for an FTP connection can easily be captured via MITM attacks,
eavesdropping, or sniffing. Exercise 5.03 looks at how easy it is to crack FTP with a
sniffer. Sniffing (covered in Chapter 2) is a type of passive attack that allows hackers
to eavesdrop on the network, capture passwords, and use them for a possible
password cracking attack.
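As an added example (not from the book), here is a defender-side audit of the exposure described above. It assumes client-to-server lines from FTP control connections have already been reassembled and keyed by a session identifier (an assumed input format, with constructed sample data), and it reports logins that crossed the network in cleartext without retaining the password.

```python
import re

# Constructed sample: (session_id, client command line) pairs from port 21 traffic.
# Addresses, user names and passwords are made up for illustration.
SAMPLE = [
    ("10.0.0.5:49152", "USER alice\r\n"),
    ("10.0.0.5:49152", "PASS example-password\r\n"),
    ("10.0.0.7:49200", "AUTH TLS\r\n"),      # client asked for TLS ...
    ("10.0.0.7:49200", "USER bob\r\n"),      # ... but still logged in unencrypted
    ("10.0.0.7:49200", "PASS constructed-secret\r\n"),
    ("10.0.0.9:49300", "USER anonymous\r\n"),
    ("10.0.0.9:49300", "PASS guest@example.com\r\n"),
    ("10.0.0.5:49152", "RETR report.txt\r\n"),
]

# FTP commands are three or four letters, optionally followed by an argument.
CMD = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

def find_cleartext_logins(lines):
    """Return one finding per USER/PASS pair that was readable on the wire."""
    sessions, findings = {}, []
    for session_id, raw in lines:
        m = CMD.match(raw.rstrip("\r\n"))
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2) or ""
        state = sessions.setdefault(session_id, {"auth": False, "user": None})
        if verb == "AUTH":
            state["auth"] = True
        elif verb == "USER":
            state["user"] = arg
        elif verb == "PASS" and state["user"] is not None:
            # A readable PASS means the login was not protected, even if
            # AUTH TLS was requested earlier (the upgrade failed or was refused).
            findings.append({
                "session": session_id,
                "user": state["user"],
                "anonymous": state["user"].lower() in ("anonymous", "ftp"),
                "tls_attempted": state["auth"],
            })  # the password itself is deliberately not stored
            state["user"] = None
    return findings

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE):
        print(f)
```

Non-anonymous findings are the accounts whose passwords should be rotated and whose clients should be moved to an encrypted transfer method.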
EXERCISE 5.03
CAPTURING FTP WITH A SNIFFER
In this exercise, you will use a protocol analyzer to capture FTP traffic on
the network. You will look at someone logging into an FTP site with
their credentials, and because the network is being sniffed, you will be
able to capture the credentials to use later to get into the server. For
the purposes of this exercise, we will use Wireshark (formerly Ethereal),
which is available for download from www.wireshark.org.
1. First, open your protocol analyzer. Wireshark was used for these
screenshots, but you can use any protocol analyzer you are
comfortable with.
2. Build a filter to pick up only FTP-based communications. In
Wireshark, this is done by clicking the Options menu item found
under the Capture menu. By doing so, you should see a dialog
box similar to that shown in Figure 5.20. By typing the following
into the Capture Filter field, only FTP-based traffic will be
captured:
tcp port 20 or tcp port 21
3. The filter shown in Figure 5.20 was built to capture only FTP-based
traffic to TCP port 20 and TCP port 21 (the ports used by FTP) on the
computer on which Wireshark is being used.
By setting this filter and clicking the Start button, any other
packets on the network are ignored and won’t be captured.
Creating your own filter for this exercise is not absolutely
necessary, but it makes it much easier to look for FTP traffic when that is
the only type of traffic that has been captured.
www.syngress.com