Network Traffic Analysis for IR: FTP Protocol with Wireshark

Introduction to the FTP protocol

The File Transfer Protocol (FTP), as its name suggests, is designed for transferring files between computers. It is used for a variety of purposes, but a common one is transferring web pages to or from a remote web server.

One of the issues with FTP is that it is a completely plaintext protocol and can be configured to allow anonymous authentication to the service. Since the protocol is designed to allow files to be added to or removed from the FTP server, this can be a significant security concern.

A couple of different protocols exist for securing FTP. FTPS is ordinary FTP traffic wrapped in Transport Layer Security (TLS). SFTP is a separate protocol that runs over Secure Shell (SSH) and is likewise designed to provide encrypted file transfer.

The FTP protocol in Wireshark

FTP is a plaintext protocol that operates over ports 20 and 21 (the data and control connections, respectively). It can be identified in Wireshark using the ftp display filter.

The image above shows a sample of FTP traffic collected by following a TCP stream in Wireshark. As shown, FTP is a request-response protocol. Each request is a command, potentially followed by a set of arguments. Responses include a response code followed by the data requested by the command.

An FTP packet simply carries the text of the session shown above, which makes it very easy to read in a network capture. Because FTP is plaintext by default, it is just as easy for an eavesdropper with access to an organization's network traffic to extract sensitive data from it.
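To make the request-response structure concrete, here is an added example (not code from the original post) that parses a reconstructed FTP control channel, in the form Wireshark's "Follow TCP Stream" displays it, into commands and reply codes, and records the findings a defender would want from such a session: anonymous logins, passwords visible on the wire, and files retrieved in the clear. The session text is constructed for the example; the function and regex names are the example's own.

```python
# Added example: parse a reconstructed FTP control channel (what Wireshark's
# "Follow TCP Stream" shows) into commands and responses, and flag the plaintext
# credential exposure the post describes. The sample session is constructed.
import re

SAMPLE_STREAM = """220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS guest@example.com
230 Login successful.
USER jdoe
331 Please specify the password.
PASS Winter2024!
230 Login successful.
RETR payroll.xlsx
150 Opening BINARY mode data connection for payroll.xlsx (20480 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""

RESPONSE_RE = re.compile(r"^(\d{3})[ -](.*)$")            # server: 3-digit code + text
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")  # client: verb + optional args


def parse_ftp_stream(text):
    """Return (commands, responses, findings) for one reconstructed control stream."""
    commands, responses, findings = [], [], []
    last_user = None
    for line in text.splitlines():
        if m := RESPONSE_RE.match(line):
            responses.append((int(m.group(1)), m.group(2)))
            continue
        if not (m := COMMAND_RE.match(line)):
            continue                      # not a command line; ignore
        verb, arg = m.group(1).upper(), m.group(2) or ""
        commands.append((verb, arg))
        if verb == "USER":
            last_user = arg
            if arg.lower() in ("anonymous", "ftp"):
                findings.append(f"anonymous login attempt as '{arg}'")
        elif verb == "PASS" and last_user not in (None, "anonymous", "ftp"):
            findings.append(f"plaintext password for '{last_user}' observed on the wire")
        elif verb == "RETR":
            findings.append(f"file retrieved in the clear: {arg}")
    return commands, responses, findings
```

Running it over a real stream exported from Wireshark works the same way; only the control channel is parsed here, the file contents travel on the separate data connection.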

While the packets above show examples of anonymous authentication to an FTP server (which should be disabled for security reasons), FTP traffic could also leak a user’s actual network login credentials. For this reason, it is advisable (Read more...)

This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston.