Network Traffic Analysis for IR: TFTP with Wireshark

Introduction to TFTP

The Trivial File Transfer Protocol (TFTP) is designed to provide a bare-bones method of sending data from a server to a client. Its main use is for firmware upgrades and similar applications, where the client requesting the data has limited processing capabilities.

While TFTP is simple to use and effective, it is also extremely insecure. The protocol includes no encryption or authentication, meaning that it should only be used in a LAN (if then).

TFTP in Wireshark

TFTP is designed to be a stripped-down file transfer protocol without authentication or many of the features that FTP and other protocols offer. Instead, it supports two main operations: file read requests and file write requests.

The screenshot above shows an example of a TFTP read request (GET) in Wireshark. It is interesting to note that TFTP is unusual in that it has a well-known port but doesn’t use it for all traffic. As shown in the packet capture above, the first TFTP request is made to port 69 (the TFTP server), but after that, the TFTP server selects another high-number port to send its responses. This makes it difficult to filter for TFTP traffic in a live capture in Wireshark since the built-in ftp filter does not work and filtering for port 69 will only catch the initial request.

As shown in the screenshots above, TFTP packets are designed to be extremely simple. The image on the left is of the first packet in this sequence, a read request. It includes the opcode (1 for read request), the desired filename and the transfer mode it is requesting (octet, i.e. raw binary).

The packet on the right shows the first data packet (packet 2). Its header specifies an opcode (3 for data packet) and the block number, and the body contains (Read more...)
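The two points above, the simple opcode-based packet layout and the server moving off port 69 after the first request, are easiest to see in code. The following is an added example, not code from the original post or from Wireshark: a small RFC 1350 packet decoder plus a conversation tracker that reconstructs a transfer from a capture even though only the first packet touches port 69. The capture it runs over is constructed inline (hosts 192.0.2.10 and 192.0.2.1, ports 50123 and 40001, and the filename are all made up), and the tracker assumes a transfer can be attributed by matching the client's (IP, port) pair and the server's IP, which is how a responder would follow the transfer-ID change when port filtering alone fails.

```python
import struct

# TFTP opcodes from RFC 1350; the post's screenshots show 1 (read request) and 3 (data).
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
TFTP_PORT = 69      # well-known port: only the initial request is sent here
BLOCK_SIZE = 512    # default block size; a DATA block shorter than this ends the transfer


def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP packet (the UDP body) into a dict, or raise ValueError."""
    if len(payload) < 2:
        raise ValueError("too short for an opcode")
    opcode = struct.unpack("!H", payload[:2])[0]
    kind = OPCODES.get(opcode)
    if kind is None:
        raise ValueError(f"unknown opcode {opcode}")
    if kind in ("RRQ", "WRQ"):
        # filename and mode are NUL-terminated ASCII strings after the opcode
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3 or not fields[0]:
            raise ValueError("request missing filename or mode")
        return {"type": kind,
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if len(payload) < 4:
        raise ValueError("too short for a block number / error code")
    number = struct.unpack("!H", payload[2:4])[0]
    if kind == "DATA":
        data = payload[4:]
        return {"type": kind, "block": number, "data": data,
                "last": len(data) < BLOCK_SIZE}
    if kind == "ACK":
        return {"type": kind, "block": number}
    message = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    return {"type": kind, "code": number, "message": message}


def track_transfers(packets):
    """Follow TFTP conversations across the server's port change.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    A conversation is opened only by a RRQ/WRQ sent to port 69; the server's
    reply from a fresh source port fixes its transfer ID (TID) for the rest.
    """
    transfers = []
    by_client = {}  # (client_ip, client_port) -> transfer record
    for src, sport, dst, dport, payload in packets:
        try:
            pkt = parse_tftp(payload)
        except ValueError:
            continue  # not TFTP (or malformed); ignore
        if dport == TFTP_PORT and pkt["type"] in ("RRQ", "WRQ"):
            rec = {"client": (src, sport), "server_ip": dst, "server_tid": None,
                   "request": pkt["type"], "filename": pkt["filename"],
                   "mode": pkt["mode"], "bytes": 0, "blocks": 0,
                   "complete": False, "error": None}
            by_client[(src, sport)] = rec
            transfers.append(rec)
            continue
        # server -> client: the source port of the first reply is the server TID
        rec = by_client.get((dst, dport))
        if rec is not None and src == rec["server_ip"]:
            if rec["server_tid"] is None:
                rec["server_tid"] = sport
            elif sport != rec["server_tid"]:
                continue  # wrong TID: RFC 1350 says the receiver must ignore it
            if pkt["type"] == "DATA":
                rec["bytes"] += len(pkt["data"])
                rec["blocks"] += 1
                rec["complete"] = rec["complete"] or pkt["last"]
            elif pkt["type"] == "ERROR":
                rec["error"] = (pkt["code"], pkt["message"])
            continue
        # client -> server TID (ACKs for a read, DATA for a write)
        rec = by_client.get((src, sport))
        if rec is not None and dst == rec["server_ip"] and dport == rec["server_tid"]:
            if pkt["type"] == "DATA":
                rec["bytes"] += len(pkt["data"])
                rec["blocks"] += 1
                rec["complete"] = rec["complete"] or pkt["last"]
    return transfers


# --- constructed sample capture (not from the post) ---
def build_rrq(filename, mode="octet"):
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def build_data(block, data):
    return struct.pack("!HH", 3, block) + data

def build_ack(block):
    return struct.pack("!HH", 4, block)

CLIENT, SERVER = "192.0.2.10", "192.0.2.1"
SAMPLE_CAPTURE = [
    (CLIENT, 50123, SERVER, 69, build_rrq("firmware.bin")),      # only packet on port 69
    (SERVER, 40001, CLIENT, 50123, build_data(1, b"A" * 512)),   # server picks TID 40001
    (CLIENT, 50123, SERVER, 40001, build_ack(1)),
    (SERVER, 40001, CLIENT, 50123, build_data(2, b"B" * 100)),   # short block: last one
    (CLIENT, 50123, SERVER, 40001, build_ack(2)),
    (CLIENT, 50124, SERVER, 53, build_ack(1)),                   # stray ACK, no conversation
]

if __name__ == "__main__":
    for t in track_transfers(SAMPLE_CAPTURE):
        print(t)
```

Run as-is, it reports one transfer of `firmware.bin` in octet mode, 612 bytes in two blocks, with the server TID recorded as 40001; a port-69 filter would have shown only the first line of the capture. The stray ACK to port 53 parses as valid TFTP but opens nothing, because only a request to port 69 starts a conversation.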

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: