Saturday, July 3, 2010

FTP - Packet Sniffing and Wireshark Analysis

FTP (File Transfer Protocol), as the name implies, is a protocol for transferring files from one computer to another. The client opens a control connection to TCP port 21; file data travels on a separate connection, from the server's port 20 in active mode or to a server-chosen high port in passive mode. Authentication, commands, and file contents all cross the network in plain text; *no* encryption is used.

The most common use of FTP is connecting to a web server to upload and download site files. I configured Wireshark to capture on my wireless interface and then made an FTP connection to my web site.

The screenshot above shows the packets that were captured. Here is what actually happened:
  • I execute the command to start the connection, and immediately a DNS query goes out to resolve the host name I provided to an IP address.
  • DNS responds with the IP address, and TCP takes over to open a connection to port 21 on the server with a SYN, SYN-ACK, ACK exchange (the TCP three-way handshake).
  • The FTP server sends its "220 Welcome" banner, and my host transmits the user name (the USER command) to authenticate. The user name is transmitted in plain text.
  • The FTP server responds (331) saying the user name is OK but a password is needed.
  • My client transmits the password (the PASS command) across the Internet **in unencrypted text**, readable by anyone on the path.
  • The FTP server accepts the user name and password and grants access (230).
  • The client sends the command "PWD", and the server replies (257) with the working directory.
  • The session ends with a series of FIN and ACK segments (the TCP connection teardown; SYN appears only when a connection is opened).

Do not use FTP to transmit anything confidential. This simple analysis shows that, in 17 captured packets, anyone who can see the traffic (on the same wireless network, at the ISP, or anywhere on the path) has the credentials to your server and therefore to your files.
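To make the "readable by anyone" point concrete, here is an added example (my code, not part of the original post or of Wireshark) that does by hand what Wireshark's "Follow TCP Stream" does for the session above. It builds a small pcap in memory containing a constructed FTP login (the addresses, user name and password are invented, and IP/TCP checksums are left at zero), parses the Ethernet/IPv4/TCP headers, reassembles each direction of the control channel in sequence-number order, and then pulls USER, PASS, the 230 login verdict and the PWD reply out of the reassembled text. It goes a little beyond the post's capture in that one server reply is split across two out-of-order segments, to show why reassembly has to go by sequence number rather than by arrival order.

```python
# Added example: follow an FTP control stream out of a pcap and recover the clear-text login.
import socket
import struct
from collections import defaultdict

FTP_CONTROL_PORT = 21
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10  # TCP flag bits
CLIENT, CPORT, SERVER = "192.168.1.10", 54321, "203.0.113.5"  # constructed endpoints, not real hosts

def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame carrying `payload` (20-byte IP and TCP headers, checksums left at 0)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, t0=1278144000):
    """Classic little-endian pcap: 24-byte global header (link type 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame  # one second apart
    return out

def iter_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian Ethernet pcap."""
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
    data_start = 14 + ihl + (off_flags >> 12) * 4
    return src, sport, dst, dport, seq, off_flags & 0x1FF, frame[data_start:14 + total_len]

def follow_ftp_stream(pcap_bytes, port=FTP_CONTROL_PORT):
    """Reassemble each direction by sequence number, then interleave the lines by capture time."""
    flows = defaultdict(list)  # (src, sport, dst, dport) -> [(seq, ts, payload)]
    for ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and port in (parsed[1], parsed[3]) and parsed[6]:  # skip non-FTP and empty segments
            src, sport, dst, dport, seq, _flags, payload = parsed
            flows[(src, sport, dst, dport)].append((seq, ts, payload))
    lines = []
    for (_, _, _, dport), segs in flows.items():
        direction = "C>S" if dport == port else "S>C"
        buf = b""
        for _seq, ts, payload in sorted(segs):  # sequence order, not arrival order
            buf += payload
            while b"\r\n" in buf:  # commands and replies are CRLF-terminated lines
                line, buf = buf.split(b"\r\n", 1)
                lines.append((ts, direction, line.decode("ascii", "replace")))
    return [(direction, line) for _, direction, line in sorted(lines)]

def extract_credentials(transcript):
    """What an on-path observer learns: USER, PASS, whether login succeeded, and the cwd."""
    found = {"user": None, "password": None, "login_ok": False, "cwd": None}
    for direction, line in transcript:
        verb, _, arg = line.partition(" ")
        if direction == "C>S" and verb.upper() in ("USER", "PASS"):
            found["user" if verb.upper() == "USER" else "password"] = arg
        elif direction == "S>C" and verb == "230":  # RFC 959: 230 = user logged in
            found["login_ok"] = True
        elif direction == "S>C" and verb == "257" and line.count('"') >= 2:
            found["cwd"] = line.split('"')[1]  # 257 "<pathname>" ... is the PWD reply
    return found

def sample_session():
    """Constructed capture mirroring the post's session: handshake, 220, USER/PASS, 230, PWD/257,
    QUIT/221, FIN/ACK teardown. The 257 reply is split over two out-of-order segments."""
    seq = {"C": 1000, "S": 5000}
    ends = {"C": (CLIENT, CPORT), "S": (SERVER, FTP_CONTROL_PORT)}
    def pkt(who, flags, payload=b""):
        peer = "S" if who == "C" else "C"
        ack = seq[peer] if flags & ACK else 0
        frame = build_frame(*ends[who], *ends[peer], seq[who], ack, flags, payload)
        seq[who] += len(payload) + (1 if flags & (SYN | FIN) else 0)  # SYN and FIN each consume one seq
        return frame
    frames = [pkt("C", SYN), pkt("S", SYN | ACK), pkt("C", ACK),
              pkt("S", PSH | ACK, b"220 Welcome to the example FTP service\r\n"),
              pkt("C", PSH | ACK, b"USER alice\r\n"),
              pkt("S", PSH | ACK, b"331 Password required for alice\r\n"),
              pkt("C", PSH | ACK, b"PASS hunter2\r\n"),
              pkt("S", PSH | ACK, b"230 User alice logged in\r\n"),
              pkt("C", PSH | ACK, b"PWD\r\n")]
    first, second = pkt("S", PSH | ACK, b'257 "/home/alice" is the'), pkt("S", PSH | ACK, b" current directory\r\n")
    frames += [second, first]  # deliberately written out of order
    frames += [pkt("C", PSH | ACK, b"QUIT\r\n"), pkt("S", PSH | ACK, b"221 Goodbye\r\n"),
               pkt("C", FIN | ACK), pkt("S", FIN | ACK)]
    return build_pcap(frames)
```

Calling `extract_credentials(follow_ftp_stream(sample_session()))` yields the user name, the password, the fact that the login succeeded and the home directory, all from a handful of packets and without any key material: exactly what someone sharing the wireless network would get from a real capture. The same `follow_ftp_stream` works on a pcap saved from Wireshark or tcpdump (`open("capture.pcap", "rb").read()`) as long as it is a classic little-endian Ethernet capture; pcapng files and other link types are out of scope here.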

The best alternative is FTPS (FTP over SSL/TLS) - from the Wikipedia page:
FTPS (also known as FTP Secure and FTP-SSL) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.
FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol. It is also different from Secure FTP, the practice of tunneling FTP through an SSH connection.
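What the FTPS recommendation looks like in client code, as an added example (mine, not the post's and not from any FTP server project): an explicit FTPS session with Python's standard `ftplib`, which upgrades the control connection with AUTH TLS before the USER/PASS exchange and switches the data connection to PROT P so listings and file contents are encrypted too. The host, user name and password passed to `ftps_login_and_list` are placeholders; the two context builders show the secure setting beside the common weak one (encryption without certificate verification, which an on-path attacker defeats with any certificate of their own).

```python
# Added example: explicit-FTPS (AUTH TLS) client that will not send the login in the clear.
# The host/user/password arguments are placeholders; nothing here points at a real server.
import ftplib
import ssl

def strict_tls_context():
    """Verify the server certificate against the system CA store, check the hostname,
    and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weak_tls_context():
    """The common mistake: encryption without server authentication. An on-path attacker
    can present any certificate, terminate the TLS session, and read USER/PASS anyway."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_safe(ctx):
    """Pre-flight check: certificate required, hostname checked, TLS 1.2 or newer."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def ftps_login_and_list(host, user, password, path=".", port=21):
    """Connect on the plain FTP port, upgrade with AUTH TLS *before* USER/PASS, then PROT P so
    the data connection (LIST/RETR/STOR) is encrypted as well. Returns the directory listing."""
    ctx = strict_tls_context()
    if not context_is_safe(ctx):
        raise RuntimeError("refusing to send credentials over an unverified channel")
    ftp = ftplib.FTP_TLS(context=ctx, timeout=30)
    ftp.connect(host, port)
    ftp.auth()       # AUTH TLS: the control channel is encrypted from here on
    ftp.login(user, password)
    ftp.prot_p()     # PROT P: encrypt data connections too (the default, PROT C, leaves them clear)
    try:
        return ftp.nlst(path)
    finally:
        ftp.quit()
```

Two caveats a practitioner would want: `ftplib.FTP_TLS` only speaks explicit FTPS (AUTH TLS on port 21), not implicit FTPS on port 990, and a server that accepts USER/PASS before AUTH TLS will happily take the password in the clear from a careless client, so the order of `auth()` before `login()` is the whole point.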

Computer Biology