Go hack yourself – recovering your FTP password

Posted on 12 January 2008 at 17:05 UTC, filed under Tricks, disclaimer

All of the websites I put together at the moment are used for playing around and testing things. It’s fun to set up a site, try some things out, delete it or just let it sit and then – usually much later – start over and try something else. The only problem is that by the time I am ready to start over, I have forgotten my password. I can find my user name, it’s in the FTP client and visible in my hosting control panel, but the password is not visible anywhere. The secure way would be to just pick a new password, but let’s assume you need your old one :-). The following will also work for email passwords stored in your email client, by the way.

What we’ll do is “sniff” the connection that your FTP client builds up: we’ll take a look at the packets sent out and received. Remember that other people can do this as well – say if you’re on an insecure wireless connection on the road — so use secure connections and protocols whenever you can!

You’ll have to get a copy of Ethereal (freeware), a universal network analysis tool (there are many similar tools available, I like the flexibility of Ethereal). Download it, install it and start it up.

To get started, select the menu item Capture and then Start, choose your network interface (WLAN, cable, etc.) and let it start. You are now recording your complete network traffic, you 1337 self-h4x0r :D. Depending on what you’re doing at the moment, it may record a lot of traffic. We’ll filter it later on, so don’t worry about that.

Ethereal capture in progress

Now start up your FTP client (make sure you’re not using a secure FTP connection) and connect to your server. When you connect to your server like that, you send your user name and password over the network in the clear, and Ethereal records that for you. Once the login has gone through, you can stop capturing in Ethereal.

Sniffed Ethereal connection

If you scroll through the data you collected like that, you’ll quickly notice that there’s a lot going over those wires. Let’s just look at the data going to and from our FTP server. You’ll have to get the IP address of your server (which you can usually do in a shell/command box by typing “nslookup ftp.yourservername.com”). In the filter box on top, enter: ip.addr eq nnn.nnn.nnn.nnn (where the “nnn’s” are the IP address of your server).

Sniff your server's IP address

Once you only look at the data going to and from your server, you’ll see the authentication information right away:

Username and password, hacked

Now that you see how easy it is to hack yourself, make sure that others can’t do the same with your account:

  • If you’re using a wireless connection, always assume that others can listen in (even if you’re using your own access point with WEP or WPA encryption).
  • Make sure that you use a secure version of FTP. In general, they will encrypt your authentication information so that it will not be readable on your network. Double-check it with Ethereal, if you want to be sure.
  • Change your FTP/email passwords after you have used them on an insecure connection like a hotel or airport wireless.
  • If you use a web-based email service, make sure that you are accessing the site with HTTPS and not HTTP. Most web-mail services allow that (though they may not activate it by default since it is a bit slower and is usually not needed on your home network).
  • Even if your FTP (or email) client encrypts passwords in the settings, they can still be read with the right tools.
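The same check can be done without clicking through a capture by hand. The following is an added example (not part of the original post and not Ethereal’s code): it applies the equivalent of the “ip.addr eq <server>” filter to a small constructed packet list, reads the FTP control channel on port 21, and reports every client that sent USER/PASS without first upgrading to TLS (the “AUTH TLS” / “234” exchange of explicit FTPS). The addresses, ports, user name and password are made up for the example; the password value itself is never stored or printed, only the fact that it went over the wire in the clear.

```python
"""Detect cleartext FTP logins in captured control-channel traffic.

Added example, not part of the original post: instead of reading an
Ethereal/Wireshark capture it runs over a constructed packet list that
mimics what `ip.addr eq <server>` shows for port-21 traffic. Server and
client addresses are made-up documentation addresses (RFC 5737).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FTP_PORT = 21


@dataclass
class Packet:
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    sport: int       # source TCP port
    dport: int       # destination TCP port
    payload: bytes   # TCP payload; the FTP control channel is CRLF line-oriented


@dataclass
class SessionReport:
    server: str
    client: str
    tls_negotiated: bool = False          # server answered AUTH TLS with 234
    cleartext_user: Optional[str] = None  # USER argument seen unencrypted
    password_exposed: bool = False        # PASS seen unencrypted (value not kept)


def matches_host(pkt: Packet, host: str) -> bool:
    """Equivalent of the Ethereal display filter `ip.addr eq host`."""
    return host in (pkt.src, pkt.dst)


def scan_ftp_sessions(packets: List[Packet], server: str) -> Dict[str, SessionReport]:
    """Walk packets in capture order and summarise each client's login."""
    reports: Dict[str, SessionReport] = {}
    for pkt in packets:
        if not matches_host(pkt, server):
            continue
        from_server = pkt.src == server
        # Only the control channel (port 21) carries USER/PASS.
        if (pkt.sport if from_server else pkt.dport) != FTP_PORT:
            continue
        client = pkt.dst if from_server else pkt.src
        rep = reports.setdefault(client, SessionReport(server, client))
        if rep.tls_negotiated:
            continue  # everything after the TLS handshake is ciphertext
        for line in pkt.payload.splitlines():
            if from_server:
                # "234 ..." is the server accepting AUTH TLS (RFC 4217)
                if line.startswith(b"234"):
                    rep.tls_negotiated = True
                continue
            cmd, _, arg = line.partition(b" ")
            cmd = cmd.strip().upper()
            if cmd == b"USER":
                rep.cleartext_user = arg.strip().decode("ascii", "replace")
            elif cmd == b"PASS":
                rep.password_exposed = True  # deliberately not recording the value
    return reports


def alerts(reports: Dict[str, SessionReport]) -> List[str]:
    """One human-readable finding per client that logged in unprotected."""
    out = []
    for rep in reports.values():
        if rep.tls_negotiated or rep.cleartext_user is None:
            continue
        what = "user name and password" if rep.password_exposed else "user name"
        out.append(f"cleartext FTP login: {what} for '{rep.cleartext_user}' "
                   f"sent from {rep.client} to {rep.server}")
    return out


# Constructed capture: one plain FTP login, one explicit-FTPS login, one
# unrelated HTTP packet that the address filter must drop.
SERVER = "203.0.113.10"
CAPTURE = [
    Packet(SERVER, "192.0.2.5", 21, 51000, b"220 FTP server ready\r\n"),
    Packet("192.0.2.5", SERVER, 51000, 21, b"USER john\r\n"),
    Packet(SERVER, "192.0.2.5", 21, 51000, b"331 Password required\r\n"),
    Packet("192.0.2.5", SERVER, 51000, 21, b"PASS hunter2\r\n"),  # made-up password
    Packet(SERVER, "192.0.2.5", 21, 51000, b"230 Login successful\r\n"),
    Packet(SERVER, "192.0.2.6", 21, 51001, b"220 FTP server ready\r\n"),
    Packet("192.0.2.6", SERVER, 51001, 21, b"AUTH TLS\r\n"),
    Packet(SERVER, "192.0.2.6", 21, 51001, b"234 Proceed with negotiation\r\n"),
    Packet("192.0.2.6", SERVER, 51001, 21, b"\x16\x03\x01\x00\x8b\x01\x00"),  # TLS ClientHello, opaque
    Packet("192.0.2.5", "198.51.100.7", 51002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in alerts(scan_ftp_sessions(CAPTURE, SERVER)):
        print(finding)
```

Run as a script it prints one finding, for the first client only: the second client negotiated TLS before sending USER, so nothing readable crossed the wire, which is exactly what you want to see when you “double-check it with Ethereal”.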

Stay safe!

There are 15 comments to this post.
  1. “Even if your FTP (or email) client encrypts passwords in the settings, they can still be read with the right tools.”

    Sounds like ultimately there will always be a risk for those who don’t know how to use the right tools. Scary. Thanks for the great info, John!

  2. Wow, I finally gave this a try. Even more scary… http://www.cacetech.com/products/airpcap_family.htm. $200 bucks and an unsecured wireless connection is all someone needs to get OTHER people’s passwords. You made me reconsider my whole password convention because of this, John! Thanks again!

  3. Adam, if you’re running Linux you can do the same thing for free (there are even Linux versions that run off of a CD which do the same, e.g. “Backtrack”, you don’t even have to set up a computer to use them). With a little know-how you can not only access unprotected networks, but also WEP encrypted wireless networks. Many public access points are not encrypted, which would allow anyone to listen in when you sign in for email or if you need to make a last-minute website update via FTP.

    The easy way to protect yourself is to use more secure protocols like HTTPS when signing in for your webmail account or sFTP instead of FTP. Gmail supports HTTPS, I’m pretty sure the others do too.

  4. Well thanks a lot John. I was up ALL night playing with Backtrack and as a result am now in the dreaded doghouse with my girlfriend. Just kidding obviously. Thanks for the tip, as always, it’s a great one. I assume you’re a Linux ftw kind of guy. Which distro’s your favorite? Not sure if that makes sense (I just recently emerged :) myself into the world of Linux…yep, Ubuntu it was) so in other words, do you prefer say Gentoo over Fedora or another one? I almost didn’t ask because a friend of mine laughed at me when I asked him that question and told me he uses his own version of Linux. I assume that has something to do with compiling the kernel and adding the desktop environments and such manually…that scares the bejeezus out of me so I’m wondering what the more simple answer would be.

  5. 1) That was an awesome explanation even a non-techie like myself can understand.
    2) Why is the spam protection pre-entered?

  6. Hi. I am a hacker. I can get you a password (aol, myspace, facebook, msn/hotmail, yahoo, etc.). I do charge a fee for a password. Once I get the password I’ll show you proof I have it. Are you interested? Please email me at fordf[edited]@yahoo.com

  7. Hi Gab, the spam protection is pre-entered because it still seems to work that way – why make it more complicated than is necessary :-). If I notice that I get too many spammy comments, I might change it again, but for the meantime, it hasn’t brought more spam, so I’m happy with it like that.

  8. Thanks for the useful tip. Wouldn’t it simply be enough to log in to your hosting account and change it? Or is this tip for super-l33t hax0rs only?

  9. Hi there John,
    Downloaded Wireshark today. It works just like Ethereal, I guess. Early on in your article you made an impression of “recovering old and forgotten passwords”. Was that not the point of the article? Let me know.

    Great article,

  10. Great write-up! People that know this stuff take it for granted that everyone else does; it’s shocking to see how easily it can be done.

  11. I need a hacker in my life because I easily forget things & mostly they are valuable to me, so someone should please contact me..

  12. I felt shocked while testing the network analysis tool. I think it’s better to know if any other methods like this exist.

    Thank you for this useful article.

  13. Don’t leave the FTP connection open once you log out of the server!
    The answer to the spam protection question is typed in automatically. I am using Google Chrome here.

  14. It’s not freeware. It’s open source.

  15. Thanks for the useful tip.
