Go hack yourself - recovering your FTP password
All of the websites I put together at the moment are used for playing around and testing things. It’s fun to set up a site, try some things out, delete it or just let it sit and then - usually much later - start over and try something else. The only problem is that by the time I am ready to start over, I have forgotten my password. I can find my user name, it’s in the FTP client and visible in my hosting control panel, but the password is not visible anywhere. The secure way would be to just pick a new password, but let’s assume you need your old one. The following will also work for email passwords stored in your email client, by the way.
What we’ll do is “sniff” the connection that your FTP client builds up, we’ll take a look at the packets sent out and received. Remember that other people can do this as well - say if you’re on an insecure wireless connection on the road — use secure connections and protocols whenever you can!
You’ll have to get a copy of Ethereal (freeware), a universal network analysis tool (there are many similar tools available, I like the flexibility of Ethereal). Download it, install it and start it up.
To get started, select the menu item Capture and Start, then choose your ethernet interface (WLAN, cable, etc) and let it start. You are now recording your complete network traffic, you 1337 self-h4×0r. Depending on what you’re doing at the moment, it may record a lot of traffic. We’ll filter it later on, so don’t worry about that.

Now start up your FTP client (make sure you’re not using a secure FTP connection) and connect to your server. When you connect to your server like that, you will send your user name and password over the network, and Ethereal records that for you. Once you have that, you can stop capturing in Ethereal.

If you scroll through the data you collected like that, you’ll quickly notice that there’s a lot going over those wires. Let’s just look at the data going to and from our FTP server. You’ll have to get the IP address of your server (which you can usually do in a shell/command box by typing “nslookup ftp.yourservername.com”). In the filter box on top, enter: ip.addr eq nnn.nnn.nnn.nnn (where the “nnn”s are the IP address of your server).

Once you only look at the data going to and from your server, you’ll see the authentication information right away:
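The same filter-then-inspect step done in code, as an added example that is not part of the original post: a constructed packet list stands in for the capture, `filter_by_host` mirrors the `ip.addr eq` display filter, and the report only says that a password was observable in cleartext, without echoing it. All addresses and the login are placeholders.

```python
# Added example (not the post's own code): the "filter by server IP, then look at
# the FTP control channel" step in Python, from a defender's stance. Each packet
# is a constructed tuple (src_ip, dst_ip, dst_port, payload).
import re
from typing import Dict, List, Tuple

Packet = Tuple[str, str, int, str]

# Constructed sample capture: 203.0.113.10 and 198.51.100.7 are placeholder
# addresses from the documentation ranges; the login is made up.
SAMPLE_CAPTURE: List[Packet] = [
    ("192.168.1.5", "198.51.100.7", 80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("203.0.113.10", "192.168.1.5", 52113, "220 FTP server ready\r\n"),
    ("192.168.1.5", "203.0.113.10", 21, "USER webmaster\r\n"),
    ("203.0.113.10", "192.168.1.5", 52113, "331 Password required\r\n"),
    ("192.168.1.5", "203.0.113.10", 21, "PASS hunter2\r\n"),
    ("203.0.113.10", "192.168.1.5", 52113, "230 Login successful\r\n"),
]

FTP_AUTH_CMD = re.compile(r"^(USER|PASS) (\S+)\r?\n")


def filter_by_host(packets: List[Packet], server_ip: str) -> List[Packet]:
    """Same effect as the Ethereal display filter 'ip.addr eq <server_ip>'."""
    return [p for p in packets if server_ip in (p[0], p[1])]


def find_cleartext_ftp_logins(packets: List[Packet], server_ip: str) -> List[Dict]:
    """Report USER/PASS commands sent in the clear to server_ip on port 21.
    The password itself is never put in the report; a defender only needs
    to know it was observable on the wire (its length is kept for context)."""
    findings: List[Dict] = []
    current_user = None
    for src, dst, dst_port, payload in filter_by_host(packets, server_ip):
        if dst != server_ip or dst_port != 21:
            continue  # only client -> server traffic on the control channel
        match = FTP_AUTH_CMD.match(payload)
        if not match:
            continue
        command, argument = match.groups()
        if command == "USER":
            current_user = argument
        else:  # PASS: the credential was readable on the network
            findings.append({"client": src, "server": dst, "user": current_user,
                             "password_exposed": True, "password_length": len(argument)})
    return findings
```

Run it against a capture of a connection that you believe is protected (FTPS or SFTP); an empty report is what you want to see.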

Now that you see how easy it is to hack yourself, make sure that others can’t do the same with your account:
- If you’re using a wireless connection, always assume that others can listen in (even if you’re using your own access point with WEP or WPA encryption).
- Make sure that you use a secure version of FTP. In general, they will encrypt your authentication information so that it will not be readable on your network. Double-check it with Ethereal, if you want to be sure.
- Change your FTP/email passwords after you have used them on an insecure connection like a hotel or airport wireless.
- If you use a web-based email service, make sure that you are accessing the site with HTTPS and not HTTP. Most web-mail services allow that (though they may not activate it by default since it is a bit slower and is usually not needed on your home network).
- Even if your FTP (or email) client encrypts passwords in the settings, they can still be read with the right tools.
Stay safe!
“Even if your FTP (or email) client encrypts passwords in the settings, they can still be read with the right tools.”
Sounds like ultimately there will always be a risk for those who don’t know how to use the right tools. Scary. Thanks for the great info, John!
Wow, I finally gave this a try. Even more scary… http://www.cacetech.com/products/airpcap_family.htm. $200 bucks and an unsecured wireless connection is all someone needs to get OTHER people’s passwords. You made me reconsider my whole password convention because of this, John! Thanks again!
Adam, if you’re running Linux you can do the same thing for free (there are even Linux versions that run off of a CD which do the same, e.g. “Backtrack”, you don’t even have to set up a computer to use them). With a little know-how you can not only access unprotected networks, but also WEP encrypted wireless networks. Many public access points are not encrypted, which would allow anyone to listen in when you sign in for email or if you need to make a last-minute website update via FTP.
The easy way to protect yourself is to use more secure protocols like HTTPS when signing in for your webmail account or sFTP instead of FTP. Gmail supports HTTPS, I’m pretty sure the others do too.
Well thanks a lot John. I was up ALL night playing with Backtrack and as a result am now in the dreaded doghouse with my girlfriend. Just kidding obviously. Thanks for the tip, as always, it’s a great one. I assume you’re a Linux ftw kind of guy. Which distro’s your favorite? Not sure if that makes sense (I just recently immersed myself into the world of Linux…yep, Ubuntu it was) so in other words, do you prefer say Gentoo over Fedora or another one? I almost didn’t ask because a friend of mine laughed at me when I asked him that question and told me he uses his own version of Linux. I assume that has something to do with compiling the kernel and adding the desktop environments and such manually…that scares the bejeezus out of me so I’m wondering what the more simple answer would be.