Go hack yourself - recovering your FTP password (old, probably outdated)

Warning: This page is pretty old and was imported from another website. Take any content here with a grain of salt.

All of the websites I put together at the moment are used for playing around and testing things. It’s fun to set up a site, try some things out, delete it or just let it sit and then - usually much later - start over and try something else. The only problem is that by the time I am ready to start over, I have forgotten my password. I can find my user name, it’s in the FTP client and visible in my hosting control panel, but the password is not visible anywhere. The secure way would be to just pick a new password, but let’s assume you need your old one :-) . The following will also work for email passwords stored in your email client, by the way.

What we’ll do is “sniff” the connection that your FTP client builds up, we’ll take a look at the packets sent out and received. Remember that other people can do this as well - say if you’re on an insecure wireless connection on the road – use secure connections and protocols whenever you can!

You’ll have to get a copy of Ethereal (archive.org) (freeware), a universal network analysis tool (there are many similar tools available, I like the flexibility of Ethereal). Download it, install it and start it up.

To get started, select the menu item Capture and Start, then choose your ethernet interface (WLAN, cable, etc) and let it start. You are now recording your complete network traffic, you 1337 self-h4x0r :D . Depending on what you’re doing at the moment, it may record a lot of traffic. We’ll filter it later on, so don’t worry about that.

Ethereal capture in progress

Now start up your FTP client (make sure you’re not using a secure FTP connection) and connect to your server. When you connect to your server like that, you will send your user name and password over the network and Ethereal record that for you. Once you have that, you can stop capturing in Ethereal.

Sniffed Ethereal connection

If you scroll through the data you collect like that, you’ll quickly notice that there’s a lot going over those wires. Let’s just look at the data going to and from our FTP server. You’ll have to get the IP address of your server (which you can usually do in a shell/command box by typing “nslookup ftp.yourservername.com”). In the filter box on top, enter: ip.addr eq nnn.nnn.nnn.nnn (where the “nnn’s” are the IP address of your server).

Sniff your server’s IP address

Once you only look at the data going to and from your server, you’ll see the authentication information right away:

Username and password, hacked

Now that you see how easy it is to hack yourself, make sure that others can’t do the same with your account:

  • If you’re using a wireless connection, always assume that others can listen in (even if you’re using your own access point with WEP or WPA encryption).
  • Make sure that you use a secure version of FTP. In general, they will encrypt your authentication information so that it will not be readable on your network. Double-check it with Ethereal, if you want to be sure.
  • Change your FTP/email passwords after you have used them on an insecure connection like a hotel or airport wireless.
  • If you use a web-based email service, make sure that you are accessing the site with HTTPS (archive.org) and not HTTP. Most web-mail services allow that (though they may not activate it by default since it is a bit slower and is usually not needed on your home network).
  • Even if your FTP (or email) client encrypts passwords in the settings, they can still be read with the right tools.

Stay safe!

Warning: This page is pretty old and was imported from another website. Take any content here with a grain of salt.

Comments / questions

There's currently no commenting functionality here. If you'd like to comment, please use Mastodon and mention me ( @hi@johnmu.com ) there. Thanks!

Related pages