Penetration Testing mailing list archives

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?


From: Jon Kibler <Jon.Kibler () aset com>
Date: Sun, 12 Oct 2008 05:03:45 -0400


Chip Panarchy wrote:
> Well thanks for the replies guys.


A couple of related points about FTP vs. SFTP...

First, FTP is a clear text protocol. This makes the protocol not only
susceptible to credentials sniffing, it also makes it susceptible to
session hijacking and data stream modification.

Tools to demonstrate session hijacking include ettercap and hunt.

Data stream modification is more trivially accomplishable than many
realize. Using ettercap filters can make data stream modification
child's play.

My second point regarding FTP is how it is being used by the malware
folks. In a discussion I had about 6 months ago with a top industry
malware researcher, he indicated that FTP exploits are one of the most
common ways that web sites are being hacked.

It appears that all techniques described above are being used: Either
sniff credentials and then use them to modify web sites to inject
malware, or, hijack FTP sessions to modify the web site, or, inject
malware into the site as it is being updated by FTP. Apparently, there
are several crimeware packages that can be purchased to do any of those
attacks as a means of infecting a web site via exploiting FTP's clear
text nature.

So, if you use SFTP to update web sites instead of FTP, you apparently
can greatly reduce the chances of your site being hacked.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
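
Added example, not part of the original message: a defender-side audit that reads client-to-server FTP control-channel lines from a sensor log and reports which sessions logged in in clear text, so those accounts can be moved to SFTP first. The log line format, session ids and sample lines are constructed assumptions; the password is never stored, only the fact that it was exposed.

```python
import re

# Constructed sample (not real traffic): "<session> C: <FTP command> [argument]".
# Session s2 negotiates TLS (AUTH TLS, RFC 4217), so a sensor sees nothing after it.
SAMPLE_LINES = [
    "s1 C: USER webmaster",
    "s1 C: PASS constructed-secret",
    "s1 C: STOR index.html",
    "s2 C: AUTH TLS",
    "s3 C: USER anonymous",
    "s3 C: PASS guest@example.invalid",
    "s3 C: RETR readme.txt",
]

LINE_RE = re.compile(r"^(\S+) C: ([A-Za-z]{3,4})(?: (.*))?$")
# Commands that change server content; a clear-text session that uses them
# is the case the message describes (web site updated over FTP).
WRITE_CMDS = {"STOR", "APPE", "STOU", "DELE", "RNTO"}


def audit_ftp_sessions(lines):
    """Return {session_id: finding} for sessions that authenticated in clear text."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a client command line in the assumed format
        sid, cmd, arg = m.group(1), m.group(2).upper(), m.group(3) or ""
        s = sessions.setdefault(
            sid, {"user": None, "password_exposed": False, "writes": []}
        )
        if cmd == "USER":
            s["user"] = arg
        elif cmd == "PASS":
            s["password_exposed"] = True  # record exposure, discard the secret
        elif cmd in WRITE_CMDS:
            s["writes"].append(f"{cmd} {arg}")

    findings = {}
    for sid, s in sessions.items():
        if not s["password_exposed"]:
            continue
        anonymous = (s["user"] or "").lower() in {"anonymous", "ftp"}
        s["severity"] = "low" if anonymous else ("high" if s["writes"] else "medium")
        findings[sid] = s
    return findings


if __name__ == "__main__":
    for sid, f in audit_ftp_sessions(SAMPLE_LINES).items():
        print(sid, f["user"], f["severity"], f["writes"])
```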





