Blog

Managed File Transfer and Network Solutions

Countering Packet Sniffers Using Encrypted FTP

Posted by John V. on Tue, Dec 11, 2012 @ 04:09 PM

Overview

A lot of people who often send files just love FTP. The File Transfer Protocol allows users to transmit volumes of files over the Internet through uncomplicated FTP clients, some of which are already built-in in the two popular operating systems, Windows and Mac OS X. Sadly, this well-loved technology is not very secure. That's why people who craft regulations like PCI DSS are wary of it. They know that an attacker armed with a packet sniffer can easily obtain usernames and passwords just by sniffing an FTP connection. 

In this post, I'll help you understand what a packet sniffer is and how it can be used in a Man-in-the-Middle (MITM) attack known as ARP poisoning. After that, I'll show you exactly what an attacker sees on a packet sniffer when they carry out such an attack on both regular and encrypted FTP connections.

How packet sniffers manage to grab passwords

In spite of its negative connotations, a packet sniffer (a.k.a. network analyzer, packet analyzer, protocol analyzer, or sniffer) is supposed to be used by network administrators to perform network diagnostics. But, as indicated in this post's overview, there are people who use it for exploitative purposes. That's what we're going to focus on here.

Some of the popular sniffers are Cain and Abel, Carnivore, dSniff, Ettercap, Fiddler, tcpdump, and Wireshark. For this post, I'm going to use Ettercap, a free sniffer that runs on Linux. 

A sniffer basically works by first capturing packets it receives from the network, including those packets intended for other hosts. This can easily be done in a LAN that connects hosts via a hub. That's because a hub simply forwards all packets entering it to all connected hosts regardless of those packets' destination addresses.

 

packet sniffing in a hub resized 600

 

All you'll need then to grab packet information is a sniffer running on a connected host equipped with a NIC (network interface card) set to promiscuous mode. 

'Promiscuous' is a mode which some NICs can assume that would allow them to receive any packet that comes their way regardless of that packet's destination address. By default, NICs are supposed to discard all packets not addressed to them. Obviously, you'll want your NIC to be set to 'promiscuous' if you want to do any sniffing.

Once the packets are passed on to your sniffer, you can obtain lots of information about them. For instance, you can grab usernames and passwords from FTP packets. 

However, that feat won't be as easy if you're operating in a switched network (i.e. a LAN that uses a switch instead of a hub). You see, a switch is smarter than a hub. It only forwards packets to machines they are destined for. Therefore, you won't be able to view the contents of certain packets that aren't addressed to your machine because you will never receive them in the first place.

 

packet sniffing on a switch network resized 600

 

But there are workarounds to this. One of it entails impersonating the legitimate recipient, thereby tricking the sender into sending packets to you instead of the host those packets were originally intended for. The specific technique we're referring to here is known as ARP poisoning or ARP spoofing, a very common type of MITM. 

ARP Poisoning

What is a Man-in-the-Middle Attack?

This is a form of active eavesdropping wherein an attacker intercepts communications between at least two machines and dupes the victims into thinking they are still communicating directly with one another. But in actuality, the communication packets flow through the attacker's machine, thus allowing the attacker to eavesdrop on them.

ARP poisoning is one example of an MITM and it's what we're going to talk about shortly. It takes advantage of a vulnerability in ARP, the protocol used to convert IP addresses into physical network (MAC) addresses. 

IP addresses and MAC addresses

When you initiate a connection to another machine, say an FTP server, you normally enter that destination machine's IP address or hostname (hostnames like ftp.somedomain.com are automatically mapped to IP addresses) into your client application. 

 

connecting to ftp resized 600

 

However, the hardware devices themselves do not use IP addresses to distinguish themselves from one another. Rather, hardware devices belonging to the same network use the MAC addresses that are uniquely assigned to their NICs. Hence, before messages can be exchanged between an FTP client and an FTP server, for example, IP addresses have to be resolved into MAC addresses. 

 

ARP IP MAC address resized 600

This is the job of ARP, which really stands for Address Resolution Protocol.  

Normal ARP communication

To translate an IP address into its corresponding MAC address, ARP looks it up in a table known as the ARP cache. You can view the contents of a host's ARP cache by typing arp -a in that host's terminal. Here's a screenshot of what was displayed when I ran arp -a  on the router (a Linux machine running pfsense) in my virtual lab. 

 

arp  a before ping resized 600

Notice how there are only two items in this host's ARP cache: IP address 192.168.100.125, whose corresponding MAC address is 08:00:27:75:9d:48, and IP address 10.0.0.2 whose corresponding MAC address is 08:00:27:b5:5d:52. 

Now, if the MAC address that's needed isn't found in the ARP cache, the host sends out what is known as an ARP request. An ARP request is basically a shout out to all machines in the network, asking who owns a particular IP address. When the owner of the IP address receives the ARP request, it responds with an ARP reply, which would then include its MAC address. As soon as the requesting host receives the ARP reply, it adds the IP/MAC address pair to its ARP cache.

 

ARP request ARP reply resized 600

 

Here's another look at the same host's ARP cache after I executed arp -a right after pinging a host in the network bearing IP address 192.168.100.102. Notice how that host's IP and MAC addresses were added to the router's ARP cache.

 

arp  a after ping resized 600

 

Each ARP request also includes the sender's IP and MAC address. Thus, all machines who receive the request will know the IP address and MAC address of the requester. Once two machines already know each other's IP and MAC address, they can start communicating.

Taking advantage of ARP

Unfortunately, ARP accepts updates any time. Meaning, a device may send an ARP reply to another device even without receiving an ARP request, and the second device will promptly update its ARP cache. Herein the vulnerability of ARP lies. That unsolicited ARP reply can easily come from an attacker. 

An attacker may impersonate a legitimate host by sending an ARP reply to a machine which that host is supposed to communicate with. In fact, the attacker can send unsolicited ARP replies to the two machines in order to fool them both!

 

ARP poisoning MITM

This is basically how ARP poisoning works. After carrying out ARP poisoning, the attacker would then be able to establish itself as the man-in-the-middle. 

Oftentimes, FTP clients aren't found in the same network as the FTP server. Hence, an ARP poisoning MITM attack intended to sniff FTP packet information can be carried out by positioning the attacker between either the FTP client and its network's router or between the FTP server and its network's router. In this experiment, I implemented the former.

 

packet sniffing experiment network configuration resized 600

 

What a sniffer can see on an FTP connection

Some packet sniffers can carry out ARP Poisoning before sniffing the connection. When performed on a connection like FTP, which sends out information in plaintext, packet sniffing can allow the attacker to see things he's not supposed to see - for example, usernames and passwords.

Here's a screenshot of Ettercap running on the attacker machine that's positioned as shown in the diagram above.  Notice how clearly the username and password is displayed (username: user1; password: demo).

 

sniffing FTP connection resized 600

 

To prevent a packet sniffer from viewing your users' usernames and passwords while they are carrying out file transfers, we suggest you let them use encrypted FTP protocols like FTPS or SFTP instead of regular FTP. These two secure file transfer protocols encrypt the information sent, rendering them unreadable.

Here's a screenshot of the same packet sniffer sniffing on an FTPS connection. 

 

sniffing FTPS connection resized 600 

 

And here's a screenshot of it sniffing an SFTP connection:

 

sniffing SFTP connection resized 600

 

As you can see, both FTPS and SFTP connections are incomprehensible when viewed on a packet sniffer. An attacker would not be able to retrieve usernames and passwords this way.

 

Recommended Downloads

To prevent packet sniffers from obtaining sensitive information from your file transfer sessions, employ encrypted file transfer protocols like FTPS or SFTP. Both protocols are supported by JSCAPE MFT Server, a platform-independent managed file transfer server that supports multiple secure file transfer protocols.

JSCAPE MFT Server comes with a free fully-functional evaluation edition which you can download below.

Note that not all file transfer clients support FTPS and SFTP. To ensure full compatibility with JSCAPE's managed file transfer server, use clients like AnyClient, which support a wide range of secure file transfer protocols.

 

 

 

 

 

 

Topics: JSCAPE MFT Server, Security

Subscribe via E-mail

Download Now
Free Consultation
Request Demo

Latest Blog Posts

How To Automatically Decrypt PGP-Encrypted Files Upon Upload
How To Delete A File On Your Server After It’s Downloaded
How To Set Up An SFTP Reverse Proxy
Business Benefits Of An SFTP Server