Operating System - HP-UX

Re: can I capture ftp login password?

 
Camel_1
Valued Contributor

can I capture ftp login password?

Hi there,

I am wondering how I can capture the ftp login password.

There is a process that sends files from another company to my server every single minute; they wrote an ftp script to transfer the files. Sometimes I find "PAM Authentication failed" in the syslog. I checked with their support and they said they haven't changed the ftp script; they use the same password. I am wondering how I can capture the password when they make an ftp connection to my server. I just want to make sure they use the correct password.

Thanks,

Steven E. Protter
Exalted Contributor

Re: can I capture ftp login password?

Shalom Simon,

Since ftp authenticates in clear text it is detectable with any network sniffer.

ethereal gui
tcpdump

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Patrick Wallek
Honored Contributor

Re: can I capture ftp login password?

You would have to have a network sniffer running. The best way (much less network traffic clutter to sort through) would be to set the sniffer to look for only those packets going between your server and the other company's server. Or you could also narrow it down to packets going to your server on the FTP ports. If doing that, don't forget that FTP uses tcp ports 20 AND 21 (20=FTP data, 21=FTP control).
Camel_1
Valued Contributor

Re: can I capture ftp login password?

Thank you for your quick response.

I don't have a sniffer installed; how can I capture from the Unix level?

Greg Vaidman
Respected Contributor

Re: can I capture ftp login password?

Get tcpdump here:
http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcpdump-3.9.4/

Get ethereal here:
http://hpux.cs.utah.edu/hppd/hpux/Gtk/Applications/ethereal-0.10.14/

Don't forget to also download all run-time dependencies (they're listed and linked right on each of the above pages). If you're building from source, you'll also need the build-time dependencies.
Greg Vaidman
Respected Contributor

Re: can I capture ftp login password?

Sorry, should have qualified my last message a bit - you only need one of the two, not both. As Steven implied, tcpdump is text-based, and ethereal has both a text-based and X version (although most people use just the GUI piece), so that should guide which you choose.

Because of the functionality difference, tcpdump is also significantly smaller (300-400KB binary vs 16-20MB for ethereal).
A. Clay Stephenson
Acclaimed Contributor

Re: can I capture ftp login password?

Since this is a script-driven FTP session and it works some (most) of the time, I very much doubt that the wrong password is being used. I suspect that instead the script isn't all that robust and is getting out of phase so that it is sending the password at the ftp user prompt rather than at the password prompt. I would alter /etc/inetd.conf and add a -l argument to the ftpd entry to enable logging and then issue an inetd -c command to reconfigure inetd. You can then examine syslog.log for any abnormal logins. I suspect that you are going to see occasional entries like:
ftpd[pid]: User topsecret: Login incorrect

where topsecret is actually the password.
If it ain't broke, I can fix that.
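
The syslog check described in the reply above, as an added example that is not part of the original thread: with ftpd -l logging enabled, it separates "Login incorrect" entries for an expected account from entries whose "user" name is unknown, which is what an out-of-phase script produces. The function names, the account name xferuser, the host name and the timestamp prefix are assumptions; the message format is the one quoted in the reply, and unknown names are reported by length only because they may be the password.

```shell
#!/bin/sh
# Added example: classify ftpd "Login incorrect" entries read from stdin.
# $1 is a space-separated list of accounts expected to log in via FTP.
# On a real system the input would be the syslog file, e.g.
#   classify_ftp_failures "xferuser" < /var/adm/syslog/syslog.log
classify_ftp_failures() {
    awk -v known="$1" '
    BEGIN {
        n = split(known, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    / ftpd\[[0-9]+\]: User .*: Login incorrect/ {
        # Isolate the text between "User " and ": Login incorrect".
        name = $0
        sub(/^.* ftpd\[[0-9]+\]: User /, "", name)
        sub(/: Login incorrect.*$/, "", name)
        stamp = $1 " " $2 " " $3          # month, day, time
        if (name in ok)
            # Right account name, so the failure is in the password step.
            printf "%s KNOWN_ACCOUNT %s\n", stamp, name
        else
            # Not an expected account: possibly a password sent at the
            # user prompt, so print only its length, never the value.
            printf "%s UNKNOWN_NAME len=%d\n", stamp, length(name)
    }'
}

# Constructed sample input (not real log data); "topsecret" is the
# placeholder used in the reply above.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 myhost cron[812]: constructed unrelated line
Mar  3 10:16:01 myhost ftpd[2340]: User xferuser: Login incorrect
Mar  3 10:17:02 myhost ftpd[2377]: User topsecret: Login incorrect
EOF
}

sample_log | classify_ftp_failures "xferuser"
```

Entries of the second kind mean the password itself is now recorded in syslog.log, so keep that file readable only by administrators while -l logging is on.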
Bill Hassell
Honored Contributor

Re: can I capture ftp login password?

Note also that Ethereal is really a decoder/display program that can read hundreds of sniffer file formats including the built-in nettl tool in HP-UX. Ethereal also runs on a PC which may be more convenient as you may not have Xwindows capability. You'll need the WinPcap tool to actually perform the capture. By setting a filter by IP address, only the packets from the desired system will be captured.


Bill Hassell, sysadmin
rick jones
Honored Contributor

Re: can I capture ftp login password?

One can also get tcpdump from the HP Internet Express bits http://software.hp.com/ or "straight from the horse's mouth":

http://www.tcpdump.org/

which would allow you to compile the most current libpcap/tcpdump bits if you wanted.
there is no rest for the wicked yet the virtuous have no pillows
Camel_1
Valued Contributor

Re: can I capture ftp login password?

thanks all.