01-24-2005, 10:38 AM   #2
Silvy
paranoid
 
Silvy's Avatar
 
Location: The Netherlands
With regards to password "snapping" (commonly referred to as "sniffing"):

Anyone with access to the data packets that travel between the FTP client and FTP server can read the username and password, because these are indeed sent as plain text (meaning human-readable form) across the net.

Now who has access to these packets?
By necessity every hop between server and client. Most connections go through several machines, and each of these machines is able to read the username/password. It is however not common that these machines would bother.
In addition: on an unswitched network (networks connected by hubs, not switches) everyone on the LAN 'sees' all packets, including your FTP packets. So the local networks of both client and server can see the usernames/passwords. I suspect that most password sniffing is done on these networks.
There are tools available that can automatically sniff the network for such username/password combinations for e-mail, telnet, ftp and probably many more. With such a tool, gathering passwords is very easy.

The only way around sniffers is using secure FTP. I don't know if FileZilla supports it, and I think client support is lacking as well. I haven't spent much time on this.
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. "
- Murphy MacManus (Boondock Saints)
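An added example (not part of the original post) of what the post describes from the defender's side: a passive sensor on any hop or hub-based LAN parses the FTP control channel, flags a USER/PASS pair sent without a prior accepted AUTH TLS, and records only the password's length, never the secret. The two sessions, host name and credentials are constructed sample data.

```python
import re

# Constructed sample: what a passive sensor on any hop (or on a hub-based LAN)
# sees of one FTP control connection. "C" = client->server, "S" = server->client.
PLAIN_FTP_SESSION = [
    ("S", "220 ftp.example.test FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),
    ("S", "230 User alice logged in"),
    ("C", "QUIT"),
]

# Same client using explicit FTPS: once the server accepts AUTH TLS (reply 234)
# everything that follows is encrypted, so the sensor sees only ciphertext ("X").
FTPS_SESSION = [
    ("S", "220 ftp.example.test FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("X", "<tls handshake and encrypted application data>"),
]

_CMD = re.compile(r"^(USER|PASS|AUTH)\s*(.*)$", re.IGNORECASE)


def analyse_session(lines):
    """Summarise credential exposure for one FTP control connection."""
    result = {"tls": False, "exposed": []}
    auth_requested = False
    user = None
    for direction, line in lines:
        if direction == "S":
            # 234 after a client AUTH request means TLS was accepted.
            if auth_requested and line.startswith("234"):
                result["tls"] = True
            continue
        if direction != "C":
            continue  # ciphertext: nothing readable to parse
        m = _CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            auth_requested = True
        elif cmd == "USER":
            user = arg
        elif cmd == "PASS" and not result["tls"]:
            # Record the exposure, never the secret itself.
            result["exposed"].append({"user": user, "password_len": len(arg)})
    return result


def alert_lines(summary):
    """Render SIEM-style alert text with the credential masked."""
    return [f"CLEARTEXT_FTP_LOGIN user={e['user']} password=<{e['password_len']} chars redacted>"
            for e in summary["exposed"]]
```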