1
00:00:00,000 --> 00:00:07,971

2
00:00:07,971 --> 00:00:10,982
OK, welcome back. In our next segment,

3
00:00:10,981 --> 00:00:15,281
we will talk about capturing FTP or file transfer protocol

4
00:00:15,281 --> 00:00:23,625
traffic for analysis to see if you can find issues with a simple FTP transfer of data.

5
00:00:23,625 --> 00:00:29,118
FTP, file transfer protocol, is one of the oldest

6
00:00:29,118 --> 00:00:34,753
Unix-based TCP/IP protocols in existence.

7
00:00:34,753 --> 00:00:41,875
It was used to transfer data from one host to another and is still very relevant today

8
00:00:41,872 --> 00:00:47,171
with the new technologies where obviously securing it either with SSH,

9
00:00:47,172 --> 00:00:51,259
or its own secure functions which adds encryption to it.

10
00:00:51,259 --> 00:01:00,146
The reason for this is because it is extremely insecure in its native format.

11
00:01:00,140 --> 00:01:05,999
It will send information in clear text including credentials and the data that is being sent.

12
00:01:06,008 --> 00:01:15,135
So, although it's very helpful, it's a very helpful protocol, it is also very insecure.

13
00:01:15,135 --> 00:01:23,756
So with Wireshark, basically you capture FTP data to, to look at the communication stream.

14
00:01:23,756 --> 00:01:30,548
It's very lightweight although it does use TCP as an underlying mechanism so that

15
00:01:30,548 --> 00:01:34,668
it can guarantee the transfer of the data to your TCP

16
00:01:34,668 --> 00:01:40,169
but it is generally lightweight and as we mentioned before,

17
00:01:40,169 --> 00:01:46,852
it can capture text that you're sending, in clear text, so highly insecure.

18
00:01:46,872 --> 00:01:54,146
You can use Wireshark to find the issues with traversal which we'll get into momentarily.

19
00:01:54,146 --> 00:01:59,194
And as you can see here, capturing FTP is actually very easy.

20
00:01:59,194 --> 00:02:04,391
Simply open up Wireshark, run a capture,

21
00:02:04,391 --> 00:02:11,110
and then for this example, what I did was I just opened up an FTP session to a website.

22
00:02:11,110 --> 00:02:15,297
I chose one where I can download files as an example.

23
00:02:15,306 --> 00:02:21,670
A lot of your printer drivers and so on for your systems can be accessed this way.

24
00:02:21,666 --> 00:02:24,496
And it's very common to access them this way.

25
00:02:24,496 --> 00:02:33,231
So, what I did was I ran an FTP and did some work on it and interestingly,

26
00:02:33,231 --> 00:02:36,869
when I was able to pull this up in Wireshark,

27
00:02:36,869 --> 00:02:42,659
I was shown specifically the transmission in clear text.

28
00:02:42,659 --> 00:02:50,771
So if I just run a filter on FTP and I pull up the TCP stream,

29
00:02:50,771 --> 00:02:55,709
I can see that my login credentials were sent in clear text.

30
00:02:55,709 --> 00:03:02,825
And basically, the login was successful and I was able to transfer some data.

31
00:03:02,825 --> 00:03:08,283
So capturing FTP with Wireshark is actually very easy.

32
00:03:08,283 --> 00:03:12,345
Here, we showed you some specifics with how to filter for it

33
00:03:12,345 --> 00:03:17,862
and how to pull up the stream to look at the entire conversation.

34
00:03:17,862 --> 00:03:21,320
So, problems with FTP -

35
00:03:21,320 --> 00:03:25,447
Obviously, there's a few that we've already mentioned

36
00:03:25,447 --> 00:03:29,943
such as passwords and information, your credentials are sent in clear text.

37
00:03:29,943 --> 00:03:37,738
This opens it up to a large amount of security vulnerabilities.

38
00:03:37,746 --> 00:03:42,113
People can use these sites that are easily cracked

39
00:03:42,127 --> 00:03:46,867
as warez sites and place their own stuff on them for transfer.

40
00:03:46,877 --> 00:03:51,694
Obviously, the stuff that they're putting on these websites is not user-friendly

41
00:03:51,694 --> 00:03:55,691
and likely constitutes a security violation all in itself.

42
00:03:55,707 --> 00:04:00,063
Maybe even criminal charges may be filed.

43
00:04:00,063 --> 00:04:07,775
So when you have FTP servers, your first basic rule is to make sure that they're secure.

44
00:04:07,775 --> 00:04:12,031
And a good way to do that is to use encryption and to try to lock it down.

45
00:04:12,031 --> 00:04:17,497
So obviously, you can see on the slide that there's a secure version of FTP.

46
00:04:17,497 --> 00:04:20,554
There's an SSH-based version of FTP.

47
00:04:20,554 --> 00:04:24,851
So there's ways that you can, you can secure yourselves

48
00:04:24,851 --> 00:04:29,121
so that you don't have some ongoing issues.

49
00:04:29,121 --> 00:04:34,170
And FTP can have some issues with firewalls and NATing.

50
00:04:34,170 --> 00:04:39,111
So one of the things that we were mentioning before is traversal.

51
00:04:39,111 --> 00:04:43,560
And you would be able to find and capture that with Wireshark as well.

52
00:04:43,560 --> 00:04:47,539
So you should be aware that you can have

53
00:04:47,539 --> 00:04:52,715
these issues where these devices will break FTP communications.

54
00:04:52,714 --> 00:04:59,597
And a way to find that is to obviously run a scan or run a capture

55
00:04:59,597 --> 00:05:05,335
on the client and on the server and take a look at the communications and see what's going on.

56
00:05:05,343 --> 00:05:10,157
You can look at the TCP stream and determine whether the data has been

57
00:05:10,161 --> 00:05:13,642
encrypted or decrypted or if there's a problem logging in or

58
00:05:13,634 --> 00:05:16,964
if there was any kind of communications issues.

59
00:05:16,964 --> 00:05:22,238
And you can also validate whether the session or the communication is being blocked

60
00:05:22,238 --> 00:05:27,657
or broken with network address translation.

61
00:05:27,657 --> 00:05:34,513
And here you can see, just from a simple capture, we were able to log in.

62
00:05:34,514 --> 00:05:44,429
We were able to basically get into a Unix box and function pretty easily, but again,

63
00:05:44,438 --> 00:05:48,281
the worst thing that you can see here is that everything is passed in clear text.

64
00:05:48,281 --> 00:05:54,261
So, a reminder if you're using Wireshark, please be conscious of the fact that

65
00:05:54,261 --> 00:05:58,526
you will be able to capture this information which may be against

66
00:05:58,526 --> 00:06:02,121
the company's policy, so just make sure that you are aware of that.

67
00:06:02,121 --> 00:06:09,730
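A small checker, added here and not part of the lecture, that walks a reassembled FTP control stream (the text Wireshark's Follow TCP Stream shows) and flags the three things the lecture says to look for: credentials sent before any AUTH TLS, whether the login succeeded, and a passive-mode reply whose advertised address differs from the server's, which is how a NAT or firewall breaks the data connection. The sample stream, the server address and the function and class names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed FTP control channel as "Follow TCP Stream" shows it (C: client, S: server); not a real capture.
SAMPLE_STREAM = """\
S: 220 (vsFTPd 3.0.3)
C: USER demo
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,80).
C: RETR driver.zip
"""
SERVER_IP = "203.0.113.10"  # assumed public address the client connected to (ip.dst in Wireshark)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class FtpFindings:
    cleartext_user: str = ""          # USER value seen before any AUTH TLS
    cleartext_password: bool = False  # PASS seen before any AUTH TLS
    login_result: str = "unknown"     # "success" (230) or "failed" (530)
    pasv_endpoint: tuple = ()         # (ip, port) the server advertised for the data channel
    nat_mismatch: bool = False        # advertised ip differs from the address we connected to

def analyse_ftp_stream(stream: str, server_ip: str) -> FtpFindings:
    """Walk the reassembled control stream and report the problems the lecture names."""
    f, protected = FtpFindings(), False
    for line in stream.splitlines():
        side, _, msg = line.partition(": ")
        if side == "C":
            cmd, _, arg = msg.partition(" ")
            if cmd.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
                protected = True  # explicit FTPS: later commands travel encrypted
            elif cmd.upper() == "USER" and not protected:
                f.cleartext_user = arg
            elif cmd.upper() == "PASS" and not protected:
                f.cleartext_password = True  # record the fact, never the password itself
        elif side == "S":
            if msg.startswith("230"):
                f.login_result = "success"
            elif msg.startswith("530"):
                f.login_result = "failed"
            m = PASV_RE.match(msg)
            if m:
                h1, h2, h3, h4, p1, p2 = m.groups()
                f.pasv_endpoint = (f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2))
                # A different (often private) address means NAT did not rewrite the reply, so the data connection fails.
                f.nat_mismatch = f.pasv_endpoint[0] != server_ip
    return f
```

Run it against a stream pasted from Follow TCP Stream (ASCII view) after replacing the direction markers; a capture that shows AUTH TLS before USER will report no cleartext credentials, which is the check for whether the server's encryption is actually in use.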