1
00:00:00,330 --> 00:00:00,570
Okay.

2
00:00:00,570 --> 00:00:05,700
So in this video, I'm going to show you how to capture FTP off the wire using pyshark.

3
00:00:05,939 --> 00:00:08,610
So I'm using a Python script once again.

4
00:00:08,820 --> 00:00:10,370
I'm importing pyshark.

5
00:00:10,380 --> 00:00:13,390
I'm doing a live capture on Ethernet zero.

6
00:00:13,410 --> 00:00:19,170
So this Ubuntu host is going to be capturing traffic in real time on Ethernet zero.

7
00:00:19,560 --> 00:00:26,550
And then I've got a loop here saying that for packet in capture, if it's an FTP packet, so look for

8
00:00:26,550 --> 00:00:27,770
FTP in the packet.

9
00:00:27,780 --> 00:00:30,870
In other words, find out if it's an FTP packet.

10
00:00:31,380 --> 00:00:37,650
This is a try and exception rule which basically says try and do something.

11
00:00:37,650 --> 00:00:39,390
If there's a problem with the output.

12
00:00:39,390 --> 00:00:39,570
Yeah.

13
00:00:39,600 --> 00:00:42,570
Then just continue with the script.

14
00:00:42,570 --> 00:00:43,830
Don't break the script.

15
00:00:44,690 --> 00:00:46,070
So try and do the following.

16
00:00:46,340 --> 00:00:48,700
Output equals packet dot FTP.

17
00:00:48,710 --> 00:00:50,840
So we're looking for an FTP packet.

18
00:00:50,840 --> 00:01:00,800
And then if we find user in this output, which I've made a string, print username and then print the

19
00:01:00,800 --> 00:01:08,000
actual output as a string, otherwise, in other words else if, look for pass in the string and then print

20
00:01:08,090 --> 00:01:09,470
this output out.

21
00:01:10,140 --> 00:01:12,120
So it's actually going to be easier just to show you this.

22
00:01:12,130 --> 00:01:17,940
So let's run the script and then I'll show you what it's doing exactly again.

23
00:01:19,220 --> 00:01:21,650
So I'll create a script called ftp.py.

24
00:01:21,650 --> 00:01:23,810
Paste that script in.

25
00:01:24,410 --> 00:01:27,380
So this is a very basic script that I've written once again.

26
00:01:27,380 --> 00:01:31,790
So cat ftp.py, there's a very basic script.

27
00:01:32,060 --> 00:01:34,730
What I'll do now is run that script.

28
00:01:34,730 --> 00:01:37,610
So python ftp.py.

29
00:01:37,640 --> 00:01:40,540
So Python 3 running

30
00:01:40,550 --> 00:01:41,030
ftp.py.

31
00:01:41,540 --> 00:01:43,250
Nothing's happening at the moment.

32
00:01:43,610 --> 00:01:45,830
But what I'll do is copy

33
00:01:47,250 --> 00:01:52,050
the running config from the router to the toolbox server.

34
00:01:52,290 --> 00:01:59,310
So the first thing I need to do is specify an FTP username, which in this case I'm going to specify

35
00:01:59,310 --> 00:02:05,010
as root, and FTP password in this case is going to be three.

36
00:02:05,460 --> 00:02:12,270
That is the username and password that I need to use on the FTP server which is running on Toolbox one.

37
00:02:12,720 --> 00:02:15,800
So this is the FTP server.

38
00:02:15,900 --> 00:02:18,210
IP address ends in 99.

39
00:02:18,930 --> 00:02:21,850
So let's get that onto console.

40
00:02:21,930 --> 00:02:23,160
Up here it is.

41
00:02:23,400 --> 00:02:24,990
And then on the router.

42
00:02:26,210 --> 00:02:33,650
What I'll do now is copy the running config from the router to the FTP server.

43
00:02:33,680 --> 00:02:42,140
IP address 100 21681 2299, that's the IP address of the toolbox server; config will be that.

44
00:02:42,530 --> 00:02:47,540
This will then log into the FTP server and copy the config, which it's done.

45
00:02:47,570 --> 00:02:49,130
Notice writing config.

46
00:02:49,130 --> 00:02:50,120
That's been done.

47
00:02:50,120 --> 00:02:52,100
But notice on my Ubuntu host.

48
00:02:52,100 --> 00:02:57,950
I can see username is root, password is DNS three.

49
00:02:58,890 --> 00:03:04,230
I've just formatted the output nicely using this little script.

50
00:03:04,860 --> 00:03:07,200
So looking for user.

51
00:03:07,230 --> 00:03:11,490
There it found it, prints this output.

52
00:03:11,730 --> 00:03:13,520
So prints username.

53
00:03:13,530 --> 00:03:14,520
There we go.

54
00:03:15,240 --> 00:03:16,590
Prints the output.

55
00:03:16,980 --> 00:03:18,210
That's what it's captured.

56
00:03:18,210 --> 00:03:25,920
So the FTP layer, in other words, in the OSI model, it's not layer two, it's not layer three,

57
00:03:25,920 --> 00:03:26,930
it's higher layers.

58
00:03:26,930 --> 00:03:30,360
So this is actually an application; FTP runs on TCP.

59
00:03:30,360 --> 00:03:34,860
So it's not layer two, Ethernet, not three, which is IP, not four, which is TCP.

60
00:03:34,890 --> 00:03:36,600
It's layers 5 to 7.

61
00:03:37,110 --> 00:03:39,960
FTP username is this.

62
00:03:41,370 --> 00:03:43,440
Password is gen three.

63
00:03:43,470 --> 00:03:45,060
You can see that in the output there.

64
00:03:45,330 --> 00:03:49,120
So it's looking for the username, looking for the password and essentially printing it out.

65
00:03:49,140 --> 00:03:51,030
So let's do that again.

66
00:03:51,480 --> 00:03:55,230
Copy running config ftp, FTP server is this.

67
00:03:55,800 --> 00:04:02,610
Notice once again that I'm copying the config from this router to this toolbox, but because I'm running

68
00:04:02,610 --> 00:04:05,910
SPAN here, the Ubuntu client is seeing this.

69
00:04:06,480 --> 00:04:13,230
Now you could use hacking tools like Ettercap to poison the network or you could do other things such

70
00:04:13,230 --> 00:04:19,260
as set up a rogue DHCP server and default gateway to manipulate where traffic goes.

71
00:04:19,260 --> 00:04:23,490
And I'll show you some of those using Kali Linux in this course.

72
00:04:24,180 --> 00:04:28,350
So copy the config to the FTP server.

73
00:04:28,350 --> 00:04:29,130
It's done.

74
00:04:29,130 --> 00:04:32,880
And notice there again is a username and password.

75
00:04:33,120 --> 00:04:44,190
So you could once again run the script and simply get this running in the background and save it to

76
00:04:44,190 --> 00:04:50,700
a file or email it to you or do something else so that you get the username and password off the wire.

77
00:04:51,500 --> 00:04:51,710
Okay.

78
00:04:51,710 --> 00:04:53,390
So that was an example of FTP.

79
00:04:53,420 --> 00:04:55,040
Let's try telnet.

80
00:04:55,370 --> 00:04:56,970
Telnet is not a good idea.

81
00:04:56,990 --> 00:05:00,860
Neither is FTP, or other clear-text protocols, in a network.

82
00:05:00,860 --> 00:05:03,620
We should use encrypted protocols whenever possible.