WEBVTT

00:00:07.740 --> 00:00:09.800
Okay, welcome back.

00:00:09.800 --> 00:00:14.220
In our next segment, we will talk about capturing FTP or file transfer

00:00:14.220 --> 00:00:20.720
protocol traffic for analysis to see if you can find issues with a simple

00:00:20.720 --> 00:00:24.020
FTP transfer of data.

00:00:24.020 --> 00:00:27.120
FTP, file transfer protocol.

00:00:27.120 --> 00:00:34.840
It's one of the oldest Unix-based TCP/IP protocols in existence.

00:00:34.840 --> 00:00:39.960
It was used to transfer data from one host to another and is still very

00:00:39.960 --> 00:00:45.940
relevant today. With the new technologies, we're obviously securing it

00:00:45.940 --> 00:00:50.580
either with SSH or its own secure functions, which adds encryption to

00:00:50.580 --> 00:00:58.420
it. The reason for this is because it is extremely unsecure in its native

00:00:58.420 --> 00:01:03.720
format. It will send information in clear text, including credentials

00:01:03.720 --> 00:01:06.280
and the data that's being sent.

00:01:06.280 --> 00:01:12.680
So although it's very helpful, it's a very helpful protocol.

00:01:12.680 --> 00:01:15.540
It is also very unsecure.

00:01:15.540 --> 00:01:22.460
So with Wireshark, basically you capture FTP data to look at the communication

00:01:22.460 --> 00:01:28.420
stream. It's very lightweight, although it does use TCP as an underlying

00:01:28.420 --> 00:01:34.800
mechanism so that it can guarantee the transfer of the data via TCP, but

00:01:34.800 --> 00:01:38.020
it is generally lightweight.

00:01:38.020 --> 00:01:43.360
And as we mentioned before, it can capture text that you're sending in

00:01:43.360 --> 00:01:46.960
clear text, so highly unsecure.

00:01:46.960 --> 00:01:52.120
You can also use Wireshark to find issues with traversal, which we'll

00:01:52.120 --> 00:01:54.340
get into momentarily.

00:01:54.340 --> 00:01:59.740
And as you can see here, capturing FTP is actually very easy.

00:01:59.740 --> 00:02:03.980
Simply open up Wireshark, run a capture.

00:02:03.980 --> 00:02:08.940
And then for this example, what I did was I just opened up an FTP session

00:02:08.940 --> 00:02:15.280
to a website. I chose one where I can download files as an example.

00:02:15.280 --> 00:02:20.980
A lot of your printer drivers and so on for your systems can be accessed

00:02:20.980 --> 00:02:24.860
this way. And it's very common to access them this way.

00:02:24.860 --> 00:02:31.940
So what I did was I ran an FTP and did some work on it.

00:02:31.940 --> 00:02:37.540
And interestingly, when I was able to pull this up in Wireshark, I was

00:02:37.540 --> 00:02:42.900
shown specifically the transmission in clear text.

00:02:42.900 --> 00:02:51.320
So if I just run a filter on FTP and I pull up the TCP stream, I can see

00:02:51.320 --> 00:02:56.140
that my login credentials were sent in clear text.

00:02:56.140 --> 00:03:02.260
And basically, the login was successful and I was able to transfer some

00:03:02.260 --> 00:03:08.520
data. So capturing FTP with Wireshark is actually very easy.

00:03:08.520 --> 00:03:12.980
Here we showed you some specifics with how to filter for it and how to

00:03:12.980 --> 00:03:17.320
pull up the stream to look at the entire conversation.

00:03:17.320 --> 00:03:22.180
So problems with FTP?

00:03:22.180 --> 00:03:26.660
Obviously, there's a few that we've already mentioned such as passwords

00:03:26.660 --> 00:03:27.780
and information.

00:03:27.780 --> 00:03:30.480
Your credentials are sent in clear text.

00:03:30.480 --> 00:03:38.020
This opens it up to a large amount of security vulnerabilities.

00:03:38.020 --> 00:03:43.520
People can use these sites that are easily cracked as warez sites and place

00:03:43.520 --> 00:03:47.180
their own stuff on them for transfer.

00:03:47.180 --> 00:03:50.980
Obviously, the stuff that they're putting on these websites is not user

00:03:50.980 --> 00:03:55.820
friendly and likely constitutes a security violation all in itself.

00:03:55.820 --> 00:04:00.060
Maybe even criminal charges may be filed.

00:04:00.060 --> 00:04:06.500
So when you have FTP servers, your first basic rule is to make sure that

00:04:06.500 --> 00:04:10.560
they're secure. And a good way to do that is to use encryption and to

00:04:10.560 --> 00:04:11.520
try to lock it down.

00:04:11.520 --> 00:04:16.400
So obviously, here you can see in the slide that there's a secure version

00:04:16.400 --> 00:04:20.580
of FTP. There's an SSH-based version of FTP.

00:04:20.580 --> 00:04:26.260
So there's ways that you can secure yourself so that you don't have some

00:04:26.260 --> 00:04:34.220
ongoing issues. And FTP can have some issues with firewalls and NATing.

00:04:34.220 --> 00:04:38.760
So one of the things that we were mentioning before is traversal.

00:04:38.760 --> 00:04:43.660
And you will be able to find and capture that with Wireshark as well.

00:04:43.660 --> 00:04:49.840
So you should be aware that you can have these issues where these devices

00:04:49.840 --> 00:04:52.580
will break FTP communications.

00:04:52.580 --> 00:04:58.980
And the way to find that is to obviously run a scan or run a capture

00:04:58.980 --> 00:05:02.620
on the client and on the server and take a look at the communications

00:05:02.620 --> 00:05:05.300
and see what's going on.

00:05:05.300 --> 00:05:10.140
You can look at the TCP stream and determine whether the data has been

00:05:10.140 --> 00:05:14.260
encrypted or decrypted or if there's a problem logging in or if there

00:05:14.260 --> 00:05:17.000
was any kind of communications issues.

00:05:17.000 --> 00:05:20.980
And you can also validate whether the session or the communication is

00:05:20.980 --> 00:05:26.940
being blocked or broken with network address translation.

00:05:26.940 --> 00:05:33.680
And here you could see just from a simple capture, we were able to log

00:05:33.680 --> 00:05:42.600
in. We were able to basically get into a Unix box and function pretty

00:05:42.600 --> 00:05:46.600
easily. But again, the worst thing that you could see here is that everything

00:05:46.600 --> 00:05:48.380
is passed in clear text.

00:05:48.380 --> 00:05:53.520
So a reminder if you're using Wireshark, please be conscious of the fact

00:05:53.520 --> 00:05:58.220
that you will be able to capture this information, which may be against

00:05:58.220 --> 00:06:01.520
the company's policies, so just make sure that you're aware of that.