Intercepting an FTP Service & Retrieving User Credentials
After learning the mechanism of intercepting non-HTTP requests, I will now try to intercept an FTP service. I am running one VM as the user/client; this user attempts to log in to the FTP service and upload and download some files from there.
Before moving to the interception phase, I need to do some passive reconnaissance on a server that is running the FTP service. In this scenario, I'm using my friend's running server {Chill :) I have already contacted my friend and asked for his permission; this is for educational purposes only}.
With help from Nmap, I scan for every open port:
Now I'm going to see which version of the FTP service is running:
Since I'm running Burp Suite on Windows, I now need to make sure that my VM is on the same network as my running Burp Suite extension (NoPE Proxy):
Done… Now I need to configure my VM's DNS address so that it is the NoPE Proxy address:
Moving to the next step, I send a request to the target server and monitor the request:
Next, I configured the Non-HTTP Proxy and set the Server Address, Server Port, and Listener Port according to the request information that I had already captured. Then I simply enable it once the configuration is finished.
Now I need to check whether the FTP service allows anonymous login:
Hmmm… it seems that the FTP service disables anonymous login, so I asked my friend to make me a low-privilege user credential to log in to the FTP service…
Intercepting Time
Now I move to the TCP Intercept tab, turn on the intercept button, and get ready to intercept every user input:
Now I try to input the user credentials that my friend gave me:
Here in the TCP History tab you can monitor every request and response between the client and the server, so you can retrieve anything the client inputs (e.g. username, password & commands).
Note: You can modify the request in the TCP Intercept tab before the client's request reaches the server, or before the server's response reaches the client.
Prevention
- Disable the anonymous login configuration.
- Hide the banner: when anyone tries to enumerate the FTP banner, they get nothing from it because the service version is hidden (if the service version is leaked, anyone can search the internet for an exploit for that version and use it).
- Use an SSL certificate: every request and response between the client and the server can then be encrypted, preventing sniffing and interception. By installing an SSL certificate on the FTP server, your FTP server becomes more secure (FTPS).
- Use SFTP: with SFTP every data transfer and connection is much more secure, because you use the SSH port to transfer data and every request is encrypted over SSH. Every SSH server provides SFTP, so feel free to use it.
- Set an iptables rule for account lockout: with an iptables rule policy, an anonymous user cannot perform a brute-force attack, since you can limit the number of login attempts and lock the user out for a certain number of minutes if they enter the wrong password several times (you can use the FTP server log to see every IP address that is attempting a brute-force attack).
- Allow or filter the specific IPs that can connect to the FTP server.
Note: you can also use port forwarding if you want a specific person to access your FTP server, so you know exactly who outside your private network is connecting to your internal network.
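The cleartext USER/PASS exchange that shows up in TCP History, and the failed-login counting that the iptables lockout rule relies on, can both be checked offline from a control-channel capture. The Python below is an added example of mine, not code from the original post or from NoPE Proxy; it assumes a constructed, simplified log format of `<client ip> <C|S> <text>` per line and flags clients that sent PASS without first negotiating AUTH TLS, records the 220 banner (version disclosure), and counts 530 failures per client.

```python
from collections import defaultdict

# Constructed sample of an FTP control channel, one message per line:
# "<client ip> <C|S> <text>", C = client->server, S = server->client.
# Not a real capture; hosts, banner and credentials are made up.
SAMPLE_LOG = """\
10.0.0.5 S 220 (vsFTPd 3.0.3)
10.0.0.5 C USER lowpriv
10.0.0.5 S 331 Please specify the password.
10.0.0.5 C PASS hunter2
10.0.0.5 S 230 Login successful.
10.0.0.9 C AUTH TLS
10.0.0.9 S 234 Proceed with negotiation.
10.0.0.7 C USER admin
10.0.0.7 C PASS guess1
10.0.0.7 S 530 Login incorrect.
10.0.0.7 C USER admin
10.0.0.7 C PASS guess2
10.0.0.7 S 530 Login incorrect.
10.0.0.7 C USER admin
10.0.0.7 C PASS guess3
10.0.0.7 S 530 Login incorrect.
"""

def analyze(log):
    """Per client IP: leaked banner, usernames, cleartext PASS count, 530 failures."""
    tls_clients = set()
    findings = defaultdict(lambda: {"banner": None, "usernames": [],
                                    "cleartext_pass": 0, "failures": 0})
    for line in log.splitlines():
        ip, direction, text = line.split(" ", 2)
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_clients.add(ip)            # later commands are encrypted
            elif verb == "USER":
                findings[ip]["usernames"].append(arg)
            elif verb == "PASS" and ip not in tls_clients:
                findings[ip]["cleartext_pass"] += 1   # what TCP History shows
        elif text.startswith("220"):
            findings[ip]["banner"] = text[4:]         # version disclosure
        elif text.startswith("530"):
            findings[ip]["failures"] += 1
    return dict(findings)

def lockout_candidates(findings, max_failures=3):
    """IPs at or above the failure threshold an iptables lockout rule would use."""
    return sorted(ip for ip, f in findings.items() if f["failures"] >= max_failures)
```

The same logic applies to a real FTP server log or a pcap export once the parsing of the first three fields is adapted to that format.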