.

Telnet/FTP Security Question

<<

dirtmaster88

Newbie
Newbie

Posts: 1

Joined: Wed Sep 03, 2008 12:00 pm

Post Wed Sep 03, 2008 12:26 pm

Telnet/FTP Security Question

Hello All,

This is my very first post here.

I've started my own project here at work to give hard proof to others that protocols such as ftp and telnet are very insecure. I am having a hard time trying to give real life examples of what could happen because any sort of sniffing I've done has been inside the network. I've taken a beginner's course on security which we touched a few basic parts of wireshark and cain/abel. I've been able to sniff my telnet/ftp traffic on my workstation and see everything in clear text but I just cant seem to figure out how I could sniff the traffic of a remote machine (on a switched network). What would be ideal is if I could somehow sniff the traffic from my house and show that everything is in complete clear text. Could someone point me in the right direction? I know many tools require command line and I am very familiar with that as I am the *NIX administrator here.

Thank You!
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Sep 03, 2008 2:29 pm

Re: Telnet/FTP Security Question

First of all, welcome to EH-Net.

Secondly, here are a few things to go on:

1. Cain & Abel for man-in-the-middle attacks to be able to grab switched traffic. See video from our very own Brian Wilson.

2. One could always get in through a wireless AP, and therefore then be on the same network segment as others in your company. This would also allow sniffing directly or via MITM.

3. Client-side attacks are the biggest thing right now. Get someone to click on a "bad" link in a browser, install some kind of malware, capture local traffic with a sniffer or keylogger, send passwords back to the bad guy.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Wed Sep 03, 2008 3:05 pm

Re: Telnet/FTP Security Question

"Inside" the network is where sniffing is done.  Well unless you hack the server of the ISP or intercept the traffic before it reaches the destination modem, but good luck doing that. 
<<

unicityd

User avatar

Full Member
Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Sep 03, 2008 6:25 pm

Re: Telnet/FTP Security Question

There are two things that I think you need to impress on your employers.

1) Someone can eventually find a way in.  An attacker only needs one misconfiguration or unpatched vulnerability to get access to some system.  Even if you have good security practices and are patched up-to-date, a new exploit could be released tomorrow that leaves you vulnerable to every script kiddie who decides to take a poke at you.

2) Once an attacker gets in, he usually wants to keep his access and move to other systems within the network.  The primary means of expanding his access are cracking passwords, or otherwise stealing credentials from the first machine, and sniffing the network to get other credentials.  Many people don't believe that it's possible to sniff switched networks, but many also think the Earth is flat.  Tools such as Cain and Abel, and Dsniff have made sniffing on switched networks relatively easy.

Good security isn't only about keeping the bad guys out, it's also about containing the damage once they get in.  If an attacker gets into one machine and can then sniff FTP, telnet, POP, LM/NTLM, you're wide open.  If he gets in but has limited network access (due to firewalls, VLANs), is unable to crack the passwords on the system, and can't sniff any useful traffic, he has a much more difficult task ahead of him.  That's not to say that he can't still own the whole network, but it raises the bar significantly in terms of skill and time.  Increased time is increased risk for the attacker; the longer he is logged in and putzing around on your systems, the more likely he is to get caught (especially if you have good logging and some IDS in place.)

Cheers.
BS in IT, CISSP, MS in IS Management (in progress)
<<

KrisTeason

User avatar

Hero Member
Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Thu Sep 04, 2008 9:35 am

Re: Telnet/FTP Security Question

nice first post unicityd. very nice indeed.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

vijay2

Full Member
Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Sep 04, 2008 10:02 am

Re: Telnet/FTP Security Question

Very nicely said indeed,

I will just add -

The key to security these days is the buzz word "Defense in Depth", layered security. It is all about protecting your crown jewel "the data" with multiple layers of protection and having some good ways to monitor yr defenses for breaches. Its not the question of "if" your network will be breached but "when" it will be breached. Patching, Anti virus, good password policies are great start but there is a zero day for something everyday, mostly with the client and application softwares and i guess there are no protections for "zero days" yet. In that case the layered enclaves are only way to slow down the attacker and protecting your most precious day.

Ummm .. I guess thats what we all need to emphasize to our employers
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Thu Sep 04, 2008 10:18 am

Re: Telnet/FTP Security Question

Some good information in this topic, so well done all.
The next challenge comes in securing the funding for these improvements.

Businesses want to make money (dont we all), and when you make recomendations to be pro-active, they often want to know the ROI. It can be a battle to make a company understand how security plays a part in loss prevention, and being less reactive.

Keeps us guys and gals of the streets though :)
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Thu Sep 04, 2008 10:52 am

Re: Telnet/FTP Security Question

We test systems all the time and always find FTP or telnet in use. The good thing for us is that the systems are on a closed system, but because telnet and ftp transmit user names and passwords in the clear, any one on the network with a sniffer can get them. So even on the inside, don't discount the threat posed by another insider. They already have physical access to your network, it is just a matter of gaining greater access. Most people are lazy about user names and passwords and often use the same for multiple accounts.
Lets say you have a sysadmin with user name jdoe and a password of passwd for his system. Lets then say he uses it for and ftp session and that gets picked up by some one else on the network with a sniffer that does not have complete admin rights. That person could then try jdoe's credentials to gain greater access to the system. The moral here is that whether a person is on the outside or inside, clear text protocols like ftp and telnet are a bad idea.
Mike Conway
CISSP
CompTia Security +
C|EH
<<

vijay2

Full Member
Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Sep 04, 2008 11:15 am

Re: Telnet/FTP Security Question

To take your discussion further, agreed that the clear text protocols are threat from insiders on a closed network, but, what if a client is compromised by the attacker and then all he has to do is wait and sniff the traffic "inside" to get the user name and password to either escalate his privileges or pivot to other systems with the sniffed user name and passwords.
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Sep 04, 2008 11:29 am

Re: Telnet/FTP Security Question

FTP itself may or may not be a threat, depending on the contents of the FTP files and exploitability of the FTP app from within.  You can also set up FTP to be anonymous, in which case this argument is dead.

Telnet itself isn't necessarily a threat - it's the use of telnet to log into a system (ok, technically, it's the transmittal of username and password in cleartext, but you get the idea).  If you intend to allow remote logins, you might as well dictate in the corporate policy that ssh be used.  And if you go that route, you might as well require putty to be used for file transfers.

FTP and telnet (for logging in) are obsolete protocols in 90% of the cases today, and the alternatives are certainly not difficult to implement.  Also, on a tangent, I am baffled why people continue to use telnet in the first place - netcat is much more powerful, and doesn't have the problem of data manipulation that telnet has (...steps off soap box).
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

vijay2

Full Member
Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Sep 04, 2008 11:36 am

Re: Telnet/FTP Security Question

Well I tend to disagree that FTP and telnet are dead protocol, i still find about 80% of environment use these in some form or other, Agreed that netcat is more powerful than telnet but there are certain limitation using netcat (shell) over telnet (terminal).

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Sep 04, 2008 2:35 pm

Re: Telnet/FTP Security Question

vijay2 wrote:...there are certain limitation using netcat (shell) over telnet (terminal).


I'm curious what you see as the advantages telnet have over netcat.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

dean

Post Thu Sep 04, 2008 2:47 pm

Re: Telnet/FTP Security Question

The argument that a person should use netcat over telnet or ftp is absurd. Think AV. Most will flag and quarantine it.

Also, to answer the original question:

1. You will not be able to sniff traffic from your home without access to the network directly (vpn, etc...)

2. MITM is generally layer 2. Arp spoofing/cache poisoning will allow the attack you are thinking of. Ettercap or scapy can do that for you if you prefer *nix.

3. If it's just sniffing a switched environment look at a tool like Yersinia to manipulate the switch port accordingly.

Telnet and FTP are unfortunately not dead protocols. I'm in environments all the time where they are the only way to access and manage legacy applications/devices/etc...

Implementing SSH as an alternative can become a problem when you have thousands of devices in multiple locations requiring code upgrades or firmware upgrades. Not to mention the issue of change control and management. Does that make it acceptable? I don't know. Look at the risk associated with it and then decide. 
<<

geekyone

User avatar

Full Member
Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Thu Sep 04, 2008 2:57 pm

Re: Telnet/FTP Security Question

The argument that a person should use netcat over telnet or ftp is absurd. Think AV. Most will flag and quarantine it.


If you were using Netcat as an administrative tool this wouldn't be a problem because you could exclude Netcat from the AV.
CISSP, CEH, GPEN, GCIH, GCFA
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Thu Sep 04, 2008 3:10 pm

Re: Telnet/FTP Security Question

dean wrote:The argument that a person should use netcat over telnet or ftp is absurd. Think AV. Most will flag and quarantine it.


As geekyone posted, netcat can be excluded from anti-virus rules.  Plus, I think symantec is the only av company that's put it on it's default quarantine list (I may be wrong on that one).

The argument still stands, though, that netcat is a better tool than telnet, especially with the ability to process raw traffic.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software