This 9-minute video demonstrates how an attacker can easily obtain the FTP password of a victim. The main reason is that the victim's FTP password is sent in clear, without using a secure channel.

This attack can be easily extended to the following scenarios:

  • The attacker and the victim may be connected to a wired network instead of wireless.
  • The attacker does not need to know the IP addresses of the server or the client.
  • The server is on a different network than the client.
  • The attacker may obtain the files of the victim, instead of the password.

The last item means that simply performing authentication over a secure channel will not be enough. To resolve this issue, a secure FTP mechanism must be used, where both the FTP authentication and file upload/download must occur via a secure channel. Standard mechanisms to create a secure channel include SSL and TLS. Interested reader may search for SFTP or SCP for secure FTP protocols.

 

The video was created by Cansın Yıldırım.

Basic FTP Password Attack