Here is a tool called NetworkMiner, which is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer or packet capturing tool to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for offline analysis and regenerate or reassemble transmitted files and certificates from them.

You would be surprised to know how easy it is to do this with NetworkMiner. Just download, extract and run NetworkMiner. I then selected the network adapter that I'd be sniffing and clicked the Start button to start sniffing. I connected to my server's FTP and uploaded a file called CD-konboot-v1.1-2in1.zip. Now take a look at NetworkMiner. It managed to reassemble 2 files, and one of them is CD-konboot-v1.1-2in1.zip. I just need to right-click on the file and select either open file or open folder to access the file. If you look at the credentials tab, NetworkMiner also managed to capture the FTP username and password.
FTP security is weak; that's why there is SFTP. SFTP, or Secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Its functionality is similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.
There is another similar tool, mainly used to capture and reassemble files uploaded to or downloaded from FTP, called FTPXerox. It was written to demonstrate the fact that any "clear-text" file transfer protocol is susceptible to such attacks. It implements a full end-to-end TCP re-assembly engine that watches for FTP transfers. Once the engine detects an FTP file transfer, it grabs the file off the wire and stores it in a local file. It is quite intelligent in the sense that it can reconstruct exact file names and even grab binary files! FTPXerox is a very old tool released in 2001, and it does NOT support PASV mode file transfers.
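As an added example (not part of the original post, and not code from NetworkMiner or FTPXerox), the Python code below audits a constructed FTP control-channel transcript: it flags credentials sent in the clear and works out each transfer's data-channel endpoint from either a client PORT command (active mode) or a server 227 reply (PASV mode, the case FTPXerox does not support). The session lines, addresses, user name and function names are assumptions made for illustration.

```python
import re

# Constructed sample of FTP control-channel lines: "C" = client, "S" = server.
SAMPLE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS example-password"),
    ("S", "230 Login successful"),
    ("C", "PORT 192,0,2,10,19,137"),
    ("S", "200 PORT command successful"),
    ("C", "STOR CD-konboot-v1.1-2in1.zip"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,20,195,80)"),
    ("C", "RETR report.txt"),
]

# h1,h2,h3,h4,p1,p2 as used by both PORT arguments and 227 replies.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if invalid."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def audit_session(lines):
    """Summarise what a passive observer learns from one control connection."""
    report = {"user": None, "password_exposed": False, "transfers": []}
    mode, endpoint = None, None
    for direction, line in lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if direction == "C" and verb == "USER":
            report["user"] = arg
        elif direction == "C" and verb == "PASS":
            report["password_exposed"] = True  # the value itself is not stored
        elif direction == "C" and verb == "PORT":  # active: client names the endpoint
            mode, endpoint = "active", parse_hostport(arg)
        elif direction == "S" and verb == "227":   # passive: server names the endpoint
            mode, endpoint = "passive", parse_hostport(arg)
        elif direction == "C" and verb in ("STOR", "RETR", "APPE"):
            report["transfers"].append(
                {"cmd": verb, "file": arg, "mode": mode, "endpoint": endpoint})
            mode, endpoint = None, None  # each transfer needs a fresh PORT/PASV
    return report
```

The extended commands EPRT and EPSV are not handled here; a session that uses them would show transfers with no mode or endpoint.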