Chapter 10 What is the FTP password?

10.1 Objects in memory/packages loaded from preceding chapters

Objects available:

  • read_zeek_log() — helper function to read Zeek log files (Chapter 3)
  • packets — data frame of PCAP packet data (Chapter 4)
  • conn — Zeek conn.log data (Chapter 5)
  • hosts — tshark host/IP file (Chapter 8)

Packages:

  • {tidyverse}

10.2 Question Setup

We mentioned in a previous chapter that PCAPs contain all the details of network exchanges between hosts. When this information is not encrypted, anyone on the network, or in possession of a capture such as this, can see the payloads. This quest helps underscore how terribly insecure bare FTP is. However, since FTP will be around for some time to come, knowing where and how to look for answers to FTP questions will be a necessary skill.

10.3 Solving the quest with R and Zeek ftp.log

This one is almost too easy. Because we used Zeek to pre-process the PCAP file, we have all the FTP session information available in the ftp.log log file. One of the fields in that file is (you guessed it) password:

# read in the Zeek ftp.log — this will now be in memory for future reference

(ftp <- read_zeek_log("maze/ftp.log"))
## # A tibble: 10 x 19
##         ts uid    id.orig_h id.orig_p id.resp_h id.resp_p user  password command
##      <dbl> <chr>  <chr>         <dbl> <chr>         <dbl> <chr> <chr>    <chr>  
##  1  1.62e9 CNQEH… 192.168.…     48794 192.168.…        21 kali  AfricaC… PASV   
##  2  1.62e9 CNQEH… 192.168.…     48794 192.168.…        21 kali  AfricaC… PASV   
##  3  1.62e9 CWIAn… 192.168.…     48800 192.168.…        21 kali  AfricaC… PASV   
##  4  1.62e9 CWIAn… 192.168.…     48800 192.168.…        21 kali  AfricaC… STOR   
##  5  1.62e9 CWIAn… 192.168.…     48800 192.168.…        21 kali  AfricaC… PASV   
##  6  1.62e9 CWIAn… 192.168.…     48800 192.168.…        21 kali  AfricaC… PASV   
##  7  1.62e9 CWIAn… 192.168.…     48800 192.168.…        21 kali  AfricaC… STOR   
##  8  1.62e9 CWIAn… 192.168.…     48800 192.168.…        21 kali  AfricaC… PASV   
##  9  1.62e9 Cq6vw… 192.168.…     48810 192.168.…        21 kali  AfricaC… PASV   
## 10  1.62e9 Cq6vw… 192.168.…     48810 192.168.…        21 kali  AfricaC… RETR   
## # … with 10 more variables: arg <chr>, mime_type <chr>, file_size <chr>,
## #   reply_code <dbl>, reply_msg <chr>, data_channel.passive <chr>,
## #   data_channel.orig_h <chr>, data_channel.resp_h <chr>,
## #   data_channel.resp_p <chr>, fuid <chr>
distinct(ftp, password)
## # A tibble: 1 x 1
##   password     
##   <chr>        
## 1 AfricaCTF2021
# or with Base R

unique(ftp$password)
## [1] "AfricaCTF2021"
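Pulling the password out answers the quest, but a defender reading the same log wants to know which accounts were exposed, from where, and what moved over the cleartext channel. The following is an added example (not from the book): the tibble is constructed sample data in the shape of ftp.log, not maze/ftp.log, and both functions are my own rather than part of the chapter's toolkit.

```r
library(tidyverse)

# Constructed rows in the shape of Zeek's ftp.log (assumption: sample values,
# not the book's maze/ftp.log). Zeek only records the password when password
# capture is enabled; otherwise the column holds "<hidden>".
ftp_sample <- tribble(
  ~ts,        ~uid,     ~id.orig_h,       ~id.resp_h,       ~user,       ~password,          ~command, ~arg,
  1620000000, "CNQEH1", "192.168.100.50", "192.168.100.60", "kali",      "s3cret-example",   "PASV",   NA,
  1620000001, "CNQEH1", "192.168.100.50", "192.168.100.60", "kali",      "s3cret-example",   "RETR",   "secret.txt",
  1620000010, "CWIAn2", "192.168.100.50", "192.168.100.60", "kali",      "s3cret-example",   "PASV",   NA,
  1620000011, "CWIAn2", "192.168.100.50", "192.168.100.60", "kali",      "s3cret-example",   "STOR",   "report.pdf",
  1620000020, "Cq6vw3", "192.168.100.51", "192.168.100.60", "anonymous", "user@example.com", "LIST",   NA,
  1620000030, "Czzz4",  "192.168.100.52", "192.168.100.61", "backup",    "<hidden>",         "STOR",   "db.sql"
)

# One row per FTP session (uid): who logged in where, whether the password is
# readable in the log, and which files moved over the cleartext channel.
ftp_cred_exposure <- function(ftp) {
  ftp %>%
    group_by(uid, id.orig_h, id.resp_h, user) %>%
    summarise(
      first_seen = min(ts),
      password   = first(password),
      cleartext  = !is.na(password) & !password %in% c("<hidden>", "-"),
      anonymous  = any(user %in% c("anonymous", "ftp")),
      n_commands = n(),
      files      = paste(unique(na.omit(arg[command %in% c("RETR", "STOR")])),
                         collapse = ";"),
      .groups = "drop"
    ) %>%
    arrange(first_seen)
}

# Distinct (server, user, password) triples anyone holding the PCAP could read:
# the list a defender would use to drive credential rotation.
exposed_credentials <- function(ftp) {
  ftp_cred_exposure(ftp) %>%
    filter(cleartext, !anonymous) %>%
    distinct(id.resp_h, user, password)
}

ftp_cred_exposure(ftp_sample)
exposed_credentials(ftp_sample)
```

Run it against the real `ftp` tibble read in above and the same two calls give the per-session view for the capture, with the anonymous and `<hidden>` cases filtered out of the rotation list.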

While this chapter was short, we’ll be revisiting FTP in future chapters.