June 9, 2016

Analysing FTP traffic using Wireshark - The Logical Kid

Hello! I am back with a new post, and this one deals with analysing FTP traffic using Wireshark.
We will identify the data sent and received over FTP and retrieve any files that were downloaded or uploaded.

Pre-requisites:
* Wireshark
* a PCAP file which may have FTP traffic captured. I have got my own; if you do not have one, you can download it from here.

Let's begin!
1. Open the pcap file in Wireshark.
2. To find out if there is any FTP traffic in it, just apply the filter 'ftp' in the display filter.

3. Now that you can see FTP traffic, find out if any data was downloaded by a user. To do so, apply the display filter ftp.request.command=="RETR"

4. You can see retrieve (RETR) requests in a few frames; let us look at frame number 767, which is the first instance.

5. Now clear the filters and scroll up to a couple of packets before frame 767. If you look at frame number 762, the "Info" column gives some information. If you click on the "Packet Details" pane and expand "File Transfer Protocol (FTP)" as shown in the picture below, you will find a field called "passive port". Note down the port number in that field and also the source IP address of that frame.

We found that the IP address is 149.20.20.135 and the port number is 30893.

6. Now we need to find any activity to or from the IP address 149.20.20.135 over port 30893.
To achieve this, apply the following filter in Wireshark: ip.src==149.20.20.135 and tcp.port==30893
We get the following output.

7. What next? Look at frame number 765: we can see activity over port 30893 from the source IP 149.20.20.135. Let's "Follow TCP stream".

8. Select the data from the source (149.20.20.135) to the destination.

9. In step 3 we saw that the user had requested the download of a .rpm file, so let us assume for the time being that this stream carries the same file. Save the stream content as "something.rpm".

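The passive-port lookup of steps 5 and 6, as an added Python example that is not part of the original post: it reads a constructed FTP control-channel transcript (the server IP and port are the ones found above; the file names are made up), turns each passive-mode reply into the data-channel address plus the Wireshark display filter for it, and pairs it with the RETR or STOR that follows. It goes slightly beyond the post by also handling EPSV (229) replies and uploads, and uses ip.addr instead of ip.src so both directions of the data channel match.

```python
import re

# Constructed control-channel transcript (not from the original capture).
# The 227 reply encodes 149.20.20.135 and port 120*256+173 = 30893.
CONTROL_LINES = [
    "USER anonymous",
    "PASS guest@",
    "TYPE I",
    "PASV",
    "227 Entering Passive Mode (149,20,20,135,120,173).",
    "RETR pkg-1.0-1.noarch.rpm",          # made-up file name
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "EPSV",
    "229 Entering Extended Passive Mode (|||30894|)",
    "STOR upload.txt",                    # made-up file name
    "226 Transfer complete",
]

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")

def parse_passive(line, server_ip):
    """Return (ip, port) for a 227/229 reply, else None.
    A 227 reply carries the port as two bytes (hi*256 + lo); an EPSV 229
    reply carries only the port, so the data channel reuses the server IP."""
    m = PASV_RE.search(line)
    if m:
        a, b, c, d, hi, lo = map(int, m.groups())
        return f"{a}.{b}.{c}.{d}", hi * 256 + lo
    m = EPSV_RE.search(line)
    if m:
        return server_ip, int(m.group(1))
    return None

def data_channels(lines, server_ip):
    """Pair each passive-mode reply with the next RETR/STOR command and
    return (command, filename, ip, port, wireshark_filter) tuples."""
    pending, out = None, []
    for line in lines:
        endpoint = parse_passive(line, server_ip)
        if endpoint:
            pending = endpoint
            continue
        cmd, _, arg = line.partition(" ")
        if cmd in ("RETR", "STOR") and pending:
            ip, port = pending
            out.append((cmd, arg, ip, port, f"ip.addr=={ip} and tcp.port=={port}"))
            pending = None          # one data connection per passive reply
    return out
```

Each returned filter can be pasted into the Wireshark display filter to isolate that transfer's data stream before following it.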
That's it! Your work is done (well, almost). Do not execute the file directly, as we are not sure about its nature; it could be malware. If you are curious, you can run it in a sandbox environment isolated from the network.

I hope this was informative and I didn't waste your time or mine.

Will be back soon with a new post.
Until then, keep reading and keep spreading the word.

Regards,
itsmeRiF
The Logical Kid