FTP Analysis:
File Transfer Protocol (FTP) is designed to transfer files with ease, so it favours simplicity over security: commands, usernames, passwords and file contents all cross the wire in cleartext. As a result, using this protocol on untrusted networks exposes it to issues such as:
- MITM attacks
- Credential stealing and unauthorised access
- Phishing
- Malware planting
- Data exfiltration
- Global search:
ftp
- "FTP" options for grabbing the low-hanging fruits:
ftp.response.code == 211
- x1x series: Information request responses.
- 211: System status.
- 212: Directory status.
- 213: File status.
- x2x series: Connection messages.
- 220: Service ready.
- 227: Entering passive mode.
- 228: Long passive mode.
- 229: Extended passive mode.
- x3x series: Authentication messages.
- 230: User logged in.
- 231: User logged out.
- 331: Username okay, password required.
- 430: Invalid username or password.
- 530: Not logged in (login failed, e.g. wrong password).
- Note: "200" means command okay (the command was accepted).
- FTP commands for grabbing the low-hanging fruits:
ftp.request.command == "USER"
ftp.request.command == "PASS"
ftp.request.arg == "password"
- USER: Username. / PASS: Password. / CWD: Change working directory. / LIST: List directory contents.
- Advanced usages examples for grabbing low-hanging fruits:
ftp.response.code == 530
(ftp.response.code == 530) and (ftp.response.arg contains "username")
(ftp.request.command == "PASS" ) and (ftp.request.arg == "password")
- Bruteforce signal: list failed login attempts (530 responses). / Bruteforce signal: list the targeted username (only works when the server echoes the username in its 530 text; otherwise pair each 530 with the preceding USER command in the same stream). / Password spray signal: list the accounts a single static password was tried against (PASS with a fixed argument).
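The three signals above, implemented over exported control-channel fields rather than typed into the Wireshark filter bar. This is an added example, not part of the original notes: instead of a live capture it uses a constructed list of records mirroring the fields the filters reference (ftp.request.command / ftp.request.arg for client-to-server lines, ftp.response.code / ftp.response.arg for server-to-client lines). The server address, client addresses, usernames and passwords are hypothetical. It goes one step beyond the filters by attributing each 530 to the USER command that preceded it on the same connection, so it does not depend on the server echoing the username, and by separating "many passwords against one account" (brute force) from "one password against many accounts" (spray).

```python
"""Brute-force and password-spray triage for FTP control-channel traffic.

Added example (not from the original notes). Records are constructed to look
like fields exported from Wireshark/tshark; all hosts and credentials are
hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

SERVER = "10.0.0.1"  # hypothetical FTP server


@dataclass
class FtpRecord:
    frame: int
    src: str
    dst: str
    command: Optional[str] = None  # ftp.request.command (USER, PASS, ...)
    arg: str = ""                  # ftp.request.arg or ftp.response.arg
    code: Optional[int] = None     # ftp.response.code (331, 230, 530, ...)

    @property
    def client(self) -> str:
        # Requests come from the client; responses are addressed to it.
        return self.src if self.command else self.dst


def req(frame: int, client: str, command: str, arg: str) -> FtpRecord:
    return FtpRecord(frame, client, SERVER, command=command, arg=arg)


def resp(frame: int, client: str, code: int, arg: str) -> FtpRecord:
    return FtpRecord(frame, SERVER, client, code=code, arg=arg)


def login_attempt(start: int, client: str, user: str, password: str, ok: bool) -> List[FtpRecord]:
    """One USER / 331 / PASS / (230 or 530) exchange, four frames from `start`."""
    outcome = resp(start + 3, client, 230, "User logged in") if ok \
        else resp(start + 3, client, 530, "Login incorrect")
    return [
        req(start, client, "USER", user),
        resp(start + 1, client, 331, f"Password required for {user}"),
        req(start + 2, client, "PASS", password),
        outcome,
    ]


# Constructed sample: one good login, one brute force, one password spray.
RECORDS: List[FtpRecord] = (
    login_attempt(1, "10.0.0.7", "alice", "correct-horse-battery", ok=True)
    + login_attempt(5, "10.0.0.5", "admin", "123456", ok=False)
    + login_attempt(9, "10.0.0.5", "admin", "admin", ok=False)
    + login_attempt(13, "10.0.0.5", "admin", "letmein", ok=False)
    + login_attempt(17, "10.0.0.9", "alice", "Password1", ok=False)
    + login_attempt(21, "10.0.0.9", "bob", "Password1", ok=False)
    + login_attempt(25, "10.0.0.9", "carol", "Password1", ok=False)
)


def failed_logins(records: List[FtpRecord]) -> Counter:
    """Equivalent of `ftp.response.code == 530`, counted per client."""
    return Counter(r.client for r in records if r.code == 530)


def credential_pairs(records: List[FtpRecord]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client, user, password) by pairing each PASS with the last USER
    sent on the same client's control connection."""
    last_user: Dict[str, str] = {}
    for r in sorted(records, key=lambda x: x.frame):
        if r.command == "USER":
            last_user[r.client] = r.arg
        elif r.command == "PASS" and r.client in last_user:
            yield r.client, last_user[r.client], r.arg


def targeted_usernames(records: List[FtpRecord]) -> Counter:
    """Attribute each 530 to the last USER on that connection. Unlike
    `ftp.response.arg contains "username"`, this does not need the server
    to echo the name in its failure text."""
    last_user: Dict[str, str] = {}
    hits: Counter = Counter()
    for r in sorted(records, key=lambda x: x.frame):
        if r.command == "USER":
            last_user[r.client] = r.arg
        elif r.code == 530 and r.client in last_user:
            hits[last_user[r.client]] += 1
    return hits


def password_spray(records: List[FtpRecord], min_users: int = 2) -> Dict[str, List[str]]:
    """One password tried against many accounts (the PASS == "static" signal)."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for _client, user, password in credential_pairs(records):
        users[password].add(user)
    return {pw: sorted(u) for pw, u in users.items() if len(u) >= min_users}


def brute_force(records: List[FtpRecord], min_passwords: int = 3) -> Dict[str, List[str]]:
    """Many passwords tried against one account."""
    passwords: Dict[str, Set[str]] = defaultdict(set)
    for _client, user, password in credential_pairs(records):
        passwords[user].add(password)
    return {u: sorted(p) for u, p in passwords.items() if len(p) >= min_passwords}


if __name__ == "__main__":
    print("failed logins per client:", dict(failed_logins(RECORDS)))
    print("usernames behind 530s:  ", dict(targeted_usernames(RECORDS)))
    print("password spray:         ", password_spray(RECORDS))
    print("brute force:            ", brute_force(RECORDS))
```

To run it against a real capture, export the same fields with tshark (`-T fields -e frame.number -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg -e ftp.response.code -e ftp.response.arg`) and build `FtpRecord` objects from the rows; the thresholds in `password_spray` and `brute_force` are starting points to tune per environment.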