Hopefully by now you have drank the proverbial kool aid and think Wireshark is the best tool since… ever. Yes, it is awesome but there are some security concerns. If a hacker compromises your server as a very under privileged user, it may benefit them to already have a packet capture utility installed so they can just run it instead of being denied to install it. You can also use it to discover other computers on the network and start making some dangerous assumptions.
One of the neato tricks to do is take a lengthy capture, then do a string search for your password. If your password is going over the wire, I would recommend dropping whatever service it is that you are using that would send your password over the wire, unencrypted.
Standard FTP is one of those services that will send plain text passwords. I have downloaded a .vhd for server 2012 R2 and installed the IIS + ftp role and feature.
In the previous captures we haven’t limited the capture itself and instead we are filtering post capture. Instead of a post filter, lets apply a pre filter. Open up the capture options and filter on the standard FTP port of 21.
To test out the security of our authentication choice, open up the simple, built-in Windows FTP utility. Type at the command prompt: ftp [Enter] open 10.10.10.108 or whatever your practice server is and pause a second to take a look at the capture. Nothing too crazy here, just a 3 way TCP handshake and then the FTP server responding with code 220 meaning it is “ready for new user.”
I chose Basic authentication and allowed all users to connect with no SSL. That means if I enter a Windows username and password I should be able to log in.
The login worked great! But I have also allowed my username and password to be compromised by someone capturing packets on the server.