FTP ANALYSIS

FAILED LOGINS

root@dco:~$ wireshark &

#step 1: get an overview (the control channel, TCP/21, carries commands, replies and clear-text credentials)
Wireshark
 Filter: ftp
 
#anomalous: failed login attempts (530 = "Not logged in"; a burst of these from one client is the brute-force signature,
#and the USER command preceding each 530 shows which account was tried)
Wireshark > ftp.response.code == 530

FILE UPLOAD

The "STOR" command uploads a file to the FTP server and the "RETR" command retrieves one. Both are sent on the control connection (display filter ftp); the file contents themselves travel over a separate data connection (display filter ftp-data). In passive mode the server announces the data port in its 227/229 reply, e.g. "229 Entering Extended Passive Mode (|||35656|)", so the data stream is the connection to that port. Once the right filter is applied, right-click a packet and use "Follow > TCP Stream": following the control stream shows commands, file names and reply codes only; to recover the transferred file, follow the matching ftp-data stream, show it as raw and save it.

root@dco:~$ wireshark &

#step 1: get an overview
Wireshark
 Filter: ftp
 
#uploaded (STOR) / downloaded (RETR) files
Wireshark > ftp.request.command == "STOR" || ftp.request.command == "RETR"

#the file name is the command argument
Wireshark > Packet List > Packet Details > FTP > RETR > Request Arg > Copy > Value
 * resume.doc

TRACKING CMDS

root@dco:~$ wireshark &

#step 1: get an overview
Wireshark
 Filter: ftp
 
#locate a transfer of interest
Wireshark > ftp.request.command == "STOR" || ftp.request.command == "RETR"

#follow its control connection to see every command the client issued and the server's reply codes
Wireshark > Packet List > right-click packet > Follow > TCP Stream
 ...
 PWD
 257 "/" is current directory.
 TYPE A
 200 Type set to A
 EPSV
 229 Entering Extended Passive Mode (|||35656|)
 LIST
 150 Opening ASCII mode data connection for file list
 226 Transfer complete.
 SITE CHMOD 777 resume.doc
 550 resume.doc: Permission denied
 QUIT
 221 Goodbye.
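The three sections above (failed logins, uploads/downloads, command tracking) all reduce to reading the control-channel stream and matching commands to reply codes. The following script does that over text copied from Follow > TCP Stream and produces the same findings as the display filters, plus any command the server refused (like the SITE CHMOD 777 attempt that got a 550 above). It is an added example for these notes, not code from the original page; the sample transcript is constructed for illustration.

```python
"""Summarise an FTP control-channel transcript (text copied from
Wireshark's Follow > TCP Stream): failed logins (530), files moved with
STOR/RETR, SITE commands, and any command the server refused (5xx).

Added example, not part of the original notes. SAMPLE_STREAM is constructed.
"""
import re

# Constructed sample session: one failed login, one successful login, a
# download, an upload and a denied chmod. FEAT exercises a multi-line reply.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS guest
530 Login incorrect.
USER alice
331 Please specify the password.
PASS s3cret
230 Login successful.
FEAT
211-Features:
 UTF8
211 End
RETR resume.doc
150 Opening BINARY mode data connection for resume.doc (12288 bytes).
226 Transfer complete.
STOR payload.exe
150 Ok to send data.
226 Transfer complete.
SITE CHMOD 777 resume.doc
550 resume.doc: Permission denied
QUIT
221 Goodbye.
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")              # "530 Login incorrect."
COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")  # "STOR payload.exe"


def parse_stream(text):
    """Pair each client command with the reply codes the server sent for it.

    Returns [(verb, argument, [codes])] in session order. Multi-line replies
    ("211-" ... "211 ") are skipped so their body lines are never mistaken
    for commands; replies before the first command (the banner) are dropped.
    """
    exchanges = []
    open_reply = None  # code of the multi-line reply we are inside of
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if open_reply:
            if line.startswith(open_reply + " "):
                open_reply = None
            continue
        reply = REPLY_RE.match(line)
        if reply:
            code, sep = reply.group(1), reply.group(2)
            if sep == "-":
                open_reply = code
            if exchanges:
                exchanges[-1][2].append(int(code))
            continue
        cmd = COMMAND_RE.match(line)
        if cmd:
            exchanges.append((cmd.group(1).upper(), cmd.group(2) or "", []))
    return exchanges


def analyse(text):
    """Build the findings the page's filters surface, plus denied commands.

    Passwords are deliberately not copied into the report: the control
    channel carries them in clear text, so the transcript itself is sensitive.
    """
    report = {"failed_logins": [], "logins": [], "uploads": [],
              "downloads": [], "site_cmds": [], "denied": []}
    user = None
    for verb, arg, codes in parse_stream(text):
        final = codes[-1] if codes else None  # last reply wins (150 then 226)
        if verb == "USER":
            user = arg
        elif verb == "PASS" and final == 530:
            report["failed_logins"].append(user)
        elif verb == "PASS" and final == 230:
            report["logins"].append(user)
        elif verb == "STOR" and final == 226:
            report["uploads"].append(arg)
        elif verb == "RETR" and final == 226:
            report["downloads"].append(arg)
        elif verb == "SITE":
            report["site_cmds"].append(arg)
        if verb != "PASS" and final is not None and final >= 500:
            report["denied"].append(f"{verb} {arg}".strip())
    return report


if __name__ == "__main__":
    for key, items in analyse(SAMPLE_STREAM).items():
        print(f"{key:14s} {items}")
```

Run it on the sample and it reports anonymous as the failed login, alice as the successful one, resume.doc downloaded, payload.exe uploaded, and the SITE CHMOD as both a SITE command and a denied (550) command. The same display filters used in the GUI also work non-interactively, e.g. tshark -r capture.pcap -Y 'ftp.response.code == 530', which is handy when the capture is large.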
