Day in a Life of Threat Hunter (Chapter 04) — FTP attack

The next day, Joe arrived at work early, still energized from his first experience with a cyber incident. As he settled at his desk, he noticed a sticky note from Justin labeled “To Do List”. The first item on the list was to research FTP and understand the potential attacks that could target FTP systems.

Image generated by the author using ChatGPT

Joe mused, “I know FTP stands for File Transfer Protocol, but I’m curious about what kind of attacks it might be susceptible to.” For those unfamiliar, FTP is a standard network protocol used for transferring files between a client and a server on a computer network.

Eager to learn more, Joe started exploring various articles, including some from Hack The Box, a site known for its legal hacking and penetration testing practice environments. According to Hack The Box, it’s common for employees in some companies to bypass file checks and firewall rules to transfer files. However, this practice is declining as more companies tighten their security protocols. In contrast, in non-corporate settings, such restrictions are often less stringent.

While Joe was digesting this information, David stopped by his desk. “This FTP article is fascinating,” Joe commented. “I understand how people might bypass file checks, but I’m puzzled about how attackers could exploit FTP from outside the network.”

According to Wikipedia: The File Transfer Protocol (FTP) is a standard communication protocol used to transfer computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a clear-text sign-in protocol, generally in the form of a username and password. However, they can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).


David smiled and replied, “That’s a great question. FTP isn’t just used within single networks; it also facilitates file transfers across different networks. Imagine if a network engineer doesn’t secure an FTP server properly — it could be a goldmine for an attacker.”

Joe was struck by the gap between what he had learned at school and the reality of how these technologies were being exploited in the real world.

David continued to explain, “FTP operates on a client-server model architecture. Users may authenticate with a username and password, but anonymous connections are also possible if allowed by the server. For security, FTP can be secured with SSL/TLS (known as FTPS) or replaced by SSH File Transfer Protocol (SFTP).”

“Essentially, in FTP, clients can request data from servers, which might respond with the requested file or an error message if the file doesn’t exist. FTP typically uses port 21, while SSH connects over port 22. If an FTP connection isn’t secured with SSL/TLS, it’s vulnerable to attacks because it doesn’t encrypt the data being transferred.”

Pointing to an image in the Hack The Box article, David noted, “Here you can see an example of an FTP setup without SSL/TLS — easy for attackers to target. But in this other image, where SSL/TLS is used, the connection is much more secure.”

David concluded, “This type of vulnerability can lead to Man-in-the-Middle attacks, where attackers can intercept and alter data being transferred without either the client or the server being aware of the intrusion.”
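As an added illustration (not code from the original post or from Hack The Box): a small Python check a defender could run over FTP control-channel lines recorded from port 21. It assumes the constructed log format shown in the sample, and flags sessions where a password crossed the wire in the clear (including the case where the server refused AUTH TLS and the client logged in anyway) versus sessions where the server accepted AUTH TLS before any login.

```python
import re
from collections import defaultdict

# Constructed FTP control-channel lines: session id, direction (C=client, S=server), text.
SAMPLE_LOG = """\
s1 C: USER alice
s1 S: 331 Password required for alice
s1 C: PASS hunter2
s1 S: 230 User alice logged in
s2 C: AUTH TLS
s2 S: 234 Proceed with negotiation
s3 C: USER anonymous
s3 C: PASS guest@example.com
s3 S: 230 Login successful
s4 C: AUTH TLS
s4 S: 502 Command not implemented
s4 C: USER bob
s4 C: PASS s3cret
s4 S: 230 User bob logged in
"""
LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<dir>[CS]): (?P<text>.*)$")

def parse_sessions(log_text):
    """Group (direction, text) pairs by session id, keeping wire order."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sessions[m["sid"]].append((m["dir"], m["text"]))
    return sessions

def classify_session(events):
    """Return 'tls', 'cleartext-anonymous', 'cleartext-password' or 'no-login'."""
    tls_requested, user = False, None
    for direction, text in events:
        cmd, _, arg = text.upper().partition(" ")
        if direction == "C" and cmd == "AUTH" and arg == "TLS":
            tls_requested = True
        elif direction == "S" and tls_requested and text.startswith("234"):
            return "tls"  # server accepted the handshake; USER/PASS go encrypted
        elif direction == "C" and cmd == "USER":
            user = arg.lower()
        elif direction == "C" and cmd == "PASS":
            # Password was sent in the clear, even if AUTH TLS was refused first (s4).
            return "cleartext-anonymous" if user in ("anonymous", "ftp") else "cleartext-password"
    return "no-login"

def audit(log_text=SAMPLE_LOG):
    return {sid: classify_session(ev) for sid, ev in parse_sessions(log_text).items()}
```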

Thanks for joining us for “The Day in the Life of a Threat Hunter,” and stay tuned as Joe’s journey into becoming a skilled professional continues, offering insights into the exciting world of cybersecurity. For the latest content please follow Secure Nutshell.
