How to replace Telnet and FTP with SSH and SFTP to help protect your network

source link: https://www.redhat.com/sysadmin/replace-telnet-ssh-ftp-sftp

Posted: October 25, 2022 | by Jose Vicente Nunez (Sudoer)

[Image: A blue cable plugged into a green Raspberry Pi]

In my previous article, I showed how to replace clear-text and other insecure network protocols with more secure options. I used the example of replacing HTTP with HTTPS, and in this article, I explain how to switch FTP for SFTP and Telnet for SSH.

[ Cheat sheet: Get a list of Linux utilities and commands for managing servers and networks. ]

Because clear-text protocols are easy to capture and analyze, using them puts your network security at risk. Many of these services were written when the internet was in its infancy, and attackers now have better tools to capture sensitive information, making the bar very low for this kind of attack to succeed.

Even knowing the danger of clear-text network protocols, you would be surprised how often I still get asked to set up an FTP or Telnet server (and the answer is always the same).

In case you haven't read my article about replacing HTTP with HTTPS, I'll repeat the tutorial's setup before explaining how to implement SFTP and SSH.

These articles will explain:

  • How to use Podman to set up throwaway services to learn about insecure settings and protocols
  • How to use TShark to capture and decode network traffic in real time
  • How to replace obsolete services with more modern alternatives to eliminate this type of attack

This tutorial assumes you have:

  • Access to Podman or Docker
  • Privileged access to run TShark and containers in a special mode
  • Basic knowledge of network protocols like TCP/IP, HTTP, or FTP (but don't worry too much if you don't)

[ Download now: Podman basics cheat sheet ]

Prepare your Apache sandbox

This tutorial will capture credentials on basic authentication against an unencrypted HTTPD Apache server.

You need a self-signed SSL certificate for this demo, so generate one from a container. I used the Fedora 37 Linux distribution and the mkcert application:

[josevnz@dmaf5 self_signed_certificates]$ podman run --rm --interactive --tty --volume $HOME/Downloads:/certs mkcert_image mkcert -cert-file /certs/cert.pem -key-file /certs/cert.key dmaf5 localhost 192.168.1.30 ::1

You will use this new SSL certificate for your Podman container running Apache:

Next, build a special Apache container:

Test the authentication with curl:

# Clear-text HTTP: the Basic credentials cross the wire base64-encoded, not encrypted
curl --silent --user admin:notsosecurepassword http://dmaf5:8080/secret/
# We use --insecure because it is a self-signed certificate
curl --insecure --silent --user admin:notsosecurepassword https://dmaf5:8443/secret/

The next step is to check how much sensitive information you can get with TShark.

[ Learn how to manage your Linux environment for success. ]

Use TShark to sniff the password from an FTP server

FTP sends data without encryption. Take a vsftpd container for a spin, and write a TShark expression that looks for specific FTP fields:

podman run --detach --tty --network=host --privileged --name kodegeek_vsftpd --env FTP_USER=admin --env FTP_PASS=insecurepassword --env LOG_STDOUT=yes fauria/vsftpd
tshark -i eno1 -Y 'ftp.request.command == USER or ftp.request.command == PASS' -T json

On a different terminal, establish an FTP session against your container:

josevnz@raspberrypi:~$ ftp -4 -n -v dmaf5 
Connected to dmaf5.home.
220 (vsFTPd 3.0.2)
ftp> user admin insecurepassword
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

TShark will "nicely" provide the user and password in clear text:

          "ftp.request": "1",
          "ftp.response": "0",
          "USER admin\\r\\n": {
            "ftp.request.command": "USER",
            "ftp.request.arg": "admin"
          }
...
        "ftp": {
          "ftp.request": "1",
          "ftp.response": "0",
          "PASS insecurepassword\\r\\n": {
            "ftp.request.command": "PASS",
            "ftp.request.arg": "insecurepassword"
          }
        },

See it in action:

Switch to SFTP

The solution for this is to use SFTP instead of FTP.

I won't dive into how to use SFTP, as there are lots of tutorials about SFTP out there, including Evans Amoany's How to use SCP and SFTP to securely transfer files.

Sniff a Telnet server password

A Telnet server is one of those services that no one should see on their networks. I won't even ask you to run a container; instead, I will show you what a live capture looks like (I used the Docker Telnet server for this demo).

TShark can decode Telnet traffic fields in real time. Each character of the user name shows up twice because the server echoes it back to the client; the password characters appear once because they are not echoed:

[josevnz@dmaf5 InsecureContainer]$ tshark -i eno1 -Y 'telnet' -T fields -e telnet.data
Capturing on 'eno1'
Ubuntu 17.10\r\n
dmaf5 login: 
r
r
o
o
o
o
t
t
\r
\r\n
Password: 
m
a
l
w
a
r
e
\r
\r\n
Last login: Sun Oct  9 01:32:14 UTC 2022 from raspberrypi.home on pts/1\r\n

This is more or less the same thing you see on the client side:

josevnz@raspberrypi:~$ telnet dmaf5
Trying fd22:4e39:e630:1:1937:89d4:5cbc:7a8d...
Connected to dmaf5.home.
Escape character is '^]'.
Ubuntu 17.10
dmaf5 login: root
Password: 
Last login: Sun Oct  9 01:32:14 UTC 2022 from raspberrypi.home on pts/1

One last time in action:

Switch to SSH

Instead of Telnet, use SSH. Once again, there is no shortage of SSH tutorials out there, so start with Evans' article How to access remote systems using SSH.
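The FTP and Telnet captures above are exactly what a defender can alert on while the migration to SFTP and SSH is under way. The script below is an added example, not code from the article: it reads the tab-separated output of an assumed tshark -T fields invocation (the field names are real tshark fields; the interface, hosts, timestamps and the sample lines are constructed) and prints one alert per clear-text credential exchange for FTP, Telnet and HTTP Basic, reporting only the length of any secret rather than the secret itself.

```shell
#!/bin/sh
# Added example: a clear-text credential detector fed by tshark field output.
# Assumed live invocation (not from the article; -l flushes per packet so the
# pipe sees each line immediately, and -T fields emits tab-separated columns):
#   tshark -l -i eno1 -T fields -e frame.time_epoch -e ip.src -e ip.dst \
#       -e ftp.request.command -e ftp.request.arg -e telnet.data \
#       -e http.authorization | cleartext_alerts
# Passwords and Basic-auth tokens are never written to the alert, only their length.

# Constructed sample of what that tshark command emits: one FTP login like the
# vsftpd session above, a Telnet login prompt, and an HTTP Basic header like the
# curl call in the Apache section. Column order matches the -e list above;
# fields a packet does not carry are empty.
sample_capture() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1665279134.10 192.168.1.20 192.168.1.30 USER admin '' '' \
    1665279134.12 192.168.1.20 192.168.1.30 PASS insecurepassword '' '' \
    1665279140.00 192.168.1.30 192.168.1.20 '' '' 'dmaf5 login: ' '' \
    1665279141.00 192.168.1.30 192.168.1.20 '' '' 'Password: ' '' \
    1665279150.00 192.168.1.20 192.168.1.30 '' '' '' \
      'Basic YWRtaW46bm90c29zZWN1cmVwYXNzd29yZA=='
}

# Read the tab-separated fields on stdin and print one ALERT line per
# clear-text credential exchange. Exit status is 0 so it can sit in a pipeline.
cleartext_alerts() {
  awk -F '\t' '
    # Report only the length of a secret, never the secret itself.
    function mask(s) { return sprintf("<%d chars redacted>", length(s)) }
    {
      ts = $1; src = $2; dst = $3; cmd = $4; arg = $5; tdata = $6; auth = $7
      if (cmd == "USER")
        printf "ALERT ftp-cleartext-login %s %s->%s user=%s\n", ts, src, dst, arg
      else if (cmd == "PASS")
        printf "ALERT ftp-cleartext-password %s %s->%s password=%s\n", ts, src, dst, mask(arg)
      # A prompt ends in "login: " or "Password: "; "Last login: <date>" does not match.
      else if (tdata ~ /(login|Password): *$/)
        printf "ALERT telnet-login-prompt %s %s->%s prompt=\"%s\"\n", ts, src, dst, tdata
      else if (auth ~ /^Basic /)
        printf "ALERT http-basic-auth %s %s->%s token=%s\n", ts, src, dst, mask(substr(auth, 7))
    }'
}

# Stand-alone run over the constructed sample.
sample_capture | cleartext_alerts
```

Feed it from the live tshark pipeline shown in the header comment (the article's -Y display filters can be added to cut volume). Once FTP and Telnet have been replaced by SFTP and SSH, the same pipeline should stay silent: tshark no longer dissects ftp, telnet or http fields out of the encrypted sessions, and that silence is the confirmation that the migration worked.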

What's next?

