Recover the FTP password via TCPDUMP

I always keep my frequently used files in my FTP server, at the same time, and i have my password saved in my FTP client in my laptop as well. So when i need to login to my FTP server from another machine, i was like “hmm…. what was my password now?”

Since FTP is run via plain text, there is no encryption at all. So i have recovered my password via TCPDUMP and the username and password are “everyone”.

netuser@HK1401-KVM:~$ sudo tcpdump -n  -vvv -i enp6s0 -A -f “port 2121” | grep -i “user\|pass

E..7|!@.v.&….”..b….I…….3P…_…USER everyone
E..L.E..?…..b….”.I…..3….P.}x.0..331 Password required for everyone
E..7|#@.v.&….”..b….I…….WP…V…PASS everyone
E..k.I..?…..b….”.I…..W….P.}x….230-Welcome user everyone@<source IP adderss> to FTP server.
E..E.M..?…..b….”.I……….P.}x….230 User everyone logged in

Let me break down the syntax.

sudo – to run the tcpdump in super user mode, it is not necessary if running with root.

tcpdump – this is the program name.

“-n” – to stop resolve and show the IP address with domain name.

“-vvv” – to display more packet data on the screen.

“-i enp6s0” – to run the tcpdump on the interface of enp6s0 only.

“-A” – to display the packet in ASCII (think of it as human readable form)

“-f “port 2121″” – to capture the packets that is related to port 2121 only. (this is my ftp server port.)

“| grep -i “user\|pass“” – to filter out the screen output with any lines that has the either user or pass as the keyword.


This track can be down with other non encrypted network transfer as well. Hope this can serve with anyone who need to recover their own password. Cheers.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s