DSM-G600, DNS-3xx and NSA-220 Hack Forum

with telnet/ssh access you could probably do "cat var/log/messages", take a look at the wiki

wrathofthepenguin wrote:

Some would say that the odds of somebody intercepting this info are very low - they are wrong.

That "somebody" pretty much has to be in one of the following four places to "capture" the required information.

1)  On the same (W)LAN as the DNS-323 - AND - assuming a switched network as most are, either using a MITM attack or if the switch is managed, have access to the switch management

2)  On the ISP network to which the DNS-323 LAN is connected - AND - with access to the ISP management systems, for what it's worth, ISP policy usually prohibits ISP personnel from packet capture of this nature.

3)  On the same (W)LAN from which you are accessing the DNS-323 remotely - AND - assuming a switched network as most are, either using a MITM attack or if the switch is managed, have access to the switch management.

4)  On the ISP network to which the remote LAN mentioned in (3) above is connected - AND - with access to the ISP management systems, for what it's worth, ISP policy usually prohibits ISP personnel from packet capture of this nature.

As you move further away from the end points listed above, the volume of traffic increases and the task of capturing the necessary traffic and filtering out the unwanted protocols becomes more & more challenging.

Yes, ftp (and also telnet) is insecure for the reasons mentioned above, but rather than create an atmosphere of "fud" - fear, uncertainty & doubt - I prefer to inform, so the end user can make an informed decision. 

There are ways to limit your exposure - one of which is to user your firewall to limit the range of ip addresses from which it will accept an incoming ftp or telnet session.

A comment on the use of open wireless LANs at a coffee shop etc. - there is a lot more at stake than just your ftp user and password - pop3 user names & passwords are also sent clear text - unless your ISP allows encryption and you specifically configure it - I think significantly more people are likely to check their email than login to their ftp server.

As with everything else in life, there are dangers - even something as simple as crossing the street - the trick is to know where the dangers lie and how to deal with them, just as you teach folks to use the cross walk and to look both ways before crossing - look left, look right and then look left again - you can teach them to use the internet safely.

Last edited by fordem (2008-07-26 19:04:13)

fordem wrote:

wrathofthepenguin wrote:

Some would say that the odds of somebody intercepting this info are very low - they are wrong.

That "somebody" pretty much has to be in one of the following four places to "capture" the required information.

1)  On the same (W)LAN as the DNS-323 - AND - assuming a switched network as most are, either using a MITM attack or if the switch is managed, have access to the switch management

2)  On the ISP network to which the DNS-323 LAN is connected - AND - with access to the ISP management systems, for what it's worth, ISP policy usually prohibits ISP personnel from packet capture of this nature.

3)  On the same (W)LAN from which you are accessing the DNS-323 remotely - AND - assuming a switched network as most are, either using a MITM attack or if the switch is managed, have access to the switch management.

4)  On the ISP network to which the remote LAN mentioned in (3) above is connected - AND - with access to the ISP management systems, for what it's worth, ISP policy usually prohibits ISP personnel from packet capture of this nature.

As you move further away from the end points listed above, the volume of traffic increases and the task of capturing the necessary traffic and filtering out the unwanted protocols becomes more & more challenging.

Yes, ftp (and also telnet) is insecure for the reasons mentioned above, but rather than create an atmosphere of "fud" - fear, uncertainty & doubt - I prefer to inform, so the end user can make an informed decision. 

There are ways to limit your exposure - one of which is to user your firewall to limit the range of ip addresses from which it will accept an incoming ftp or telnet session.

A comment on the use of open wireless LANs at a coffee shop etc. - there is a lot more at stake than just your ftp user and password - pop3 user names & passwords are also sent clear text - unless your ISP allows encryption and you specifically configure it - I think significantly more people are likely to check their email than login to their ftp server.

As with everything else in life, there are dangers - even something as simple as crossing the street - the trick is to know where the dangers lie and how to deal with them, just as you teach folks to use the cross walk and to look both ways before crossing - look left, look right and then look left again - you can teach them to use the internet safely.

I'm kind of surprised that you feel I was somehow creating fud by stating the obvious. By telling the OP that he was using a protocol that is insecure and then suggesting that he use a more secure protocol I believe I meet your statement of "teach them to use the internet safely". While I agree that people are much more likely to check their email than access their ftp server, that's not the subject of the current thread. He's asking about somebody accessing his FTP server. If you feel we need to point out every insecure protocol/security issue that might he might be more at risk of when he's asking about a specific situation, well, feel free to list them for him. I'll stick to the question he asks.

To capture the data, one need simply be in one of the places that I mentioned. Wireless increases security risks - if it's open or secured by WEP, then it can be easily captured. Even if the data is not captured in the clear it can be captured and decrypted later at leisure. So, if you're sitting on a wireless network that's secured by WEP that connects to a switched network, the guy three rooms down can easily capture everything you do, even if he's never connected to the access point. And guess what. In most places what he's doing is legal, as long as he doesn't attack the network - all he has to do is passively capture the traffic. How many times have you used wired access in public places while you're away from home. In most cases, people use wireless, even when they're at their buddies house.

And if you think that ISPs prevent their personnel from capturing traffic, you are sorely mistaken. Not only is traffic routinely captured, it is often sent to several other places, sometimes to support, sometimes to traffic analysis shops, sometimes just stored on a flash drive. If I actually collected every username/password combination I've seen in traces I'd have hundreds.

I have not even touched on the various situations in which a server/network/PC has been compromised.

For the OP: If you believe your username/password have been compromised, change them, and look into using a secure protocol. Keep in mind this statement: The only time a computer is truly secure is when it's unplugged and locked in your closet. Assuming somebody is not in the closet with it. Definitely look at using a more secure protocol. If you believe you've been compromised, you may be right. It could have been simply a brute force attack on your DNS-323, but more likely, somebody captured it at some point. It really doesn't matter how it happened, what matters is stopping the access now and making it much more difficult in the future. Look into using a secure protocol, and if you don't know what's secure and what's not - definitely post and ask. There are a lot of people who will be willing to help you out.

One other thing - you may want to make a detailed examination of what's on your DNS-323. If somebody has been using it there could be a lot on there you are not aware of. I have seen several situations in which an enterprise public FTP server has been used for trading music, movies or worse.

There is one thing and one thing ONLY to use FTP for. Anonymous ftp servers for distributing public files.

Anything else is to beg for problems.