• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Tachytelic.net

  • Get in Touch
  • About Me

Recovering saved FTP Passwords using a simple netmon filter

February 18, 2010 by Paulie 5 Comments

Today I needed to FTP some files to a site that I have used on and off for a number of years. Because I have recently installed Windows 7 I needed to setup the site again in my FTP Client, Core FTP.

Although my old machine still has the connection setup I was not able to see the cached/saved password. Although it is possible to export the sites, the password remained encrypted and I wanted to document the actual password.

There are a lot of tools, some free and some which you have to pay for which will recover the cached FTP password for you. Some of these looked a bit questionable and as FTP is an entirely unencrypted service I thought it should be easy to sniff the password out of the FTP traffic itself.

Turns out that it really is very easy and the saved password can be retreived instantly using netmon.

So here is how to do it.

Create a new capture filter in netmon and enter the following:

tcp.Port==21 and property.TCPPayload.contains("PASS")

Should look like this:

Netmon FTP Password Capture

Then click on the start button to begin capture. Then open your FTP client which contains the cached password and connect to the FTP server.

As soon as you have made a succesful connection switch back to netmon and stop the capture. You should then be able to see the FTP password in clear text in the capture window, something like this:

I spotted a lot of posts from people trying to recover or export their saved FTP passwords from CoreFTP and CuteFTP and many programs are designed specifically for this purpose. This is quick and simple and does not depend on any 3rd party software and should work with any FTP client.

Hope this helps someone.

Filed Under: How To, Technical Posts

Reader Interactions

Comments

  1. Aaron says

    September 16, 2010 at 3:50 pm

    This is great! Thanks for the wonderful tip. I was wary of using a 3rd party tool for something so simple, so this was exactly what I needed.

    Plus, I will now play more with Netmon.

  2. Sam says

    August 4, 2011 at 9:01 pm

    I had a list of FTP sites for clients’ webpages that I’d forgotten the passwords for long ago, and needed to inform the new IT person about. This worked perfectly. Thank you!

  3. Brian says

    October 6, 2011 at 3:40 pm

    This was a big help. Beats the suspicious $17 app I was looking at. I would like to add something. A lot of my sites are SSL,SSH, and/or on ports other than port 21. CoreFTP does not reset the username and password when you switch protocols. I just copied by profiles, changed them all to port 21 and ftp and ran them. Worked like a charm.

  4. Scott Hack says

    September 11, 2012 at 10:25 pm

    Thanks, kept me from having to go into my cpanel and reset the password. Seems silly to not have a way to view the password in CoreFTP if it was this easy to sniff it out!

  5. Sarah Lewis says

    January 15, 2013 at 4:13 pm

    This just helped me make sense of the Core FTP export a client handed me. Saved me so much back-and-forth it’s not even funny. Thanks for taking the time to post this!

Leave a Reply Cancel reply

Primary Sidebar

Link to my LinkedIn Profile
Buy me a coffee

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 259 other subscribers.

Go to mobile version