Today I needed to FTP some files to a site that I have used on and off for a number of years. Because I have recently installed Windows 7 I needed to setup the site again in my FTP Client, Core FTP.
Although my old machine still has the connection setup I was not able to see the cached/saved password. Although it is possible to export the sites, the password remained encrypted and I wanted to document the actual password.
There are a lot of tools, some free and some which you have to pay for which will recover the cached FTP password for you. Some of these looked a bit questionable and as FTP is an entirely unencrypted service I thought it should be easy to sniff the password out of the FTP traffic itself.
Turns out that it really is very easy and the saved password can be retreived instantly using netmon.
So here is how to do it.
Create a new capture filter in netmon and enter the following:
tcp.Port==21 and property.TCPPayload.contains("PASS")
Should look like this:
Then click on the start button to begin capture. Then open your FTP client which contains the cached password and connect to the FTP server.
As soon as you have made a succesful connection switch back to netmon and stop the capture. You should then be able to see the FTP password in clear text in the capture window, something like this:
I spotted a lot of posts from people trying to recover or export their saved FTP passwords from CoreFTP and CuteFTP and many programs are designed specifically for this purpose. This is quick and simple and does not depend on any 3rd party software and should work with any FTP client.
Hope this helps someone.
Aaron says
This is great! Thanks for the wonderful tip. I was wary of using a 3rd party tool for something so simple, so this was exactly what I needed.
Plus, I will now play more with Netmon.
Sam says
I had a list of FTP sites for clients’ webpages that I’d forgotten the passwords for long ago, and needed to inform the new IT person about. This worked perfectly. Thank you!
Brian says
This was a big help. Beats the suspicious $17 app I was looking at. I would like to add something. A lot of my sites are SSL,SSH, and/or on ports other than port 21. CoreFTP does not reset the username and password when you switch protocols. I just copied by profiles, changed them all to port 21 and ftp and ran them. Worked like a charm.
Scott Hack says
Thanks, kept me from having to go into my cpanel and reset the password. Seems silly to not have a way to view the password in CoreFTP if it was this easy to sniff it out!
Sarah Lewis says
This just helped me make sense of the Core FTP export a client handed me. Saved me so much back-and-forth it’s not even funny. Thanks for taking the time to post this!