i still see people using ftp or telnet for work instead of sftp and ssh. is it true that using ftp or telnet can let people see the password quite easily? Who can actually see it?
Update: for example, if i am not using Wireless... which i heard can be breakable if it is WEP when 1GB traffic is sent or received ... so if not using Wireless, and I am using either DSL, Cable Internet like Comcast, or AT&T's U-verse's fiber optics, then who can read it? Can my neighbor, or joe at the data center at a nearby company or university read it? Or joe at a big hosting company or data center that happens to be some where between California and Chicago if I am ftp'ing from California to Chicago?
Update 2: so maybe it is good to alias ftp='echo use sftp!!' on the bash too
To answer briefly, anyone on the path of the packets from your pc to the server.
In some cases (insecure networks, wireless networks, and so on) many more persons.
That's because the password will travel in plain text.
You can see more about packet sniffing at http://en.wikipedia.org/wiki/Packet_capture.
Also check http://en.wikipedia.org/wiki/File_Transfer_Protocol#Security_problems
Both ftp and telnet are unencrypted. That means that anyone who can capture your internet traffic (e.g. your isp, hosting provider, maybe government) can read your password in plain text averytime you login. Ssh and sftp/scp will encrypt your password and none should be able to read it.
Yes, by using a simple packet sniffer, such as Wireshark it is possible to read the plaintext passwords used by telnet and ftp. Try using this tool while initializing a ftp or telnet session and you'll see how non-secure these mechanisms are.
As tagged with this post, ssh and sftp are more secure alternatives as they encrypt the data as it moves across the wire. And, as always, never use these sorts of tools for evil!
Anyone with a sniffer can see it. Use the secure equivalents i.e. SFTP and SSH instead. They are protected with strong encryption and everything will be encrypted.
Related
I've just started experimenting with WebRTC with Go and downloaded pions/webrtc library but I'am stuck with it's data-channels example.
As it written in docs I opened jsfiddle client example.
Then I'am running go run main.go command in the /go/src/github.com/pions/webrtc/examples/data-channels folder on my server to launch data-channel.
After that I copy Browser base64 Session Description from jsfiddle example and paste it into my terminal where data-channels go script is running and it generates Golang base64 Session Description code which I paste into jsfiddle example and then press Sart session button.
And it fails to establish connection :(
This is my jsfiddle example for client side:
And this is my server side go script:
What am I doing wrong?
Thanks for using pion-WebRTC (I am one of the developers!)
WebRTC uses a technology called ICE to allow peers to talk to each other. Two peers exchange IP addresses via the SDP (the text you pasted) then they attempt to communicate by sending small UDP packets between each other. Once two IP addresses successfully communicate via ICE the rest of the WebRTC steps can continue. For you this process is failing. I don't know how/why though. Firewalls, VPNs etc... all can cause problems.
You will have to debug and check different scenarios. I would try running the examples on your local PC. If that works then maybe try between a different server. A good tool to help here also is tcpdump that can show if UDP packets are arriving. I usually use tcpdump -i any udp and inbound
We also recently added IPv6 support, so might be worth trying from master and see if that helps at all! Hopefully this helps, but if you are still having issues feel free to ask more questions. We are also all available via our Slack Channel you can sign up here here and would be more then happy to chat!
I met similar problem, and I solved by
echo $BROWSER_SDP | ./main
BROWSER_SDP is the session description in your browser, main is the exe by go build main.go(you can rename exe by mv). This can make sure transfer SDP to the server, which is really important.
The detail
I was trying to find traceroute program implementation for MS Windows that can be used by regular user (with no admin rights) and I could not find any. Those I could find (like tracetcp or nmap) require PCAP library and in order to install winpcap I think administration rights are required.
I don't know much about Windows internals but I'm wondering what is the 'magic' behind. If tracert shipped by MS with Win OS works fine for regular user (but it can use ICMP only) then is there any issue (technical limitation) with setting TTL for TCP/UDP packet by regular user and receiving respective response on the socket such as:
ICMP: TTL expired in transit
UDP: port unreachable
and probably few others (like TCP RST, ICMP host unreachable etc)?
So basically:
if there is no issue why there is no reasonable traceroute implementation
for windows?
if there is a technical limitation for TCP/UDP then why
original MS ICMP traceroute works fine for non admin users?
I know that the most popular linux traceroute with -T option (for using SYN probes) requires root priviliges too but I'm assuming it's just because it does not want to complete full TCP handshake and sending RST after receiving SYN-ACK may be restricted for root. Anyway as longs as TTL can be set by reqular user (for UDP it seems to work fine) then I would imagine TCP traceroute completing full TCP handshake should be possible to implement for non root linux users?
And by the way ICMP traceroute also needs admin rights because of using RAW sockets but surprisingly for Windows it does not seem to be an issue.
Sadly, the simple answer to your question is "no, there is no native way to do that on a Windows box".
I am a bit unsure about your specific usecase, but one route to go is evaluate if Power Shell has more functionality to help you out. Jose Baretto from Microsoft wrote an article about Power Shell equivalents for common networking commands. You can find it here:
https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
Failing that, your only option is (as you mention yourself) 3rd party tools, and you'll be hard press to find one that doesn't require elevated privileges.
I want to write a CLLE Program to transfer Files from the IFS to a Webserver.
The Webserver is registered in the Hosttable from the Iseries.
(commandline: CFGTCP -> Option 10 -> Scroll to the Webserver IP)
Current CLLE Program: (only the ftp-access)
PGM
OVRDBF FILE(INPUT) TOFILE(CMDDTAR7_2/US9FIP) OVRSCOPE(*JOB)
OVRDBF FILE(OUTPUT) TOFILE(CMDDTAR7_2/US9FOP) +
OVRSCOPE(*JOB)
FTP RMTSYS('10.1.2.99')
ENDPGM
After i call my Program i get some results in a PF-File.
The Results are in German but i translated shortly for you.
The Connection is unavalable to 10.1.2.99 on Port 21. Try it again later.
[...]
My Question at the end.
Do you have some solutions for me to transfer xml files to my Webserver from the iseries?
You're writing about a web server and you want to transfer files by ftp. Perhaps you're mixing up protocols here. I'll concentrate to resolve your apparent ftp connection problem.
Seems that the destination host 10.1.2.99 doesn't accept connections on Port 21.
Please make sure, there's no firewall or other stuff blocking your request to the destination host. Moreover, on the host 10.1.2.99 try telnet 10.1.2.99 ftp or ftp 10.1.2.99 in a command window, depending on OS and installed components.
Before automating, just test manually if you can successfully connect and log in via standard command line: ftp 10.1.2.99.
Transferring data by FTP is just fine in a local LAN. Beware that any data including username and password will be transferred in clear text and thus can be possibly read by others as the intended hosts.
Following up to your comment: Actually there are many possibilities to copy files. If you're running a recent version of IBM i, I'd opt for using scp. It's encrypted and thus safe for running outside of local LANs. Great to automate by utilizing Key-Authentication instead of passwords. And many web hosting companies offer scp/sftp access.
Usually I'd use Wireshark, but is there a really super quick way to determine what URL an app is pulling data from? I need to whitelist the host so that it works through a proxy server, as the app doesn't support proxies.
Fire up terminal and type
lsof -i
this lists all open internet connections. Of course you can restrict the listing to include only connections from certain executable with -c option. Read the man page for lsof. Learn to use it, it's a great little tool.
Check out Little Snitch http://www.obdev.at/products/littlesnitch/index.html
Great little program to catch those "phone homes". Cheap too!
Give this a shot:
Charles Web Debugging Proxy
It's not quite as heavy as Wireshark so you should be able to get your results pretty quick. Short of something like Wireshark or a HTTP Debugging Proxy, I'm not sure how you'd know.
To help users, I would like my code to discover Oracle databases on the LAN. I thought to do this by first detecting all hosts, then checking each host to see if it is listening on Oracle's default port.
Any ideas how to go about this? Preferably in Java, but any language or algorithm would do.
Are you using DHCP? If so, your DHCP server has a list of the leases it has passed out. That should do you for a list of hosts on the LAN. Then try opening a connection to the Oracle port on each of those hosts and see if it accepts the connection.
It should be pretty simple to implement as a shell script with half a dozen lines or so. Java seems like overkill for something like this. Loop through the leases file, grab the IP from each lease, and telnet to the Oracle port; if it connects, disconnect and print the IP to standard out.
If you want to stay platform-independant, and unless you have access to some kind of database that lists the hosts, the only way to get a list is to try each IP address in the local network - might as well try to connect to the Oracle port on each of them.
There are lots of problems with this approach:
Will only search through the local network, which may only be a small part of the LAN (in case of large companies with lots of subnets)
Can take a long time (you definitely want to reduce the timeout for the connection attempts, but if someone has configured his LAN as a class A network, it will still take forever)
Can trigger all kinds of alerts, such as desktop users' personal firewalls, and intrusion detection systems - because you're doing exactly the same thing someone trying to exploit a security hole in Oracle servers would do
As brazzy points out, scanning for hosts is likely to cause problems, especially if there is a bug in your scanner.
A better approach may be to get the owners of the databases to register them somewhere, for example in a local DNS service (or does Oracle have zeroconf support?), or simply on some intranet webpage or wiki.
You better register the SID names/addresses to some server with a fixed address(maybe with a simple web service), and then query the list from there. Another approach is the bruteforce one (explained by #brazzy) by scanning one or more subnets, but this isn't really a good thing to do.
In case you are looking for a tool Loo#Lan can do this for you. Unfortunately there's no source available...
All of these smart answers are the reasons why many companies do not use the default port. Using a different port for each database is entirely possible, you know.