WS_FTP Professional (version 12.3) is one of the popular FTP client
from Ipswitch who has proven its continued innovation in all the
products. WS_FTP helps to securely transfer files with
lightning-fast transfer speeds, industry-leading security and
includes time-saving automation features. With over 40 million
users, WS_FTP Professional is the world's most popular file transfer
client.
In this article, we will expose internal details of where WS_FTP
Professional
stores the FTP account passwords, its encryption algorithm and how to
decrypt this encrypted password using the practical code example.
Password Storage Location of WS_FTP
WS_FTP stores all the configured FTP
account & password information in the file "ws_ftp.ini" at following
location
[Windows XP]
C:\Documents and Settings\<user_name>\Application
Data\Ipswitch\WS_FTP\Sites\
[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Ipswitch\WS_FTP\Sites\
Here is the sample of ws_ftp.ini file
[other details are snipped for clarity purposes]
Here the first character ( _ ) is
redundant, which is often used to confuse the hackers. Rest of the
text is Base64 encoded value of the encrypted password. Once you
decode it you will see 'Triple DES' encrypted value of original
password.
Here is the 24 byte magic key used in Triple DES
encryption
As mentioned earlier, WS_FTP
Professional (version 12.3) uses 'Triple DES' algorithm with secret magic key to
secure the stored FTP passwords.
Before you proceed to
decryption, you have to perform Base64 decoding of the stored data
(ignoring the first character). Then you can perform Triple DES
decryption of the decoded data.
Here is the sample code which
shows how to decrypt the password using OpenSSL's DES crypto
functions.
printf(" ***** Success *********
Decrypted password is [%s]", byteDecryptData);
}
Above code is self explainatory, 'DecryptPassword' function takes
input as decoded Base64 data and its size as parameter. First it sets up
the key and iv vector using the magic key used by WS_FTP and then
performs the decryption using DES_ede3_cbc_encrypt function passing 0 as
last parameter to indicate decryption operation.
Recovering WS_FTP Password Automatically
WS_FTP Password Decryptor is the FREE software to instantly recover FTP
login passwords stored by WS_FTP Professional. You can either use it to
automatically recover the stored passwords from local system or recover
passwords from remote machine by manually feeding WS_FTP "ws_ftp.ini"
file.
It presents both GUI as well as command line interface which will be
useful for Penetration Testers & Forensic investigators.It works on most
of the Windows platforms starting from Windows XP to latest operating
system, Windows 10.
Conclusion
Above article exposes how WS_FTP professional stores the FTP account password
after encryption using the Triple DES algorithm and presents sample code
to decrypt the same to recover the original password.
Note that
this article does not state that algorithm used by WS_FTP software is
weak or insecure in anyway. In fact WS_FTP professional uses strongest
double layer of password encryption using Triple DES and Base64 to make
it as secure as possible. However user should be aware of the fact that
any password can be crackable and leaving your system in attacker's
hands is not good idea.
