Sunday, August 28, 2016

Network / FTP Authentication

Link to the challenge: FTP Authentication

When you start the challenge, a file is downloaded (ch1.pcap). This is a packet capture file that you open with Wireshark, so you will need to download that software first. It can be found here. Wireshark is a network analyzer: it captures every packet going through the selected interface and displays its contents. You will need it for almost all of the network challenges.
Once you have installed it, open ch1.pcap with it.

I will quickly go over its interface.

Section 1: This is the list of all packets in the capture. For each packet you can see its number, source IP, destination IP, protocol and length, as well as a short summary of its content.
Section 2: This shows detailed information about the packet selected in section 1. It contains several expandable entries, one per layer of the packet (Physical, IP, TCP, etc.).
Section 3: This shows the raw bytes of the field selected in section 2, in hexadecimal and ASCII.

Let's now look at our ch1.pcap. We can see several packets have been captured. Let's have a look at them.

 1     0.000000     10.20.144.150     10.20.144.151     TCP     74     35974 → 21 [SYN] Seq=0 Win=32648 Len=0 MSS=1380 WS=1 TSval=1657560000 TSecr=0  
 2     0.000320     10.20.144.151     10.20.144.150     TCP     78     21 → 35974 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1356 WS=1 TSval=1657390000 TSecr=1657560000  
 3     0.000570     10.20.144.150     10.20.144.151     TCP     66     35974 → 21 [ACK] Seq=1 Ack=1 Win=32648 Len=0 TSval=1657560000 TSecr=1657390000  
These challenges require some prior knowledge of TCP/IP packets.
You really need to understand this part: TCP Segment Structure.
You will then recognize the first three packets of our file as a typical TCP three-way handshake (SYN, SYN/ACK, ACK).
These packets are not really important here. Let's move on to the next ones, shall we?

 4     0.060630     10.20.144.151     10.20.144.150     FTP     106     Response: 220-QTCP at fran.csg.stercomm.com.  
 6     0.275760     10.20.144.151     10.20.144.150     FTP     126     Response: 220 Connection will close if idle more than 5 minutes.  
We can see that packets 4 and 6 use the FTP protocol. As the challenge is about FTP authentication, let's have a closer look at them.
In packet 4, if we expand the File Transfer Protocol (FTP) entry, we can see:
 File Transfer Protocol (FTP)  
   220-QTCP at fran.csg.stercomm.com.\r\n  
     Response code: Service ready for new user (220)  
     Response arg: QTCP at fran.csg.stercomm.com.  
Apparently, the response code says the service is ready for a new user. Interesting. Let's look at packet 6:
 File Transfer Protocol (FTP)  
   220 Connection will close if idle more than 5 minutes.\r\n  
     Response code: Service ready for new user (220)  
     Response arg: Connection will close if idle more than 5 minutes.  
Here the server tells us that the connection will close after 5 minutes if idle. OK, nothing really interesting so far. Let's keep looking at the next FTP packets.

Packet 8 is really interesting. Here is its FTP content:

 File Transfer Protocol (FTP)  
   USER cdts3500\r\n  
     Request command: USER  
     Request arg: cdts3500  
We can see that the command sent is USER, followed by what looks like a username. If we look at the FTP authentication protocol, we see that to authenticate, the client sends its username with USER and its password with PASS.
You have the username, so now you need to find the password.
But I will let you work on that bit yourself. Now you know how to use Wireshark, and you know what you are looking for. You should be able to find it really quickly.
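To make two points above concrete (what a pcap file actually is, and what the USER/PASS exchange looks like when you follow the control channel), here is an added example that is not code from the original post: a Python script that parses the classic libpcap format by hand, dissects Ethernet/IPv4/TCP the way Wireshark's detail pane does, and follows the FTP control session to report every login whose password crossed the wire in cleartext, which is the check a network sensor would run on this kind of traffic. It assumes a little-endian classic pcap with Ethernet frames (not pcapng) and FTP control traffic on TCP port 21. The sample capture is constructed inside the script: the addresses, ports, 220 banner and USER line are the ones quoted above, while the 331/PASS/230 lines and the password are made up and are not the challenge's answer.

```python
import struct

# Assumptions: classic little-endian libpcap (not pcapng), Ethernet link type, FTP control on TCP/21.
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FTP_CONTROL_PORT = 21

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying one FTP control line (checksums left at zero)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)                     # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1472400000, i * 1000, len(frame), len(frame)) + frame
    return out

def iter_pcap_frames(data):
    """Yield (timestamp, frame) per record: the rows Wireshark shows in its packet list."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def parse_tcp(frame):
    """Dissect Ethernet -> IPv4 -> TCP (the layers in Wireshark's detail pane); None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                              # IP protocol 6 = TCP
        return None
    src_ip, dst_ip = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, tcp[data_offset:]

def find_cleartext_ftp_logins(pcap_bytes):
    """Follow each FTP control session; report USER/PASS logins and their outcome, never the password itself."""
    sessions = {}   # (client_ip, client_port, server_ip) -> {"user": ..., "pass_seen": bool}
    findings = []
    for _ts, frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None or not parsed[4]:
            continue
        src_ip, dst_ip, sport, dport, payload = parsed
        if dport == FTP_CONTROL_PORT:
            key, from_client = (src_ip, sport, dst_ip), True
        elif sport == FTP_CONTROL_PORT:
            key, from_client = (dst_ip, dport, src_ip), False
        else:
            continue
        state = sessions.setdefault(key, {"user": None, "pass_seen": False})
        for line in payload.decode("ascii", "replace").splitlines():
            if from_client:
                cmd, _, arg = line.partition(" ")
                if cmd.upper() == "USER":
                    state["user"] = arg
                elif cmd.upper() == "PASS":
                    state["pass_seen"] = True
            elif len(line) >= 4 and line[:3].isdigit() and line[3] == " " and state["pass_seen"]:
                # A final reply (code followed by a space) after PASS closes the attempt: 230 accepted, 530 rejected
                code = int(line[:3])
                findings.append({"client": key[0], "server": key[2], "user": state["user"],
                                 "result": {230: "accepted", 530: "rejected"}.get(code, f"reply {code}"),
                                 "password_in_cleartext": True})
                sessions[key] = {"user": None, "pass_seen": False}
    return findings

# Constructed sample session. Addresses, ports, the 220 banner and the USER line are those quoted in the
# post; the 331/PASS/230 lines and the password are made up for the demo and are NOT the challenge's answer.
CLIENT, SERVER = "10.20.144.150", "10.20.144.151"
SAMPLE_FRAMES = [
    build_frame(SERVER, CLIENT, 21, 35974, b"220-QTCP at fran.csg.stercomm.com.\r\n"),
    build_frame(CLIENT, SERVER, 35974, 21, b"USER cdts3500\r\n"),
    build_frame(SERVER, CLIENT, 21, 35974, b"331 Enter password.\r\n"),
    build_frame(CLIENT, SERVER, 35974, 21, b"PASS not-the-real-password\r\n"),
    build_frame(SERVER, CLIENT, 21, 35974, b"230 Logged on.\r\n"),
]

def demo():
    return find_cleartext_ftp_logins(build_pcap(SAMPLE_FRAMES))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it prints one finding for user cdts3500 with the result accepted and without the password itself; a 530 reply would be reported as rejected, and a run of rejected findings for one client is the signal you would count to spot password guessing against an FTP server. In Wireshark the equivalent manual steps are Follow > TCP Stream on the control connection, or the display filter ftp.request.command == "PASS" to jump straight to the packet in question.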

As always, don't hesitate to comment or ask for help if you can't manage it.
See you soon for another challenge.
