Mailing List Join us on Google+ Twitter facebook RSS Feeds
Exposing the Password Secrets of WS_FTP Professional
Exposing the Password Secrets of WS_FTP Professional
See Also
About WS_FTP Professional
WS_FTP Professional (version 12.3) is one of the popular FTP client from Ipswitch who has proven its continued innovation in all the products. WS_FTP helps to securely transfer files with lightning-fast transfer speeds, industry-leading security and includes time-saving automation features. With over 40 million users, WS_FTP Professional is the world's most popular file transfer client.

In this article, we will expose internal details of where WS_FTP Professional stores the FTP account passwords, its encryption algorithm and how to decrypt this encrypted password using the practical code example.
Password Storage Location of WS_FTP
WS_FTP stores all the configured FTP account & password information in the file "ws_ftp.ini" at following location
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Ipswitch\WS_FTP\Sites\

[Windows Vista & Windows 7]
Here is the sample of ws_ftp.ini file [other details are snipped for clarity purposes]
[securityxploded ftp site]
Username and password for each FTP site is stored after fields "uid=" and "pwd=" respectively as shown above.
Internals of WS_FTP Password Encryption
WS_FTP uses strong crypto algorithm with secret magic key for protecting the stored secrets from privy eyes.

To understand more, lets look at stored password from the sample file
Here the first character ( _ ) is redundant, which is often used to confuse the hackers. Rest of the text is Base64 encoded value of the encrypted password. Once you decode it you will see 'Triple DES' encrypted value of original password.

Here is the 24 byte magic key used in Triple DES encryption
0xE1, 0xF0, 0xC3, 0xD2, 0xA5, 0xB4, 0x87, 0x96,
0x69, 0x78, 0x4B, 0x5A, 0x2D, 0x3C, 0x0F, 0x1E,
0x34, 0x12, 0x78, 0x56, 0xab, 0x90, 0xef, 0xcd
WS_FTP Password Decryption Operation
As mentioned earlier, WS_FTP Professional (version 12.3) uses 'Triple DES' algorithm with secret magic key to secure the stored FTP passwords.

Before you proceed to decryption, you have to perform Base64 decoding of the stored data (ignoring the first character). Then you can perform Triple DES decryption of the decoded data.

Here is the sample code which shows how to decrypt the password using OpenSSL's DES crypto functions.
#include <openssl/des.h>

void DecryptPassword(BYTE *byteBase64DecodedData, DWORD dwDataSize)

//Magic key used by WS_FTP
BYTE magic_key[] = {
0xE1, 0xF0, 0xC3, 0xD2, 0xA5, 0xB4, 0x87, 0x96,
0x69, 0x78, 0x4B, 0x5A, 0x2D, 0x3C, 0x0F, 0x1E,
0x34, 0x12, 0x78, 0x56, 0xab, 0x90, 0xef, 0xcd

// Set up the key and iv vector for decryption
DES_key_schedule key_schedule1, key_schedule2, key_schedule3;

DES_set_key_unchecked((const_DES_cblock *)&magic_key[0], &key_schedule1);

DES_set_key_unchecked((const_DES_cblock *)&magic_key[8], &key_schedule2);

DES_set_key_unchecked((const_DES_cblock *)&magic_key[16], &key_schedule3);

DES_cblock iVector;
memcpy(iVector, &magic_key[16], sizeof(DES_cblock));

//Perform the Triple DES Decryption now
BYTE byteDecryptData[1024];

byteDecryptData[0] = 0;

DES_ede3_cbc_encrypt(byteBase64DecodedData, byteDecryptData, dwDataSize, &key_schedule1, &key_schedule2, &key_schedule3, &iVector, 0);

if( *byteDecryptData == 0 )
printf("Triple-DES Decryption failed");

printf(" ***** Success ********* Decrypted password is [%s]", byteDecryptData);

Above code is self explainatory, 'DecryptPassword' function takes input as decoded Base64 data and its size as parameter. First it sets up the key and iv vector using the magic key used by WS_FTP and then performs the decryption using DES_ede3_cbc_encrypt function passing 0 as last parameter to indicate decryption operation.
Recovering WS_FTP Password using WS_FTPPasswordDecryptor
WS_FTP Password Decryptor is the FREE software to instantly recover FTP login passwords stored by WS_FTP Professional. You can either use it to automatically recover the stored passwords from local system or recover passwords from remote machine by manually feeding WS_FTP "ws_ftp.ini" file.
It presents both GUI as well as command line interface which will be useful for Penetration Testers & Forensic investigators.It works on most of the Windows platforms starting from Windows XP to latest operating system, Windows 7.
Above article exposes how WS_FTP professional stores the FTP account password after encryption using the Triple DES algorithm and presents sample code to decrypt the same to recover the original password.

Note that this article does not state that algorithm used by WS_FTP software is weak or insecure in anyway. In fact WS_FTP professional uses strongest double layer of password encryption using Triple DES and Base64 to make it as secure as possible. However user should be aware of the fact that any password can be crackable and leaving your system in attacker's hands is not good idea.
See Also