I always keep my frequently used files in my FTP server, at the same time, and i have my password saved in my FTP client in my laptop as well. So when i need to login to my FTP server from another machine, i was like “hmm…. what was my password now?”
Since FTP is run via plain text, there is no encryption at all. So i have recovered my password via TCPDUMP and the username and password are “everyone”.


netuser@HK1401-KVM:~$ sudo tcpdump -n  -vvv -i enp6s0 -A -f “port 2121” | grep -i “user\|pass”
E..7|[email protected].&….”..b….I…….3P…_…USER everyone
E..L.E..?…..b….”.I…..3….P.}x.0..331 Password required for everyone
E..7|#@.v.&….”..b….I…….WP…V…PASS everyone
E..k.I..?…..b….”.I…..W….P.}x….230-Welcome user everyone@<source IP adderss> to 127.0.1.1 FTP server.
E..E.M..?…..b….”.I……….P.}x….230 User everyone logged in
Let me break down the syntax.
sudo – to run the tcpdump in super user mode, it is not necessary if running with root.
tcpdump – this is the program name.
“-n” – to stop resolve and show the IP address with domain name.
“-vvv” – to display more packet data on the screen.
“-i enp6s0” – to run the tcpdump on the interface of enp6s0 only.
“-A” – to display the packet in ASCII (think of it as human readable form)
“-f “port 2121″” – to capture the packets that is related to port 2121 only. (this is my ftp server port.)
“| grep -i “user\|pass“” – to filter out the screen output with any lines that has the either user or pass as the keyword.
 
This track can be down with other non encrypted network transfer as well. Hope this can serve with anyone who need to recover their own password. Cheers.