APR-FTPS enables the capture and decryption of FTPS traffic between hosts. It works in conjunction with Cain's Certificate Collector to inject fake certificates into SSL sessions previously hijacked by means of APR. Using this trick, it is possible to decrypt encrypted data before it arrives at the real destination, performing a so-called Man-in-the-Middle attack.


Currently this feature supports the "implicit" FTPS protocol only, which by default uses TCP port 990. You can grab and prepare spoofed certificates in advance using Cain's Certificate Collector, as shown in the following picture.


Prerequisites

This feature needs APR to be enabled and a Man-in-the-Middle condition between the FTPS server and the victim host.

The APR SSL spoofing features require a direct TCP/IP connection between the attacker machine and the SSL-enabled server. To handle spoofed communications, Cain must be able to reach the remote SSL server without the use of proxy servers.

Limitations

This feature does not work like a proxy server; because it uses the WinPcap driver, it cannot decrypt FTPS sessions initiated from the local host.

Usage

After you successfully set up APR and enable the FTPS sniffer filter, sessions are automatically saved in the FTPS subdirectory and can be viewed using the relevant function in the list pop-up menu.
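The interception described on this page only works if the client accepts a certificate other than the server's real one, so a client-side pin check detects it. The following is an added example, not part of Cain or its documentation: it retrieves the certificate an implicit FTPS server presents on port 990 and compares its SHA-256 fingerprint with one recorded in advance over a trusted path. The function names, the host name used in testing, and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

IMPLICIT_FTPS_PORT = 990  # default implicit FTPS port named on this page


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned_fps) -> bool:
    """True only if the presented certificate equals a pinned one."""
    seen = fingerprint(der_cert)
    # Accept pins recorded as 'AA:BB:..' or 'aabb..'.
    pins = [p.replace(":", "").lower() for p in pinned_fps]
    return any(hmac.compare_digest(seen, p) for p in pins)


def fetch_server_cert(host: str, port: int = IMPLICIT_FTPS_PORT) -> bytes:
    """Return the DER certificate an implicit FTPS server presents."""
    # Implicit FTPS starts TLS right after the TCP connect, before any FTP
    # command. Chain validation is off on purpose: the pin comparison is the
    # trust decision, and a substituted certificate must be retrievable.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(host: str, pinned_fps, fetch=fetch_server_cert) -> dict:
    """Fetch the certificate and report whether it matches a pin."""
    der = fetch(host)
    return {"host": host, "sha256": fingerprint(der),
            "trusted": matches_pin(der, pinned_fps)}


# Constructed stand-ins for DER bytes (not real certificates), so the
# comparison logic can be exercised offline.
GENUINE = b"constructed-genuine-certificate-bytes"
SUBSTITUTED = b"constructed-substituted-certificate-bytes"
PINS = [fingerprint(GENUINE).upper()]
```

A result with `trusted` set to false means the certificate seen on the wire is not the one that was recorded, and the session should be refused before any credentials are sent.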