How to spoof SFTP?

Question

Is there anyway to spoof an organisation that distributes files across the internet via SFTP?

I know it's easy to spoof an IP address. But how easy is it to an SFTP link?

Answer 1

You are profoundly mistaken as spoofing an IP address on the Internet is only doable with UDP requests and incomplete connection attacks since TCP needs bidirectional communications to connect. SFTP uses TCP for its communication.

If you were able to do a man in the middle attack (which is obviously more complex than you think), it would most likely be able to steal the username and password from those that you are targeting since people often do not worry about certificate warnings with SFTP.

Note that implementing a man in the middle attack or an IP address spoof that targets a local client is incredibly simple if you control the router and are sufficiently skilled, but that is not the case for Internet wide attacks.

Answer 2

But how easy is it to an SFTP link?

This entirely depends on the user's vigilance. SFTP (not to be confused with FTPS) is a file transfer protocol that uses SSH protocol. The security properties of SFTP, therefore is quite similar to SSH.

The first time you connect to an SFTP server, your SFTP client should show you the server's certificate fingerprint. The user must check this fingerprint against a trusted source before entering their credentials.

If the user checks the server's fingerprints against a trusted source before connecting, then spoofing/MITMing an SFTP connection should be practically impossible.

If the user doesn't check the server's fingerprint, then the SFTP connection is vulnerable to spoofing/MITM attack. The trust model is TOFU in this case, which is much weaker than strict fingerprint checking.

Most clients would remember the fingerprint, so you don't need to recheck the fingerprint beyond the first time you connect to a new server. If your SFTP client never shows server fingerprints even in first the connection, then uninstall the client.