

Today I figured out that FileZilla uses PuTTY’s registry key (HKCU\SOFTWARE\SimonTatham\PuTTY\SshHostKeys) to cache SSH fingerprints.

This morning, I connected to my server over SFTP with FileZilla, and got this prompt:

I logged in over SSH, and my SSH client did not show a warning. I checked the fingerprint on my server, and it matched the one presented by FileZilla.

What’s going on here? I started to search through FileZilla configuration files (XML files) looking for the cached fingerprints, and found nothing. Then I went to the registry, but there’s no FileZilla entry under my HKCU Software key.

Then I’m taking a look with ProcMon to figure out where FileZilla caches its fingerprints. After some searching, I found the answer:

And indeed, when I start FileZilla again and allow it to cache the key, it appears in PuTTY’s registry keys.

One last check: I modified the registry entry and started FileZilla again:

And now FileZilla warns me that the key is different. That confirms that FileZilla reads and writes PuTTY’s registry fingerprint cache.

So that answered my question: “Why did FileZilla warn me this morning?” “Because the key was not cached”.

But then I was left with another question: “Why is the key no longer cached, because it was cached?”

Well, I started to remember that some days ago today, I had been experimenting with PuTTY’s registry keys. I most likely deleted that key (PuTTY is not my default SSH client).

Thanks to Nicolas for pointing out that fzsftp is based on PuTTY: I verified the last-write timestamp for PuTTY’s registry key, and indeed, 4 days ago it was last written to.
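The two registry checks from the post (which host keys are cached, and when the key was last written) can be scripted; this is an added example, not code from the original post. It assumes PuTTY's value-name layout `keytype@port:host`, which the post does not show, and the function names are hypothetical.

```python
import sys
from datetime import datetime, timedelta, timezone

# Registry key named in the post, relative to HKEY_CURRENT_USER.
KEY_PATH = r"SOFTWARE\SimonTatham\PuTTY\SshHostKeys"


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


def parse_value_name(name):
    """Split a value name of the assumed form 'keytype@port:host'."""
    keytype, at, rest = name.partition("@")
    port, colon, host = rest.partition(":")  # host may itself contain ':' (IPv6)
    if not (at and colon and keytype and port.isdigit() and host):
        raise ValueError(f"unexpected value name: {name!r}")
    return keytype, int(port), host


def read_cache():
    """Return (last_write_utc, [(keytype, port, host), ...]) for the key."""
    import winreg  # standard library, Windows only

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        _subkeys, value_count, last_write = winreg.QueryInfoKey(key)
        names = [winreg.EnumValue(key, i)[0] for i in range(value_count)]
    return filetime_to_utc(last_write), [parse_value_name(n) for n in names]


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("This check reads the Windows registry; run it on Windows.")
    try:
        last_write, entries = read_cache()
    except FileNotFoundError:
        sys.exit(f"HKCU\\{KEY_PATH} does not exist: no host keys are cached.")
    print(f"Key last written: {last_write:%Y-%m-%d %H:%M:%S} UTC")
    for keytype, port, host in entries:
        print(f"{host}:{port}  {keytype}")
```

A last-write time that does not match any connection you remember making with PuTTY or FileZilla means something else added, changed or deleted a cached host key.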
