FTP (File Transfer Protocol) is used to communicate and transfer files between computers. Typically, the FTP service runs on unsecured TCP port 21 or secured TCP port 990. The client and server establish a control channel through TCP port 21 and a data channel via TCP port 20. Depending on the configuration, FTP may use only TCP port 21 or both TCP port 20 and TCP port 21. FTP has active and passive connection modes.
In a non-firewalled client environment, communication can happen in active mode. The client connects from a random unprivileged port (N > 1024) to the FTP server's port 21. Then, the client starts listening on port M (M > 1024) and sends the FTP command PORT M to the FTP server. The server then initiates a connection back to the client's specified data port M from its local data port 20. See FTP Active Connection Mode Communication traffic flow.
In a firewalled client environment, passive mode is used. The client initiates a connection to the FTP server's port 21 from a random unprivileged port (N > 1024) and issues the FTP command PASV. As a result, the server opens a random unprivileged port (P > 1024) and sends the FTP command PORT P back to the client. The client then initiates a connection from port M (M > 1024) to port P on the server to transfer data. See FTP Passive Connection Mode Communication traffic flow.
It is important to note that while observing the traffic on the wire we may only see the control port traffic due to how the FTP server was configured.
Common FTP Server Applications
- Unix systems
  - vsftpd (Very Secure FTP Daemon)
  - ProFTPD
  - Pure-FTPd
- Windows systems
  - Core FTP Server
  - IIS (Internet Information Services)
  - FileZilla Server
Common FTP Commands
COMMAND | USAGE | DESCRIPTION |
---|---|---|
ABOR | ABOR | abort a file transfer |
CWD | CWD $FOLDERNAME | change working directory |
DELE | DELE $FILENAME | delete a remote file |
HELP | HELP command | show commands supported/details |
LIST | LIST $FOLDERNAME | list a remote directory |
MKD | MKD $FOLDERNAME | make a remote directory |
PASS | PASS $PASSWORD | send password |
PASV | PASV | enter passive mode |
PORT | PORT a1,a2,a3,a4,p1,p2 | open a data port where address a1.a2.a3.a4, port ((p1 x 256) + p2) |
PWD | PWD | print working directory |
QUIT | QUIT | terminate the connection |
RETR | RETR $FILENAME | retrieve a remote file |
RMD | RMD $FOLDERNAME | remove a remote directory |
RNFR/RNTO | RNFR $OLD_FILENAME RNTO $NEW_FILENAME | rename a file |
STOR | STOR $FILENAME | store a file on the remote host |
TYPE | TYPE $DATATYPE | set transfer type |
USER | USER $USERNAME | send username |
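Because the data channel's endpoint is negotiated on the control channel, a monitoring rule can recover it from control traffic alone. The following is an added example, not code from the original page: it decodes the a1,a2,a3,a4,p1,p2 field from PORT commands and from the server's reply to PASV, and notes when a password crosses the wire in cleartext. The function names, the `227 Entering Passive Mode (...)` reply format (from RFC 959, not shown on this page) and the sample session are assumptions made for the illustration.

```python
import re

# Six comma-separated decimal fields, a1,a2,a3,a4,p1,p2, not embedded in a longer number.
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def decode_hostport(text):
    """Return (ip, port) from an 'a1,a2,a3,a4,p1,p2' field, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def analyze_control_channel(lines):
    """Walk (direction, line) pairs; 'C' = client to server, 'S' = server to client."""
    findings = []
    pasv_pending = False
    for direction, line in lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if direction == "C" and verb == "PASS":
            findings.append(("cleartext-password", None))  # value deliberately not recorded
        elif direction == "C" and verb == "PORT":
            findings.append(("active-data-endpoint", decode_hostport(arg)))
        elif direction == "C" and verb == "PASV":
            pasv_pending = True
        elif direction == "S" and verb == "227" and pasv_pending:
            findings.append(("passive-data-endpoint", decode_hostport(arg)))
            pasv_pending = False
    return findings

# Constructed sample session (documentation addresses, not captured traffic).
SAMPLE = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS example-password"),
    ("S", "230 Login successful"),
    ("C", "PORT 192,0,2,10,19,137"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),
]

if __name__ == "__main__":
    for finding in analyze_control_channel(SAMPLE):
        print(finding)
```

An endpoint of None in a finding means the host/port field was malformed, which is itself worth logging.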
Common Vulnerabilities
- Path Traversal: CWE-37
- Information Disclosure: CWE-200, CWE-220, CWE-319
- Improper Access Control: CWE-284
Known Attack Vectors
Security Best Practices
- Deploy the secure FTPS implementation or, preferably, SFTP, which runs over the SSH protocol.
- Enable authentication with a strong password policy.
- Enable file access control policy.
- Disable the application version fingerprint.
- Configure CIDR/IP range whitelist if necessary.
Exploitation
Almost no FTP implementation can execute a shell command directly, but FTP is well suited to information disclosure, file upload and exfiltration. An attacker who encounters an FTP service will typically want to know:
- What valuable information they can find including hidden contents.
- Whether they can perform path traversal to reach other valuable contents.
- Whether they can upload a malicious file and execute it through another service.