- file transfer protocol (FTP) runs at the application layer like HTTP
- used to push/pull files to/from a server
- client and server establish control channel on TCP port 21
- client sends commands to server, and server returns status codes
- both communicants can establish a data channel on TCP port 20
- active mode: client establishes connection via TCP port 21 and informs server which client-side port it can send its responses to
- passive mode: if a FW is present the server cannot reply, so the server announces a port through which the client can establish a data channel, and the client initiates the connection so the FW does not block the transfer
- client issues commands and server responds with a status code indicating whether command was successful
- usually need credentials to access FTP
- however, credentials are provided in plain-text
- anonymous access may be enabled

## FTP Status Codes

| status code | description                                                                                     |
| ----------- | ----------------------------------------------------------------------------------------------- |
| 1xx series  | requested action initiated, expect another reply before proceeding with new command             |
| 2xx series  | requested action has been successfully completed                                                |
| 3xx series  | command is not acceptable, but the requested action is on hold, pending receipt of further info |
| 5xx series  | syntax error, command unrecognized and requested action did not occur                           |
| 6xx series  | replies regarding confidentiality and integrity                                                 |

## Footprinting FTP

```bash
#nmap ftp recon
sudo nmap -sC -sV -A -p21 <target_ip>
sudo nmap -sC -sV -A -p21 <target_ip> --script-trace #show packet traffic associated with scripts
#by default -sC runs: ftp-anon, ftp-bounce, and ftp-syst scripts

#indirect interaction (banner grabbing)
nc -nv <target_ip> 21
telnet <target_ip> 21
openssl s_client -connect <target_ip>:21 -starttls ftp
```

### NSE Scripts

```bash
sudo nmap --script-updatedb #update the NSE script database (scripts located in /usr/share/nmap/scripts)
find / -type f -name 'ftp*' 2> /dev/null | grep scripts #find ftp related NSE scripts
sudo nmap -p21 --script <script_name> <target_ip>
```

### Anonymous FTP Login

```bash
ftp <target_ip> #anonymous login command
wget -m --no-passive ftp://anonymous:anonymous@<target_IP> #pull all files with anon login
```

# FTP Interactive Command Examples

```shell
#example non-standard interactive ftp commands
ftp> ls #list directory contents
ftp> ls -R #recursively list directory
ftp> LIST -R #recursively list directory
ftp> status #return status info
ftp> help #returns help info
ftp> debug #return debug state: on/off
ftp> trace #return packet tracing state: on/off
ftp> get file_name.txt #download file
ftp> put file_name.txt #upload file
ftp> exit
```

# FTP Standard Commands

- IETF RFC 959 default commands
- not all commands are consistently implemented by servers

| command | description                                                             |
| ------- | ----------------------------------------------------------------------- |
| ABOR    | abort active transfer                                                   |
| ACCT    | account info                                                            |
| CDUP    | change to parent directory                                              |
| CSID    | client/server identification                                            |
| CWD     | change working directory                                                |
| DELE    | delete file                                                             |
| DSIZ    | get directory size                                                      |
| HELP    | return help doc                                                         |
| LIST    | info for current working directory or info for specified file/directory |
| MKD     | make directory                                                          |
| NLST    | return list of files in specified directory                             |
| PASS    | authentication password                                                 |
| PWD     | print working directory                                                 |
| QUIT    | disconnect                                                              |
| RMD     | remove directory                                                        |
| STOR    | accept data and store as file at server                                 |
| SYST    | return system type                                                      |
| USER    | authentication username                                                 |

# vsFTPD

- most-used FTP server on Linux distros
- `sudo apt install vsftpd` to install on a system
- default config found in `/etc/vsftpd.conf`
- `/etc/ftpusers` used to blacklist specified users

## dangerous config settings

| setting                        | description                                                                   |
| ------------------------------ | ----------------------------------------------------------------------------- |
| anonymous_enable=yes           | allow anonymous login                                                         |
| anon_upload_enable=yes         | allow anonymous to upload files                                               |
| anon_mkdir_write_enable=yes    | allow anonymous to create new directories                                     |
| no_anon_password=yes           | do not ask anonymous for password                                             |
| anon_root=/home/<username>/ftp | directory for anonymous                                                       |
| write_enable=yes               | allow usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE |

# TFTP

- simpler than FTP
- no authentication
- uses UDP port 69

| command | description                                                                             |
| ------- | --------------------------------------------------------------------------------------- |
| connect | sets remote host, and optionally the port                                               |
| get     | transfers one or more files to local host                                               |
| put     | transfers one or more files to remote host                                              |
| quit    | disconnect                                                                              |
| status  | show current status info such as transfer mode, connection status, time-out value, etc. |
| verbose | enables verbose mode                                                                    |
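
Added example (not part of the original notes and not vsFTPD's own code): a Python check that reads `vsftpd.conf` text and reports which settings from the vsFTPD "dangerous config settings" table are explicitly enabled. The names `parse_conf`, `audit` and `SAMPLE_CONF` are hypothetical; it assumes the last occurrence of an option wins and that `YES`, `TRUE` and `1` count as enabled in any letter case.

```python
# Added example: flag the settings from the "dangerous config settings" table.
RISKY_BOOLEANS = {
    "anonymous_enable": "allow anonymous login",
    "anon_upload_enable": "allow anonymous to upload files",
    "anon_mkdir_write_enable": "allow anonymous to create new directories",
    "no_anon_password": "do not ask anonymous for password",
    "write_enable": "allow STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE",
}
TRUTHY = {"YES", "TRUE", "1"}  # assumption: spellings treated as enabled, any case

def parse_conf(text):
    """Return {option: (value, line_no)}; assumes the last occurrence wins."""
    settings = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and lines that are not option=value
        key, value = line.split("=", 1)
        settings[key.strip()] = (value.strip(), line_no)
    return settings

def audit(text):
    """Return sorted (line_no, option, reason) findings for enabled risky options."""
    settings = parse_conf(text)
    findings = []
    for option, reason in RISKY_BOOLEANS.items():
        value, line_no = settings.get(option, ("", 0))
        if value.upper() in TRUTHY:
            findings.append((line_no, option, reason))
    if "anon_root" in settings:  # not a boolean: report the configured directory
        path, line_no = settings["anon_root"]
        findings.append((line_no, "anon_root", "directory for anonymous: " + path))
    return sorted(findings)

# Constructed sample config, not taken from a real host.
SAMPLE_CONF = """\
anonymous_enable=NO
write_enable=YES
anonymous_enable=yes
anon_upload_enable=YES
#anon_mkdir_write_enable=YES
no_anon_password=NO
anon_root=/srv/ftp/pub
"""

if __name__ == "__main__":
    for line_no, option, reason in audit(SAMPLE_CONF):
        print(f"line {line_no}: {option} -> {reason}")
```

Only options that are explicitly set are reported; compiled-in defaults are not evaluated, so an option missing from the file still needs to be checked against the server's defaults.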