How do I go about hacking file transfer protocol? Part II

By Adrian Stolarski, December 5, 2012

In the previous part of this article series, we introduced the topic of FTP security and the basics of how the protocol works. After reading that article, you should already have a basic understanding of FTP. Is this all you need to know? Can more information about the various modes be useful? I discuss a little theory first, and then we start the preparation for the attack. So, to not bore you too much, let's get started.

Quick return to active and passive mode


To start, we will analyze the two ways a data connection is set up: the active mode and the passive mode.

In the case of active mode, the situation is as follows. The client obtains one of the ephemeral ports from its operating system. On most systems these ports are in the range 1024 to 5000, but on Solaris they are in the range 32768 to 65535, and other exceptions may occur as well. The client then listens on that port, waiting for the server to connect to it, and tells the server the port number by means of the PORT command. Now it is the server's turn. It receives the client's port number and performs an active open towards that port, using, as a rule, port number 20 on the server side.

The second mode of FTP connection is the so-called passive mode. Here is the pattern of a passive connection. First, our client sends the server a request to use passive mode. The server obtains a temporary port from its operating system and starts listening on it for the client to connect. It then tells the client the number of that port; for this purpose, in the author's description, the server uses the PORT command. The client receives the server's port number and opens the data connection to that port.

How does the data connection work in practice?

Now it is time to gain some practical skills and look at a specific example. Do you remember what we did in the previous article? Oh yes, we retrieved a file named README.TXT. Let's take that situation again: after a successful connection and a valid login to the system, the user downloads a file called README.TXT. It may seem that nothing bad can happen, but where can it go wrong? The answer is simple. See for yourself: an intruder can exploit the gap in FTP and connect to the port the client opened before the real server gets to it. This one simple flaw, which stems from the fact that FTP uses a separate data connection, makes FTP very susceptible to all kinds of attacks based on impersonating another computer.

As can be seen from the descriptions of active and passive connections, in order to send the file requested by the client the server has to perform a certain action: in the active mode it opens a data connection to the port specified by the client, which the client announced through the PORT command. And here lies the main weakness of FTP. The client never checks whether the computer that makes this connection is actually the server it wanted to talk to. The very fact that FTP uses a separate data connection makes the protocol extremely vulnerable to any attack that involves impersonating another computer. Simple, isn't it?
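The check the article says FTP clients do not perform can be written down quite easily. The following Python is an added example, not code from the original article: it decodes the RFC 959 `h1,h2,h3,h4,p1,p2` address form used by the PORT command and by the server's 227 reply to PASV (in RFC 959 the passive-mode exchange is the client's PASV command answered by that 227 reply), classifies a control-channel transcript as active or passive, and flags whether the announced data endpoint actually belongs to the peer of the control connection. The transcripts and addresses below are constructed for the example.

```python
import re

# Constructed sample control-channel exchanges (not real captures).
# "C:" lines are sent by the client, "S:" lines by the server.
SAMPLE_PASSIVE = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,7,195,80).",
    "C: RETR README.TXT",
]
SAMPLE_ACTIVE = ["C: PORT 192,0,2,10,4,1", "C: RETR README.TXT"]

HOSTPORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
PASV_REPLY_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_hostport(text):
    """Decode 'h1,h2,h3,h4,p1,p2' (RFC 959) into an (ip, port) tuple."""
    m = HOSTPORT_RE.match(text.strip())
    if not m:
        raise ValueError("malformed host/port string: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % text)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]      # p1 is the high byte, p2 the low byte
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ip, port


def classify_session(lines, control_peer):
    """Return (mode, (ip, port), trusted) for a transcript of one FTP session.

    control_peer is the IP address of the other end of the control connection.
    The endpoint is 'trusted' only if it names that same host and a port in the
    ephemeral range the article describes (>= 1024), i.e. the check the article
    says FTP clients never make.
    """
    mode, endpoint = None, None
    for line in lines:
        who, _, text = line.partition(": ")
        if who == "C" and text.upper().startswith("PORT "):
            mode, endpoint = "active", parse_hostport(text[5:])
        elif who == "S" and text.startswith("227"):
            m = PASV_REPLY_RE.match(text)
            if not m:
                raise ValueError("unparseable 227 reply: %r" % text)
            mode, endpoint = "passive", parse_hostport(m.group(1))
    if mode is None:
        return None, None, False
    trusted = endpoint[0] == control_peer and endpoint[1] >= 1024
    return mode, endpoint, trusted
```

Run against `SAMPLE_PASSIVE` with a control peer of 198.51.100.7 the session is classified as passive on port 50000 and trusted; the same transcript seen from a control connection to a different host is flagged, which is exactly the impersonation case the article describes.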

So, are attacks on FTP possible?

Honestly, the answer to this question is yes. After all, we already know how FTP works, so in theory we are ready for this type of attack. But we do not yet know which types of attack are possible and what conditions have to be satisfied for such an attack to succeed. In fact, the most dangerous attack that can be carried out in practice is to impersonate the FTP server and send the client a different file in place of the one it really wanted to download. For this attack to be completely successful, an attacker would need to know the answers to three basic questions:

  • At what point do you actually use FTP?
  • When the protocol is used, is it in active mode or passive mode?
  • Which port is opened for establishing a data connection?

So, how do we know when a victim is using FTP? There are a lot of ways to answer that question. For now, a simple answer: does FTP use encryption? Of course not, and because of this an intruder has one major option, namely eavesdropping on FTP sessions, which makes it easy to find out when the user actually uses FTP. Then look at systems that support multiple users logged in simultaneously. On such systems there are many tools that show whether another user or the system administrator is active; the UNIX ps command alone is enough for an intruder to notice that another user has started an FTP session. In addition, an attacker can reason about the circumstances in which FTP is likely to be used, and that usually makes it possible to predict when the victim will actually use it. How can an intruder do that?

At what point do you use FTP?

Well, for this article I allowed myself to come up with some scenarios that show how one can determine when a victim will use FTP and how an attacker can benefit from that FTP session. The first example is really quite trivial and involves ordinary web browsing. How does it work? The case is very simple. An attacker can of course create a website and put on it links to some fabricated, interesting-sounding programs that are located on public FTP servers. In this way there is almost a 100% probability that someone will want to download the software, and they will do so using the browser's built-in FTP support.

Another interesting piece of software that can come to our aid is actually very serious software that is now used almost everywhere: the software used to build computational clusters. In such an environment files are exchanged all the time, with virtually no break in the exchange. Where can this go wrong? Every time a user starts a calculation, a large number of files has to be transferred to multiple computers, and all of the files transmitted between the computers use FTP.

As a third example, I'll tell you about another interesting case: the automatic download of system updates. What does this type of software do? A system update is a recurring download of the latest patches and versions of the programs we use from the operating system vendor. Updates almost always happen at a specific time, so one might expect that time to be difficult to determine, but that is not so. If you look at the popular operating systems, the time is easy to determine because it is always selected by default during installation. In addition, according to the author, Microsoft's systems never check automatic updates with any antivirus and treat them as trusted. This is a very serious security weakness that Microsoft still isn't doing anything about, so maybe it is intentional?

How to determine whether passive or active mode is used?

Now that we have established that beautiful moment when the victim begins to use FTP, we can move on to the next item. As an intruder, we need to know in which mode the user's software will operate. Obviously there are many possible ways to extract such information, and, as in the previous case, it is best to listen in on FTP sessions. A very useful piece of information, however, is that the default mode of FTP is active. Beyond that, the choice of mode is not much affected by things like network topology. Note one very important thing, though: sometimes, when a machine that uses FTP sits outside a firewall or NAT, the connection will always use passive mode.

Going back to the three scenarios we have presented, let's look at them a second time. The first scenario is, as usual, our beloved web browser. Internet Explorer, for example, always uses the default active mode, while Firefox uses passive mode. This information can be collected with a simple PHP script using the $_SERVER array, which, among other things, allows an attacker to correctly determine which mode the FTP connection will use.

Now it's time for the software used to build a computational cluster. In this case the FTP mode of operation will depend mainly on the type of operating system, because the cluster software uses the default FTP client of the system it runs on. So, for example, using OS fingerprinting techniques, all an intruder needs to know is the victim's operating system. I prepared a little cheat sheet for you. Here it is:

Primary Operating systems, where the client defaults to active mode

  • Linux
  • Windows
  • Sun Solaris and the whole SVR (System V) family of UNIX

Secondary Operating systems, where the client uses the default passive mode

  • SuSE Linux
  • UNIX operating systems based on BSD

And what about downloading system updates? In this case too, of course, the victim system will use an FTP client, so here as well we can readily determine the mode of the data connection.

As you can see, we are already a step further. Practically, we now know how it all works. In addition, we discussed two basic principles that allow you to identify the type of connection, and which FTP mode each operating system defaults to. We also know everything about how FTP works, and we have started preparations for the attack on the FTP session. You really have a lot of information that will certainly be useful in the following articles of this series. And what happens next?


In the next section, we begin by identifying the port used by the FTP data connection. Then I proceed to the attack on FTP and analyze all the places where an FTP session can be attacked, go through every possibility that exists, and finally show how to prevent them. Do not be afraid, it will be really easy. That is the end of this section, and as always, I invite you to the next part. Greetings!

Adrian Stolarski

Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.