File Transfer Protocol (FTP):
File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet.
FTP is a client-server protocol, with separate control and data connections between the client and the server.
FTP enables users to upload, download, and manage files on a remote server. It is often used to transfer website files from a personal computer to a hosting server and is also commonly used to download files from servers to a local computer.
How does FTP work?
To establish an FTP connection, two channels are opened.
The first channel is the control channel, which is established via TCP port 21. The control channel is used for communication between the client and server, where the client sends commands and the server returns status codes.
The second channel is the data channel, which is established via TCP port 20. The data channel is used exclusively for transferring data between the client and server, and the FTP protocol monitors for errors during the transfer.
Figure -1- FTP Connection
- If the connection is lost during a file transfer, the transfer can be resumed once the connection is reestablished.
Lab Structure:
Figure -2- Lab Structure
- In our attack lab, we will use the attacker machine (a Kali Linux virtual machine) and the target machine (a Ubuntu Server 22.04.2 virtual machine).
Download vsFTPd
FTP Server:
I chose vsFTPd because it is easy to configure.
Let's install the vsFTPd FTP server on our Ubuntu server lab using the following command:
# On your ubuntu server terminal
sudo apt-get install vsftpd
The vsFTPd configuration file is located at
/etc/vsftpd.conf
.To view the default enabled settings for the vsFTPd server, use the following command:
# On your ubuntu server terminal
cat /etc/vsftpd.conf | grep -v "#"
- To start, stop, or enable the FTP services, use the following commands:
# Start the ftp service
sudo systemctl start vsftpd
# Stop the ftp service
sudo systemctl stop vsftpd
# restart the ftp service
sudo systemctl restart vsftpd
# enable the ftp service
# (this will let the ftp service run even if you restart the server)
sudo systemctl enable vsftpd
Active vs Passive Mode In FTP:
In FTP, operations can be conducted in one of two modes: active or passive.
Active Mode:
When a user wants to transfer files using FTP in active mode, they connect from a random port on their file transfer client to FTP port 21 on the server.
The client then sends the
PORT
command specifying the port on the client that the server should connect to for the data transfer.The server receives the command and establishes a connection from port 20 to the client port designated for the data channel.
Once the data connection is established, file transfers are made through these client and server ports.
Figure -3- Active Mode | FTP
Enable Active Mode:
- To activate the active mode in vsFTPd, edit the following setting in the
/etc/vsftpd.conf
file:
connect_from_port_20=YES
pasv_enable=NO
- To configure it automatically, execute the following command:
sudo bash -c "echo -e \"connect_from_port_20=YES\npasv_enable=NO\" >> /etc/vsftpd.conf"
- If you need more information about any configuration option at any step, consult the manual page, which can be a valuable resource:
man vsftpd.conf
- After editing the configuration file, remember to restart the FTP service for the changes to take effect. Use the following command:
sudo systemctl restart vsftpd
Active Mode Analysis: Examining Network Traffic with Wireshark:
Open Wireshark on your Kali Linux machine and begin analyzing network traffic on your network interface. In my case, I'm using the
eth0
interface.From your Kali Linux attacker machine, connect to the FTP server using the FTP client with the following command:
# Kali Linux Terminal
ftp 10.0.2.15
- Return to the Wireshark interface, and you'll observe all the traffic generated by your FTP client:
Figure -4- PORT command sent from the client | wireshark traffic analysis
Passive Mode:
The client initiates a connection to the server on port 21, which is the default port for FTP.
The client then sends a PASV command, which tells the server to enter passive mode and wait for the client to establish a connection for data transfer.
The server responds with the port number that it has opened for this purpose.
The client then establishes a new connection to the server on the specified port.
Once this connection is established, the client and server can begin transferring data through these two ports.
The client and server may use different, randomly chosen ports for this purpose, which helps to increase security and prevent interference from other connections.
Figure -5- Passive Mode / FTP
Enable Passive Mode:
- To enable passive mode, simply change the
pasv_enable
value fromNO
toYES
.
# /etc/vsftpd.conf
pasv_enable=YES
Passive Mode Analysis: Examining Network Traffic with Wireshark
Open Wireshark on your Kali Linux machine and begin analyzing network traffic on your network interface. In my case, I'm using the
eth0
interface.From your Kali Linux attacker machine, connect to the FTP server using the FTP client with the following command:
# Kali Linux Terminal
ftp 10.0.2.15
- Return to the Wireshark interface, and you'll observe all the traffic generated by your FTP client:
Figure -6- PASV command sent from the client | wireshark traffic analysis
- From the screenshot above, you can observe the client sending the
PASV
command to the FTP server. This instructs the server to enter passive mode and await the client's connection for data transfer.
Anonymous Login:
One of the most common misconfigurations encountered with FTP services is the allowance of anonymous logins. This lets anyone connect to the FTP using the
anonymous
account, typically withanonymous
as the username and eitheranonymous
as the password or no password at all.Such a configuration can pose significant risks to a company if the FTP service hasn't been appropriately configured for read and write permissions. If anonymous login is enabled, any FTP service user could potentially access sensitive company information stored in accessible directories.
In the next section, we'll discuss how to enable anonymous login in the vsFTPd service.
Enable Anonymous Login:
- To enable anonymous login, we must modify several settings.
Setting | Description |
anonymous_enable=YES | Allow anonymous FTP? |
anon_upload_enable=YES | Allow anonymous users to upload files |
anon_mkdir_write_enable=YES | Allow anonymous users to create new directories |
no_anon_password=YES | Do not ask anonymous for a password |
anon_root=/path/to/ftp/anon/directory | Directory for an anonymous user |
write_enable=YES | To enable any form of FTP write |
We need to adjust these parameters in the
/etc/vsftpd.conf
file. This will allow you to log in as an anonymous user and utilize FTP.To simplify the configuration for anonymous users, I've written the following bash script. You can use it to easily set up anonymous login on your test server and assess FTP's anonymous login functionality:
############### Run the script as root ###############
#!/bin/bash
# Backup original config file
echo -e "[+] \033[34mCreate Backup File:\033[0m \033[31m/etc/vsftpd.conf.bak\033[0m"
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
# Configuration File
FTPConf=/etc/vsftpd.conf
# Replace "anonymous_enable=NO" with "anonymous_enable=YES"
echo -e "[+]\033[34m Enable Anonymous Login: \033[0m \033[31manonymous_enable=YES \033[0m"
sed -i 's/anonymous_enable=NO/anonymous_enable=YES/g' $FTPConf
echo -e "[+]\033[34m Enable Upload: \033[0m \033[31m write_enable=YES \033[0m"
sed -i 's/#write_enable=YES/write_enable=YES/g' $FTPConf
echo -e "[+]\033[34m Enable Anonymous Upload: \033[0m \033[31m anon_upload_enable=YES \033[0m"
sed -i 's/#anon_upload_enable=YES/anon_upload_enable=YES/g' $FTPConf
echo -e "[+]\033[34m Enable Anonymous Directory Creation \033[0m \033[31m anon_mkdir_write_enable=YES \033[0m"
sed -i 's/#anon_mkdir_write_enable=YES/anon_mkdir_write_enable=YES/g' $FTPConf
echo -e "[+]\033[34m Enable Anonymous Deletion And Renaming\033[0m \033[31m anon_other_write_enable=YES\033[0m"
echo -e "# Custom For Anonymous Login \nanon_other_write_enable=YES" >> $FTPConf
echo -e "[+]\033[34m Sets the root folder for anonymous logins \033[0m \033[31m anon_root=/var/ftp/ \033[0m"
echo -e "anon_root=/var/ftp/" >> $FTPConf
echo -e "[+]\033[34m Stops prompting for a password on the command line \033[0m \033[31m no_anon_password=YES \033[0m"
echo -e "no_anon_password=YES" >> $FTPConf
echo -e "[+]\033[34m Shows the user and group as ftp:ftp, regardless of the owner \033[0m \033[31m hide_ids=YES \033[0m"
echo -e "hide_ids=YES" >> $FTPConf
echo -e "[+]\033[34m Limits the range of ports that can be used for passive FTP \033[0m \033[31m pasv_min_port=40000 and pasv_max_port=50000 \033[0m"
echo -e "pasv_min_port=40000\npasv_max_port=50000" >> $FTPConf
# Make directory for anonymous login
echo -e "[+]\033[34m Create anonymous directory \033[0m \033[31m /var/ftp/pub \033[0m"
mkdir -p /var/ftp/pub
chown nobody:nogroup /var/ftp/pub
echo -e "[+]\033[34m Create secret file \033[0m \033[31m /var/ftp/pub/secret.txt \033[0m"
echo "Congratulations! You are anonymous now" | tee /var/ftp/pub/secret.txt
chmod a+rwx /var/ftp/pub
# restart vsftpd service
systemctl restart vsftpd
Figure -7- Anonymous Login
One intriguing setting I've configured using my script is
hide_ids
.This option functions as follows: It displays the user and group as
ftp:ftp
, irrespective of the actual owner.Refer to the subsequent screenshots to discern the difference when this option is enabled versus when it's not:
Figure -8- hide_ids=NO
Figure -9- hide_ids=YES
Footprinting The FTP Service:
- We will employ the renowned port scanner tool,
nmap
, to actively scan the target and fingerprint the FTP service:
# Kali Linux Terminal
export target_IP='10.0.2.15'
sudo nmap -sV -p21 -sC -A $target_IP --script-trace
Nmap includes various NSE scripts, written in Lua, designed for vulnerability scanning.
To utilize all the FTP-related scripts, execute the following command:
sudo nmap -sV --script ftp-* $target_IP
Thank You:
I hope you enjoyed reading this article and found something new and valuable to learn. ❤️
References:
[FTP RFC] - (https://www.rfc-editor.org/rfc/rfc959)