FTP

FTP, or File Transfer Protocol (TCP/21), is a standard network protocol used for transferring files between a client and a server over a network. It operates on the application layer of the TCP/IP protocol suite and relies on a client-server model.

FTP can operate in two modes: active mode and passive mode.

Active Mode:

· In active mode, the client initiates the FTP connection and specifies the client-side data port for data transfer.

· The server then establishes a connection with the client's specified data port to transfer the requested file.

· Active mode can face problems when the client is behind a firewall or NAT (Network Address Translation) device, because the inbound connection from the server to the client's specified data port may be blocked.

Passive Mode:

· In passive mode, the client connects to the server's control port, just like in active mode.

· However, instead of specifying a client-side data port, the client requests the server to provide a port for data transfer.

· The server opens a passive port and notifies the client about the port number.

· The client then establishes a data connection with the server's passive port to transfer files.

· Passive mode is often more firewall-friendly, because the client opens both connections itself and no inbound connection to the client is needed.
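How the data port is announced on the control channel, as an added example that is not part of the original page: a parser for the RFC 959 `h1,h2,h3,h4,p1,p2` encoding used by `PORT` and the `227` reply, plus the RFC 2428 `229` reply, with a few defensive checks on the announced endpoint. The function names, the finding strings and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# PORT arguments and 227 (PASV) replies share the RFC 959 encoding h1,h2,h3,h4,p1,p2.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
# 229 (EPSV) replies carry only a port, RFC 2428: (|||port|); the delimiter may vary.
_EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_data_endpoint(line, control_peer):
    """Return (ip, port) announced by a PORT command, a 227 reply or a 229 reply.

    control_peer is the IP at the other end of the control connection (TCP/21);
    a 229 reply carries no address, so the data connection reuses it.
    """
    if line.startswith("229"):
        m = _EPSV.search(line)
        if not m or int(m.group(2)) > 65535:
            raise ValueError("malformed 229 reply")
        return control_peer, int(m.group(2))
    if not (line.startswith("227") or line.upper().startswith("PORT ")):
        raise ValueError("not a data-endpoint announcement")
    m = _HOSTPORT.search(line[3:])  # skip the reply code / start of the verb
    if not m:
        raise ValueError("missing h1,h2,h3,h4,p1,p2")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def audit_data_endpoint(line, control_peer):
    """Return (ip, port, findings) for one announcement seen on the control channel."""
    ip, port = parse_data_endpoint(line, control_peer)
    findings = []
    if ip != control_peer:  # data connection would go to a different host
        findings.append("address differs from control peer")
    addr, peer = ipaddress.ip_address(ip), ipaddress.ip_address(control_peer)
    if any(addr in n for n in _RFC1918) and not any(peer in n for n in _RFC1918):
        findings.append("RFC 1918 address disclosed")  # e.g. server behind NAT
    if port < 1024:
        findings.append("privileged data port")
    return ip, port, findings


if __name__ == "__main__":
    # Constructed sample lines using documentation addresses, not captured traffic.
    for line, peer in [("227 Entering Passive Mode (203,0,113,10,195,80).", "203.0.113.10"),
                       ("227 Entering Passive Mode (192,168,1,20,195,81).", "203.0.113.10"),
                       ("PORT 198,51,100,7,0,22", "198.51.100.99")]:
        print(line, "->", audit_data_endpoint(line, peer))
```

The port is always `p1 * 256 + p2`, so `195,80` means TCP/50000; an empty findings list means the announced endpoint is on the same host as the control connection and uses an unprivileged port.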

Security Concerns in FTP:

While FTP is a widely used protocol, it poses some security concerns that should be considered during penetration testing:

· Lack of Encryption: FTP transfers data in plain text, including usernames, passwords, and file contents. This makes it vulnerable to eavesdropping and interception. FTP should be avoided when sensitive data is involved.

· Weak Authentication: FTP traditionally relies on plain-text username and password authentication, making it susceptible to password sniffing and brute-force attacks. Secure alternatives that protect credentials in transit should be implemented, such as FTPS (FTP over SSL/TLS) or SFTP (SSH File Transfer Protocol).

· Software vulnerabilities: Various FTP software implementations have been found to have vulnerabilities, such as buffer overflow, command injection, directory traversal, and weak authentication mechanisms. These vulnerabilities can be exploited by attackers to gain unauthorized access, execute arbitrary code, or manipulate files on the FTP server.

The security of FTP on a system can be tested with built-in FTP clients as well as a number of dedicated tools.

Nmap:

· Syntax: nmap -p 21 --script "ftp*" <target IP>

FTP client:

· Syntax: ftp <target IP>

Brute-force credentials (Hydra):

· Syntax: hydra -L usernames.txt -P passwords.txt ftp://<target IP>

Once authenticated to an FTP server, there are multiple commands that can be used to perform actions. The most commonly used are "put" and "get".

Put: The "put" command is used to upload or send files from the local system to an FTP server. It allows the user to transfer a file from their system to the remote server. The syntax for the "put" command is typically:

Syntax: put local-file [remote-file]

Example: put test.txt

· local-file: Specifies the file name or path on the local system that will be uploaded.

· remote-file: (Optional) Specifies the file name or path on the remote FTP server where the uploaded file will be saved. If not specified, the file is saved with the same name as the local file.

· In this example, the file test.txt will be uploaded from the local machine to the FTP server.

Get: The "get" command is used to retrieve or download files from an FTP server to the local system. It allows the user to request a file from the server and save it locally. The syntax for the "get" command is typically:

Syntax: get remote-file [local-file]

Example: get NGS.txt

· remote-file: Specifies the file name or path on the remote FTP server.

· local-file: (Optional) Specifies the file name or path on the local system where the downloaded file will be saved. If not specified, the file is saved with the same name as the remote file.

· In this example, the file NGS.txt will be downloaded from the FTP server and saved on the local computer.