FTP

Overview

The File Transfer Protocol (FTP) is one of the oldest protocols on the Internet. FTP runs within the application layer of the TCP/IP protocol stack, so it sits on the same layer as HTTP or POP. Those protocols are used through browsers or email clients; for FTP there are dedicated FTP client programs as well.

Suppose we want to upload local files to a server and download other files using FTP. An FTP session uses two channels. First, the client and server establish a control channel over TCP port 21; the client sends commands on it and the server returns status codes. Then the two parties can establish the data channel via TCP port 20. This channel is used exclusively for data transmission, and the protocol checks for errors during the transfer. If a connection is broken during a transfer, the transfer can be resumed once contact is re-established.

A distinction is made between active and passive FTP. In active mode, the client opens the control connection to TCP port 21 as described and tells the server (with the PORT command) which client-side port the server should connect back to for the data channel. If the client is behind a firewall that blocks inbound connections, the server's connection attempt fails. Passive mode was developed for this case: the server announces a port, and the client establishes the data channel to it. Since the client initiates the connection, the firewall does not block the transfer.

FTP server return codes

FTP server return codes always have three digits, and each digit has a special meaning.[1] The first digit denotes whether the response is good, bad or incomplete:

Range  Purpose
1xx    Positive Preliminary reply
       The requested action is being initiated; expect another reply before proceeding with a new command. (The user-process sending another command before the completion reply would be in violation of protocol; but server-FTP processes should queue any commands that arrive while a preceding command is in progress.) This type of reply can be used to indicate that the command was accepted and the user-process may now pay attention to the data connections, for implementations where simultaneous monitoring is difficult. The server-FTP process may send at most one 1xx reply per command.
2xx    Positive Completion reply
       The requested action has been successfully completed. A new request may be initiated.
3xx    Positive Intermediate reply
       The command has been accepted, but the requested action is being held in abeyance, pending receipt of further information. The user should send another command specifying this information. This reply is used in command sequence groups.
4xx    Transient Negative Completion reply
       The command was not accepted and the requested action did not take place, but the error condition is temporary and the action may be requested again. The user should return to the beginning of the command sequence, if any. It is difficult to assign a meaning to "transient", particularly when two distinct sites (Server- and User-processes) have to agree on the interpretation. Each reply in the 4xx category might have a slightly different time value, but the intent is that the user-process is encouraged to try again. A rule of thumb in determining if a reply fits into the 4xx or the 5xx (Permanent Negative) category is that replies are 4xx if the commands can be repeated without any change in command form or in properties of the User or Server (e.g., the command is spelled the same with the same arguments used; the user does not change his file access or user name; the server does not put up a new implementation.)
5xx    Permanent Negative Completion reply
       The command was not accepted and the requested action did not take place. The User-process is discouraged from repeating the exact request (in the same sequence). Even some "permanent" error conditions can be corrected, so the human user may want to direct his User-process to reinitiate the command sequence by direct action at some point in the future (e.g., after the spelling has been changed, or the user has altered his directory status.)
6xx    Protected reply
       RFC 2228 introduced the concept of protected replies to increase security over FTP communications. The 6xx replies are Base64-encoded protected messages that serve as responses to secure commands. When properly decoded, these replies fall into the above categories.

The second digit is a grouping digit and encodes the following information:

Range  Purpose
x0x    Syntax
       These replies refer to syntax errors, syntactically correct commands that don't fit any functional category, unimplemented or superfluous commands.
x1x    Information
       These are replies to requests for information, such as status or help.
x2x    Connections
       Replies referring to the control and data connections.
x3x    Authentication and accounting
       Replies for the login process and accounting procedures.
x4x    Unspecified as of RFC 959.
x5x    File system
       These replies indicate the status of the Server file system vis-a-vis the requested transfer or other file system action.

Below is a list of all known return codes that may be issued by an FTP server.

Code  Explanation

100 Series: The requested action is being initiated; expect another reply before proceeding with a new command.
110   Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm where yyyy is the User-process data stream marker, and mmmm the server's equivalent marker (note the spaces between markers and "=").
120   Service ready in nnn minutes.
125   Data connection already open; transfer starting.
150   File status okay; about to open data connection.

200 Series: The requested action has been successfully completed.
202   Command not implemented, superfluous at this site.
211   System status, or system help reply.
212   Directory status.
213   File status.
214   Help message. Explains how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.
215   NAME system type. Where NAME is an official system name from the registry kept by IANA.
220   Service ready for new user.
221   Service closing control connection. Logged out if appropriate.
225   Data connection open; no transfer in progress.
226   Closing data connection. Requested file action successful (for example, file transfer or file abort).
227   Entering Passive Mode (h1,h2,h3,h4,p1,p2).
228   Entering Long Passive Mode (long address, port).
229   Entering Extended Passive Mode (|||port|).
230   User logged in, proceed.
232   User logged in, authorized by security data exchange.
234   Server accepts the security mechanism specified by the client; no security data needs to be exchanged.
235   Server accepts the security data given by the client; no further security data needs to be exchanged.
250   Requested file action okay, completed.
257   "PATHNAME" created.

300 Series: The command has been accepted, but the requested action is on hold, pending receipt of further information.
331   User name okay, need password.
332   Need account for login.
334   Server accepts the security mechanism specified by the client; some security data needs to be exchanged.
335   Server accepts the security data given by the client; more security data needs to be exchanged.
336   Username okay, need password. Challenge is "....".
350   Requested file action pending further information.

400 Series: The command was not accepted and the requested action did not take place, but the error condition is temporary and the action may be requested again.
421   Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down.
425   Can't open data connection.
426   Connection closed; transfer aborted.
430   Invalid username or password.
431   Need some unavailable resource to process security.
434   Requested host unavailable.
450   Requested file action not taken.
451   Requested action aborted. Local error in processing.
452   Requested action not taken. Insufficient storage space in system. File unavailable (e.g., file busy).

500 Series: Syntax error, command unrecognized and the requested action did not take place. This may include errors such as command line too long.
501   Syntax error in parameters or arguments.
502   Command not implemented.
503   Bad sequence of commands.
504   Command not implemented for that parameter.
530   Not logged in.
532   Need account for storing files.
533   Command protection level denied for policy reasons.
534   Request denied for policy reasons.
535   Failed security check.
536   Data protection level not supported by security mechanism.
537   Command protection level not supported by security mechanism.
550   Requested action not taken. File unavailable (e.g., file not found, no access).
551   Requested action aborted. Page type unknown.
552   Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553   Requested action not taken. File name not allowed.

600 Series: Replies regarding confidentiality and integrity.
631   Integrity protected reply.
632   Confidentiality and integrity protected reply.
633   Confidentiality protected reply.

10000 Series: Common Winsock Error Codes[2] (these are not FTP return codes).
10054 Connection reset by peer. The connection was forcibly closed by the remote host.
10060 Cannot connect to remote server.
10061 Cannot connect to remote server. The connection is actively refused by the server.
10065 No route to host / DNS cannot be resolved.
10066 Directory not empty.
10068 Too many users, server is full.
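As an added example (not code from the original page), the following Python applies the class and group tables above to raw control-channel replies and handles the two passive-mode replies listed (227 and 229) as well as the PORT argument a client sends in active mode. The expected_host check in parse_pasv is an assumed client-side safeguard, not something the page prescribes.

```python
import re

# Reply-code classes (first digit) and groups (second digit) from the tables above.
REPLY_CLASS = {"1": "Positive Preliminary", "2": "Positive Completion",
               "3": "Positive Intermediate", "4": "Transient Negative Completion",
               "5": "Permanent Negative Completion", "6": "Protected"}
REPLY_GROUP = {"0": "Syntax", "1": "Information", "2": "Connections",
               "3": "Authentication and accounting", "4": "Unspecified", "5": "File system"}

def parse_reply(line: str) -> dict:
    """Split one control-channel reply line into code, class, group and text."""
    m = re.fullmatch(r"([1-6])([0-5])(\d)[ -](.*)", line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an FTP reply: {line!r}")
    d1, d2, d3, text = m.groups()
    return {"code": int(d1 + d2 + d3), "class": REPLY_CLASS[d1],
            "group": REPLY_GROUP[d2], "text": text,
            # 4xx may be retried unchanged; 5xx should not be repeated as-is.
            "retryable": d1 == "4"}

def parse_pasv(line: str, expected_host=None) -> tuple:
    """Decode a 227 'Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply; port = p1*256 + p2.

    Assumption (a client-side safeguard, not from the page): if expected_host is given,
    an announced address that differs from the server we are talking to is rejected."""
    r = parse_reply(line)
    if r["code"] != 227:
        raise ValueError(f"expected 227, got {r['code']}")
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", r["text"])
    if not m:
        raise ValueError("malformed 227 reply")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range")
    host, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    if expected_host is not None and host != expected_host:
        raise ValueError(f"server announced {host}, expected {expected_host}")
    return host, port

def parse_epsv(line: str) -> int:
    """Decode a 229 'Entering Extended Passive Mode (|||port|)' reply."""
    r = parse_reply(line)
    m = re.search(r"\(\|\|\|(\d{1,5})\|\)", r["text"])
    if r["code"] != 229 or not m or not 0 < int(m.group(1)) < 65536:
        raise ValueError("malformed 229 reply")
    return int(m.group(1))

def port_argument(host: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 argument the client sends with PORT in active mode."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])
```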

FTP client commands:

File and Directory Management:

  • cd directory : Change the remote working directory.

  • lcd directory : Change the local working directory.

  • dir (or ls) : List files and directories on the remote server.

  • pwd : Print the current working directory on the remote server.

  • mkdir directory : Create a new directory on the remote server.

  • rmdir directory : Remove a directory on the remote server.

  • delete file : Delete a file on the remote server.

  • mdelete files : Delete multiple files on the remote server.

  • rename old-file new-file : Rename a file on the remote server.

File Transfer:

  • get remote-file : Download a file from the remote server.

  • put local-file : Upload a file to the remote server.

  • mput files : Upload multiple files to the remote server.

  • append local-file : Append a local file to an existing file on the remote server.

Transfer Modes:

  • ascii : Set the transfer mode to ASCII (text) mode.

  • binary : Set the transfer mode to binary mode (for non-text files).

Connection Control:

  • open hostname : Connect to a remote FTP server.

  • close : Close the current FTP connection.

  • quit : Exit the FTP client.

Miscellaneous:

  • ! : Execute a local shell command.

  • ? (or help) : Display a list of available FTP commands.

  • status : Display the current status of the FTP connection.

  • prompt : Toggle interactive prompting for multiple file transfers.

Remember:

  • Specific commands and syntax might vary slightly between different FTP clients.

  • Check the documentation for your specific FTP client for more details.

  • Always use a secure alternative such as SFTP for sensitive data transfers, since plain FTP sends credentials and file contents in cleartext.

Download All Available Files

$ wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136

--2021-09-19 14:45:58--  ftp://anonymous:*password*@10.129.14.136/
           => ‘10.129.14.136/.listing’
Connecting to 10.129.14.136:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PORT ... done.    ==> LIST ... done.
12.12.1.136/.listing           [ <=>                                  ]     466  --.-KB/s    in 0s

2021-09-19 14:45:58 (65,8 MB/s) - ‘10.129.14.136/.listing’ saved [466]
--2021-09-19 14:45:58--  ftp://anonymous:*password*@10.129.14.136/Calendar.pptx
           => ‘10.129.14.136/Calendar.pptx’
==> CWD not required.
==> SIZE Calendar.pptx ... done.
==> PORT ... done.    ==> RETR Calendar.pptx ... done.

...SNIP...

2021-09-19 14:45:58 (48,3 MB/s) - ‘10.129.14.136/Employees/.listing’ saved [119]

FINISHED --2021-09-19 14:45:58--
Total wall clock time: 0,03s
Downloaded: 15 files, 1,7K in 0,001s (3,02 MB/s)

Footprinting the Service

Nmap FTP Scripts

$ sudo nmap --script-updatedb

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 13:49 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.28 seconds

By default the NSE scripts are located in /usr/share/nmap/scripts/, but we can also locate the FTP-related ones on our own system with a simple find command (the pattern is quoted so the shell does not expand it before find sees it).

$ find / -type f -name 'ftp*' 2>/dev/null | grep scripts

/usr/share/nmap/scripts/ftp-syst.nse
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
/usr/share/nmap/scripts/ftp-proftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-bounce.nse
/usr/share/nmap/scripts/ftp-libopie.nse
/usr/share/nmap/scripts/ftp-anon.nse
/usr/share/nmap/scripts/ftp-brute.nse

As we already know, the FTP server usually runs on the standard TCP port 21, which we can scan using Nmap. We also use the version scan (-sV), aggressive scan (-A), and the default script scan (-sC) against our target.

Nmap

$ sudo nmap -sV -p21 -sC -A <IP HERE>

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-16 18:12 CEST
Nmap scan report for 10.129.14.136
Host is up (0.00013s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 ftp      ftp       8138592 Sep 16 17:24 Calendar.pptx [NSE: writeable]
| drwxrwxrwx    4 ftp      ftp          4096 Sep 16 17:57 Clients [NSE: writeable]
| drwxrwxrwx    2 ftp      ftp          4096 Sep 16 18:05 Documents [NSE: writeable]
| drwxrwxrwx    2 ftp      ftp          4096 Sep 16 17:24 Employees [NSE: writeable]
| -rwxrwxrwx    1 ftp      ftp            41 Sep 16 17:24 Important Notes.txt [NSE: writeable]
|_-rwxrwxrwx    1 ftp      ftp             0 Sep 15 14:57 testupload.txt [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

The default script scan is based on the services' fingerprints, responses, and standard ports. Once Nmap has detected the service, it executes the marked scripts one after the other, providing different information.

The ftp-syst script, for example, executes the STAT command, which displays information about the FTP server status.
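As an added example that is not part of the original page, this Python turns the ftp-anon and ftp-syst output shown above into audit findings: anonymous login, entries writable by the anonymous user, and plaintext control and data connections. The sample input is constructed from the scan output on this page, not from a live scan.

```python
import re

# Constructed sample in the shape of the ftp-anon / ftp-syst output above (not a live scan).
SAMPLE_NMAP_FTP = """\
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 ftp      ftp       8138592 Sep 16 17:24 Calendar.pptx [NSE: writeable]
| drwxrwxrwx    4 ftp      ftp          4096 Sep 16 17:57 Clients [NSE: writeable]
| -rwxrwxrwx    1 ftp      ftp            41 Sep 16 17:24 Important Notes.txt [NSE: writeable]
|_-rwxrwxrwx    1 ftp      ftp             0 Sep 15 14:57 testupload.txt [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Logged in as ftp
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
"""

# One directory-listing line: perms, links, owner, group, size, month, day, time/year, name.
LISTING = re.compile(r"^[-dl][rwxst-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+?)"
                     r"\s+\[NSE: writeable\]$")

def audit_ftp_scan(output: str) -> dict:
    """Summarise ftp-anon / ftp-syst script output as audit findings."""
    # Strip the NSE output prefix ("| " or "|_") from each line.
    lines = [re.sub(r"^\|_?\s*", "", ln).strip() for ln in output.splitlines()]
    anonymous = any(ln.startswith("ftp-anon: Anonymous FTP login allowed") for ln in lines)
    writable = [m.group(1) for m in map(LISTING.match, lines) if m]
    plaintext_control = "Control connection is plain text" in lines
    plaintext_data = "Data connections will be plain text" in lines
    findings = []
    if anonymous:
        findings.append("anonymous login enabled")
    if writable:
        findings.append("writable by anonymous: " + ", ".join(writable))
    if plaintext_control:
        findings.append("control channel in cleartext (credentials exposed on the wire)")
    if plaintext_data:
        findings.append("data channel in cleartext (file contents exposed on the wire)")
    return {"anonymous": anonymous, "writable": writable,
            "plaintext_control": plaintext_control,
            "plaintext_data": plaintext_data, "findings": findings}
```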

Nmap also provides the ability to trace the progress of NSE scripts at the network level if we use the --script-trace option in our scans. This lets us see what commands Nmap sends, what ports are used, and what responses we receive from the scanned server.

Nmap Script Trace

$ sudo nmap -sV -p21 -sC -A 10.129.14.136 --script-trace

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 13:54 CEST
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [10.129.14.136:21]
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #1 [10.129.14.136:21] (timeout: 7000ms) EID 42
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #2 [10.129.14.136:21] (timeout: 9000ms) EID 50
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #3 [10.129.14.136:21] (timeout: 7000ms) EID 58
NSOCK INFO [11.4640s] nsock_read(): Read request from IOD #4 [10.129.14.136:21] (timeout: 11000ms) EID 66
NSE: TCP 10.10.14.4:54226 > 10.129.14.136:21 | CONNECT
NSE: TCP 10.10.14.4:54228 > 10.129.14.136:21 | CONNECT
NSE: TCP 10.10.14.4:54230 > 10.129.14.136:21 | CONNECT
NSE: TCP 10.10.14.4:54232 > 10.129.14.136:21 | CONNECT
NSOCK INFO [11.4660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [10.129.14.136:21] (41 bytes): 220 Welcome to HTB-Academy FTP service...
NSOCK INFO [11.4660s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [10.129.14.136:21] (41 bytes): 220 Welcome to HTB-Academy FTP service...
NSE: TCP 10.10.14.4:54228 < 10.129.14.136:21 | 220 Welcome to HTB-Academy FTP service.

The trace shows four parallel connections to the service, each with a different read timeout. For the NSE scripts, we see that our local machine uses different source ports (54226, 54228, 54230, 54232) and that the first event on each is the TCP CONNECT.

The first response from the server is its banner, received on our second NSE connection (source port 54228). If necessary, we can of course use other tools such as netcat or telnet to interact with the FTP server directly.

Service Interaction with nc, telnet, or openssl

$ nc -nv 10.129.14.136 21
$ telnet 10.129.14.136 21

It looks slightly different if the FTP server runs with TLS/SSL encryption, because then we need a client that can handle TLS/SSL. For this we can use the openssl client to communicate with the FTP server. A benefit of using openssl is that it also shows us the server's SSL certificate, which can be helpful.

$ openssl s_client -connect 10.129.14.136:21 -starttls ftp
