[Original] FTP protocol security analysis
Author: xinhe
Foreword

FTP (File Transfer Protocol) is one of the most commonly used protocols on the Internet; people use it to transfer files between connected hosts. Because the TCP/IP protocol suite was designed for an environment in which hosts trust one another, the security of TCP/IP has become a focus of the security industry today. Well-known attacks such as ARP spoofing, sniffing in a switched environment, man-in-the-middle attacks and DDoS all exploit weaknesses of TCP/IP. The FTP protocol has at least as many problems of its own. This article starts from the FTP protocol itself and discusses its security.
Chapter 1: The FTP protocol

I. Brief introduction

Like HTTP, FTP runs over TCP connections, but it differs from HTTP in one important way. All HTTP data passes through port 80 (SSL aside), whereas FTP handles commands and data separately, over what we will call the "command channel" and the "data channel". The command channel is the familiar port 21; the data channel is usually a high port. For example, when a client wants to fetch a file from an FTP server, it first logs in, establishing a connection to the server: this is the command channel mentioned above. The client requests the file over this channel; on receiving the command, the server establishes a new connection with the client, the data channel, and the file's contents are transferred to the client over it. Figure 1-1 shows the components involved in a file transfer.
Figure 1-1: FTP model

          User Interface
                |
  User Protocol Interpreter   ---- Command Channel ----   Server Protocol Interpreter
                |                                                    |
  User Data Transfer Function ---- Data Channel ----      Server Data Transfer Function
II. Data representation

The FTP protocol specification provides a variety of options for controlling how files are transferred and stored. A choice must be made in each of the following four aspects.

1. File type
(1) ASCII file type: under normal circumstances this is the default selection.
(2) EBCDIC file type: this transfer method requires both ends to be EBCDIC systems.
(3) Image file type (also called binary type): the data is sent as a bit stream. It is typically used to transfer binary files, including binary files between hosts with different byte sizes.
2. Format control
This option is only valid for ASCII and EBCDIC files.
(1) Non-print
(2) Telnet format control
(3) Fortran carriage control
3. Structure
(1) File structure
(2) Record structure
(3) Page structure
4. Transmission mode
(1) Stream mode
(2) Block mode
(3) Compressed mode
III. FTP commands

FTP commands and replies are transferred over the command channel in plain ASCII. Some of the commands are listed below:

Command   Description
ABOR      abort the previous FTP command and any data transfer
LIST      list files or directories
PASS      password on the server
PORT      client IP address and port
QUIT      log off from the server
RETR      retrieve a file from the server
STOR      store a file on the server
SYST      server returns its system type
TYPE      file type
USER      user name on the server
IV. FTP replies

An FTP reply is a 3-digit number in ASCII form, optionally followed by a message. Each of the three digits has its own meaning. Some common reply codes:

125 Data connection already open; transfer starting.
200 Command okay.
214 Help message.
331 User name okay, need password.
425 Can't open data connection.
500 Syntax error, command unrecognized.
501 Syntax error in parameters.
502 Command not implemented (for example the requested MODE type).
V. Connection management

We said above that FTP commands and data are transferred over different ports, and connection management is therefore a core issue of the FTP protocol; the most critical part is management of the data channel. The data channel has three main uses:
1> Sending a file from the client to the server.
2> Sending a file from the server to the client.
3> Sending a file or directory listing from the server.
There are two transmission modes, active FTP and passive FTP. The general process of active FTP is as follows:
1. The client issues a command that requires a data connection.
2. The client usually selects a temporary port number for the data connection on the client host and does a passive open on it.
3. The client sends the data channel's port number to the server over the command channel with the PORT command.
4. The server receives the port number on the command channel and does an active open to that port on the client host. The server's end of the data channel uses port 20.
Passive FTP differs from active FTP in that the client host does not open a temporary port; instead the server opens a temporary port and waits for the client to connect. The vsftpd that ships with Fedora uses passive mode by default. Here is the entire process of logging in to vsftpd, running ls, and exiting:

[xinhe@xinhe xinhe]$ ftp -d xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
220 Welcome to Ylyz FTP service.
Name (xxx.xxx.xxx.xxx:xinhe): xplore
---> USER xinhe
331 Please specify the password.
Password:
---> PASS xxxx
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (xxx,xxx,xxx,xxx,204,73)
---> LIST
150 Here comes the directory listing.
drwxr-xr-x   11 48       48           4096 Jul 21 10:52 xxx
drwxr-xr-x   19 48       48           4096 Jul 31 14:18 xxxx
drwx------    2 0        0           16384 Jun 23 03:18 lost+found
drwxr-xr-x    3 510      510          4096 Aug 03 05:42 software
drwxr-xr-x    2 510      510          4096 Jun 30 09:34 tmp
drwxr-xr-x    6 510      510          4096 Jun 27 08:17 xxxxx
drwxrwxr-x   10 501      501          4096 Aug 12 20:35 xxxxxx
-rw-r--r--    1 510      510      12649185 Aug 12 20:34 xxxx
drwxr-xr-x    7 501      12           4096 Jul 03 15:13 xinhe
drwxr-xr-x    7 510      510          4096 Aug 13 19:08 zwell
226 Directory send OK.
ftp> bye
---> QUIT
221 Goodbye.

Above is the whole process of logging in to a vsftpd server, running ls and exiting, in passive transmission mode. The key lines are these:

---> PASV
227 Entering Passive Mode (xxx,xxx,xxx,xxx,204,73)
This reply tells us the server's IP address and the temporary data port it has opened; the client then connects to that temporary port, 52297, which is computed from the last two numbers as 204 * 256 + 73. To see the process in detail, we captured the traffic of this session. The following is the client's connection to the temporary port:

08/24-15:24:24.052846 0:E0:4C:F0:E0:EA -> 0:D0:F8:51:FC:81 type:0x800 len:0x4A
192.168.10.8:32791 -> xxx.xxx.xxx.xxx:52297 TCP TTL:64 TOS:0x0 ID:39780 IpLen:20 DgmLen:60 DF
******S* Seq: 0x42206DD2  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 849590 0 NOP WS: 0

Note: because the server used in the test is a real server on the public Internet, its address is masked as xxx.xxx.xxx.xxx throughout.

Chapter 2: Security risks
Above we discussed the FTP protocol itself and the actual transfer process of FTP. There are security hazards at many points in this process. As the Internet grows and becomes more popular, network security receives more and more attention. Here I list some common security hazards of FTP, in the hope of drawing people's attention to FTP security and making FTP servers and data transfers more secure.

I. Vulnerabilities in the FTP server software

Vulnerabilities in the server software are not the focus of this article, but they must be mentioned, because they are a nightmare for FTP service providers and a favourite target of hackers. Commonly used FTP server software includes WU-FTPD, ProFTPD, vsftpd and Serv-U. The most common vulnerability is the buffer overflow, and the overflow vulnerabilities in WU-FTPD and Serv-U seem endless. The one currently considered more secure is vsftpd, whose name stands for "very secure FTP".
II. Plaintext transmission

As already said, the TCP/IP protocol was designed on the assumption of mutual trust and security, so of course it provides no encrypted transfer. As a result, everything an FTP client sends to the server, including of course the password, travels in plaintext. Since sniffing became possible even in a switched environment, this plaintext transfer is very dangerous, because others may capture sensitive information such as user names and passwords from the session. HTTPS and SSH have solved this problem; FTP still uses plaintext. Moreover, on UNIX and Linux systems the FTP account is usually a system account (vsftpd does this), so a hacker who captures the FTP user name and password obtains a system account. If that account can log in remotely, a local overflow is then typically used to obtain root privileges, and the FTP server is under the hacker's control. The following is the plaintext data I captured:

=======================================================================
08/24-15:24:13.511233 0:E0:4C:F0:E0:EA -> 0:D0:F8:51:FC:81 type:0x800 len:0x4F
192.168.10.8:32790 -> xxx.xxx.xxx.xxx:21 TCP TTL:64 TOS:0x10 ID:36423 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x407F7F77  Ack: 0x1BD963BF  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 848536 1353912910
55 53 45 52 20 78 70 6C 6F 72 65 0D 0A           User xinhe..
=======================================================================
08/24-15:24:13.557058 0:D0:F8:51:FC:81 -> 0:E0:4C:F0:E0:EA type:0x800 len:0x42
xxx.xxx.xxx.xxx:21 -> 192.168.10.8:32790 TCP TTL:56 TOS:0x0 ID:29145 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1BD963BF  Ack: 0x407F7F84  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1353916422 848536
=======================================================================
08/24-15:24:13.560516 0:D0:F8:51:FC:81 -> 0:E0:4C:F0:E0:EA type:0x800 len:0x64
xxx.xxx.xxx.xxx:21 -> 192.168.10.8:32790 TCP TTL:56 TOS:0x0 ID:29146 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0x1BD963BF  Ack: 0x407F7F84  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1353916426 848536
33 33 31 20 50 6C 65 61 73 65 20 73 70 65 63 69  331 Please speci
66 79 20 74 68 65 20 70 61 73 73 77 6F 72 64 2E  fy the password.
0D 0A                                            ..
=======================================================================
08/24-15:24:13.571556 0:E0:4C:F0:E0:EA -> 0:D0:F8:51:FC:81 type:0x800 len:0x42
192.168.10.8:32790 -> xxx.xxx.xxx.xxx:21 TCP TTL:64 TOS:0x10 ID:36424 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x407F7F84  Ack: 0x1BD963E1  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 848542 1353916426
=======================================================================
08/24-15:24:21.364315 0:E0:4C:F0:E0:EA -> 0:D0:F8:51:FC:81 type:0x800 len:0x54
192.168.10.8:32790 -> xxx.xxx.xxx.xxx:21 TCP TTL:64 TOS:0x10 ID:36425 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x407F7F84  Ack: 0x1BD963E1  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 849321 1353916426
50 41 53 53 20 78 70 6C 6F 72 65 5F 32 30 30 34  Pass Test
0D 0A                                            ..
=======================================================================

From this we can see that the user name on the FTP server is xinhe and the password is Test.
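A defender's view of the dump above, as an added Python example that is not part of the original article: it decodes the hex payload column of such packet-logger lines and raises an alert for USER/PASS commands sent to port 21, with the password redacted (the packet records are constructed samples and the function names are assumptions).

```python
"""Detect cleartext FTP logins in packet-logger output.

Added example, not from the original article: it decodes the hex payload
column of Snort-style dump lines like the ones above and flags USER/PASS
commands sent to TCP port 21, redacting the password so the alert itself
does not leak it. The packet records below are constructed samples.
"""

# Constructed sample records: (source, destination, hex payload column).
SAMPLE_PACKETS = [
    ("192.168.10.8:32790", "203.0.113.5:21", "55 53 45 52 20 61 6C 69 63 65 0D 0A"),    # USER alice
    ("203.0.113.5:21", "192.168.10.8:32790", "33 33 31 20 50 6C 65 61 73 65 0D 0A"),    # 331 Please
    ("192.168.10.8:32790", "203.0.113.5:21", "50 41 53 53 20 73 33 63 72 65 74 0D 0A"), # PASS s3cret
    ("192.168.10.8:32791", "203.0.113.5:80", "47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A"),  # HTTP, ignored
]


def decode_hex_payload(hex_text):
    """Turn 'XX XX ...' from a packet dump into text; non-ASCII bytes become escapes."""
    return bytes.fromhex(hex_text.replace(" ", "")).decode("ascii", errors="backslashreplace")


def parse_login_command(text):
    """Return ('USER', name) or ('PASS', secret) for a login command, else None.
    Server replies such as '331 ...' and all other commands are ignored."""
    parts = text.rstrip("\r\n").split(" ", 1)
    verb = parts[0].upper()
    if verb not in ("USER", "PASS"):
        return None
    return verb, (parts[1] if len(parts) > 1 else "")


def find_cleartext_logins(packets, ftp_port=21):
    """Alerts for USER/PASS commands seen on the FTP command channel.
    The user name is kept (the analyst needs it); the password is redacted."""
    alerts = []
    for src, dst, payload_hex in packets:
        if int(dst.rsplit(":", 1)[1]) != ftp_port:
            continue
        parsed = parse_login_command(decode_hex_payload(payload_hex))
        if parsed is None:
            continue
        verb, arg = parsed
        shown = arg if verb == "USER" else "<redacted, %d chars>" % len(arg)
        alerts.append({"src": src, "dst": dst, "command": verb, "argument": shown})
    return alerts


if __name__ == "__main__":
    for a in find_cleartext_logins(SAMPLE_PACKETS):
        print("cleartext FTP %(command)s %(src)s -> %(dst)s: %(argument)s" % a)
```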
III. The FTP banner

The banner problem is fairly serious, and many server programs have it today. Before launching an attack, a hacker first determines the version used by the other side, which makes it easy to select an attack program. An example:

[xinhe@xinhe xinhe]$ ftp xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
220-Serv-U FTP Server v5.1 for WinSock ready...
220 s Team

From this information we can tell that the server software is probably Serv-U 5.1.
IV. The PORT command

The PORT command is sent by the FTP client to tell the FTP server which IP address and port to send data to; normally this is the FTP client's own IP address and a port bound by it. However, the FTP protocol itself does not require that the PORT command specify the client's own IP. Using this, a hacker can port-scan a target machine through a third-party FTP server. This method is generally called FTP bounce. For the hacker this scanning method has two advantages:
(1) Anonymity: because the source address of the port scan is the FTP server's IP address rather than the hacker's machine, this method hides the hacker's real IP very well.
(2) Evading filters: because the scan comes from a third-party FTP server, even if the target machine blocks the hacker's machine with an ACL or a null route, the hacker can still complete the scan through an FTP server that the target does not block.
Nmap can perform this kind of scan; the following is an example of scanning through an FTP server.

[xinhe@xinhe xinhe]$ nmap -b xinhe:test@xxx.xxx.xxx.xxx:21 -v xxx.xxx.xxx.xxx
Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-08-24 20:16 CST
Resolved ftp bounce attack proxy to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
Machine xxx.xxx.xxx.xxx MIGHT actually be listening on probe port 80
Host xxx.xxx.xxx.xxx appears to be up ... good.
Attempting connection to ftp://xinhe:test@xxx.xxx.xxx.xxx:21
Connected:220 Welcome to FTP service.
Login credentials accepted by ftp server!
Initiating TCP ftp bounce scan against xxx.xxx.xxx.xxx at 20:16
Adding open port 237/tcp
Deleting port 237/tcp, which we thought was open
Changed my mind about port 237
Adding open port 434/tcp
Deleting port 434/tcp, which we thought was open
Changed my mind about port 434
Adding open port 1509/tcp
Deleting port 1509/tcp, which we thought was open
Changed my mind about port 1509
Adding open port 109/tcp
Deleting port 109/tcp, which we thought was open
Changed my mind about port 109
Adding open port 766/tcp
Deleting port 766/tcp, which we thought was open
Changed my mind about port 766
Adding open port 1987/tcp
Deleting port 1987/tcp, which we thought was open
Changed my mind about port 1987
Adding open port 5998/tcp
Deleting port 5998/tcp, which we thought was open
Changed my mind about port 5998
Adding open port 1666/tcp
Deleting port 1666/tcp, which we thought was open
Changed my mind about port 1666
Adding open port 506/tcp
Deleting port 506/tcp, which we thought was open
Changed my mind about port 506
caught SIGINT signal, cleaning up
V. Data hijacking

As we saw in the FTP data transfer process above, the FTP protocol itself does not require that the data connection come from the IP address that sent the commands, so a hacker may be able to hijack the data exchanged between client and server. According to the transmission mode, data hijacking falls into active data hijacking and passive data hijacking.

1. Passive data hijacking
In the passive transmission process described earlier, there is a vulnerable window after the FTP client issues the PASV (or PORT) command and before it issues the data request. If a hacker can guess the data port, he can connect to it and download or replace the data being transferred. To achieve passive data hijacking one must know the temporary port number on the server; since many servers do not choose that port randomly but allocate it incrementally, guessing the port number is not very difficult.

2. Active data hijacking
Active data hijacking is harder than passive data hijacking, because in active transmission mode the client opens the temporary port for the data transfer, and it is difficult for the hacker to learn the client's IP and temporary port.

Chapter 3: Security measures

I. Use a more secure system and FTP server software

A more secure system mainly means: preferably do not use Windows as the server, because the security of the system itself is very problematic; Windows has numerous vulnerabilities every year, and an overflow vulnerability is likely to yield administrator privileges. Once the system is compromised, no service running on it is safe. Linux and BSD are good choices. For the server software, use a program with fewer vulnerabilities, such as vsftpd, and keep it updated.
II. Send the user name and password encrypted

We can use SCP or SFTP, or tunnel FTP through SSH port forwarding. Then even if the hacker can sniff the data exchanged between client and server, he cannot obtain the password without the key. Using SSH forwarding has some limitations: the server and client must use active mode, and the server must allow the client to send a PORT command naming an IP address other than the one the command channel comes from.
III. Change the server software's banner

Changing the banner obscures which server software is in use and confuses the attacker, or at least confuses many scanners and causes false positives. Changing the banner is not a fundamental solution to the security problem: vulnerabilities do not disappear because the banner is different, but changing it is still better than not changing it. Most server software can now change the FTP banner in its configuration file.
IV. Strengthening the protocol

This is something the providers of server software need to do. One measure is to check the PORT command: the IP address in the PORT command should be the same as the IP address of the client host. As we have seen, the attacks specific to FTP are carried out through the PORT command, so checking its use is especially important against attackers. This is not very easy to get right; it took wu-ftpd several years. At present there is no perfect defense against data hijacking. The current approach is to refuse the transfer when the IP address of the data channel does not match that of the command channel, but this does not prevent data hijacking 100%, because the client and the hacker may be on the same intranet.
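The two checks described in this section, together with the PORT/227 address arithmetic from Chapter 1 (204 * 256 + 73 = 52297), as an added Python example that is not code from the article or from any FTP server: function names and sample addresses are assumptions, and refusing privileged ports in PORT goes beyond what the article states.

```python
"""Server-side checks for the PORT command and passive data connections.

Added example, not code from any FTP server: it implements the h1,h2,h3,h4,p1,p2
address encoding shared by the PORT command and the 227 reply (the 204*256+73 =
52297 case in Chapter 1), the PORT check described above, and the data-channel
source check for passive mode. Refusing privileged ports in PORT goes beyond what
the article states; function names and sample addresses are assumptions.
"""
import ipaddress


def decode_hostport(arg):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2), rejecting malformed input."""
    fields = [int(f) for f in arg.replace(" ", "").split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed host/port argument: %r" % arg)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def encode_hostport(host, port):
    """Inverse of decode_hostport, as a server would build its 227 reply."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def check_port_command(control_peer, port_arg):
    """Accept PORT only if it names the control connection's peer and an
    unprivileged port; anything else could be used to bounce a connection."""
    host, port = decode_hostport(port_arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, "PORT host %s differs from control peer %s" % (host, control_peer)
    if port < 1024:
        return False, "PORT to privileged port %d refused" % port
    return True, "ok"


def check_pasv_data_connection(control_peer, data_peer):
    """In passive mode the server only learns who connected, so require the
    data connection to come from the control peer. As the article notes, two
    hosts on the same intranet can look alike here, so this narrows the
    window rather than closing it."""
    if ipaddress.ip_address(data_peer) != ipaddress.ip_address(control_peer):
        return False, "data connection from %s, control connection from %s" % (data_peer, control_peer)
    return True, "ok"


if __name__ == "__main__":
    print(decode_hostport("203,0,113,5,204,73"))                       # ('203.0.113.5', 52297)
    print(check_port_command("198.51.100.7", "198,51,100,7,128,10"))   # accepted
    print(check_port_command("198.51.100.7", "203,0,113,9,0,80"))      # bounce attempt refused
    print(check_pasv_data_connection("198.51.100.7", "198.51.100.23")) # hijack attempt refused
```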
Conclusion

As networks reach deeper into every corner of life, network security becomes ever more important. The security of the FTP protocol is only a small part of network security, and much work remains to be done. This article was written in limited time and is rather shallow, and it does not go into the source code of the FTP server software (many good ones are open source). I think that if the discussion could be tied to the source code, we would gain a more essential understanding of the FTP transfer process, and it would also be easier to find some as yet unknown security hazards.
Completion time: 2004-10-24