FTP protocol analysis

Source: Internet
Author: User
Tags: ftp commands, file transfer protocol, ftp protocol

FTP uses different TCP port numbers depending on whether PORT (active) mode or passive mode is in use. Before describing FTP in detail, let us briefly review TCP port numbers. TCP uses port numbers to identify the sending and receiving applications: the port number lets TCP separate the byte streams it receives and deliver each one to the correct application.

A TCP port can be semi-permanent or ephemeral. A server listens on a semi-permanent port so that clients can reach it; a client uses an ephemeral port to identify one conversation locally. The client port exists only for the lifetime of that TCP connection, whereas the server port stays in the listening state for as long as the server is running.

TCP ports fall into three categories:

1. Well-known ports identify standard services running over TCP, such as FTP, HTTP, TELNET and SMTP. They range from 0 to 1023;

2. Registered ports identify applications that have been registered with IANA (the Internet Assigned Numbers Authority). They range from 1024 to 49151;

3. Dynamic or private ports are not registered and can be allocated dynamically to any application. They range from 49152 to 65535. Registered ports are meant only for the applications registered for them, but in practice the dynamic range has proved too small, so you will often see ports from the registered range used as ephemeral ports by unregistered applications.

FTP Port mode and FTP Passive mode

When troubleshooting an FTP problem, the first question to ask is whether PORT (active) mode or passive mode is in use, because the two modes behave differently and therefore fail in different ways. Historically, clients defaulted to active (PORT) mode. More recently, because of the firewall and security problems of PORT mode described below, many FTP client applications default to passive mode.

2.1 FTP Port Mode

The procedure for FTP in PORT mode is as follows:

1. The client sends a TCP SYN packet to the server's well-known FTP control port 21, using an ephemeral port as its source port;

2. The server replies with a SYN/ACK packet, with source port 21 and the client's ephemeral port as destination port;

3. The client sends an ACK packet. From now on the client uses this connection to send FTP commands, and the server uses it to send FTP replies;

4. When the user requests a directory listing (LIST) or initiates a file transfer, the client software sends the PORT command. The PORT command carries an ephemeral port number on which the client wants the server to open the data connection. It also carries an IP address, normally the client's own; however, FTP also supports a third-party mode in which the client tells the server to open the data connection to a different host;

5. The server sends a SYN packet to the client's ephemeral port. The source port is 20, and the destination port is the ephemeral port the client announced in the PORT command;

6. The client replies with a SYN/ACK packet, with its ephemeral port as source port and port 20 as destination port;

7. The server sends an ACK packet;

8. The host sending the data transmits it over this connection as TCP segments (the layer 4 PDU). Which side sends depends on the command: with STOR the client sends data, with RETR the server sends data. As with any TCP connection, every segment must be acknowledged by the other side;

9. When the data transfer is complete, the host that sent the data closes the data connection with a FIN. The other host acknowledges that FIN with an ACK and sends its own FIN, which the sending host in turn acknowledges;

10. The client can send further commands on the control connection, each of which may open and close another data connection. When the client is finished, it closes the control connection with a FIN; the server acknowledges the client's FIN with an ACK and sends its own FIN, which the client acknowledges.

The following figure shows the first steps of FTP PORT mode (the PORT command travels from client to server; the original drawing had that one arrow reversed):
==========================================================================
  [FTP Client]                                        [FTP Server]

  (TCP: connection setup on port 21, the control port)
                SYN
  Port xxxx ----------------------> Port 21   [TCP]
                SYN + ACK
  Port xxxx <---------------------- Port 21
                ACK
  Port xxxx ----------------------> Port 21

  (Control operation: user lists a directory or transfers a file)
                PORT ip,port yyyy
  Port xxxx ----------------------> Port 21
                200 PORT command successful
  Port xxxx <---------------------- Port 21
                LIST, RETR or STOR
  Port xxxx ----------------------> Port 21

  (TCP: connection setup from port 20, the data port)
                SYN
  Port yyyy <---------------------- Port 20
                SYN + ACK
  Port yyyy ----------------------> Port 20
                ACK
  Port yyyy <---------------------- Port 20

  (Data operation: data transfer)
                Data + ACK
  Port yyyy <---------------------> Port 20
       .
       .
       .
==========================================================================

FTP PORT mode causes many problems for network administrators. First, the encoding of the IP address and port number in the PORT command is not straightforward. Second, an application-layer protocol command should not, in principle, carry network-layer address information (an IP address): doing so breaks protocol layering, and it creates both interoperability problems (for example with NAT) and security problems.

Below is a PORT command as decoded by the WildPackets EtherPeek protocol analyzer. The argument is six comma-separated decimal numbers: the first four are the IP address and the last two encode the port number. In PORT 192,168,10,232,6,127 the address is 192.168.10.232, and the port is obtained by multiplying the fifth number by 256 and adding the sixth, so the client is asking for port 6 * 256 + 127 = 1663:

==========================================================================
 IP Header - Internet Protocol Datagram
   Version:              4
   Header Length:        5 (20 bytes)
   ......
   Time To Live:         128
   Protocol:             6  TCP - Transmission Control Protocol
   Header Checksum:      0xAA36
   Source IP Address:    192.168.0.1  DEMO
   Dest. IP Address:     192.168.0.3  VI
   No IP Options

 TCP - Transport Control Protocol
   Source Port:          2342  manage-exec
   Destination Port:     21  ftp
   Sequence Number:      2435440100
   Ack Number:           9822605
   Offset:               5 (20 bytes)
   Reserved:             %000000
   Flags:                %011000
                         0..... (No Urgent pointer)
                         .1.... Ack
                         ..1... Push
                         ...0.. (No Reset)
                         ....0. (No SYN)
                         .....0 (No FIN)
   Window:               65150
   Checksum:             0x832A
   Urgent Pointer:       0
   No TCP Options

 FTP Control - File Transfer Protocol
   Line 1: PORT 192,168, 9, 39 <CR><LF>

 FCS - Frame Check Sequence
   FCS (Calculated):     0xF4C04A4F
==========================================================================

The next decode confirms that the server does indeed open the data connection from port 20 to port 1663 (the header is 24 bytes, so this SYN carries a TCP option):
==========================================================================
 TCP - Transport Control Protocol
   Source Port:          20  ftp-data
   Destination Port:     1663
   Sequence Number:      2578824336
   Ack Number:           0
   Offset:               6 (24 bytes)
   Reserved:             %000000
   Flags:                %000010
                         0..... (No Urgent pointer)
                         .0.... (No Ack)
                         ..0... (No Push)
                         ...0.. (No Reset)
                         ....1. SYN
                         .....0 (No FIN)
   Window:               3731
   Checksum:             0x8A4C
   Urgent Pointer:       0

 TCP Options
   Option Type:          2  Maximum Segment Size
   Length:               4
   Maximum Segment Size: 1460

 FCS - Frame Check Sequence
   FCS (Calculated):     0x5A1BD023
==========================================================================

When FTP is in use, any firewall in the path must understand the protocol: it has to track the FTP control conversation, inspect the PORT command, and then permit the data connection that the server opens to the client at the address and port specified in that command. If NAT (Network Address Translation) is used, the NAT gateway must also understand FTP: it has to rewrite the IP address carried in the PORT command to the client's translated address and then recompute the TCP checksum of the modified segment. If the gateway does not do this correctly, the transfer fails.

An attacker can abuse FTP's third-party feature by setting the IP address and port number in the PORT command to those of some other target host (this is known as the FTP bounce attack). For example, an attacker can make an FTP server send TCP SYN packets from its source port 20 to a sequence of destination ports on a target, so that the FTP server appears to be port-scanning the target; the target never sees the attacker's host, only the FTP server. Some common FTP applications set the IP address in the PORT command to 0.0.0.0, meaning that the server should open the data connection to the same client that opened the control connection. That 0.0.0.0 address can trip up firewalls. For example, a Cisco PIX firewall running software version 6.0 or later requires the IP address of the data connection to match the IP address of the existing control connection, precisely to stop attackers from using PORT commands to attack other machines. An FTP application that sets the address to 0.0.0.0 is not attacking anything, but behind a PIX it does cause problems. The same problems arise with other firewalls that forbid third-party mode in order to prevent FTP bounce attacks.
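The following Python program ties together the PORT-mode exchange of section 2.1, the PORT argument encoding explained above (192,168,10,232,6,127 is 192.168.10.232 port 1663), and the firewall rule just described. It is an added example and not code from the original article or from any FTP implementation. A toy server and a toy client run over loopback in one process: the client opens the control connection, listens on an ephemeral port, announces it with PORT and accepts the data connection the server opens back; the server applies the Cisco PIX rule that the address in PORT must equal the control connection's peer, so a PORT naming a third party gets a 501 reply and no connection is opened. The server greeting and reply texts, the sample directory listing, the spoofed address 192.0.2.10 (a TEST-NET-1 address chosen for the demonstration) and the toy's use of an unprivileged source port instead of port 20 are assumptions of this example, not details from the page.

```python
# Added example, not code from the original article: a toy active-mode FTP server and
# client on loopback; the server applies the PIX rule "PORT address == control peer".
import socket
import threading

def parse_port(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port) with port = p1*256 + p2."""
    fields = [int(x) for x in arg.strip().split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def format_port(ip, port):
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def validate_port(control_peer_ip, arg):
    """Firewall-style check: the PORT address must be the control peer; 0.0.0.0 or a third party fails."""
    try:
        ip, port = parse_port(arg)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        return False, "data address %s is not the control peer %s" % (ip, control_peer_ip)
    return True, "%s:%d" % (ip, port)

LISTING = b"drwxr-xr-x 2 ftp ftp 4096 Jan 01 00:00 pub\r\n"  # constructed sample listing

def serve_one_session(listener):
    """Toy server: greet, accept a validated PORT, serve LIST by connecting back (active mode)."""
    ctrl, peer = listener.accept()
    ctrl.settimeout(5)
    with ctrl, ctrl.makefile("rb") as rfile:
        data_target = None
        ctrl.sendall(b"220 toy ftp ready\r\n")
        for raw in rfile:
            verb, _, arg = raw.decode("ascii").rstrip("\r\n").partition(" ")
            if verb == "PORT":
                ok, detail = validate_port(peer[0], arg)
                data_target = parse_port(arg) if ok else None
                ctrl.sendall(("200 PORT command successful\r\n" if ok else
                              "501 PORT rejected: %s\r\n" % detail).encode("ascii"))
            elif verb == "LIST":
                if data_target is None:
                    ctrl.sendall(b"425 Use PORT first\r\n")
                    continue
                ctrl.sendall(b"150 Opening data connection\r\n")
                # a real server binds source port 20 here (needs privileges); the toy lets the kernel choose
                with socket.create_connection(data_target, timeout=5) as data:
                    data.sendall(LISTING)
                data_target = None
                ctrl.sendall(b"226 Transfer complete\r\n")
            elif verb == "QUIT":
                ctrl.sendall(b"221 Goodbye\r\n")
                break

def active_list(server_addr, announce_ip=None):
    """Toy active-mode client; announce_ip replaces our own address in the
    PORT command to stage a bounce attempt. Returns (replies, listing)."""
    replies, listing = [], b""
    with socket.create_connection(server_addr, timeout=5) as ctrl, ctrl.makefile("rb") as rfile:
        reply = lambda: rfile.readline().decode("ascii").rstrip("\r\n")
        replies.append(reply())                                  # 220 greeting
        with socket.socket() as data_listener:
            data_listener.bind((ctrl.getsockname()[0], 0))       # ephemeral port yyyy
            data_listener.listen(1)
            data_listener.settimeout(5)
            my_ip, my_port = data_listener.getsockname()
            ctrl.sendall(("PORT %s\r\n" % format_port(announce_ip or my_ip, my_port)).encode("ascii"))
            replies.append(reply())                              # 200 or 501
            if replies[-1].startswith("200"):
                ctrl.sendall(b"LIST\r\n")
                replies.append(reply())                          # 150
                data, _ = data_listener.accept()                 # server connects to yyyy
                with data:
                    for chunk in iter(lambda: data.recv(4096), b""):
                        listing += chunk
                replies.append(reply())                          # 226
        ctrl.sendall(b"QUIT\r\n")
        replies.append(reply())                                  # 221
    return replies, listing

def run_demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    listener.settimeout(10)
    results = {}
    for name, spoof in (("legit", None), ("bounce", "192.0.2.10")):  # second run spoofs a TEST-NET-1 address
        worker = threading.Thread(target=serve_one_session, args=(listener,))
        worker.start()
        results[name] = active_list(listener.getsockname(), spoof)
        worker.join(10)
    listener.close()
    return results

if __name__ == "__main__":
    print(run_demo())
```

Running the file prints both sessions: the honest one ends with the 226 reply and the listing, the bounce attempt is stopped at the PORT command with a 501 and never reaches LIST. In a real network the check belongs in the firewall or NAT gateway that tracks the control connection, as the text describes; the toy puts it in the server only so that the whole exchange fits in one process.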

2.2 FTP Passive mode

The following list describes the steps of passive-mode FTP. Steps 1 to 3 are the same as in PORT mode, and steps 9 to 11 are also the same as in PORT mode.
