What Is FTP and What Is It For?
FTP stands for File Transfer Protocol. An FTP server lets you both download (retrieve a file from the server) and upload (send a file to the server) files with ease, if you have permission. You browse through a remote FTP site the same way you browse through your own computer's files and directories (of course, you don't have read and/or write access to every file on the system, and some files you can't even see).
The following are several basic FTP commands. To communicate with an FTP daemon, connect to port 21 and then use these commands:
cd - change directory (on the server)
lcd - change local directory (when sending a file, the path of the specified file will be the path you specify on lcd)
dir, ls - directory listing
binary - change mode to binary transfer
get - retrieve a file
mget - retrieve many files
put - send a file
mput - send many files
pwd - print working directory on the server
http://blacksun.box.sk contains thousands of computer-related acronyms and abbreviations; download the file called acros.txt from the projects page. If you don't feel like typing commands, there are lots of FTP clients that will do all the work for you, but some will still show you all the commands they use, so you'll be able to learn new commands.
Since there are so many FTP holes for so many FTP server programs and so many Operating Systems, I decided that the best way is simply to explain to you how to find information about security holes by yourself.
I will also introduce several interesting FTP security holes near the end of this section.
To find FTP exploits, try searching the following websites (or join the BugTraq mailing list at http://www.securityfocus.com):
- BugTraq Archives
- Spikeman's Denial Of Service Website (for DoS attacks against FTP servers)
Note: You might think that the above sites are considered illegal, since they feature explanations about security holes and how to exploit them. Well, they're not! These things are called "advisories" and they allow you to find holes on your own PC and fix them. Whether you use this information to secure yourself or exploit others is your own choice. It's the difference between legitimate and illegal.
Selected FTP Holes
The following FTP holes aren't new or extraordinary or incredibly fantastic or anything like that; they're just good for learning. I picked some interesting FTP holes and wrote a small explanation about them to get you started. Note: I didn't write these; I got them from websites.
Some FTP daemons allow a premature PASV command, which can cause some of them to crash with a core dump. FTP core dumps can be used to salvage encrypted passwords, bypassing any shadow password scheme. It is not known exactly which servers are immune to this and which are not, and the only workaround right now is to get a newer version of the program. Also see http://www.genocide2600.com/~spikeman/bisonware3.html for a DoS attack against BisonWare FTP Server 3.5 similar to this hole.
FTP Bounce Attack (too long, see http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1425 (From BugTraq))
The SYST command
Entering the SYST command while connected to an FTP server often reveals valuable information about a system, such as the OS, its version, and information about the FTP server. Get access to an FTP server somehow (by using a username and a password you know or by using anonymous login – login: anonymous, password: youremailaddy@host. You could also enter someone else's Email address; the server doesn't actually verify the address you send) and then type SYST.
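To see what your own server gives away through SYST, the Python below (an added example, not part of the original tutorial) parses captured FTP replies and reports what the 220 greeting and the 215 answer to SYST disclose. The sample session, the ExampleFTPd name and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from a real host): a two-line 220 greeting, then the SYST reply.
SAMPLE = [
    "220-Welcome to files.example.test",
    "220 ExampleFTPd 2.3.1 ready.",
    "215 UNIX Type: L8 Version: BSD-199506",
]

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
# "Product 1.2.3" / "Product/1.2" style strings (name followed by a dotted version).
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*[ /]v?\d+(?:\.\d+)+")

def parse_replies(lines):
    """Group raw lines into (code, text) pairs. A reply starting "NNN-" runs
    until a line starting with the same code followed by a space (RFC 959)."""
    replies, code, parts = [], None, []
    for line in lines:
        m = REPLY.match(line)
        if code is None and not m:
            continue  # stray text outside any reply
        if code is None:
            code, parts = m.group(1), []
        last = bool(m) and m.group(1) == code and m.group(2) == " "
        parts.append(m.group(3) if m and m.group(1) == code else line.strip())
        if last:
            replies.append((code, " ".join(parts)))
            code = None
    return replies

def audit(replies):
    """Return (code, finding) pairs describing what each reply discloses."""
    findings = []
    for code, text in replies:
        if code == "215":  # answer to SYST: first word names the system type
            system, _, rest = text.partition(" ")
            findings.append((code, f"operating system family: {system}"))
            extra = re.sub(r"Type: \S+", "", rest).strip()
            if extra:  # anything beyond the standard "Type: L8" part
                findings.append((code, f"extra detail: {extra}"))
        if code in ("220", "215"):
            for hit in PRODUCT_VERSION.findall(text):
                findings.append((code, f"product and version: {hit}"))
    return findings

if __name__ == "__main__":
    for code, finding in audit(parse_replies(SAMPLE)):
        print(code, finding)
```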