Page 346 - StudyBook.pdf
330 Chapter 5 • Communication Security: Web Based Services
FTP Security
Another part of Internet-based security that should be considered is FTP-based
traffic. FTP is an application layer protocol within the TCP/IP protocol suite that
transfers data primarily via ports 20 and 21 and then uses available ports above
1023 for any further communication it needs. Like Telnet, FTP sends credentials
and data in cleartext, so if they are captured via a passive attack such as sniffing,
the information could be exploited to provide unauthorized access. Although FTP
is an extremely popular protocol to use for transferring data, the fact that it
transmits the authentication information in a cleartext format also makes it
extremely insecure. This section explores FTP’s weaknesses and looks at an
FTP-based hack in progress with a sniffer.
Active and Passive FTP
When FTP is used, it may run in one of two modes: active or passive. Whether
active or passive FTP is used depends on the client. The mode is initiated by the
client, and then acted upon by the FTP server. An FTP server listens and responds
through port 21 (the command port), and transmits data through port 20 (the data
port). During the TCP handshake, unless a client requests to use a specific port, the
machine’s IP stack will temporarily designate a port that it will use during the
session, which is called an ephemeral port. This is a port that has a number greater
than 1023, and is used to transfer data during the session. Once the session is
complete, the port is freed, and will generally be reused once other port numbers
in a range have all been used.
When active FTP is used, the client will send a PORT command to the server
saying to use the ephemeral port number + 1. For example, if the FTP client used
port 1026, it would then listen on port 1027, and the server would use its port 20
to make a connection to that particular port on the client. This creates a problem
when the client uses a firewall, because the firewall recognizes this as an external
system attempting to make a connection and will usually block it.
With passive FTP, this issue isn’t a problem because the client will open
connections to both ports. After the TCP handshake, it will initiate one connection to
port 21 but include a PASV (passive FTP) command. Because this instructs the
server that passive FTP is used, the client doesn’t then issue a PORT command
that instructs the server to connect to a specific port. Instead, the server opens its
own ephemeral port and sends the PORT command back to the client through
port 21, which instructs the client which port to connect to. The client then uses
www.syngress.com
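The following Python sketch is an added example, not code from the book. It decodes the port negotiation described above as it appears on the control channel and reports which side opens the data connection, which is what a firewall rule or packet capture review has to account for. The function names and the addresses (documentation ranges) are constructed for illustration; the `h1,h2,h3,h4,p1,p2` field and the `227` passive-mode reply follow RFC 959.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 field in a PORT command or 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("host-port byte out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_port_command(ip, port):
    """Build the PORT command a client sends to announce its listening data port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def data_connection(line, client_ip, server_ip):
    """Return mode, initiator and destination negotiated by a control line, else None."""
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line)
        # Active mode: server connects from its port 20 to the client's listener.
        return {"mode": "active", "initiator": server_ip, "src_port": 20,
                "dst": (ip, port), "inbound_to_client": True}
    if line.startswith("227"):
        ip, port = decode_hostport(line)
        # Passive mode: client connects out to the server's ephemeral port.
        return {"mode": "passive", "initiator": client_ip, "src_port": None,
                "dst": (ip, port), "inbound_to_client": False}
    return None


# Constructed control-channel lines (documentation addresses, not captured traffic).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    "USER demo",
    encode_port_command(CLIENT, 1027),  # client control port 1026 -> listens on 1027
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,195,80)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", data_connection(line, CLIENT, SERVER))
```

The active-mode result is marked `inbound_to_client`, which is the connection a client-side firewall sees as unsolicited; the passive-mode result is outbound from the client on both channels.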