FTP bounce

1. FTP diagram

http://120.118.165.46/tsnien/Teach_Manu/F7858/F7858_HTML/chap14/chap14-2.htm

FTP control connection

FTP data connection

  • Server initiates (Active Mode, PORT)

  • Client initiates (Passive Mode, PASV)

2. The two operating modes of the FTP protocol

http://www.superpay.com.tw/a/5481.html

The two operating modes of the FTP protocol: active mode and passive mode

FTP (File Transfer Protocol) is a file transfer protocol with two connection modes: active and passive.

How the FTP connections are established in each mode:

In active mode (usually the default):

The FTP client opens a randomly chosen TCP port and connects to port 21 on the FTP server. Once the three-way handshake completes the connection is up, but this is only the command (control) channel.
When the two sides need to transfer data, the client sends a PORT command over the command channel telling the server which other TCP port the client will accept the data channel on.
The server then connects from its port 20 to the port the client announced. Note the direction: this connection goes from server to client, and the first TCP segment of it carries the SYN flag.
The client answers with SYN-ACK, the server completes the second three-way handshake with an ACK, and only then is the data connection established and data transfer can begin.

In passive mode:

The FTP client opens a randomly chosen TCP port and connects to port 21 on the server, establishing the command channel.
When data needs to be transferred, the client sends a PASV command over the command channel, asking the server to enter passive transfer mode.
The server then does what the client did in step 2 of active mode, with the roles reversed: it picks a TCP port of its own, listens on it, and reports it to the client over the command channel (the 227 reply).
The client connects from another TCP port to the port the server announced, building the data channel. This time it is the client's segment that carries the SYN flag.
The server answers with SYN-ACK, the client sends the final ACK, the handshake is complete, and the data channel is established.
Data transfer begins. In practice, active mode works when the client itself is reachable from the server, i.e. there is no firewall or NAT in front of the client (or the FTP server sits on the client's own side of the boundary). Passive mode (PASV for short) is what you use when the client is behind a firewall or NAT and the server is the side that can accept inbound connections.

3. How FTP works: Active FTP and Passive FTP (Chinese-language source)

http://vbb.twftp.org/showthread.php?t=9095

Why does it happen so often that you connect to an FTP site, log in, and then the session just sits there and never produces a directory listing? There are many kinds of firewall, and some of them reject any connection request that does not originate from an internal network IP. FTP is an old protocol and was not designed with this in mind. Plain FTP works roughly like this: the client tells the server, "my port xx is waiting for you to send the data"; the server, hearing this, opens a connection to that port and starts sending. That is exactly the problem: if the requesting client is behind a firewall that blocks connections from outside IPs, then of course the (external) server cannot connect to the client. So, a few years later, the FTP protocol was extended to handle this. That extension is Passive Mode, which works as follows: the client sends the server a PASV command, and the server answers "the data is waiting on port xx, come and fetch it yourself." This time it is the client that opens the connection to the server and retrieves the data, which sidesteps the firewall restriction.

FTP is a file transfer protocol that supports two modes, one called Standard (that is, Active) and one called Passive (PASV). In Standard mode the FTP client sends a PORT command to the FTP server; in Passive mode it sends a PASV command.

Most firewall setups require Passive Mode when transferring files over FTP, yet most FTP client software defaults to Active Mode. What is the difference between the two when transferring? Understanding how FTP works first makes the difference between active and passive FTP easy to see.

FTP normally uses two TCP ports, 20 and 21. Conventionally port 20 carries data and port 21 carries commands, but in fact port 20 is not always the one used for data.

Active Mode FTP
In Active mode the FTP client first connects from a TCP port greater than 1024 (call it N) to port 21 on the FTP server. The client then opens the next port up (N+1), listens on it, and tells the server with a PORT command that the next transfer should use this new port. The FTP server then connects from its port 20 to the port the client announced and sends the data over that connection.
So the firewall on the server side needs to allow:

FTP server port 21 from anywhere        # FTP client initiates the control connection
FTP server port 21 to ports > 1024      # FTP server replies to the client's commands
FTP server port 20 to ports > 1024      # FTP server initiates the data connection
FTP server port 20 from ports > 1024    # FTP client sends data ACKs back to the server

So the connection sequence is:
1. FTP client uses TCP port 1026 to send commands to FTP server command port 21
2. FTP server uses TCP port 21 to respond to FTP client command port 1026
3. FTP server uses TCP port 20 to send data to FTP client data port 1027 (1026 + 1)
4. FTP client uses TCP port 1027 (1026 + 1) to send data ACKs to FTP server port 20

The catch in Active Mode FTP is that the client holds the initiative: the FTP client never actually connects to the server's data port (TCP port 20). It only tells the server which port it will receive data on and expects the server to connect back to that port. When the client sits behind a firewall (or NAT), that inbound connection is exactly what gets blocked.

Passive Mode FTP
To solve the connection failure that active mode suffers when the client is behind a firewall, use passive mode. In Passive Mode FTP the client starts exactly as in active mode, opening two ports (N > 1024 and N+1) and using the first to connect to port 21 on the server; but instead of sending PORT, it sends the PASV command. The server then picks a port of its own greater than 1024 (call it P), listens on it, and reports it to the client in its 227 reply. The client connects from N+1 to port P on the server and data transfer begins.

So the firewall needs to allow:

FTP server TCP port 21 from anywhere                # FTP client initiates the control connection
FTP server TCP port 21 to ports > 1024              # FTP server replies on the control channel
FTP server TCP ports > 1024 from anywhere           # FTP client initiates the data connection
FTP server TCP ports > 1024 to client ports > 1024  # FTP server sends data and ACKs to the client's data port

The connection sequence is:
1. FTP client uses TCP port 1026 to send the PASV command to FTP server command port 21
2. FTP server uses TCP port 21 to reply to the client's command port 1026, announcing data port 2024
3. FTP client uses TCP port 1027 (N+1) to connect to server port 2024 for data transfer and ACKs
4. FTP server uses TCP port 2024 to send data and ACKs to the client

Because in Passive Mode FTP it is the client that connects to a port above 1024 that the server has opened, the client-side firewall needs nothing special and transfers are not blocked there. The cost moves to the server side: the FTP server opens a random high port for every data connection, and the server firewall must let anyone connect to that port. On IIS 4 and IIS 5 that range is 1024-5000, but on many FTP servers it is 1024-65535, and whatever range is in use has to be reachable from the outside in full. To make IIS use 1024-65535 as well (note that this raises the dynamic port ceiling for the whole TCP/IP stack, not only for FTP):

1. Run regedt32
2. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Edit → Add Value → Value Name: MaxUserPort, Data Type: REG_DWORD, Value: 65534

(Windows Vista and later manage the dynamic port range with netsh int ipv4 set dynamicport tcp instead of this registry value.)

Current FTP software, including Internet Explorer 5 and later, supports both modes. Dedicated FTP clients are usually easy to configure: there is normally a PASV option. CuteFTP, for example, offers Standard and PASV as transfer modes you can choose between. In Internet Explorer, PASV mode is enabled under Tools → Internet Options → Advanced → Use Passive FTP; otherwise Standard mode is used.

So if there is a firewall in the way, or you want to avoid configuration hassle, PASV mode is the easier choice; but where the security requirements are genuinely high, Standard mode is recommended. How do you set Standard mode up on the filter? First, create a rule allowing internal IPs to connect to TCP port 21 on external IPs. Second, deny connections from external TCP port 20 to internal ports below 1024; this stops an outside host from reaching ordinary internal services through the FTP data port. Third, require the ACK flag to be set (ACK = 1) on the remaining inbound packets, so that only replies to connections opened from the inside get through; the reasoning behind that rule comes from the TCP three-way handshake.

The ftp client that ships with Windows has no passive command, but you can use the literal command to send PASV to the FTP server on the current session. Method:

C:\>ftp 10.10.100.121
Connected to 10.10.100.121.
220 (vsFTPd 2.0.1)
User (10.10.100.121:(none)): ftp
331 Please specify the password.
Password:
230 Login successful.
ftp> literal pasv
227 Entering Passive Mode (10,10,100,121,242,172)
ftp>

The server replies that it has entered Passive Mode; the port number it announced is (242*256)+172 = 62124. Note, however, that this only makes the server listen on that port for the next transfer: the built-in Windows ftp.exe does not implement passive mode itself and still sends a PORT command before each transfer, so the data connection is not actually made in passive mode.

On UNIX, if the FTP client lacks a passive command, quote pasv does the same thing (with the same limitation).
The Linux ftp client can switch modes with the passive command.
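The PORT argument and the 227 reply discussed above both carry the address and port as six comma-separated decimal bytes, with the port split into a high byte and a low byte (p1*256 + p2, which is how the 62124 in the transcript was computed). The following Python is an added example, not code from this page or from any of the articles it quotes: it encodes and decodes that tuple and lays out the control-channel exchange and the resulting data connection for both modes. All addresses and port numbers in it are made up for illustration.

```python
import ipaddress
import re

# A PORT argument and a 227 reply both carry "h1,h2,h3,h4,p1,p2":
# four address octets, then the TCP port as high byte and low byte.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 string for an IPv4 address and TCP port."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the address
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text: str) -> tuple:
    """Return (ip, port) from a PORT argument or from a whole 227 reply line."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {text!r}")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def data_connection_setup(mode: str, client_ip: str, client_port: int,
                          server_ip: str, server_port: int) -> dict:
    """Return the control-channel lines that set up the data connection in the
    given mode, plus which side then opens the data connection to which endpoint.
    client_port is the client's N+1; server_port is the server's P (unused for active)."""
    if mode == "active":
        # Client listens on N+1 and announces it; the server connects FROM port 20.
        lines = [("C->S", f"PORT {encode_hostport(client_ip, client_port)}"),
                 ("S->C", "200 PORT command successful.")]
        target = decode_hostport(lines[0][1])
        conn = {"initiator": "server", "src": (server_ip, 20), "dst": target}
    elif mode == "passive":
        # Server listens on P and announces it in the 227 reply; the client connects FROM N+1.
        lines = [("C->S", "PASV"),
                 ("S->C", f"227 Entering Passive Mode ({encode_hostport(server_ip, server_port)})")]
        target = decode_hostport(lines[1][1])
        conn = {"initiator": "client", "src": (client_ip, client_port), "dst": target}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"control": lines, "data": conn}


if __name__ == "__main__":
    # The reply line is the one from the literal pasv transcript; the rest are constructed values.
    print(decode_hostport("227 Entering Passive Mode (10,10,100,121,242,172)"))
    for mode in ("active", "passive"):
        setup = data_connection_setup(mode, "192.0.2.10", 1027, "198.51.100.20", 2024)
        for direction, line in setup["control"]:
            print(f"{mode:8} {direction} {line}")
        d = setup["data"]
        print(f"{mode:8} data connection: {d['initiator']} connects {d['src']} -> {d['dst']}")
```

Running it prints the two exchanges side by side; the only thing that changes between the modes is which side announces a port and which side sends the SYN, which is the whole reason the firewall rule sets above differ.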

4. FTP的工作方式:Active FTP 及 Passive FTP

http://slacksite.com/other/ftp.html

Active FTP

In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server’s command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client’s specified data port from its local data port, which is port 20.

From the server-side firewall’s standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
  • FTP server’s port 20 to ports > 1023 (Server initiates data connection to client’s data port)
  • FTP server’s port 20 from ports > 1023 (Client sends ACKs to server’s data port)

When drawn out, the connection appears as follows:

In step 1, the client’s command port contacts the server’s command port and sends the command PORT 1027. The server then sends an ACK back to the client’s command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn’t make the actual connection to the data port of the server–it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client–something that is usually blocked.

Passive FTP

In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and reports it to the client in its 227 (Entering Passive Mode) reply, the passive-mode counterpart of the client's PORT command. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)
  • FTP server’s port 21 to ports > 1023 (Server responds to client’s control port)
  • FTP server’s ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server’s ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client’s data port)

When drawn, a passive mode FTP connection looks like this:

In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client’s data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.

5. Explanation of FTP bounce

http://www.cert.org/tech_tips/ftp_port_attacks.html


  1. Introduction :   In the past few years, there have been ongoing discussions about problems related to the PORT command in the FTP protocol. These problems are based on the misuse of the PORT command in the FTP protocol.
  2. The FTP Protocol : To understand these attacks, it is necessary to have a basic understanding of the FTP protocol [1]. A client opens a connection to the FTP control port (port 21) of an FTP server. So that the server will be later able to send data back to the client machine, a second (data) connection must be opened between the server and the client. To make this second connection, the client sends a PORT command to the server machine. This command includes parameters that tell the server which IP address to connect to and which port to open at that address – in most cases this is intended to be a high numbered port on the client machine. The server then opens that connection, with the source of the connection being port 20 on the server and the destination being the port identified in the PORT command parameters. The PORT command is usually used only in the “active mode” of FTP, which is the default. It is not usually used in passive (also known as PASV [2]) mode. Note that FTP servers usually implement both modes, and the client specifies which method to use [3].
  3. The FTP Bounce Attack : To conform with the FTP protocol, the PORT command has the originating machine specify an arbitrary destination machine and port for the data connection. However, this behavior also means that an attacker can open a connection to a port of the attacker’s choosing on a machine that may not be the originating client. Making this connection to an arbitrary machine for unauthorized purposes is the FTP bounce attack. For illustrative purposes only, several examples of how attackers can use FTP bounce follow.

    1. Port scanning : An attacker wishing to carry out a port scan against a site can do so from a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client). Under some circumstances, this technique offers the attacker more benefits than just hiding the true source of the probe. When the intended victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine, thus managing to bypass access controls that might otherwise apply.
    2. Bypassing basic packet filtering devices : An attacker may bypass a firewall (or other boundary protection measures) in certain network configurations. For instance, assume that a site has its anonymous FTP server behind the firewall. Using the port scan technique above, an attacker determines that an internal web server at that site is available on port 8080, a port normally blocked by a firewall. By connecting to the public FTP server at the site, the attacker initiates a further connection between the FTP server and an arbitrary port on a non-public machine at that site (for instance the internal web server at port 8080). As a result, the attacker establishes a connection to a machine that would otherwise be protected by the firewall.
    3. Bypassing export restrictions : An example of how to bypass export restrictions was described by Hobbit in a posting to the bugtraq mailing list in 1995 [4]. This description is available from

      ftp://avian.org/random/ftp-attack

  4. Bypassing Dynamic Packet Filtering Devices : Another problem involves client sites that have implemented firewalls that use dynamic packet filters to protect themselves. The sites are open to attack because the firewall trusts the information it receives. In this example, the victim site houses all of its systems behind a firewall that uses dynamic packet filters. A person at the victim site browses web pages and downloads a Java applet constructed by the attacker. Without that person’s knowledge, the Java applet then opens an outbound FTP connection to the attacker’s machine. The applet then issues an FTP PORT command, instructing the server machine to open a connection to, say, the telnet port at some otherwise protected system behind the victim firewall. Because the dynamic packet filtering firewall examines outbound packets to determine if any action is required on its part, it notes the PORT command and allows an incoming connection from the remote web server to the telnet port on the victim machine. This connection normally is not allowed by the firewall; it was allowed in this case because the PORT command was issued by the client. Martin et al [5] discuss this particular attack, variations of it, and specific defense strategies.
  5. Solutions : The example attacks in this tech tip demonstrate the core component of the vulnerability: the contents of the FTP PORT command are not trustworthy as they are under the control of a potential attacker. The FTP bounce example demonstrates what happens when a server trusts the information. The dynamic filter example demonstrates what happens when a firewall trusts the information. Because the core element of the FTP bounce attack is required for RFC compliance, there is no clear-cut solution. An important point to remember, though, is that the RFC states that the feature must be present in the server software and usable to be RFC compliant. It does not state that the end user must actually be under constraint of using this feature.

    1. FTP Server Software : The best solution to the FTP bounce problem from a security perspective is to ensure that your FTP server software cannot establish connections to arbitrary machines. However, sites that rely on the RFC-compliant behavior may find that implementing this solution will affect applications that they use. (We have not received any first-hand reports of such cases.) Consequently, many vendors offer solutions that allow the site offering the FTP service to make the choice that best suits them. Vendor implementations fall into three groups:

      1. strict conformance with RFC functionality: The PORT command may be used to connect directly to a third-party machine, and this is the only functionality allowed. Some vendors who choose to maintain strict conformance have addressed this problem by modifying all other network services to reject connections originating from the FTP data port (port 20).
      2. strict suppression of the PORT command: The PORT command may be used to connect to the originating client, and this is the only functionality allowed.
      3. variable PORT command behavior: The PORT command may be used in either of the above two ways, with one way being the default. Switching between them is usually achieved with a command line parameter. You should be careful to verify which is the default.

      You should be aware which category your server software falls into. Our recommendation is to use option 2, or option 3 with suppression enabled.

    2. FTP Server Configuration : Some of the FTP bounce attacks described earlier rely on one or more server machines (depending on the attack) allowing uploaded files via FTP (usually anonymous FTP). Your site should offer anonymous upload facilities only if it is absolutely necessary. Even then, you must carefully configure the incoming area. For more details, see “Anonymous FTP Configuration Guidelines” at

      http://www.cert.org/tech_tips/anonymous_ftp_config.html

      Note that these steps only repel attacks that rely on intermediate uploads. The steps are not effective against other attacks (such as a port scan).

    3. Network Configuration : There are a few things to keep in mind when configuring your network boundaries (e.g., packet filtering routers and firewalls). Sites should ensure that they carefully design their network topology so that effective traffic boundaries exist between systems that offer distinct levels of service. For instance, a site typically has an anonymous FTP service, web service, and an incoming electronic mail hub. The site uses good security practice by separating the machines that provide these external services from those that perform internal services. It is important to have strong network boundaries (preferably using firewalls) between these two sets of machines. In this way, even if an FTP server is vulnerable internal machines can be protected at the intervening network boundary. For example, sites that have an FTP server that allows the PORT command to establish connections to third-party machines should block traffic between the FTP server and machines that offer services relying on hostname or IP address for authentication. Examples of such services are rlogin, rsh and NFS. While a firewall or filtering router should always prevent direct external access to such services, it should also filter traffic from an internal FTP server that behaves in this way. This prevents the FTP server being used as a relay machine to attack protocols with weak authentication mechanisms based on hostname or IP address. There are several references which can assist you in configuring your network boundaries. For example, the CERT Coordination Center includes the following in their recommended reading list at

      • http://www.cert.org/pub/other_sources/books.html
      • Chapman, D. B., and Zwicky. E. D. Building Internet Firewalls. Sebastopol, CA: O’Reilly & Associates, Inc., 1995.
      • Cheswick, William R., and Bellovin, Steven M. Firewalls and Internet Security: Repelling the Wily Hacker. New York: Addison-Wesley Publishing Company, 1994.

      Sites using dynamic packet filtering firewalls may need to take additional steps to ensure that third-party PORT commands are blocked by the firewall. If you need to address this problem, we encourage you to check with your vendor to determine the steps you should take.
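CERT's option 2 above ("strict suppression of the PORT command") and the dynamic-packet-filter problem come down to the same check: the address in a PORT command must be the address the control connection came from. The Python below is an added example, not CERT's text or any FTP server's code. It implements that check the way a server, or an FTP-aware firewall helper, would before honouring PORT; it additionally refuses ports below 1024, which RFC 2577 recommends so that a client cannot bounce to well-known services even on its own host; and it runs the check over a constructed session in which the client tries to use the server to probe a third host. The reply strings, addresses and port arguments are made up for illustration.

```python
import ipaddress

MIN_DATA_PORT = 1024  # RFC 2577 s.3: do not open data connections to well-known ports


def parse_port_arg(arg: str) -> tuple:
    """Parse 'h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated numbers")
    nums = [int(p) for p in parts]  # raises ValueError on non-digits
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("byte out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def check_port_command(control_peer_ip: str, arg: str,
                       min_port: int = MIN_DATA_PORT) -> tuple:
    """Decide whether to honour a PORT command received on a control connection
    whose peer is control_peer_ip.  Returns (accept, reply_line).

    Policy (CERT option 2 plus RFC 2577):
      * the data address must equal the control connection's peer address
      * the data port must not be a privileged / well-known port
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, f"501 Syntax error in PORT argument ({exc})"
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        # This is the bounce attack: the data connection would go to a third party.
        return False, (f"500 Illegal PORT command "
                       f"(address {ip} is not the control peer {control_peer_ip})")
    if port < min_port:
        return False, f"500 Illegal PORT command (port {port} is below {min_port})"
    return True, "200 PORT command successful."


def review_session(control_peer_ip: str, commands: list) -> list:
    """Run every PORT argument of one control session through the check.
    Returns a list of (arg, accepted, reply) so bounce attempts can be logged."""
    return [(arg, *check_port_command(control_peer_ip, arg)) for arg in commands]


# Constructed sample session: the client at 203.0.113.7 does one normal transfer,
# then tries to use the server to probe 10.0.0.5 (an internal host, as in the
# CERT example), then names its own address but a low port.
SAMPLE_PEER = "203.0.113.7"
SAMPLE_COMMANDS = [
    "203,0,113,7,4,3",   # legitimate: own address, port 1027
    "10,0,0,5,0,23",     # bounce: telnet on an internal host
    "10,0,0,5,31,144",   # bounce: port 8080 on the internal web server
    "203,0,113,7,0,25",  # own address, but port 25: still refused
    "203,0,113",         # malformed argument
]

if __name__ == "__main__":
    for arg, ok, reply in review_session(SAMPLE_PEER, SAMPLE_COMMANDS):
        print(f"PORT {arg:<18} -> {'accept' if ok else 'REJECT'}: {reply}")
```

The same comparison is what a stateful firewall's FTP helper must make before it opens a pinhole for the data connection: if the address in PORT (or in a 227 reply) is not the endpoint of the control connection it is tracking, it should not create the expectation at all.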

6. Summary

The reason active and passive both exist comes down to whether the client side has a firewall: the server-side firewall must in any case open the FTP service port (21) for the service to work at all, and, for passive mode, the server's data-port range as well.

So the problem is usually whether the client side has a firewall.

In active mode with a firewall on the client side:

1. The client sends a PORT command to the server.

2. The server then tries to connect to the address and port the client just supplied, but the client-side firewall blocks it, because that port is not open for inbound connections.

So passive mode is used instead:

1. The client tells the server over the control connection, with PASV, that it wants passive mode.

2. The server replies with the address and port it is listening on.

3. The client then initiates a connection to the port the server supplied, and this works, because the server-side firewall opens that port.

solution 1: modify ip_conntrack_ftp.c, the netfilter FTP connection-tracking helper that reads PORT commands and PASV replies off the control channel and pre-opens the expected data connection. (In current kernels the helper is nf_conntrack_ftp; its loose module parameter decides whether it honours addresses that differ from the control connection's endpoints, and leaving it off is the safe setting.)

http://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024480.html
