myNetWatchman KnowledgeBase
Pooling knowledge to secure the internet.
FTP primitives:
- USER - send FTP username
- PASS - send password (note: in clear text)
- CWD - change working directory
- TYPE I - set the transfer type to (I)mage (binary)
- PORT w,x,y,z,p1,p2 - server: connect back to me at IP w.x.y.z, port (p1*256+p2) for data transfer
- STOR filename.typ - upload file filename.typ
Client IP: 24.1.1.1
Server IP: 64.238.113.123
Transaction: Client wants to upload lisa.zip to server.
Problem: Client can login to the FTP server, but after issuing 'put lisa.zip' transfer fails.
No. Time Source Destination Protocol Info
1 0.000000 24.1.1.1 64.238.113.123 TCP 37590 > ftp [SYN] Seq=2583193268 Ack=0 Win=16384 Len=0
2 0.001767 64.238.113.123 24.1.1.1 TCP ftp > 37590 [SYN, ACK] Seq=4013232525 Ack=2583193269 Win=17424 Len=0
3 0.015366 64.238.113.123 24.1.1.1 FTP Response: 220 idiot2 Microsoft FTP Service (Version 5.0).
4 0.018651 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193269 Ack=4013232526 Win=17424 Len=0
5 0.182373 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193269 Ack=4013232575 Win=17375 Len=0
6 3.511044 24.1.1.1 64.238.113.123 FTP Request: USER user_name
7 3.512216 64.238.113.123 24.1.1.1 FTP Response: 331 Password required for netwatch.
8 3.683313 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193284 Ack=4013232612 Win=17338 Len=0
9 6.453877 24.1.1.1 64.238.113.123 FTP Request: PASS pass_word
10 6.468057 64.238.113.123 24.1.1.1 FTP Response: 230 User user_name logged in.
11 6.693527 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193299 Ack=4013232642 Win=17308 Len=0
12 40.242806 24.1.1.1 64.238.113.123 FTP Request: CWD pub
13 40.244408 64.238.113.123 24.1.1.1 FTP Response: 250 CWD command successful.
14 40.378212 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193308 Ack=4013232671 Win=17279 Len=0
15 44.340156 24.1.1.1 64.238.113.123 FTP Request: CWD incoming
16 44.341754 64.238.113.123 24.1.1.1 FTP Response: 250 CWD command successful.
17 44.477812 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193322 Ack=4013232700 Win=17250 Len=0
18 45.961752 24.1.1.1 64.238.113.123 FTP Request: TYPE I
19 45.962932 64.238.113.123 24.1.1.1 FTP Response: 200 Type set to I.
20 46.178409 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193330 Ack=4013232720 Win=17230 Len=0
21 93.509865 24.1.1.1 64.238.113.123 FTP Request: PORT 24,1,1,1,146,215
22 93.511147 64.238.113.123 24.1.1.1 FTP Response: 200 PORT command successful.
23 93.562895 24.1.1.1 64.238.113.123 FTP Request: STOR lisa.zip
24 93.565026 64.238.113.123 24.1.1.1 FTP Response: 150 Opening BINARY mode data connection for lisa.zip.
25 93.565566 64.238.113.123 24.1.1.1 TCP 6004 > 37591 [SYN] Seq=1232074734 Ack=0 Win=16384 Len=0
26 93.772935 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193373 Ack=4013232805 Win=17145 Len=0
27 96.830239 64.238.113.123 24.1.1.1 TCP 6004 > 37591 [SYN] Seq=1232074734 Ack=0 Win=16384 Len=0
28 103.392901 64.238.113.123 24.1.1.1 TCP 6004 > 37591 [SYN] Seq=1232074734 Ack=0 Win=16384 Len=0
Q/A:
1) Is the FTP client requesting an active or passive connection?
2) What port is the client requesting that the server use to do the file transfer? (see: PORT 24,1,1,1,146,215 )
3) Does the server attempt to connect to the client on the requested port?
4) Does the client accept the connection?
5) Why does the transfer fail?
6) How can we reconfigure the FTP client to allow this transfer?
Bonus:
7) How do firewalls support this type of transfer?
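To check your reading of the trace, the following added example (not part of the original page) decodes the PORT argument with the p1*256+p2 rule and counts the server's SYNs to that data port and any SYN/ACK replies from the client. The function names and the one-summary-line-per-packet input format are assumptions; the sample input is constructed from packets 21-28 of the trace above.

```python
import re

# Constructed sample: packets 21-28 copied from the trace above.
TRACE = """\
21 93.509865 24.1.1.1 64.238.113.123 FTP Request: PORT 24,1,1,1,146,215
22 93.511147 64.238.113.123 24.1.1.1 FTP Response: 200 PORT command successful.
23 93.562895 24.1.1.1 64.238.113.123 FTP Request: STOR lisa.zip
25 93.565566 64.238.113.123 24.1.1.1 TCP 6004 > 37591 [SYN] Seq=1232074734 Ack=0 Win=16384 Len=0
26 93.772935 24.1.1.1 64.238.113.123 TCP 37590 > ftp [ACK] Seq=2583193373 Ack=4013232805 Win=17145 Len=0
27 96.830239 64.238.113.123 24.1.1.1 TCP 6004 > 37591 [SYN] Seq=1232074734 Ack=0 Win=16384 Len=0
28 103.392901 64.238.113.123 24.1.1.1 TCP 6004 > 37591 [SYN] Seq=1232074734 Ack=0 Win=16384 Len=0
"""

PORT_RE = re.compile(r"^\d+ \S+ (\S+) (\S+) FTP Request: PORT "
                     r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
TCP_RE = re.compile(r"^\d+ \S+ (\S+) (\S+) TCP (\S+) > (\S+) \[([A-Z, ]+)\]")

def decode_port(fields):
    """Turn the six PORT octets w,x,y,z,p1,p2 into (ip, port)."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT argument must be six values in 0..255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def analyze(trace):
    """For each PORT request, count data-connection SYNs and SYN/ACKs that follow."""
    results, lines = [], trace.splitlines()
    for i, line in enumerate(lines):
        m = PORT_RE.match(line)
        if not m:
            continue
        client, server = m.group(1), m.group(2)
        ip, port = decode_port(m.groups()[2:])
        syns = synacks = 0
        for later in lines[i + 1:]:
            t = TCP_RE.match(later)
            if not t:
                continue
            src, dst, sport, dport, flags = t.groups()
            flagset = {f.strip() for f in flags.split(",")}
            if (src, dst, dport) == (server, ip, str(port)) and flagset == {"SYN"}:
                syns += 1          # server dialing the advertised data port
            elif (src, dst, sport) == (ip, server, str(port)) and flagset == {"SYN", "ACK"}:
                synacks += 1       # client side answering the handshake
        results.append({"data_ip": ip, "data_port": port,
                        "matches_control_peer": ip == client,  # False hints at NAT
                        "server_syns": syns, "client_synacks": synacks})
    return results
```

Repeated SYNs with the same sequence number and no SYN/ACK are retransmissions of a single connection attempt, which is what the counts let you confirm.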
myNetWatchman Security Research