Post on 11-Oct-2020


Md Afzal Hossain

Active and Passive FTP design and security analysis

CSIT 560- Network Security

Submitted to- Prof. Dr. Stefan Robila

Afzal Hossain

ID-10905552

Montclair State University


Table of Contents

1. Motivation of this project

2. Methodology

3. Key Challenges

4. Literature review

5. Abstract

6. Definitions, Abbreviations and Acronyms

7. FTP design

8. FTP Types

i. Active FTP

ii. Passive FTP

9. Software and hardware requirements

10. Lab Setup for Live capture with Cisco Packet Tracer

11. Analysis Experiment with Cisco Packet Tracer

12. Lab Setup for Live capture with Wireshark

13. Wireshark analysis

i. Wireshark analysis of Active FTP

ii. Wireshark analysis of Passive FTP

14. FTP Vulnerabilities and Mitigation

15. FTP based attacks

16. Conclusion

17. References

18. Appendix


1. Motivation of this project:

In today’s world, security is one of the burning topics in the IT industry. Security is a major concern for any computer connected to the internet, so every such computer should be protected. File transfer is among the most frequently used TCP/IP applications and accounts for a lot of the network traffic on the Internet. File Transfer Protocol (FTP) is a TCP/IP protocol for uploading and downloading files between servers and clients; it is designed to aid in moving files from one location to another over a network. FTP is also widely used to access the contents of web servers. Knowing this, I have always had the question: is FTP secure to use, and what are its vulnerabilities? As a web developer I always try to understand how FTP works, so I am curious to learn about it and want to know about its vulnerabilities and attacks.

This project gives me the opportunity to conduct a detailed analysis of the two types of the FTP protocol and of the types of security vulnerabilities and attacks. The goal of this project is to describe the FTP protocol processes in detail to dispel some of the myths, and to analyze the two types of the protocol, the design, and FTP vulnerabilities and attacks.

2. Methodology:

This is an analysis project. I therefore studied what FTP is, its basic design, the FTP types and how they work. For my project, I analyzed the security issues in the File Transfer Protocol (FTP), specific security vulnerabilities and attacks against FTP, and how to mitigate those security issues. A lab setup topology for a practical experiment is explained, and instructions for the practical experiment are provided at the end of the project in the Appendix section. The main methodology is to use a network monitor analyzer tool to carry out the FTP security analysis.

3. Key Challenges:

The key challenge in my project is to identify the FTP vulnerabilities and FTP based attacks. Both issues are discussed, and mitigations for those vulnerabilities are proposed.


4. Literature Review:

For this project, I researched and gathered many resources to help construct my paper and to find out what the purposes of FTP are, how to improve security by using alternative methods to FTP to protect data from hacking, and how to guard one’s privacy. I studied several articles to build my knowledge. I cite the articles that I feel are most important, using IEEE citation; a brief explanation of each follows.

The article “Why FTP may forever be a security hole, and what you can do about it” was written by Stephen Todd Redding [1] and published at the SANS Institute in 2002. In this article he explains FTP’s purposes, its vulnerabilities and attacks, and how to reduce the risks of FTP issues.

Forouzan, B.A. [2], in his article “TCP/IP: Protocol Suite”, published in 2000, 1st ed., New Delhi, India: Tata McGraw-Hill Publishing Company Limited, describes the architecture of FTP and the basic design of FTP. I have used this resource to define the FTP types and the FTP design.

"Securing FTP Using SSH — Nurdletech" [3]. Nurdletech.com. Web. 21 Mar. 2016. That article gave me knowledge about an alternative way to secure FTP, which I used to describe building the secure FTP process.

Allman, M. "FTP Security Considerations". NASA Glenn/Sterling Software, May 1999, Web [4]. 21 Mar. 2016. From that article I studied FTP security attacks; I gained knowledge about the different types of FTP based attack and what each attack does.

Warnicke, Ed. [5] "Wireshark User’s Guide" (2014, Nov) Wireshark.org, Web. 21 Mar. 2016. I learned network capture from that article, which is really important, and I will use that technique throughout my FTP analysis.


5. Abstract

This project is based on File Transfer Protocol (FTP), its types and its vulnerabilities. In this project the vulnerabilities of active FTP and passive FTP are shown by analyzing captured traffic with the Cisco Packet Tracer and Wireshark analyzer tools. At the end, different types of security attacks and vulnerabilities are explained and their mitigation is discussed. A practical lab is described in the appendix section.

6. Definitions, Abbreviations and Acronyms

FTP: File Transfer Protocol

SSL: Secure Sockets Layer

TLS: Transport Layer Security

IP: Internet Protocol

NAT: Network Address Translation

DOS: Denial-of-service

7. FTP Design:

FTP stands for File transfer protocol. The protocol is built based on the client server architecture and uses TCP at the transport layer. FTP is used for transferring data between systems. FTP uses two different TCP connections for communication [2].

1. FTP control: FTP control uses TCP port 21 for communication. The control connection is used by FTP client to initialize connection with the FTP server. User authentication process over FTP is also achieved over control connection.

2. FTP Data: FTP data uses TCP port 20 for communication. The data connection is used by FTP client to transfer data after the control connection is established.


8. FTP Types: File Transfer Protocol transfers data in two ways, which are as follows.

i. Active FTP:

In Active FTP, the client first establishes the TCP control connection on TCP port 21. The TCP 3-way handshake is used for this purpose. Once the control connection is established, the server initiates another TCP 3-way handshake from TCP port 20 for the data connection, to a port which the client specified over the control connection.

ii. Passive FTP:

In Passive FTP, the client initiates and establishes the control connection on TCP port 21. The TCP 3-way handshake is used for this purpose. Once the control connection is established, the client initiates another TCP 3-way handshake on the random port which is specified by the server.

9. Software and Hardware Requirement

To set up the lab for this experiment, the following hardware and software are needed:

1. Windows 7 or equivalent (2 systems)

2. FileZilla FTP Server software / built-in FTP server feature installed

3. Wireshark / Cisco Packet Tracer

4. Switch

Figure: Active FTP (Win 7 FTP client, FileZilla FTP server): control connection on TCP port 21 from client to server; data connection from TCP port 20 from server to client.

Figure: Passive FTP (Win 7 FTP client, FileZilla FTP server): control connection on TCP port 21 from client to server; data connection on a random TCP port specified by the server after the control connection is established.


10. Lab Setup for Live capture with Cisco Packet Tracer

Below is a live demonstration which I have tested for this project.

My virtual PC IP address: 192.168.1.100

Server IP address: 192.168.1.254

The file below contains the simulation design.

The FTP simulation file

11. Analysis Experiment:

Figure: FTP lab setup


Figure: Server configuration

Figure: FTP installed in server


Figure: PC configuration

Figure: PC is connected with Server.


Figure: PC communicating with Server through web browser.

Figure: FTP communication through PC to Server.

With Cisco Packet Tracer I can simulate the FTP communication and capture the traffic. Below I have uploaded the simulation.


Figure: FTP simulation and capture traffic.

When I installed the FTP server, I created one account. In the simulation, I opened the command prompt and connected to the FTP server. Meanwhile I turned on traffic capture on the interfaces, so I can see the FTP protocol. In the command prompt I typed the username and password, which I can see in the analyzer tool.

Figure: Interfaces capture (username captured in plain text)


So there is the username which I typed in order to log in. The password is also viewable in that traffic, even though it was invisible in the command prompt.

Figure: Interface captured (Password is in plain text)

So I can see that FTP is a very insecure protocol and that it shows confidential information in plain text. FTP is not encrypted.

12. Lab Setup for Live capture with Wireshark

My PC IP address- 192.168.2.2

And Server IP address- 192.168.2.3


I. Wireshark analysis of Active FTP: (Client 192.168.2.2, Server 192.168.2.3)

The file below contains the simulation design.

For this analysis I start capturing on the Wireshark capture interface, which in my case is LAN Ethernet. For my analysis I have a user called test whose password is test1. Once the capture is done, I have a figure like the one below.

Figure: Active FTP capture

By filtering in the filter window with ip.addr eq 192.168.2.2 and ip.addr eq 192.168.2.3, I get the figure below.


Figure: 192.168.2.2 is the FTP client and 192.168.2.3 is the FTP server

From the screenshot it is clear that frames No 55-57 in the file are the FTP client's initiation and establishment of the control connection on TCP port 21.


It is clear that frames No 63 and 67 in the file show the exchange of username and password.

No 71 is the PORT command, in which the client informs the server to which random port the server should initiate the data connection from TCP port 20. In this case the random port is 2352.


Frames No 75, 77 and 78 are the establishment of the data connection from the server's TCP port 20 to port 2352, the port specified in the PORT command.

II. Wireshark analysis of Passive FTP: (Client: 192.168.2.2, Server: 192.168.2.3)

Below is the passive FTP simulation file.

By filtering in the filter window with ip.addr eq 192.168.2.2 and ip.addr eq 192.168.2.3, I got the figure below.

Figure: Passive FTP capture


Frames No 127-129 in the file show the connection establishment between the FTP client (192.168.2.2) and the FTP server (192.168.2.3) on TCP port 21.

Frames No 185 and 188 are the username and password sent by the client to the server. The username is test and the password is test1.

Frame No 200: the client informs the server that it wants to communicate in Passive mode.


Frame No 201: the server informs the client which port it needs to connect to in order to establish the data connection. In this case the passive port is 1082.

Frames No 203, 205 and 206: the client establishes the data connection to port 1082 on the server from a random port on itself, after which data communication is initiated.

14. FTP Vulnerabilities and Mitigation:

Vulnerability: Username and password: The username and associated password in an FTP based transaction are sent in clear text. In the Active FTP pcap, filtering the file with the criterion ((ip.addr eq 192.168.2.2 and ip.addr eq 192.168.2.3)) shows frames 63 and 67. The username is “test” and the password is “test1”, both observed in clear text. In Cisco Packet Tracer, the inbound PDU of the interface simulation also shows the user name Afzal and the password NetworkCS560 in plain text.

Mitigation: FTP is to be used with TLS/SSL. This would encrypt the username and password.

Vulnerability:

Data: The data in an FTP based transaction is sent in clear text. Files and directory listings are common examples of data in an FTP transaction.

Mitigation: Secure FTP connection which uses TLS/SSL has to be deployed to encrypt the data.

Vulnerability:

Port command: The PORT command is used in an active FTP connection. It contains the IP address and port number to which the server needs to initiate the data connection. This information can be arbitrary: the client can be configured to send a different IP address and port number in the PORT command. This enables the client to use the FTP server as a proxy to connect to a remote machine.

Mitigation:

The FTP server should not accept any IP address in the PORT command other than that of the client which established the control connection. This check has to be provided in the FTP server implementation code.
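The PORT check from this mitigation, together with decoding of the host-port encoding that appears in the captures (the PORT command in the active capture, the server's 227 reply in the passive capture), as an added example that is not part of the original paper. The function names and sample lines are constructed for illustration, and refusing ports below 1024 is an extra rule taken from the recommendation in RFC 2577 [4].

```python
import ipaddress
import re

# A PORT argument and the address inside a 227 reply use one encoding:
# h1,h2,h3,h4,p1,p2 with TCP port = p1*256 + p2 (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def _decode(match):
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_227(reply):
    """Data endpoint (ip, port) announced in a 227 reply, or None."""
    m = _HOSTPORT.search(reply) if reply.startswith("227") else None
    return _decode(m) if m else None


def check_port_command(line, control_peer_ip, min_port=1024):
    """Server-side decision for one PORT command.

    control_peer_ip is the source address of the control connection.
    Returns (accepted, reason).
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return False, "not a PORT command"
    m = _HOSTPORT.fullmatch(arg.strip())
    target = _decode(m) if m else None
    if target is None:
        return False, "malformed PORT argument"
    ip, port = target
    # Bounce protection: only connect back to the host that is logged in.
    if ip != str(ipaddress.ip_address(control_peer_ip)):
        return False, "address differs from control connection peer"
    # RFC 2577 recommendation: never open data connections to ports < 1024.
    if port < min_port:
        return False, "well-known port refused"
    return True, "ok"


if __name__ == "__main__":
    # Constructed lines matching the ports in the captures (2352 and 1082).
    peer = "192.168.2.2"
    for cmd in ("PORT 192,168,2,2,9,48",    # client's own address, port 2352
                "PORT 192,168,2,9,0,22",    # third-party address
                "PORT 192,168,2,2,0,80",    # own address, well-known port
                "PORT 192,168,2,2,9"):      # truncated argument
        print(cmd, "->", check_port_command(cmd, peer))
    print(parse_227("227 Entering Passive Mode (192,168,2,3,4,58)"))
```
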

Vulnerability:

NAT/Firewall Traversal: An active FTP connection uses the PORT command, which tells the server the IP address and port number to which it needs to establish the data connection. When the FTP client is behind a NAT/firewall device, this fails because the server does not have a direct connection to the client.

Mitigation:

NAT devices which are capable of understanding and rewriting the information in the port command need to be deployed or Passive FTP should be deployed.


Vulnerability:

Anonymous account: FTP servers support anonymous accounts. When a user attempts to log in to an FTP server and anonymous access is allowed, an email address can be provided in lieu of a password and no authentication is performed. This can bypass the authentication mechanism and provide access to valid directories and files.

Mitigation:

Anonymous accounts should either be disabled or the access rights for anonymous users should be limited.

15. FTP Based attacks:

Eavesdropping:

This attack exploits the vulnerability that the information is sent in clear text. Eavesdropping is the process of obtaining sensitive information on a communication channel. Attackers can eavesdrop on an FTP control and data connection to capture information like the username, password and critical data.

Brute Force:

This is the technique of guessing passwords for specific accounts configured on the FTP server. Scripts and tools can be used to try random values. The server should be configured with a maximum number of retry attempts as a defense against this attack.
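One way a server can enforce a maximum number of retry attempts, as an added example that is not part of the original paper: failed PASS commands are counted per client IP across control connections, so reconnecting does not reset the count. The limit of 3 failures within 300 seconds is an assumed setting (RFC 2577 [4] suggests 3 to 5 attempts); the class name, the in-memory account store and the sample events are constructed.

```python
import hmac


class LoginLimiter:
    """Counts failed PASS commands per client IP, across control connections."""

    def __init__(self, accounts, max_failures=3, window=300):
        self.accounts = accounts          # username -> password (demo store only)
        self.max_failures = max_failures  # assumed limit
        self.window = window              # seconds a failure stays counted
        self.failed = {}                  # client IP -> failure timestamps
        self.pending_user = {}            # client IP -> name from last USER

    def _recent(self, ip, now):
        kept = [t for t in self.failed.get(ip, []) if now - t < self.window]
        self.failed[ip] = kept
        return len(kept)

    def handle(self, ip, line, now):
        """Return the FTP reply code (RFC 959) for one USER or PASS line."""
        if self._recent(ip, now) >= self.max_failures:
            return 421                    # refuse, then close the control connection
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user[ip] = arg
            return 331                    # same reply for unknown names
        if verb != "PASS":
            return 530                    # not logged in
        user = self.pending_user.pop(ip, None)
        if user is None:
            return 503                    # PASS without a preceding USER
        stored = self.accounts.get(user)
        if stored is not None and hmac.compare_digest(arg.encode(), stored.encode()):
            return 230                    # logged in; earlier failures still age out
        self.failed.setdefault(ip, []).append(now)
        if self._recent(ip, now) >= self.max_failures:
            return 421                    # limit reached on this attempt
        return 530


def replay(events, limiter):
    """Feed (time, ip, line) events to the limiter and collect reply codes."""
    return [limiter.handle(ip, line, t) for t, ip, line in events]


# Constructed events: one client guessing, one legitimate client.
SAMPLE_EVENTS = [
    (0, "192.168.2.50", "USER test"), (1, "192.168.2.50", "PASS a"),
    (2, "192.168.2.50", "USER test"), (3, "192.168.2.50", "PASS b"),
    (4, "192.168.2.50", "USER test"), (5, "192.168.2.50", "PASS c"),
    (6, "192.168.2.50", "USER test"),     # new connection, still blocked
    (7, "192.168.2.2", "USER test"), (8, "192.168.2.2", "PASS test1"),
    (400, "192.168.2.50", "USER test"),   # failures have aged out
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, LoginLimiter({"test": "test1"})))
```
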

Anonymous Access:

This attack exploits the anonymous access supported on FTP servers. Attackers use this account to navigate to valid directories and files and to password files, and to copy and transfer malicious content.

Bounce attack:

This attack exploits the PORT command in an Active FTP connection. The attacker uses a valid FTP server for the attack and provides, in the PORT command, the IP address and port number of the machine which is to be attacked. The attacker can then use the FTP server for various activities, such as a port scanner, a DOS attacker, etc.


16. Conclusion:

FTP has been very popular for a long time, but nowadays its use has decreased because it has many vulnerabilities. FTP is still used by many network administrators because it is easy to use for uploading files to web servers, transferring file data and backing up servers. It would be useful for administrators if FTP were encrypted.

17. References:

[1] Stephen Todd Redding (2002) Why FTP may forever be a security hole, and what you can do about it. Published at SANS Institute, 2002. Available: 25 Feb 2016. https://www.giac.org/paper/gsec/748/ftp-security-hole-about/101645

[2] Forouzan, B.A. (2000) TCP/IP: Protocol Suite, 1st ed. New Delhi, India: Tata McGraw-Hill Publishing Company Limited. Published in 2000.

[3] Securing FTP Using SSH — Nurdletech. [online] Available: 21 Mar. 2016. http://www.nurdletech.com/linux-notes/ftp/ssh.html

[4] Allman, M. (1999, May) FTP Security Considerations. NASA Glenn/Sterling Software, May 1999. [online] Available: 21 Mar. 2016. https://tools.ietf.org/html/rfc2577

[5] Warnicke, Ed (2014, Nov) Wireshark User’s Guide. Wireshark.org. [online] Available: 21 Mar. 2016. https://www.wireshark.org/docs/wsug_html_chunked/index.html


18. Appendix:

Lab Setup for Live capture with Wireshark

1. Download and install FileZilla Server software on the first windows 7 system. This would become the FTP server.

2. Configure a user account on the FileZilla Server software. The details of configuration would be available on the FileZilla help menu.

3. Download and install Wireshark software on the second Windows 7 system. Windows 7 has FTP client functionality as part of the operating system.

4. Start Wireshark (the details of configuration are available on the website).

5. Open a command prompt window on the FTP client system and connect to the FTP server using ftp “IP address”, where IP address is the FTP server's IP address. This is an Active FTP implementation.

6. To enable Passive mode, refer to the link below. Passive FTP is enabled on the browser.

a. http://support.microsoft.com/kb/323446

7. Filter Wireshark for FTP protocol.

Lab Setup for Live capture with Cisco Packet tracer

1. Download and install Cisco Packet Tracer.

2. In real-time mode, design the PC and server connected with a switch. Configure the PC and server.

3. The FTP service should be active on the server. Open a command prompt window on the PC and connect to the FTP server using the server IP address.

4. In simulation mode, capture the traffic and examine the FTP traffic record. This will be a Passive FTP implementation.

5. To enable Active mode, refer to the link below.

a. https://learningnetwork.cisco.com/docs/DOC-7832

6. Filter the Cisco capture for the FTP protocol.