0

I'm looking at an IP range as a part of a project and discovered several FTP server. They all run vsftpd (3.0.2) on port 21.

I do not have login credentials and anonymous logins are disabled. Can I somehow identify whether the server would encrypt the actual file transfer (e.g. FTPS/SFTP) or not (Plaintext FTP)?

As suggested by Moonsik Park, I've attempted to identify the used protocol. My result differs from the suggestion, as it seems that I can't use AUTH TLS before authentication.

telnet <TARGET-IP> 21
Trying <TARGET-IP>...
Connected to <TARGET-IP>.
Escape character is '^]'.
220 (vsFTPd 3.0.2)
AUTH TLS
530 Please login with USER and PASS.

edit2: The same applies to vsFTPd 3.0.3. The default configuration has SSL disabled, but I'm yet to find out how I can identify this as an unauthenticated user.

SaAtomic
  • 989
  • 2
  • 15
  • 27

1 Answers1

2

Plain FTP

[root@mainserver ~]# telnet **** 21
Trying 10.0.0.10...
Connected to ****.
Escape character is '^]'.
220 **** FTP server ready.
AUTH TLS
504 AUTH: security mechanism 'TLS' not supported.

FTPS

[root@mainserver ~]# telnet **** 21
Trying 10.0.0.10...
Connected to ****.
Escape character is '^]'.
220 **** FTP server ready.
AUTH TLS
234 AUTH SSL command successful.

SFTP

[root@mainserver ~]# telnet **** 22
Trying 10.0.0.4...
Connected to ****.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
NO COMMAND AVAILABLE
Protocol mismatch.
Connection closed by foreign host.

The command AUTH TLS can be done before authentication.

Plain FTP servers can't AUTH TLS, FTPS servers can, and SFTP can be identified by port and ssh version.

Do note that you can connect to FTPS server insecurely because ftps is just ftp with some encryption commands. We can tell if the server is forcing to use AUTH TLS, thus can assume users will only use FTPS.

But if it accept both, then we can only assume the users will use both FTP and FTPS.

  • But this will tell you what it could do, not whether it can also do it without, right? Can you run `AUTH` to attempt non-secure login? – schroeder Sep 14 '18 at 12:27
  • 2
    @schroeder True. We can tell if the server is forcing `AUTH TLS` but we can't tell if it accepts both. –  Sep 14 '18 at 12:33
  • Fantastic suggestion, but the server appears to require authentication before running `AUTH TLS` for me, as it responds with `530 Please login with USER and PASS.`. I've added the process to the question. – SaAtomic Sep 14 '18 at 13:31
  • 1
    @SaAtomic: If the server requires login first then it likely does not support AUTH TLS since the main point of TLS in FTP is to protect the authentication. – Steffen Ullrich Sep 14 '18 at 15:18
  • @SteffenUllrich that makes sense. Thanks for the feedback! – SaAtomic Sep 14 '18 at 16:06
  • @SteffenUllrich No, FTPS server with non-encryption mode enabled is also able to login w/o auth. –  Sep 14 '18 at 16:19
  • 1
    I think what he meant is when the server doesn't allow `AUTH TLS` before the login, it doesn't encrypt the login and therefore probably doesn't offer FTPS. Or am I missing something? – SaAtomic Sep 14 '18 at 16:29
  • 1
    That's exactly what I meant. It makes not really sense to offer AUTH TLS later but require first the user to log in and thus send the password without any protection. While the standard would make this possible in theory the standard is actually primary about protecting the password - there is an explicit CCC command to downgrade from TLS again which is intended to be used after a protected authentication so that any FTP helpers can still sniff the PORT and PASV commands and responses in order to dynamically open the needed ports in the firewall. – Steffen Ullrich Sep 14 '18 at 16:34