3
1
I'm trying to use "ls" command on a anonymous FTP session, but when I'm typing the "ls" command I get:
200 PORT command successfull. Consider using PASV.
And it hangs like this (no return to the ftp prompt).
I restarted the ftp session and entered in passive mode (quote PASV), but I get another problem: "No route to host"
Do you have any suggestion ?
Addon
Posted 2016-08-10T08:01:02.407
Reputation: 75
3
quote PASV doesn't enter passive mode the way you think it does – "PASV" is an immediate command (that precedes each and every transfer) instead of a permanent mode-switch command.
Rather, the client must be told to use PASV instead of PORT whenever ls or a file transfer is requested.
With inetutils-ftp, use the passive command, or run the client as pftp or ftp --passive.
user1686
Posted 2016-08-10T08:01:02.407
Reputation: 283 655
I'm running Kali Rolling and I tryied "pftp" direclty on the terminal, but still the same problem. One question: inetutils-ftp is already in Kali Rolling right ? – Addon – 2016-08-10T13:01:18.583
Sorry I updated my question, because I already tried to be in persistent passive mode, but I get another issue – Addon – 2016-08-10T13:05:41.033
0
I remember seeing this issue once when I forgot to open up port 20 in the firewall. While the port usually associated with FTP is 21, data is usually sent via port 20.
Ensure that both 20 and 21 are open on both client and server, so that whoever initiates the connection on port 20 can get through.
Jarmund
Posted 2016-08-10T08:01:02.407
Reputation: 5 155
I forgot to say "ls" work on another FTP server, so It must come from the server, but unfortunately I can't change its configuration – Addon – 2016-08-10T09:12:19.747
Jarmund : For a non-passive connection, data is usually sent using a connection that has the server's port as 20, but the client's port number is random. FTP uses TCP. TCP has two port numbers associated with each connection. The first FTP TCP connection typically goes from a random "source port" (from the FTP client) to destination port 21 (on the FTP server). The second FTP TCP connection usually has a "source port" of 20 (on the FTP server), and a random-ish (high) destination port on the machine with the FTP client. Blindly accepting all traffic from port 20 is a notable security hole – TOOGAM – 2016-08-11T03:14:30.380
-3
Do you have any suggestion ?
Yeah, ditch FTP.
I know that probably wasn't the answer you were wanting to hear, but let me explain why it is actually necessary, and then you may be more inclined to do this. I will also give you another alternative.
FTP was written when the Internet was considered to be an experimental project. The major universities and large organizations had rules of conduct, enforced by the respected institutions, and so people on the Internet (actually called the ARPAnet back then) were trusted.
FTP was designed to have the client use a TCP connection to send a request for a file. Then the server received the request, and initiated a separate TCP connection to the client.
This broke when clients started using firewalls to protect their stuff. So FTP clients could make outgoing connections, but incoming connections were blocked.
A way around that was passive mode: The client sends a request using TCP port 21, then the server says it wants another connection using some random TCP port (e.g., 43728), and then the client makes a second connection using the specified random TCP port (e.g., 43728).
That worked if the client had a firewall. Many people started to learn that "passive mode" fixed the FTP problems. However, what "passive mode" actually fixed was just that one specific problem. If the server has a firewall that only allows incoming traffic on specific port numbers, like port 21 for FTP, then even "passive mode" doesn't fix everything that is required to work.
In theory this could be fixed if the FTP server's firewall supports an FTP proxy which monitors traffic and opens up another port if needed. Many people consider that to be a bit hard to set up.
As more organizations cared more about security, and cared less about FTP, people began to learn that FTP was becoming typically broken (meaning that more and more FTP servers were being challenging to use from more and more locations that people might try to use an FTP client at). FTP problems started to become more widespread.
For a while, people learned that "passive mode" seemed to be a magic "cure-all" technique that fixed the FTP problems. (Many people didn't understand why FTP stopped working. They just learned that if FTP started acting weird, "passive mode" seemed to fix that weird problem that FTP experienced. Later, the believe that "passive mode" was magic "cure-all" got commonly replaced with a different belief, which is that FTP just commonly doesn't seem to work anymore (not nearly as well as it used to). Even if many people didn't understand why FTP broke, what they did understand is that life did seem to work more successfully when they tried another technique, which is to just start moving onto using other protocols. As HTTPS uploading began to get more popular, people just stopped using FTP nearly as much.
So your best solution is to actually just ditch the old FTP protocol which doesn't work with modern Internet security measures. FTP just wasn't designed for that. NAT is also used to help multiple devices use one IP address.
NAT is often implemented by a firewall, although it can have purposes other than just security (like increasing the number of supported devices). Whatever the purpose might be for using NAT, the end result is that NAT basically breaks the FTP connection for the same reasons (not allowing the connection to reach the desired device). So, FTP also wasn't designed to support NAT.
Back in the day, FTP was just an experimental effort to try to get file transferring working. FTP accomplished its original goal. So, despite not working well with today's Internet designed, FTP wasn't really designed poorly. Its design really was a good success, at the time. It was just designed for a different style of Internet than one that uses today's common technologies.
HTTP doesn't have as many problems, since it uses one TCP connection instead of multiple. Nor do many secure alternatives: HTTPS, SFTP, FTPS, SCP.
I promised another alternative. It is: make FTP work. Strategies include: * Have your client side firewall run an FTP proxy * Have the FTP server's firewall run an FTP proxy
The problem is that you often don't have control over one side of the connection. So one of those may not be an option for you.
You might want to try just removing your firewall altogether. However, this is likely to introduce security risks that most people consider to be NOT work the benefit. Instead, just scrap the idea of using the old FTP protocol that doesn't work so well with the modern Internet, and get some modern software to use file transfers over HTTPS or FTPS (or SCP). It will typically work better with firewalls, work better with NAT, and give you the benefits of privacy. (You didn't really want to be broadcasting your password, unencrypted, over the Internet, did you?)
Unless you are trying to grab public files, in which case HTTPS or HTTP may be the easier route.
TOOGAM
Posted 2016-08-10T08:01:02.407
Reputation: 12 651
Very interesting answer, thank you. But the thing is that I can only access to port 21 on the remote machine. So how would I use HTTPS on port 21 ? And if it's possible how do I list file in a the same way I wanted to do with "ls" command in ftp ? – Addon – 2016-08-10T14:31:02.200
The server determines what port is listened on. (Or, a device in between, like a firewall or proxy, if PAT (Port Address Translation) is used. But to keep things simple, let's say: the server.) An HTTPS client cannot effectively communicate with an FTP server, because FTP and HTTPS are different protocols. The way to use HTTPS is to have the server run "HTTPS server" software, not (just) "FTP server" software. If you have no control over the server, you may have no options except getting your FTP client to cooperate. Best common approach for that: make your firewall use an FTP (client) proxy. – TOOGAM – 2016-08-11T02:44:38.273
I should also add that some FTP servers probably exist which permit incoming connections, but which are basically abandoned and unmaintained. In such cases, there are cases where there may be no legitimate method you can use to successfully list files ("ls") and/or transfer files. – TOOGAM – 2016-08-11T02:46:42.423
What if you are using PuTTY or a vpn to tunnel ports through the net. Then FTP would be perfect. – Nick Sotiros – 2017-11-24T17:59:54.510
@NickSotiros : The primary advantage I can think of FTP offering is compatibility with older software (particularly 20th century software), and not encrypting (possibly preferred for hardware slower than the first Pentium chips). When using modern operating systems, and modern hardware, FTP offers no real advantages. Therefore, I don't see it as being perfect when creating modern day designs/solutions. I would say that it's best to just familiarize yourself with more versatile tools, rather than trying to use FTP in some scenarios and remember to not use FTP in other scenarios. – TOOGAM – 2017-11-24T20:17:37.993
Oh, and to elaborate further, a VPN might work, since offhand I believe those tend to work on the IP address level, and so would handle multiple ports (all ports on one of the IP addresses). I think creating tunnels with PuTTY would be particularly challenging, since there is some randomization of the port numbers that get used. (I wouldn't really want to go through the effort to use PuTTY's GUI to manually create a tunnel every time you start a new file transfer. Unless there's a faster method you know of.) – TOOGAM – 2017-11-24T20:19:55.903
@PIMP_JUICE_IT Hi, thank you for your help. I'm connecting to the FTP server with "pftp 10.11.1.8 21" command. So I guess the passive mode is maintain. quote pasv gives "227: Entering passive mode 10,11,1,8,78,2". If I type "passive" just after this it says "passive mode off", but when I use a normal ftp session (ftp 10.11.1.8 21) and type "passive", this time it's on.... – Addon – 2016-08-10T13:34:32.927
@PIMP_JUICE_IT I'm on Kali Linux and checked the iptables rules, no port seems to be blocked (policy ACCEPT everywhere)... – Addon – 2016-08-10T13:35:40.190
@PIMP_JUICE_IT with the debug option: passive on => "---> PASV" + "227 Entering Passive mode 10,11,1,8,78,2" + "ftp: connect: no route to host" – Addon – 2016-08-10T13:49:52.893
@PIMP_JUICE_IT with the debug option: passive off => "---> PORT 10,11,0,159,225,78" + "200 PORT command succesful. Consider using PASV" + "--->LIST" then it hangs up... – Addon – 2016-08-10T13:51:47.783
For passive port formula is P1 x 256 + P2 where for example
10,11,0,159is the IP address of the FTP server and after that the225isP1and the78isP2so you calculate 225 X 256 = 57600 + 78 = 57678 so this is the port its trying to use and having issues with I suppose. I maintain FW, routers, FTP connections and all in my environments but I'm not sure what your constraints are in yours. Sure using SSH FTP on TCP port 22 would work better since all communications use the same TCP port but I'm not sure what options you have. I'd ask the FTP admins to help you figure this out. – Pimp Juice IT – 2016-08-10T14:32:08.080@PIMP_JUICE_IT I'm using a VPN to connect to a remote Lab, this is why there are private IPs, and I can ping the remote server (10.11.1.8), this is not this issue – Addon – 2016-08-10T14:32:59.560
@PIMP_JUICE_IT I can't ask any admin because I'm training for a famous security certification ;) , so this is actually one of the challenges. Can you explain what is "SSH FTP on port 22", do you mean SSH tunneling ? If yes, port 22 is indeed open on the remote machine. – Addon – 2016-08-10T14:35:58.497
Let us continue this discussion in chat.
– Pimp Juice IT – 2016-08-10T14:36:27.063