FTP whats That ????

This file is basically intended for newbies, but gurus can benefit from it too (read everything, 
even the newbies corner. You might come across something you've missed when you first started 
studying).
The next tutorials will be mostly for gurus, so bear with us.
If you have any comments or questions regarding this tutorial (no flames(10) or spam, please) 
Email me at [email protected]



Contents
========
What Is FTP and What Is It Good For?
* What does the acronym FTP stands for?
* What can I do with FTPs anyway? What are they good for anyway?
FTP Commands
* How to use FTP with raw FTP commands
* How to use FTP with a GUI (Graphical User Interface) / text client(5)
FTP Hacking
* Finding out information about your target and finding security holes using that info
* Example FTP-related security holes
The Stupid Bug Corner
* An "elite" bug
Newbies Corner
* What is a protocol
* What is a port
* What is a mirror site
* What is a path (complete path + relative path)
* What is a client program and what is a server program
* How to find information about remote hosts
* What is a daemon
* What is root
* What is a core dump
* What is a DoS attack
* What is DUN
* What is an ISP
* What is flaming

Bibliography

What Is FTP and What Is It Good For?
------------------------------------
The word FTP (see footnote 1 below) stands for File Transfer Protocol(1).
FTP servers will let you to both download (retrieve a file from the server) and upload (send a 
file to the server) files from the server with great ease (if you have permission to do so).
You browse through a remote FTP site the same way you browse through your own computer's files 
and directories (of course, you don't have read and/or write access to every file on the system, 
and some files you can't even see).

FTP Commands
------------
The following are several basic FTP commands. To communicate with FTP daemons(7), connect to 
port(2) 21 and then use the following commands (see footnote 2 below) to communicate with the FTP 
server:
cd      change directory (on the server)
lcd     change local directory (when sending a file, the path(4) of the specified file will be 
the path you specify on lcd)
dir,ls  directory listing
binary  change mode to binary transfer
get     retrieve a file
mget    retrieve many files
put     send a file
mput    send many files
pwd     print working directory on the server



FTP Hacking
-----------
Since there are so many FTP holes for so many FTP server programs and so many Operating Systems, 
I decided that the best way it simply to explain to you how to find information about security 
holes by yourself.
I will also introduce several interesting FTP security holes near the end of this section.
To find FTP exploits, try searching the following websites (or join the BugTraq mailing list at 
www.securityfocus.com):
CERT (Computer Emergency Response Team) - http://cert.org
X-Force Search (simplest) - http://www.iss.net/cgi-bin/xforce/xforce_index.pl
Packet Storm - packetstorm.genocide2600.com
BugTraq Archives - http://www.securityfocus.com/level2/bottom.html?go=search
Fyodor's Exploit World - http://www.insecure.org/sploits.html
Spikeman's Denial Of Service Website (for DoS(9) attacks against FTP servers) - 
http://www.genocide2600.com/~spikeman/
RootShell - http://www.rootshell.com
Slashdot - http://www.slashdot.org
Data - http://www.hideaway.net/data.html(later update: this URL was down at the time these words 
were written)
(Please report all dead links to [email protected])

Note: one might think that the above sites are considered illegal, since they feature 
explanations about security holes and how to exploit them.
Well, screw one. These things are called "advisories" and they allow you to find holes on your 
own PC and fix them. Whether you use this information to secure yourself or hack others is your 
own choice. It's the difference between legitimate and illegal.

After you get to one of the following search sites (I recommend the BugTraq Archives) search for 
the keywords you want.
For example: you find out(5) that your target is using this OS with this FTP server and this 
Webserver program etc'. Try combining all of those pieces of information and I'm sure you'll find 
the holes that fit you the most.
You can also try searching holes on your own computer.
Speaking about holes, we will explain about many security holes on the upcoming Sendmail tutorial 

Now, for several selected FTP holes.

Selected FTP Holes
******************
The following FTP holes aren't new or extraordinary or incredibly fantastic or anything of that
sort of matter. They're just good for learning.
I picked some interesting FTP holes and written a small explanation about them just to get the
newbies started.
Note: the sites I got these from aren't "evil hacking sites". These explanations are called
advisories and they are meant to be used by people who want to fix bugs on their systems. Whether
you use them for that purpose or others is none of our business.

1) Some FTP daemons allows a premature PASV command, which can cause some FTP daemons to crash
with a core dump(9). FTP core dumps can be used to salvage encrypted passwords, bypassing any
shadow password scheme.
It is not known exactly which servers are immune to this and which are not, and the only
workaround right now is to get a newer FTP server program.
Also see http://www.genocide2600.com/~spikeman/bisonware3.html for a DoS(9) attack against
BisonWare FTP Server 3.5 similar to this hole.

2) FTP Bounce Attack (too long, see
http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1425 (From BugTraq))

3) Local bug in FTP Daemon (too long, see
http://www.netspace.org/cgi-bin/wa?A2=ind9507B&L=bugtraq&P=R1345 (From BugTraq))

4) (Quotes in partfrom BugTraq) Impact: Anybody from outside can shutdown your pc ftp server. And
if u are under win3.1 the system will crash.
Program: WinQVT/NET
Version: All versions.. 16 and 32 bits
Solution.. dont use it or upgrade
Exploit: Just Send a OOB (Out of Band) to port 21,
Exploit for dummies: Take any winnuke, start it, and when u find a "139" change it to "21"
instead.
OK, I know this is stupid....... :P. But maybe somebody will need it.. who knows...
Note: A patched version of NT 4.0 isn't vulnerable to this running MS's FTP server. I haven't
had a chance to test an unpatched server, but IIRC, I did check the FTP port when the OOB problem
was first reported and it didn't cause a crash.
I would suspect that this could be a DOS/Win problem in general, and might not be specific to the
WinQVT package.

I hope this helped you learn how to find holes. There will be much more examples in the Sendmail
tutorial.

The Stupid Bug Corner
---------------------
I found this on an "elite" website made by a bunch of "elite" "hackers".
They said that in order to "hack an FTP" you need to connect to it and send the following
commands:
quote user ftp
quote cwd ~root
quote pass ftp
Basically, what the so-called hacker is trying to do here is to enter a username to get into the
system, change the user to root(7) and then enter a password for the username.
This only works on VERY badly-configured FTP servers (the author mentioned that "this doesn't
work on every FTP server". Well, I've got news for you - this doesn't work. Period. Unless you're
talking about some 5 years old boy who just got a computer and clicked on some buttons and
accidently set up an FTP server).

Newbies Corner
--------------
1. Protocol - a set of rules and regulations, similar to a language. When two computers know the
same protocol, they can use it to communicate with each other.

2. Port - (for the more technical explanation of what ports are, see the end of this explanation)
ports are like holes that enable things (data, in this case) to come in or out of them.
There are physical ports and software ports on your computer. Physical ports are those slots on
the back of your computer, your monitor etc'. Now, software ports are used when connecting to
other computers.
For example: I just bought a new computer and I want to turn it into a webserver (I want to
enable people to access selecetd web pages, pictures, cgi and java scripts or applets, programs
etc' that are located on my computer). In order for that to happen, I need to install a webserver
software.
The webserver software opens a port on my computer and names it port 80. Then it listens to
incoming connections on that port.
When someone starts his Internet browser (Netscape, Lynx, Microsoft Explorer etc') and surfs to
my website, his browser connects to my computer on port 80 and then sends HTTP commands that my
webserver program can understand into it.
My webserver program quickly picks up the incoming data and then sends it back into a port that
the surfer's browser opened on the surfer's computer. The browser will listen on that port and
wait for the data (the HTML page, the picture, the program etc') to come in through it.
There are different ports for different services (we'll get to that) so data won't mix up.
Imagine your browser getting data your FTP client was supposed to get.
I hope you got the main idea of what a port is.
Now, there are three kinds of ports: well-known ports, registered ports and dynamic/private
ports.
The well known ports are those from 0 through 1023. These are default ports for several services
(a webserver is a service because it listens for connections from remote computers and then sends
something back). For example: the default port for webservers is 80. Else, how would your browser
know which port he has to access?
Now, the registered ports are those from 1024 through 49151. These ports are reserved for several
programs. For example: ICQ (www.icq.com) reserves a port and listens to incoming messages on it.
The dynamic and/or private ports are those from 49152 through 65535, and can be used by anyone
for any given purpose.

"Techy Explanation" - To grant simultaneous access to the TCP module, TCP provides a user
interface called a port.
Ports are used by the kernel to identify network processes. These are strictly transport layer
entities (that is to say that IP could care less about them).
Together with an IP address, a TCP port provides provides an endpoint for network communications.
In fact, at any given moment *all* Internet connections can be described by 4 numbers: the source
IP address and source port and the destination IP address and destination port.
Servers are bound to 'well-known' ports so that they may be located on a standard port on
different systems.
For example, the telnet daemon sits on TCP port 23, the FTP daemon sits on TCP port 21, the
rlogin daemon sits on TCP port 513 etc'.

Important note about well-known ports: services (daemons waiting for incoming connections that
serve people in some way) on these ports can be only ran by root, so inferior users won't start
messing up with important ports.

3. Mirror site - a website which is an exact copy of the original website which is hosted by a
different server.
Mirror sites can be used to speed up downloads/uploads. For example: instead of
downloading/uploading from/to the main tucows webserver, located somewhere distantly from my
home, I can simply do it from one of their Israeli mirrors (mirror site located in Israel, my
country) and that way the downloads/uploads would go faster.

4. Path - UNIX example: if a file is located at /etc/passwd, the file's path would be /etc.
DOS/Windows example: if a file is located at c:\windows\win.exe, the file's path would
be c:\windows.
There are two kinds of paths: a complete path and a relative path.
Complete path on DOS/Windows: if the file is located on c:\program files\quickview
plus\ then this is the file's complete path.
Complete path on UNIX: if the file is located at /usr/local/sbin then this is the
file's complete path.
Relative path on DOS/Windows: if the current directory (the directory you are on at the
moment) is c:\windows and the target file is located at c:\windows\temp then the relative path to
this file is temp.
Relative path on UNIX: if the current directory is /usr/nobody and the file is located
at /usr/nobody/public_html/cgi-bin then the file's relative path is public_html/cgi-bin.

5. Client / Server programs - A client program is a program that uses a resource offered by
another program/computer.
A server program is a program that supplies resources to client programs.
Example: Client=Netscape Navigator. Server=Apache version 1.6.6 (a webserver, meaning a program
that lets people who use Internet browsers to download specific web pages, pictures, files etc'
from the computer it is installed on).

6. How to find out information about remote hosts - the best way to find out information is too
look at daemon(6) banners. Daemon banners are small pieces of information some daemons return
when connected to in order for the remote machine (the one connecting to the daemon) to know how
to interact with them better.
Try connecting to port 80 (webserver) and sending some commands like get and then looking at the
banner. You may also try Sendmail (see next tutorial) on port 25, Telnet on port 23, FTP on port
21 or whatever you can come up with.

7. Daemon - a program that listens for incoming connections from remote machines on a specified
port(2) and interacts with them.

8. Root - also referred as superuser, because his permissions are endless. His UID (User ID
number, an identification number and user on a UNIX system has) and GID (Group ID. You can create
groups and give them several permissions. For example: everyone from the accounting department
can read and execute all the files on this directory, etc') are always 0 (except on very altered
boxes).
Once you are root, you can do practically anything on a system.
Core Dump - when a program crashes it dumps all the core (all the info it handles that isn't
saved on disk, meaning all of the program's stuff that are on the RAM chip) into a temporary
file.

9. DoS - Denial of Service. A nuke in dummies language. Some kind of an attack that causes the
target computer to deny some/all kinds of services to the users of that computer (including
remote users).
For example: Winnuke (also known as OOB), the simplest DoS in the world.
(Taken from Spikeman's DoS site) This denial of service program affects Windows clients by
sending an "Out of Band" exception message to port 139, which does not know how to handle it.
This is a standard listening port on Windows operating systems. Users of Win 3.11, Win95, and
Win NT are vulnerable to this attack. This program is basically a nuisance program, but it is
being widely circulated over the internet now. It has become a bother in chatrooms and on IRC. By
using your IP# and sending OOB data to port 139, malicious users can disconnect you from
the net, often leaving you with low resources and the blue tinted screen. Some of you may have
been victims already. If this happens to you on Win 95, you will see a Windows fatal error
message similar to the following:
Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE.
This was called from 0028: in VxD NDIS(01) + 00000D7C.
Rebooting the comp should return it to normal state.

10. Flames - the action of flaming someone (send him angry mail about things he has done,
opinions he has etc' which you do not agree with).

11. DUN - Dial Up Adapter. Basically it's the Windows program that dials to your ISP(12).

12. ISP - Internet Service Provider. A company that provides Internet services, such as Internet
connectivity, web hosting, Email services etc'.

13. Distro - Distribution. Since UNIX is not a registered patent, trademark, copyrighted or
whatever there are many distributions (software packages) of it. Every distro has it's own
advantages and disadvantages (example: Redhat is the best for beginners).

F T P