07 Apr, 2023

File Transfer Protocol + SSL (FTPS)


File Transfer Protocol Secure (FTPS) is a protocol used for secure file transfers over the Internet. It is a combination of the traditional File Transfer Protocol (FTP) and the security features of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

FTPS common ports

Port 21: This is the default port for FTPS. It is used for the control channel, which is responsible for sending commands and responses between the client and the server.

Port 990: This port is also used for FTPS, but it is used for the control channel when the server is configured to use explicit SSL/TLS encryption.

Port 989: This port is used for FTPS, but it is used for the control channel when the server is configured to use implicit SSL/TLS encryption.

Ports 1024-65535: These ports are used for the data channel, which is responsible for transferring files between the client and the server. The actual port number used for the data channel is negotiated between the client and the server during the connection setup process.

Standard commands from unauthorised

Recon or non-standard command

curl ftps://177.92.65.168 -v --insecure

Tools for using protocol FTPS

Automated Tools:

  • Nmap – A network exploration and security auditing tool that can be used to scan for open FTPS ports and gather information about FTPS servers.

  • Metasploit – A powerful exploitation framework that includes modules for testing FTPS servers.

  • Burp Suite – A web application security testing tool that includes a scanner for FTPS servers.

  • OpenVAS – An open source vulnerability scanner that can be used to test the security of FTPS servers.

  • QualysGuard – A cloud-based vulnerability management and compliance platform that includes a scanner for FTPS servers.

  • Nessus – A commercial vulnerability scanner that can be used to test the security of FTPS servers.

  • Acunetix – A web application security testing tool that includes a scanner for FTPS servers.

  • Nikto – An open source web server scanner that can be used to test FTPS servers for vulnerabilities.

  • ZAP – An open source web application security testing tool that includes a scanner for FTPS servers.

  • w3af – A web application attack and audit framework that includes a scanner for FTPS servers.

  • FuzzDB – A comprehensive database of attack patterns and techniques that can be used to test the security of FTPS servers.

Manual Tools:

  • FileZilla – A popular open source FTP client that supports FTPS and can be used to manually test the security of FTPS servers.

  • WinSCP – A free and open source SFTP and FTP client for Windows that supports FTPS and can be used to manually test the security of FTPS servers.

  • Curl – A command line tool and library for transferring data with URLs that supports FTPS and can be used to manually test the security of FTPS servers.

  • FTP Voyager – A commercial FTP client that supports FTPS and can be used to manually test the security of FTPS servers.

  • SmartFTP – A commercial FTP client that supports FTPS and can be used to manually test the security of FTPS servers.

  • Core FTP – A free and commercial FTP client that supports FTPS and can be used to manually test the security of FTPS servers.

  • FireFTP – A free and open source FTP client add-on for Mozilla Firefox that supports FTPS and can be used to manually test the security of FTPS servers.

  • CrossFTP – A free and commercial FTP client that supports FTPS and can be used to manually test the security of FTPS servers.

  • Cyberduck – A free and open source FTP client for Mac and Windows that supports FTPS and can be used to manually test the security of FTPS servers.

Last five known CVE for FTPS

• CVE-2019-5537: Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations. 

• CVE-2019-12753: An information disclosure vulnerability in Symantec Reporter web UI 10.3 prior to 10.3.2.5 allows a malicious authenticated administrator user to obtain passwords for external SMTP, FTP, FTPS, LDAP, and Cloud Log Download servers that they might not otherwise be authorized to access. The malicious administrator user can also obtain the passwords of other Reporter web UI users. 

• CVE-2015-5361: Background: For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY.

Issue: The ftps-extensions option is not intended or recommended where the SRX secures the FTPS server, as the wide data channel session (gate) will allow the FTPS client temporary access to all TCP ports on the FTPS server. The data session is associated to the control channel and will be closed when the control channel session closes. Depending on the configuration of the FTPS server, supporting load-balancer, and SRX inactivity-timeout values, the server/load-balancer and SRX may keep the control channel open for an extended period of time, allowing an FTPS client access for an equal duration. Note that the ftps-extensions option is not enabled by default.

• CVE-2010-4221: Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

• CVE-2009-3702: Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL. 

Useful information

– Two ports for communication: 21 for the control channel and 990 for the data channel.

– Supports two modes of operation: implicit and explicit. In implicit mode, the SSL/TLS negotiation happens immediately after the client connects to the server on port 990. In explicit mode, the client first establishes an unencrypted control channel on port 21 and then issues a command to switch to encrypted mode.

– Provides authentication and encryption for both the control and data channels.

– Vulnerable to attacks such as FTP bounce, where an attacker can use the server to scan other hosts or networks.

– Can be tested with a variety of tools, both manual and automated.

– Clients and servers can be configured to use different SSL/TLS cipher suites, which can impact the security and performance of the connection.

– Some common SSL/TLS cipher suites used in FTPS include AES128-SHA, AES256-SHA, and RC4-MD5.

– Often used in enterprise environments to securely transfer files between servers and clients.

– Can also be used in web development to transfer files between a local machine and a web server.

– Supported by many popular FTP clients and servers, including FileZilla, WinSCP, and ProFTPD.

Known banners

“220-” – This banner may appear in the FTPS handshake response, indicating that the server is ready to receive commands.

“AUTH TLS” – This banner may appear in the FTPS handshake response, indicating that the server requires TLS/SSL encryption for authentication.

“234 AUTH TLS successful” – This banner may appear in the FTPS handshake response, indicating that the server has successfully authenticated with the client using TLS/SSL encryption.

“220 FTPS Server Ready” – This banner may appear in the FTPS handshake response, indicating that the server is ready to receive FTPS commands.
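The explicit-mode handshake described under "Useful information" and the banners listed above, as an added example (not code from the original article): a small Python audit that parses FTP replies, including multi-line "220-" greetings, sends AUTH TLS and reports whether the server accepted it or still takes a cleartext USER. The function names, the scripted transcript and the host argument are assumptions of this example.

```python
# Added example, not code from the original article: parse FTP replies (including
# RFC 959 multi-line replies such as "220-...") and check whether an explicit-mode
# FTPS server accepts AUTH TLS (RFC 4217) before any login.
import socket
import ssl

def read_reply(readline):
    """Read one FTP reply. A first line of the form "xyz-" opens a multi-line
    reply that ends at the first later line starting with "xyz " (code, space)."""
    first = readline().rstrip("\r\n")
    code, lines = int(first[:3]), [first]
    if first[3:4] == "-":
        while not lines[-1].startswith(f"{code} "):
            lines.append(readline().rstrip("\r\n"))
    return code, lines

def audit_explicit_tls(readline, sendline):
    """Client side of the explicit FTPS start: read the greeting, send AUTH TLS,
    and if that is refused, see whether a cleartext USER is still accepted."""
    code, banner = read_reply(readline)
    report = {"greeting": code, "banner": banner,
              "auth_tls": None, "cleartext_login_accepted": None}
    sendline("AUTH TLS")
    report["auth_tls"], _ = read_reply(readline)
    if report["auth_tls"] == 234:          # "234 AUTH TLS successful"
        return report                      # the caller now wraps the socket in TLS
    sendline("USER anonymous")             # refused outright on a TLS-only server
    code, _ = read_reply(readline)
    report["cleartext_login_accepted"] = code in (230, 331)
    return report

def scripted_server(transcript):
    """Constructed stand-in for a server: canned replies so the audit runs offline.
    Returns (readline, sendline, list_of_commands_sent)."""
    pending, sent = transcript.splitlines(keepends=True), []
    return (lambda: pending.pop(0)), sent.append, sent

def audit_host(host, port=21, timeout=10.0):
    """Run the same audit against a live explicit-mode server (port 21)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="latin-1", newline="")
        report = audit_explicit_tls(
            f.readline, lambda cmd: (f.write(cmd + "\r\n"), f.flush()))
        if report["auth_tls"] == 234:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report["tls_version"] = tls.version()
    return report
```

A server that answers 234 and then refuses USER without TLS satisfies mitigation 2; one that answers 331 to a cleartext USER does not.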

Books for studying the File Transfer Protocol Secure (FTPS)

FTP, JCL, and Utilities by Doug Lowe – This book provides an introduction to mainframe FTP, including FTPS.

FTP: File Transfer Protocol by William Stallings – This book provides a comprehensive overview of FTP, including the secure version FTPS.

Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications by Ivan Ristic – While not specifically about FTPS, this book covers SSL/TLS in-depth, which is the underlying security protocol used in FTPS.

Windows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking by William R. Stanek – This book includes a section on configuring FTPS on a Windows Server.

Pro FTPd by Peter Bortas – This book is a comprehensive guide to the popular FTP server software ProFTPd, which includes support for FTPS.

Secure FTP: Managed File Transfer Solutions by Mark L. Trusty – This book provides an overview of secure FTP solutions, including FTPS.

FTP Mastery: A Complete Guide to Using FTP by Sia Mohajer – This book covers all aspects of FTP, including FTPS.

The Accidental Administrator: Linux Server Step-by-Step Configuration Guide by Don R. Crawley – This book includes a section on configuring ProFTPd with FTPS support on a Linux server.

Bulletproof Web Design: Improving flexibility and protecting against worst-case scenarios with XHTML and CSS by Dan Cederholm – While not specifically about FTPS, this book covers web design and development best practices, including securing file transfers with FTPS.

Practical Packet Analysis, 3E: Using Wireshark to Solve Real-World Network Problems by Chris Sanders – This book provides an introduction to packet analysis, including analyzing FTPS traffic.

List of payloads (FTP commands) for the File Transfer Protocol Secure (FTPS)

  • STOR – Used to store a file on the server

  • RETR – Used to retrieve a file from the server

  • APPE – Used to append a file to an existing file on the server

  • DELE – Used to delete a file from the server

  • RNFR / RNTO – Used to rename a file on the server

  • MKD – Used to create a new directory on the server

  • RMD – Used to remove a directory from the server

  • LIST – Used to list the files and directories on the server

  • NLST – Used to list only the names of the files and directories on the server

  • SIZE – Used to get the size of a file on the server

  • MDTM – Used to get the modification date and time of a file on the server

Mitigation

  1. Implement strong access controls: Limit access to FTPS servers to only authorized users and ensure that passwords and other credentials are stored securely.

  2. Use encryption: Ensure that FTPS is configured to use strong encryption methods such as AES (Advanced Encryption Standard) to protect data in transit.

  3. Monitor and log FTPS activities: Implement logging and monitoring solutions to track FTPS activities and detect any suspicious behavior or unauthorized access.

  4. Regularly update and patch FTPS servers: Keep FTPS servers updated with the latest security patches and updates to prevent known vulnerabilities from being exploited.

  5. Use firewalls and other network security measures: Implement firewalls and other network security measures to prevent unauthorized access to FTPS servers.

  6. Use secure FTP clients: Ensure that FTPS clients are configured to use secure encryption methods and that they are updated regularly with the latest security patches.

  7. Use multi-factor authentication: Implement multi-factor authentication (MFA) for FTPS servers to provide an additional layer of security beyond passwords.

  8. Limit file permissions: Restrict file permissions to prevent unauthorized access to sensitive data transferred via FTPS.
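The client-side half of mitigations 2 and 6, as an added example that is not part of the original article: Python's ftplib.FTP_TLS with the weak, unverified TLS context beside the hardened one, and a session helper that refuses the weak one. The function names, host and credentials are assumptions of this example; ftplib's FTP_TLS does not verify the server certificate unless it is given a context that does.

```python
# Added example, not from the original article: an explicit-mode FTPS client
# configured the way mitigations 2 and 6 ask for. ftplib.FTP_TLS does not verify
# the server certificate unless it is given an SSLContext that does.
import ssl
from ftplib import FTP_TLS

def weak_context():
    """The setting to avoid: no chain or hostname verification, so any on-path
    party presenting its own certificate is accepted (the CVE-2019-5537 pattern)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifying_context(min_version=ssl.TLSVersion.TLSv1_2):
    """What a hardened client insists on: CA chain and hostname verification
    and no protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = min_version
    return ctx

def context_is_hardened(ctx):
    """Self-check a deployment script can run before the client goes live."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def open_session(host, user, password, port=21, context=None):
    """Connect on port 21, upgrade with AUTH TLS, switch the data channel to
    PROT P, then log in: the only cleartext traffic is the greeting and AUTH."""
    ctx = context or verifying_context()
    if not context_is_hardened(ctx):
        raise ValueError("refusing to use an SSLContext without verification")
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port)
    ftp.auth()      # AUTH TLS; ftplib raises error_perm if the server refuses
    ftp.prot_p()    # PBSZ 0 + PROT P: encrypt LIST/RETR/STOR data connections
    ftp.login(user, password)
    return ftp
```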

Conclusion

FTPS (FTP over SSL/TLS) is a secure version of the FTP protocol that provides encryption and authentication for data transfers. FTPS is commonly used in industries such as finance, healthcare, and government, where data security and compliance are critical. However, as with any protocol, there are potential security risks associated with FTPS that must be mitigated through best practices such as strong access controls, encryption, monitoring, and regular updates and patching. By following these best practices, organizations can ensure that data transferred via FTPS is secure and protected from unauthorized access or interception.
