07 Apr, 2023

Trivial File Transfer Protocol (TFTP)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

TFTP stands for Trivial File Transfer Protocol, which is a simple protocol used for transferring files between network devices. It is a less secure and less robust protocol than FTP (File Transfer Protocol) and is commonly used for transferring configuration files between network devices like routers, switches, and firewalls. TFTP operates on UDP (User Datagram Protocol) port 69 and does not require authentication or encryption, making it vulnerable to security threats. However, its simplicity and ease of use make it a popular choice for network administrators.

TFTP common ports

Port 69: This port is used for TFTP requests.

Ports between 1024 and 65535: TFTP uses these individually assigned port numbers for communication, which are sent by the TFTP server to the requesting client in the form of Transfer Identifiers (TIDs).

Port 8099: This TCP port is used for user interface to TFTP service traffic.

Standard commands from unauthorized users

GET: This command allows a user to download a file from the TFTP server. Unauthorized users can use this command to access sensitive files without permission.

PUT: This command allows a user to upload a file to the TFTP server. Unauthorized users can use this command to upload malicious files or overwrite important files.

LIST: This command allows a user to view a list of files available on the TFTP server. Unauthorized users can use this command to gather information about the server’s files and directory structure, which can be useful for launching further attacks.

MODE: This command allows a user to specify the transfer mode (binary or ASCII) for file transfers. Unauthorized users can use this command to circumvent security measures and transfer files in an unsafe manner.

Tools for using protocol TFTP

Manual tools:

  1. tftp – A simple command-line tool for transferring files using TFTP. It is commonly available on Linux and other Unix-like systems.

  2. Wireshark – A network protocol analyzer that can capture and display TFTP traffic. Wireshark can be used to analyze TFTP packets and diagnose network issues.

  3. nc – A versatile command-line utility that can be used to send and receive data over a network. nc can be used to test TFTP servers by sending TFTP requests manually.

  4. nmap – A network exploration and security auditing tool that can be used to scan networks for TFTP servers. It can be used to identify TFTP servers and check for open ports.

  5. hping3 – A command-line tool that can be used to send and receive custom packets over a network. It can be used to send TFTP requests manually and test TFTP servers.

  6. tcpdump – A command-line packet analyzer that can capture and display TFTP traffic. It is commonly used to diagnose network issues and analyze TFTP packets.

  7. telnet – A protocol used to provide command-line access to remote computers. It can be used to test TFTP servers by sending TFTP requests manually.

Automated tools:

  1. TFTP-Bruteforcer – A tool that can be used to test the security of TFTP servers by attempting to brute-force TFTP credentials.

  2. TFTP-Client – A GUI-based tool that can be used to test TFTP servers by uploading and downloading files. It also has an option to test TFTP servers for security vulnerabilities.

  3. Tftpd32 – A free TFTP server and client that can be used to test TFTP servers by uploading and downloading files. It also includes a syslog server and a TFTP security scanner.

  4. TFTPdmin – A lightweight TFTP server that can be used to test TFTP servers by uploading and downloading files. It also includes a built-in TFTP client for testing.

  5. TFTP-Proxy – A tool that can be used to test TFTP servers by intercepting TFTP traffic and forwarding it to another server. It can be used to test the reliability and security of TFTP servers.

  6. Metasploit – A penetration testing framework that includes a module for exploiting TFTP servers. It can be used to test the security of TFTP servers and identify vulnerabilities.

Browser plugins:

  1. TFTP Server Plugin for Chrome – A browser extension that allows you to run a TFTP server in your browser. It can be used for testing TFTP clients and servers.

  2. Packet Capture for Chrome – A browser extension that allows you to capture and analyze network traffic. It can be used to capture and analyze TFTP traffic.

Last five known CVE for TFTP

• CVE-2023-27078 – A command injection issue was found in TP-Link MR3020 v.1_150921 that allows a remote attacker to execute arbitrary commands via a crafted request to the tftp endpoint. 

• CVE-2022-46143 – Affected devices do not check the TFTP blocksize correctly. This could allow an authenticated attacker to read from an uninitialized buffer that potentially contains previously allocated data.

• CVE-2022-38742 – Rockwell Automation ThinManager ThinServer versions 11.0.0 – 13.0.0 is vulnerable to a heap-based buffer overflow. An attacker could send a specifically crafted TFTP or HTTPS request, causing a heap-based buffer overflow that crashes the ThinServer process. If successfully exploited, this could expose the server to arbitrary remote code execution.

• CVE-2022-28194 – NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where, if TFTP is enabled, a local attacker with elevated privileges can cause a memory buffer overflow, which may lead to code execution, loss of Integrity, limited denial of service, and some impact to confidentiality.

• CVE-2021-44429 – Serva 4.4.0 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1, a related issue to CVE-2013-0145.

Useful information

– TFTP stands for Trivial File Transfer Protocol, and it is a simple protocol used for transferring files over a network.

– TFTP is a UDP-based protocol that operates on port 69. It is a lightweight protocol that does not provide any authentication or encryption mechanisms.

– TFTP is commonly used for network booting and firmware updates, particularly in embedded systems.

– TFTP operates in a client-server model, where the client sends a request to the server to transfer a file, and the server responds with the requested file.

– TFTP supports only two modes of transfer: netascii and octet (binary).

– TFTP is a very simple protocol with only five commands: RRQ (read request), WRQ (write request), DATA, ACK (acknowledge), and ERROR.

– TFTP does not provide any security mechanisms, which makes it vulnerable to attacks such as packet sniffing, packet injection, and denial-of-service (DoS) attacks.

– To mitigate the security risks associated with TFTP, it is recommended to use it only within trusted networks, implement access control lists (ACLs), and disable unnecessary TFTP services.

– Alternative file transfer protocols that provide stronger security mechanisms include SCP (Secure Copy Protocol), SFTP (SSH File Transfer Protocol), and FTPS (FTP over SSL/TLS).

– TFTP is widely supported by various operating systems, including Windows, Linux, and macOS, and is often included as part of network booting tools and firmware update utilities.

Known banners

“TFTPD32, Version x.x.x.x” – This banner is from TFTPD32, a popular TFTP server and client for Windows.

“Cisco IOS Software” – This banner is from Cisco IOS, a popular networking operating system that includes TFTP server functionality.

“Free TFTP Server” – This banner is from Free TFTP Server, a popular TFTP server software for Windows.

“PXE Boot Server x.x.x.x” – This banner is from a PXE (Preboot Execution Environment) boot server that uses TFTP for network booting.

“SolarWinds TFTP Server” – This banner is from SolarWinds TFTP Server, a popular TFTP server software for Windows.

“WinAgents TFTP Server” – This banner is from WinAgents TFTP Server, a popular TFTP server software for Windows.

“PumpKIN TFTP Server” – This banner is from PumpKIN TFTP Server, a free TFTP server software for Windows.

“Atftpd x.x.x.x” – This banner is from atftpd, a popular TFTP server software for Linux.

“Hercules SETUP utility TFTP server” – This banner is from Hercules SETUP utility, a popular TFTP server software for Windows.

“BSDP/iPXE” – This banner is from the Bootstrap Protocol (BSDP) and iPXE, which use TFTP for network booting on macOS and other Unix-like operating systems.

Books for studies TFTP

TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens – This book provides a detailed overview of the TCP/IP protocol suite and includes a section on TFTP.

Network Warrior: Everything You Need to Know That Wasn’t on the CCNA Exam by Gary A. Donahue – This book covers a wide range of networking topics, including TFTP.

Cisco Networking Essentials by Troy McMillan – This book covers networking essentials and provides an overview of TFTP.

Network Security Essentials: Applications and Standards by William Stallings – This book covers network security and includes a section on TFTP vulnerabilities.

TCP/IP Protocol Suite by Behrouz A. Forouzan – This book provides a comprehensive overview of the TCP/IP protocol suite and includes a chapter on TFTP.

List of Payload for TFTP

  • Read Request (RRQ) – This payload is used by the client to request a file from the TFTP server.

  • Write Request (WRQ) – This payload is used by the client to write a file to the TFTP server.

  • Data – This payload contains the actual data being transferred between the client and the server. The size of the data can vary between 1 and 512 bytes.

  • Acknowledgment (ACK) – This payload is sent by the client to acknowledge receipt of a data packet from the server.

  • Error – This payload is sent by the server to indicate that an error has occurred during the file transfer.

Mitigation

  1. TFTP does not provide any authentication mechanisms by default, which can make it vulnerable to unauthorized access. To mitigate this risk, use secure authentication methods such as Kerberos or SSL/TLS to ensure that only authorized users can access the TFTP server.

  2. Limit access to the TFTP server to only those systems and users that need it. This can be done by using firewalls or access control lists (ACLs) to restrict access to the TFTP server.

  3. Ensure that all software associated with the TFTP server is up to date with the latest security patches. This includes both the operating system and any applications that use the TFTP protocol.

  4. To protect sensitive data transmitted over the network, consider using encryption to ensure that data is not intercepted or manipulated in transit.

  5. Disable any features of the TFTP server that are not needed to reduce the attack surface.

  6. Monitor network traffic for any unusual activity or traffic patterns that could indicate a potential security breach. This can be done through the use of intrusion detection systems (IDS) or security information and event management (SIEM) tools.

Conclusion

TFTP (Trivial File Transfer Protocol) is a simple protocol that is used to transfer files between a client and server over a network. It was designed to be lightweight and easy to implement, making it ideal for use in situations where a full-featured protocol like FTP would be too complex or resource-intensive.

TFTP lacks many of the advanced features of FTP, such as authentication, encryption, and directory listing, but it is still widely used in various applications, such as firmware updates, operating system installations, and network device configuration. TFTP is often used in combination with other protocols, such as DHCP and PXE, to automate the process of deploying new network devices or updating existing ones.

Other Services

Ready to secure?

Let's get in touch