Port Party is meant to be a quick-read series highlighting some of the more common things particular ports are used for and exploring around a bit.  It is not meant to be exhaustive!

TL;DR: Transfers files, but it's not all that secure.

What is FTP?

File Transfer Protocol.  Okay, we know what "Files" are and we know what "Transfer" is, but what is a protocol?  In order for the internet and general networks to behave nicely, there need to be sets of rules on how certain things can act — or else everything is just going to be screaming at everything else.  So FTP defines a set of rules which allows for file transfer across computers or the internet.

Back in the day, there were FTP clients that you had to open (like, legit programs, it was wild) and connect to an FTP server just to get your music or games from some weird sketchy server.  Nowadays, the browser can do most of this stuff for you.  Nice.

What's it look like?  What's it do?

I think a cool way to see this in action would be to make our own local server and try to hit it and see what happens.

I'm using Docker to make this local server so I'll link the Dockerfile below and the command to build and run it.  Copy and paste it into a file called Dockerfile.  I'd recommend looking into docker commands if you don't know them well.

FROM ubuntu:19.04

RUN useradd --create-home --shell /bin/bash testuser \
    && echo 'testuser:verysecure' | chpasswd \
    && mkdir -p /home/testuser/ftp_files

RUN export DEBIAN_FRONTEND=noninteractive; \
    export DEBCONF_NONINTERACTIVE_SEEN=true; \
    echo 'tzdata tzdata/Zones/Etc select UTC' | debconf-set-selections \
    && apt-get update && apt-get install -y \
    vsftpd \
    net-tools \
    tzdata

RUN echo "write_enable=YES" >> /etc/vsftpd.conf \
    && echo "user_sub_token=testuser\nchroot_local_user=YES\nchroot_list_enable=YES" >> /etc/vsftpd.conf \
    && echo "chroot_list_file=/etc/vsftpd.chroot_list\nlocal_root=/home/testuser/ftp_files\nallow_writeable_chroot=YES" >> /etc/vsftpd.conf \
    && echo "log_ftp_protocol=YES" >> /etc/vsftpd.conf \
    && echo "testuser" >> /etc/vsftpd.chroot_list \
    && echo "hey what's up everyone" > /home/testuser/ftp_files/mycoolfile.txt \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*


CMD ["/bin/bash", "-c", "/etc/init.d/vsftpd start && tail -f /var/log/vsftpd.log" ]

Looks pretty wild, but it's mostly installing vsftpd and configuring it, then running it.  We can build this by putting the file in some folder (NOT the home folder, make a tmp folder for it or something) and running the following:

# To build it...
docker build -f Dockerfile -t ftp_local .

# Then to run it...
docker run -p 2100:21 -p 2000:20 ftp_local

This maps port 21 in docker to 2100 on your local machine so there's no conflicts.  It also maps port 20 to 2000, though this doesn't seem to do much.

From here, I used FileZilla to connect.  The URL is 127.0.0.1, the port is 2100, the username is testuser, the password is verysecure.  As we'll see soon, it's not all that secure.  Upsetting at best.

You'll see some logs on the terminal in the docker, and you can check out what that's doing.  Here, it looks like it's just loggin' us in.  That's pretty cool.  You can see the file in the lower right-hand side that's sitting in our FTP (we made it in the Dockerfile above).  If you double-click on it, you can download it.  We'll do that in a minute.


SHARKING WIRES

Before we do anything else, I want to see what's actually happening when stuff is being sent back and forth between our local machine and docker.  I'll use Wireshark to check out the stuff being sent around.  I'm gonna look at my docker network on it so I can see what's happenin' on that end.

Logging in to the FTP server from local, we see a bunch of packets being sent:

One of these looks kind of interesting.  Notice that near the end we get PASS verysecure.  I guess it wasn't all that secure.  So, that's our password over the wire in plain text.  Not great.
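A defender's version of the same observation, as an added example that is not from the original post: a small Python check that walks an FTP control-channel transcript and reports every login whose password was readable on the wire, including the case where the client asked for TLS and was refused. The transcripts, the `audit` function and its field names are constructed for illustration.

```python
# Constructed control-channel transcripts ("C" = client, "S" = server).
PLAIN_LOGIN = [
    ("S", "220 FTP server ready"),
    ("C", "USER testuser"),
    ("S", "331 Please specify the password."),
    ("C", "PASS verysecure"),
    ("S", "230 Login successful."),
]
# Constructed: the client asks for TLS, is refused, and logs in anyway.
FALLBACK_LOGIN = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "530 Please login with USER and PASS."),
] + PLAIN_LOGIN[1:]
# Constructed: TLS accepted; everything after the 234 is encrypted on the wire.
TLS_LOGIN = [("S", "220 FTP server ready"), ("C", "AUTH TLS"),
             ("S", "234 Proceed with negotiation.")]


def audit(transcript):
    """Return one finding per password that is readable in the capture."""
    findings, user = [], None
    auth_pending = tls_refused = False
    for direction, line in transcript:
        if direction == "S":
            if auth_pending:
                # 234 accepts AUTH TLS; any other reply is a refusal.
                tls_refused = not line.startswith("234")
                auth_pending = False
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            auth_pending = True
        elif verb == "USER":
            user = arg
        elif verb == "PASS":
            anonymous = (user or "").lower() in ("anonymous", "ftp")
            findings.append({
                "user": user,
                "severity": "low" if anonymous else "high",
                "tls_refused_first": tls_refused,
                "password_length": len(arg),  # report the length, never the secret
            })
    return findings


if __name__ == "__main__":
    for name, t in [("plain", PLAIN_LOGIN), ("fallback", FALLBACK_LOGIN), ("tls", TLS_LOGIN)]:
        print(name, audit(t))
```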

Let's try to download a file and see what Wireshark sees.  I'll leave this as an exercise, but at some point we'll get to the FTP-DATA protocol which is the most interesting one since it has this piece:

Neat, that's our data!


Wait, why two ports for this?

Yeah, good question.  The gist is that port 21 does all the "control traffic" type things and port 20 actually pushes the data back and forth.  The rationale was: if I'm sending data, I still want to be able to have control traffic passing back and forth on the port.  Would this be necessary if FTP was made today?  Probably not.  Either way, 21 = Control Traffic, 20 = Data Transfer.
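Where the data connection actually goes is negotiated on the control channel, and the added Python example below (not from the original post) decodes that negotiation from a `PORT` command or a `227`/`229` reply. It goes a little beyond the text: in passive mode, which clients commonly default to, the server announces its own data port and port 20 is not involved, which fits the port 20 mapping above not seeming to do much. The sample lines and the `data_endpoint` name are constructed.

```python
import re

# Six comma-separated numbers: four address octets, then the port as two bytes.
SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Extended passive reply carries only a port: (|||port|)
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def data_endpoint(line):
    """Decode one control-channel line into (mode, host, port).

    Returns None if the line does not negotiate a data connection.
    host is None for a 229 reply, which reuses the control connection's address.
    """
    verb = line.split(" ", 1)[0].upper()
    if verb in ("PORT", "227"):
        m = SIX.search(line)
        if not m:
            return None
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed: every field must fit in one byte
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]  # high byte, then low byte
        # PORT: the client listens and the server connects out (from port 20).
        # 227:  the server listens and the client connects in.
        return ("active" if verb == "PORT" else "passive", host, port)
    if verb == "229":
        m = EPSV.search(line)
        if m and int(m.group(1)) <= 65535:
            return ("passive", None, int(m.group(1)))
    return None


if __name__ == "__main__":
    # Constructed sample lines.
    for sample in [
        "227 Entering Passive Mode (172,17,0,2,195,80).",
        "PORT 172,17,0,1,200,13",
        "229 Entering Extended Passive Mode (|||50001|)",
        "230 Login successful.",
    ]:
        print(sample, "->", data_endpoint(sample))
```

For firewalling or packet capture, this is the port to watch: a rule or capture filter that covers only 20 and 21 will miss passive-mode data connections.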


Okay, so, not very secure, but what can it do well?

One thing that FTP is really, really good at is working with large files.  Not only is it easy to transfer extremely large files over FTP without a hitch, but you can even pause and resume transfers — and, if a transfer breaks, you can normally "pick up where you left off".  This is great news if you have terrible internet but need to download something that's 500GB or something.


Anything cool I missed here?  Lemme know below!