September 6th, 2007 11:55 PM
FTP tunnel through PuTTY
I'm trying to get my head around using PuTTY to tunnel FTP between two computers (connected via a cross-over cable) at home. I can connect using PuTTY and interrogate the remote PC and I can use "ordinary" (insecure) ftp.exe to access the remote FTP folder but I'm having trouble setting up the FTP to go through the tunnel.
Here are the settings in PuTTY:
In the Session, I have set the Host IP address to be the remote PC (169.254.17.175) and Port 22. The connection type is SSH.
In the SSH Tunnels, I have set the Source Port to be 9999 and the Destination to be 169.254.17.175:21 with Local, Remote and Dynamic (I have tried using just one of these but it didn't work either). I added each of these to the list of forwarded ports and saved the session.
I opened PuTTY and connected to the remote PC using a login User and Password on that PC (Win2000). I tried using ftp.exe on the local PC (XP Pro) by issuing the commands:
open 127.0.0.1 9999 (I also tried open localhost 9999)
It asked for a user and password and I gave one of several on the remote PC. It confirmed the connection and, when I checked the remote PC's FTP site's Current Sessions, it confirmed that the correct user was connected to the FTP site, apparently from itself (169.254.17.175) and that, as far as I'm aware, is as it should be.
I issued the commands dir or ls from the ftp.exe and it stalled. I issued CTRL-C and it reported back:
500 Invalid PORT Command
150 Opening ASCII mode data connection for /bin/ls
I wondered if the problem was the fact that I was using ftp.exe so I tried using IE7. I entered ftp://127.0.0.1:9999 in the address bar and it asked me for the username and password which I entered correctly. It attempted to retrieve the data but nothing was displayed in IE7 ("Internet Explorer cannot display the webpage"). When I checked the FTP site Current Sessions, it confirmed that I was connected.
It seems that I can connect to the FTP directory on the remote PC but data can't be retrieved and displayed on the local PC, using either the Command Screen or Web Browser. I've tried having c:\Inetpub\ftproot sharing on and off but that doesn't make any difference. I have also disabled ZoneAlarm and I don't have Windows Firewall enabled in any case.
I hope I've explained everything. Any ideas? I know that there are better ways to access FTP securely (WinSCP etc.) but I just want to be able to get this simple (pah!) setup working to make sure that I can, before I move on to more complicated tunnels, such as getting my e-mail.
Thanks for your time (and patience!).
September 7th, 2007 12:43 AM
Never tried this but I think maybe this might be an issue with active vs passive FTP? There are always two ports in use with FTP, one for command, one for data...seems like the command is working (port 21), which is why you can log in and issue a command but then they are failing when they try to send data back (the data port, depends on whether active or passive)...
Quick google turns up: http://slacksite.com/other/ftp.html
Hope that winds up being useful...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
September 7th, 2007 09:43 AM
Many thanks. I was aware that FTP uses 20 and 21 and, whilst I'd heard of Active and Passive modes, I'd never gone into it in detail. This might just be the missing link and what I need. It seems that ftp.exe doesn't support passive mode but I'm perplexed as to why I can use ("normal") IE7 or ftp.exe to access the FTP site but not if I try to tunnel the traffic through the SSH tunnel. It's almost as if I need to make some changes to the configuration of PuTTY but I'll investigate changing the FTP settings within IE7 (Tools>Internet Options>Advanced) first. If I can't get it to work, I'm sure I'll be back!
September 7th, 2007 02:04 PM
Why not make it easier for yourself and use WinSCP
Experience is something you don't get until just after you need it.
September 7th, 2007 03:21 PM
The Wolfman loves the WinSCP. SirDice is right, WinSCP is the way to go.
Originally Posted by SirDice
September 7th, 2007 04:12 PM
I do have (older) NAS devices, which offer ftp but not scp/sftp. Thus, since in
various scenarios, an ssh-server is publicly available, the ftp-device is not.
Hence, the question is valid. I first propose a solution to the tunneling problem,
then an alternative approach (even alternative to scp/sftp/...).
Public IP SSH Server:
A few words about active/passive mode.
In active mode, the client connects from port '1423' to server Port 21. The client
binds port '1424' and informs the server accordingly. The server then connects from
port 20 to Port '1424'.
In passive mode, the client connects from Port '1423' to server Port 21. The server
binds a random Port '1654' and informs the client accordingly. The client then connects
from port '1424' to Port '1654'.
Hence, in order to create a working tunnel, passive mode is the only reasonably
configurable solution (Internet Explorer can use both active and passive mode:
Tools -> Internet Options -> Advanced -> Use Passive FTP).
I never succeeded in creating such a connection with putty. The reason for this is
I only can configure putty as follows:
Connection -> SSH -> Tunnels
source port: 21
local / auto
This will establish an encrypted control channel (21).
By connecting with my ftp-client to ftp://localhost, the control channel is available
and I can login. The data channel however is not configured. Thus, the ftp-client
tries to establish a connection to 192.168.1.100:21, which certainly will fail.
A "solution" to this is the following:
The ftp-server has to be publicly available (e.g. 184.108.40.206). The destination
then can be specified as 220.127.116.11:21 - if the ssh-server (18.104.22.168) is able to connect
to 22.214.171.124, everything will work. However - see the drawbacks/WARNING section.
ssh secure shell
The ssh secure shell has a nice option: while creating an outgoing connection,
one can specify the type (ftp / tcp). If one specifies ftp, tunnels for the
data channel are automagically created. The ftp-client connects to a local port
(The passive connection specification is part of the ftp-protocol).
With the ssh secure shell ftp option, both channels are encrypted, ie the control
channel (21) and the data channel (20).
With the above description with putty, only the control channel (21) is encrypted.
The data channel (20) still is unencrypted, since the ftp-client creates a direct connection
to the ftp server.
a simple alternative approach
You might also have a look at samba over ssh - this is a description of forwarding port 139
(netbios over tcp) - you could replace this also by 445 (smb over tcp).
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
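Added example, not part of any post in this thread: a small Python decoder for the address that FTP announces in-band for its data connection (a `PORT` command or a `227` reply), checking whether that connection would use the single PuTTY local forward. The sample lines are constructed from the addresses and ports mentioned in the posts above; the function names are hypothetical.

```python
import re

def parse_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies (RFC 959)."""
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("bad host-port: %r" % arg)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    m = re.match(r"PORT\s+([\d,]+)\s*$", line, re.I)
    if m:
        return ("active",) + parse_hostport(m.group(1))
    m = re.match(r"227\b.*?(\d+(?:,\d+){5})", line)
    if m:
        return ("passive",) + parse_hostport(m.group(1))
    return None

def analyse(line, forward_listen, control_peer):
    """Report where the data connection goes relative to one local forward.

    forward_listen: (ip, port) the SSH client listens on locally.
    control_peer:   source IP of the control connection as the FTP server sees it.
    """
    ep = data_endpoint(line)
    if ep is None:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    mode, ip, port = ep
    if mode == "passive":
        # The client dials the announced address itself. Only connections made
        # to the forward's own listening socket are carried over SSH.
        return {"mode": mode, "data": (ip, port),
                "tunneled": (ip, port) == forward_listen}
    # Active: the server dials the client, and a local forward never carries
    # that. Many servers also refuse a PORT address that differs from the
    # control connection's source address.
    return {"mode": mode, "data": (ip, port), "tunneled": False,
            "addr_matches_control_peer": ip == control_peer}

# Constructed samples: server port '1654' and client port '1424' as in the post above.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,100,6,118)"
PORT_CMD = "PORT 127,0,0,1,5,144"  # assumed: client announces its loopback address

if __name__ == "__main__":
    print(analyse(PASV_REPLY, ("127.0.0.1", 21), "192.168.1.100"))
    print(analyse(PORT_CMD, ("127.0.0.1", 9999), "169.254.17.175"))
```

In both cases `tunneled` is false: the forward carries the control channel only, and the data connection is addressed somewhere the forward does not listen.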
September 7th, 2007 07:00 PM
Thanks. I mentioned familiarity with WinSCP in my original post. I wanted to get FTP through a PuTTY tunnel working to make sure that I can, before I move on to more complicated (and useful) tunnels.
Originally Posted by SirDice
Many thanks for the detailed comments. Playing around with this is a great learning experience and I'm grateful to you (and others here) for the support.
Originally Posted by sec_ware
September 9th, 2007 06:45 PM
September 9th, 2007 07:27 PM
Thank you. I've been researching further and came across this article. I realise now that I'll have to use other techniques and applications to do this. As I mentioned initially, I wanted to do this simply so I could confirm that I could set everything up myself and FTP through a tunnel seemed the most simple option. I've been looking into Remote Desktop and also VNC through a tunnel so I'll get on with that before I look at HTTP and mail access through a tunnel.
Originally Posted by zeruelx