Thread: FTP tunnel through PuTTY

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    FTP tunnel through PuTTY

    I'm trying to get my head around using PuTTY to tunnel FTP between two computers (connected via a cross-over cable) at home. I can connect using PuTTY and interrogate the remote PC and I can use "ordinary" (insecure) ftp.exe to access the remote FTP folder but I'm having trouble setting up the FTP to go through the tunnel.

    Here are the settings in PuTTY:

    In the Session, I have set the Host IP address to be the remote PC (169.254.17.175) and Port 22. The connection type is SSH.

    In the SSH Tunnels, I have set the Source Port to be 9999 and the Destination to be 169.254.17.175:21 with Local, Remote and Dynamic (I have tried using just one of these but it didn't work either). I added each of these to the list of forwarded ports and saved the session.

    I opened PuTTY and connected to the remote PC using a login User and Password on that PC (Win2000). I tried using ftp.exe on the local PC (XP Pro) by issuing the commands:

    ftp
    open 127.0.0.1 9999 (I also tried open localhost 9999)

    It asked for a user and password and I gave one of several on the remote PC. It confirmed the connection and, when I checked the remote PC's FTP site's Current Sessions, it confirmed that the correct user was connected to the FTP site, apparently from itself (169.254.17.175) and that, as far as I'm aware, is as it should be.

    I issued the commands dir or ls from the ftp.exe and it stalled. I issued CTRL-C and it reported back:

    500 Invalid PORT Command
    150 Opening ASCII mode data connection for /bin/ls

    I wondered if the problem was the fact that I was using ftp.exe so I tried using IE7. I entered ftp://127.0.0.1:9999 in the address bar and it asked me for the username and password which I entered correctly. It attempted to retrieve the data but nothing was displayed in IE7 ("Internet Explorer cannot display the webpage"). When I checked the FTP site Current Sessions, it confirmed that I was connected.

    It seems that I can connect to the FTP directory on the remote PC but data can't be retrieved and displayed on the local PC, using either the Command Screen or Web Browser. I've tried having c:\Inetpub\ftproot sharing on and off but that doesn't make any difference. I have also disabled ZoneAlarm and I don't have Windows Firewall enabled in any case.

    I hope I've explained everything. Any ideas? I know that there are better ways to access FTP securely (WinSCP etc.) but I just want to be able to get this simple (pah!) setup working to make sure that I can, before I move on to more complicated tunnels, such as getting my e-mail.

    Thanks for your time (and patience!).

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Never tried this but I think maybe this might be an issue with active vs passive FTP? There are always two ports in use with FTP, one for command, one for data...seems like the command is working (port 21), which is why you can log in and issue a command but then they are failing when they try to send data back (the data port, depends on whether active or passive)...

    Quick google turns up: http://slacksite.com/other/ftp.html

    Hope that winds up being useful...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Many thanks. I was aware that FTP uses 20 and 21 and, whilst I'd heard of Active and Passive modes, I'd never gone into it in detail. This might just be the missing link and what I need. It seems that ftp.exe doesn't support passive mode but I'm perplexed as to why I can use ("normal") IE7 or ftp.exe to access the FTP site but not if I try to tunnel the traffic through the SSH tunnel. It's almost as if I need to make some changes to the configuration of PuTTY but I'll investigate changing the FTP settings within IE7 (Tools>Internet Options>Advanced) first. If I can't get it to work, I'm sure I'll be back!

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Why not make it easier for yourself and use WinSCP
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    Quote Originally Posted by SirDice
    Why not make it easier for yourself and use WinSCP
    The Wolfman loves the WinSCP. SirDice is right, WinSCP is the way to go.

    http://winscp.net/
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I do have (older) NAS devices, which offer ftp but not scp/sftp. Thus, since in
    various scenarios, an ssh-server is publicly available, the ftp-device is not.
    Hence, the question is valid. I first propose a solution to the tunneling problem,
    then an alternative approach (even alternative to scp/sftp/...).


    Situation


    Private IP:
    NAS: 192.168.1.100
    SSH: 192.168.1.10

    Public IP SSH Server:
    1.2.3.4


    ftp: active/passive

    A few words about active/passive mode.

    In active mode, the client connects from port '1423' to server Port 21. The client
    binds port '1424' and informs the server accordingly. The server then connects from
    port 20 to Port '1424'.

    In passive mode, the client connects from Port '1423' to server Port 21. The server
    binds a random Port '1654' and informs the client accordingly. The client then connects
    from port '1424' to Port '1654'.

    Hence, in order to create a working tunnel, passive mode is the only reasonably
    configurable solution (Internet Explorer can use both active and passive mode:
    Tools -> Internet Options -> Advanced -> Use Passive FTP).


    putty


    I never succeeded in creating such a connection with putty. The reason for this is
    the following:
    I only can configure putty as follows:
    Connection -> SSH -> Tunnels
    source port: 21
    destination: 192.168.1.100:21
    local / auto

    This will establish an encrypted control channel (21).

    By connecting with my ftp-client to ftp://localhost, the control channel is available
    and I can login. The data channel however is not configured. Thus, the ftp-client
    tries to establish a connection to 192.168.1.100:21, which certainly will fail.


    A "solution" to this is the following:
    The ftp-server has to be publicly available (e.g. 1.2.3.5). The destination
    then can be specified as 1.2.3.5:21 - if the ssh-server (1.2.3.4) is able to connect
    to 1.2.3.5, everything will work. However - see the drawbacks/WARNING section.



    ssh secure shell


    The ssh secure shell[1] has a nice option: while creating an outgoing connection,
    one can specify the type (ftp / tcp). If one specifies ftp, tunnels for the
    data channel are automagically created. The ftp-client connects to a local port
    127.0.0.1:1654.

    (The passive connection specification is part of the ftp-protocol).



    drawbacks/WARNING


    With the ssh secure shell ftp option, both channels are encrypted, ie the control
    channel (21) and the data channel (20).

    With the above description with putty, only the control channel (21) is encrypted.
    The data channel (20) still is unencrypted, since the ftp-client creates a direct connection
    to the ftp server.



    a simple alternative approach

    You might also have a look at samba over ssh[2] - this is a description of forwarding port 139
    (netbios over tcp) - you could replace this also by 445 (smb over tcp).



    Good luck!

    Cheers

    [1] http://www.ssh.com
    [2] http://antionline.com/showthread.php?t=261812
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
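
Added example, not part of the post above or of any tool it mentions: it decodes the host-port field of an FTP `PORT` command or `227` passive reply and reports who opens the data connection and whether it stays inside a static SSH local forward. The sample lines are constructed from the addresses and ports used in the post; `10.0.0.5` and the `local_forwards` representation are assumptions.

```python
import re
from ipaddress import ip_address

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (six decimal bytes).
HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def decode_hostport(line):
    """Return (ip, port) announced in a PORT command or a 227 PASV reply."""
    m = HOSTPORT.search(line)
    if m is None:
        raise ValueError("no host-port field in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("byte out of range in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def data_channel(line, local_forwards):
    """Describe the data connection a control-channel line sets up.

    local_forwards: set of local listen ports of the SSH client's
    'Local' forwards (hypothetical representation of the tunnel config).
    """
    ip, port = decode_hostport(line)
    if line.lstrip().upper().startswith("PORT"):
        # Active mode: the server dials the client. A local forward only
        # carries connections opened by the client, so this bypasses it.
        return {"mode": "active", "dialer": "server",
                "endpoint": (ip, port), "via_tunnel": False}
    if not line.lstrip().startswith("227"):
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    # Passive mode: the client dials whatever the reply names. Only a
    # loopback address on a forwarded port stays inside the SSH session.
    via = ip_address(ip).is_loopback and port in local_forwards
    return {"mode": "passive", "dialer": "client",
            "endpoint": (ip, port), "via_tunnel": via}


# Constructed sample lines using the addresses and ports from the post.
FORWARDS = {21}                      # static forward: localhost:21 -> NAS:21
RAW_PASV = "227 Entering Passive Mode (192,168,1,100,6,118)"
REWRITTEN = "227 Entering Passive Mode (127,0,0,1,6,118)"
ACTIVE = "PORT 10,0,0,5,5,144"       # 10.0.0.5 is a made-up client address

if __name__ == "__main__":
    print(data_channel(RAW_PASV, FORWARDS))
    print(data_channel(REWRITTEN, FORWARDS | {1654}))
    print(data_channel(ACTIVE, FORWARDS))
```

The raw passive reply names the NAS directly, so the data connection leaves the tunnel; only a reply rewritten to a loopback port that is itself forwarded, as the post describes for the FTP-aware forwarding mode, keeps the data channel inside the SSH session.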

  7. #7
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Quote Originally Posted by SirDice
    Why not make it easier for yourself and use WinSCP
    Thanks. I mentioned familiarity with WinSCP in my original post. I wanted to get FTP through a PuTTY tunnel working to make sure that I can, before I move on to more complicated (and useful) tunnels.

    Quote Originally Posted by sec_ware
    .... Good luck!
    Many thanks for the detailed comments. Playing around with this is a great learning experience and I'm grateful to you (and others here) for the support.

  8. #8

  9. #9
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thank you. I've been researching further and came across this article. I realise now that I'll have to use other techniques and applications to do this. As I mentioned initially, I wanted to do this simply so I could confirm that I could set everything up myself and FTP through a tunnel seemed the most simple option. I've been looking into Remote Desktop and also VNC through a tunnel so I'll get on with that before I look at HTTP and mail access through a tunnel.
