Unlike SFTP, FTP transfers everything in plain text. This means any username or password sent over the wire can be read by an unrelated third party. Even so, FTP is a very popular file transfer protocol, and people frequently use it for transferring files from their PCs to remote servers.
In Python, ftplib is a built-in module used for transferring files to and from remote machines. You can create an anonymous FTP client connection with the FTP() class.
ftp_client = ftplib.FTP(path, username, email)
Then you can invoke the normal FTP commands, such as CWD. In order to download a binary file, you need to create a file handler such as the following:
file_handler = open(DOWNLOAD_FILE_NAME, 'wb')
In order to retrieve the binary file from the remote host, the syntax shown here can be used along with the RETR command:
ftp_client.retrbinary('RETR remote_file_name', file_handler.write)
In the following code snippet, an example of a full FTP file download can be seen:
    #!/usr/bin/env python
    import ftplib

    FTP_SERVER_URL = 'ftp.kernel.org'
    DOWNLOAD_DIR_PATH = '/pub/software/network/tftp'
    DOWNLOAD_FILE_NAME = 'tftp-hpa-0.11.tar.gz'

    def ftp_file_download(path, username, email):
        # open ftp connection
        ftp_client = ftplib.FTP(path, username, email)
        # list the files in the download directory
        ftp_client.cwd(DOWNLOAD_DIR_PATH)
        print("File list at %s:" % path)
        # dir() prints the listing to stdout itself and returns None
        ftp_client.dir()
        # download a file
        with open(DOWNLOAD_FILE_NAME, 'wb') as file_handler:
            ftp_client.retrbinary('RETR %s' % DOWNLOAD_FILE_NAME, file_handler.write)
        ftp_client.quit()

    if __name__ == '__main__':
        ftp_file_download(path=FTP_SERVER_URL, username='anonymous', email='[email protected]')
The preceding code illustrates how a file can be downloaded over anonymous FTP from ftp.kernel.org, which is the official website that hosts the Linux kernel. The FTP() class takes three arguments here: the initial filesystem path on the remote server (the script passes FTP_SERVER_URL), the username, and the email address of the ftp user. For anonymous downloads, no username and password is required. So, the script downloads the tftp-hpa-0.11.tar.gz file, which can be found on the /pub/software/network/tftp path.
If we capture the FTP session in Wireshark on port 21 of the public network interface, then we can see how the communication happens in plain text. This shows why SFTP should be preferred. In the following figure, we can see that, after successfully establishing a connection with a client, the server sends the banner message: 220 Welcome to kernel.org. Following this, the client anonymously sends a login request. In response, the server asks for a password. The client can send the user's e-mail address for authentication.
To your surprise, you can see that the password has been sent in clear text. In the following screenshot, the contents of the password packet have been displayed. It shows the supplied fake e-mail address, [email protected].
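The exchange described above can also be audited without a screenshot. The following is an added example, not part of the original text: it walks a reassembled control-channel stream and reports what a passive observer on port 21 learns. The function name audit_control_channel, the sample stream (including the 331, 230, and 250 reply texts) and the placeholder e-mail address are constructed for illustration.

```python
import re

# Constructed capture of an FTP control channel (port 21), in the order
# described above; reply texts and the e-mail address are placeholders.
SAMPLE_STREAM = (
    b"220 Welcome to kernel.org\r\n"
    b"USER anonymous\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS nobody@example.invalid\r\n"
    b"230 Login successful.\r\n"
    b"CWD /pub/software/network/tftp\r\n"
    b"250 Directory successfully changed.\r\n"
)

REPLY = re.compile(rb"^(\d{3})[ -](.*)$")              # server reply: 3-digit code
COMMAND = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")  # client command verb

def audit_control_channel(stream):
    """Report what a passive observer learns from a reassembled control stream."""
    report = {"banner": None, "user": None, "password_exposed": False,
              "password_length": 0, "login_ok": False, "commands": []}
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        reply = REPLY.match(line)
        if reply:
            code, text = reply.group(1), reply.group(2).decode("latin-1")
            if code == b"220" and report["banner"] is None:
                report["banner"] = text
            elif code == b"230":
                report["login_ok"] = True
            continue
        cmd = COMMAND.match(line)
        if not cmd:
            continue
        verb = cmd.group(1).upper().decode()
        arg = (cmd.group(2) or b"").decode("latin-1")
        report["commands"].append(verb)
        if verb == "USER":
            report["user"] = arg
        elif verb == "PASS":
            # Record that the secret was visible, not the secret itself.
            report["password_exposed"] = True
            report["password_length"] = len(arg)
    return report

if __name__ == "__main__":
    print(audit_control_channel(SAMPLE_STREAM))
```

Any stream for which password_exposed is true carried its login in the clear, which is the condition that SFTP removes.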