Transferring files with FTP

Unlike SFTP, FTP transfers data in plain text. This means any username or password sent over the wire can be read by an unrelated third party. Even so, FTP remains a very popular file transfer protocol, and people frequently use it for transferring files from their PCs to remote servers.

In Python, ftplib is a built-in module used for transferring files to and from remote machines. You can create an anonymous FTP client connection with the FTP() class.

ftp_client = ftplib.FTP(path, username, email)   

Then you can invoke the normal FTP commands, such as CWD. In order to download a binary file, you need to create a file-handler such as the following:

file_handler = open(DOWNLOAD_FILE_NAME, 'wb')

In order to retrieve the binary file from the remote host, the syntax shown here can be used along with the RETR command:

ftp_client.retrbinary('RETR remote_file_name', file_handler.write)

In the following code snippet, an example of a full FTP file download can be seen:

#!/usr/bin/env python
import ftplib

FTP_SERVER_URL = 'ftp.kernel.org'
DOWNLOAD_DIR_PATH = '/pub/software/network/tftp'
DOWNLOAD_FILE_NAME = 'tftp-hpa-0.11.tar.gz'

def ftp_file_download(path, username, email):
    # open ftp connection (the email address is sent as the password)
    ftp_client = ftplib.FTP(path, username, email)
    # list the files in the download directory
    ftp_client.cwd(DOWNLOAD_DIR_PATH)
    print("File list at %s:" % path)
    # dir() prints the listing itself and returns None
    ftp_client.dir()
    # download a file
    with open(DOWNLOAD_FILE_NAME, 'wb') as file_handler:
        ftp_client.retrbinary('RETR %s' % DOWNLOAD_FILE_NAME, file_handler.write)
    ftp_client.quit()

if __name__ == '__main__':
    ftp_file_download(path=FTP_SERVER_URL, username='anonymous', email='[email protected]')

The preceding code illustrates how a file can be downloaded anonymously from ftp.kernel.org, which is the official website that hosts the Linux kernel. The FTP() class takes three arguments here: the address of the remote server (passed in the path parameter), the username, and the email address of the FTP user, which is sent as the password. For anonymous downloads, no username and password are required. So, the script downloads the tftp-hpa-0.11.tar.gz file, which can be found on the /pub/software/network/tftp path.

Inspecting FTP packets

If we capture the FTP session in Wireshark on port 21 of the public network interface, we can see that the communication happens in plain text. This shows why SFTP should be preferred. In the following figure, we can see that, after the client successfully establishes a connection, the server sends the banner message: 220 Welcome to kernel.org. Following this, the client sends a login request as the anonymous user. In response, the server asks for a password. The client can send the user's e-mail address for authentication.

[Figure: Inspecting FTP packets]

To your surprise, you can see that the password has been sent in clear text. The following screenshot displays the contents of the password packet. It shows the supplied fake e-mail address, [email protected].

[Figure: Inspecting FTP packets]
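The same observation can be made programmatically. The following is an added example, not code from the original page: it audits the client side of an FTP control connection and reports what a passive observer can read. The byte stream is constructed for illustration, the password in it is a placeholder address, and the function name audit_client_stream is hypothetical.

```python
import re

# Constructed client-to-server bytes from an FTP control connection (port 21).
# The password value is a placeholder address, not the one used on the page.
SAMPLE_STREAM = (
    b"USER anonymous\r\n"
    b"PASS user@example.invalid\r\n"
    b"CWD /pub/software/network/tftp\r\n"
    b"TYPE I\r\n"
    b"PASV\r\n"
    b"RETR tftp-hpa-0.11.tar.gz\r\n"
    b"QUIT\r\n"
)

# An FTP command is a 3- or 4-letter verb, optionally followed by an argument.
COMMAND = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")


def audit_client_stream(stream):
    """Summarize what a passive observer can read from the client side."""
    report = {"user": None, "password_length": 0, "files": [],
              "auth_tls_requested": False, "cleartext_login": False}
    for raw in stream.split(b"\r\n"):
        match = COMMAND.match(raw)
        if not match:
            continue  # empty chunk or non-command bytes such as TLS records
        verb = match.group(1).upper().decode("ascii")
        arg = (match.group(2) or b"").decode("latin-1")
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            report["auth_tls_requested"] = True
        elif verb == "USER":
            report["user"] = arg
        elif verb == "PASS":
            # A readable PASS line means the secret crossed the wire in the
            # clear; keep only its length so the report does not leak it.
            report["cleartext_login"] = True
            report["password_length"] = len(arg)
        elif verb in ("RETR", "STOR"):
            report["files"].append((verb, arg))
    # AUTH TLS followed by a readable PASS: TLS was refused and the client
    # fell back to plain FTP instead of aborting.
    report["tls_fallback"] = (report["auth_tls_requested"]
                              and report["cleartext_login"])
    return report


if __name__ == "__main__":
    print(audit_client_stream(SAMPLE_STREAM))
```

A session that upgrades to TLS successfully shows only the AUTH command followed by unreadable bytes, so cleartext_login stays False.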