There are several data transfer commands which can be used during an FTP session. These include STOR (upload a file), RETR (download a file), LIST (get a full directory listing) and NLST (get a directory listing of filenames). Prior to a passive data transfer, the client must send the PASV command to the server to request that the server open a port for data transfer. The server responds with the IP address and port the client should connect to in order to perform the data transfer.

PASV connection theft occurs when the client requests that the server open a data port using the PASV command, but before the original client can connect to this port, a rogue client connects to it, thus hijacking the original client’s data connection.

But how does the rogue client know what port to connect to, you ask? The rogue client could use a brute force method of simply trying all available ports, or he could make an intelligent guess as to what ports may be opened next by looking at what ports were opened in previous sessions (many servers use a sequential method of opening ports for data transfer).

What happens next depends on the next command issued by the original client.
If the original client issues a STOR command, the rogue client may then upload a file using the hijacked data stream, possibly overwriting a file or installing a trojan. If the original client issues a RETR command, the rogue client may receive the file requested for download. Both scenarios, of course, present a severe security risk.

Most servers today, including JSCAPE Secure FTP Server, implement methods for preventing PASV connection theft. These methods verify that the client who requested the PASV connection is the same as the client which eventually connects to the data port opened by the server.
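The sketch below shows one way a server can apply both ideas from this article: pick the passive port at random instead of sequentially, and accept a data connection only from the IP address of the control connection that sent PASV. It is an added example, not code from JSCAPE Secure FTP Server or any other product; the port range and the function names are assumptions made for illustration.

```python
import ipaddress
import secrets
import socket
import time

PASV_RANGE = (50000, 50999)  # assumed passive port range, not from the article


def normalize_ip(addr):
    """Return a comparable address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def open_passive_listener(bind_ip="127.0.0.1", port_range=PASV_RANGE, attempts=50):
    """Listen on a randomly drawn port so the next data port is not predictable."""
    lo, hi = port_range
    for _ in range(attempts):
        port = lo + secrets.randbelow(hi - lo + 1)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((bind_ip, port))
        except OSError:
            sock.close()  # port already in use, draw another one
            continue
        sock.listen(1)
        return sock
    raise RuntimeError("no free passive port in range")


def accept_data_connection(listener, control_peer_ip, timeout=5.0):
    """Return a data socket only if it comes from the control connection's peer IP."""
    expected = normalize_ip(control_peer_ip)
    deadline = time.monotonic() + timeout
    while (remaining := deadline - time.monotonic()) > 0:
        listener.settimeout(remaining)
        try:
            conn, (peer_ip, _peer_port) = listener.accept()
        except socket.timeout:
            break
        if normalize_ip(peer_ip) == expected:
            return conn
        conn.close()  # another host reached the port first: drop it, keep waiting
    return None  # the legitimate client never connected; abort the transfer
```

An IP comparison cannot tell apart two clients that share an address, for example users behind the same NAT gateway or on the same multi-user host, so it narrows the exposure rather than removing it.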
