FTP Enumeration
I LOVE DOING THIS :)
While pentesting a box or an application, we get to see that port 21 is open. The first things that should strike us are:
Check the read-write permissions on the directories, to see whether a file can be edited or uploaded.
Sometimes clues are put here.
Old versions of FTP servers might be vulnerable
Look at the version
Search the exploit using Google / Searchsploit / Rapid7
If you find some credential, try it on SSH / Login page / database
Connection
Many FTP servers allow anonymous users (anonymous:anonymous).
Nmap script enumeration
Vulnerability scanning
Brute-force the password for a known username
Enumeration of users
Command
Configuration Files
Vulnerable versions
ProFTPD-1.3.3c Backdoor
ProFTPD 1.3.5 Mod_Copy Command Execution
VSFTPD v2.3.4 Backdoor Command Execution
Exploitation
Gather version numbers
Searchsploit
Default Creds
Creds previously gathered
Download the software
Common Credentials
A few common passwords or usernames such as admin, administrator, root, ftpuser, test etc. should be tried if anonymous authentication is disabled on the remote FTP server. This is safer than brute-forcing and it should always be tried when possible.
FTP authentication can also be performed using the auxiliary/scanner/ftp/ftp_login Metasploit module.
Banner Grabbing ?
Once the banner discloses the version running on that FTP server, use searchsploit <FTP name and version> to get some manual or automated exploits.
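Added example, not from the original page: the banner-to-version check described above, written as a Python function that parses a 220 greeting (including multi-line "220-" replies) and flags the three versions this page lists under "Vulnerable versions". The sample banners are constructed, and the function and field names are this example's own; a match marks a host for review and upgrade, since a banner can be edited and is not proof of the installed build.

```python
import re

# The three entries from this page's "Vulnerable versions" list.
FLAGGED = {
    ("proftpd", "1.3.3c"): "ProFTPD-1.3.3c Backdoor",
    ("proftpd", "1.3.5"): "ProFTPD 1.3.5 Mod_Copy Command Execution",
    ("vsftpd", "2.3.4"): "VSFTPD v2.3.4 Backdoor Command Execution",
}

# Product name, then an optional dotted version ("v" prefix and suffix allowed).
BANNER_RE = re.compile(
    r"\b(proftpd|vsftpd)(?:[\s\-_/]*v?(\d+(?:\.\d+)+[a-z0-9]*))?", re.I)


def greeting_text(raw: str) -> str:
    """Join the text of a 220 greeting; '220-' lines are continuations."""
    parts = []
    for line in raw.splitlines():
        m = re.match(r"220[ -](.*)", line.strip())
        if m:
            parts.append(m.group(1))
    return " ".join(parts)


def classify(raw: str) -> dict:
    """Return product, version, whether the version leaks, and any page match."""
    m = BANNER_RE.search(greeting_text(raw))
    product = m.group(1).lower() if m else None
    version = m.group(2).lower() if m and m.group(2) else None
    return {
        "product": product,
        "version": version,
        "discloses_version": version is not None,
        # Exact match only: no version ranges are inferred.
        "finding": FLAGGED.get((product, version)),
    }


if __name__ == "__main__":
    # Constructed sample banners (192.0.2.10 is a documentation address).
    samples = [
        "220 (vsFTPd 2.3.4)",
        "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.0.2.10]",
        "220-Welcome\r\n220-Authorized use only\r\n220 ProFTPD 1.3.5 Server ready.",
        "220 (vsFTPd 3.0.3)",
        "220 FTP server ready.",
    ]
    for banner in samples:
        print(classify(banner))
```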