FTP Enumeration
I LOVE DOING THIS :)
While pentesting a box or an application, we often find that port 21 is open. The first thing that should strike us is:
anonymous login checks
ftp <IP>
username : anonymous
password : blank / anonymous
file upload => put shell.php // Uploads a malicious file with a .php extension (anonymous write access is the finding here).
And if nothing works!
# searchsploit <the ftp version> // via command line (Kali or Parrot)
# <ftp version name> site:exploit-db.com, rapid7 // Google dorking
Check the read/write permissions on the directories to see whether you can edit or upload a file.
Sometimes clues are left here.
Old versions of FTP servers might be vulnerable.
Look at the version.
Search for the exploit using Google / Searchsploit / Rapid7.
If you find some credentials, try them on SSH / the login page / the database.
Connection
ncftp $ip
ftp $ip
Many FTP servers allow anonymous users: anonymous:anonymous
Nmap script enumeration
nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Vulnerability scanning
nmap --script=ftp-* -p 21 $ip
Brute-force the password for a known username
hydra -l $user -P /usr/share/john/password.lst ftp://$ip:21
hydra -l $user -P /usr/share/wordlists/nmap.lst -f $ip ftp -V
medusa -h $ip -u $user -P passwords.txt -M ftp
Enumeration of users
ftp-user-enum.pl -U users.txt -t $ip
ftp-user-enum.pl -M iu -U users.txt -t $ip
Commands
send # Send a single file.
put # Send one file.
mput # Send multiple files.
mget # Get multiple files.
get # Get a file from the remote computer.
ls # List the current directory.
mget * # Download everything.
binary # Switch to binary transfer mode.
ascii # Switch to ASCII transfer mode.
Configuration Files
ftpusers
ftp.conf
proftpd.conf
Vulnerable versions
ProFTPD-1.3.3c Backdoor
ProFTPD 1.3.5 mod_copy Command Execution
VSFTPD v2.3.4 Backdoor Command Execution
Exploitation
Gather version numbers
Searchsploit
Default Creds
Creds previously gathered
Download the software
Common Credentials
A few common passwords or usernames such as admin, administrator, root, ftpuser, test etc. should be tried if anonymous authentication is disabled on the remote FTP server. This is safer than brute-forcing (far less noise, no lockouts) and it should always be tried when possible.
FTP authentication can also be tested using the auxiliary/scanner/ftp/ftp_login Metasploit module.
msfconsole -q
search scanner ftp_login
use auxiliary/scanner/ftp/ftp_login
show options
exploit
Banner Grabbing
nc -vv <IP> 21 // Banner grabbing via netcat
Once the banner discloses the version running on that FTP server, use searchsploit <FTP name and version> to find manual or automated exploits.
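The banner grab, the version check against the "Vulnerable versions" list above, and the anonymous login / write-permission check, collected into one audit script. This is an added example, not code from the original page; the version patterns are built from the page's own list, the host and port are whatever you pass in, and the probe file name is a made-up marker that is deleted as soon as the upload succeeds.

```python
import io
import re
import socket
from ftplib import FTP, error_perm

# Banner fragments for the releases listed under "Vulnerable versions" above.
KNOWN_VULNERABLE = {
    r"vsFTPd 2\.3\.4\b": "VSFTPD v2.3.4 Backdoor Command Execution",
    r"ProFTPD 1\.3\.3c\b": "ProFTPD-1.3.3c Backdoor",
    r"ProFTPD 1\.3\.5\b": "ProFTPD 1.3.5 mod_copy Command Execution",
}


def classify_banner(banner: str) -> list:
    """Return the page's vulnerability names whose version string appears in a 220 banner."""
    return [name for pat, name in KNOWN_VULNERABLE.items() if re.search(pat, banner)]


def grab_banner(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Read the 220 greeting, the same text `nc -vv <IP> 21` prints."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(1024).decode(errors="replace").strip()


def audit_anonymous(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Check anonymous login and whether anonymous can upload (the `put shell.php` case)."""
    result = {"anonymous_login": False, "anonymous_write": False, "listing": []}
    ftp = FTP(timeout=timeout)
    ftp.connect(host, port)
    try:
        ftp.login("anonymous", "anonymous")
        result["anonymous_login"] = True
        try:
            result["listing"] = ftp.nlst()
        except error_perm:  # some servers answer 550 on an empty directory
            pass
        # Hypothetical probe name; the marker is removed right after the upload succeeds.
        probe = "ftp_audit_probe.txt"
        try:
            ftp.storbinary(f"STOR {probe}", io.BytesIO(b"audit"))
            result["anonymous_write"] = True
            ftp.delete(probe)
        except error_perm:  # 550/553: directory is read-only for anonymous
            pass
    except error_perm:  # 530: anonymous login refused
        pass
    finally:
        ftp.close()  # close() rather than quit(): safe even if the server dropped us
    return result
```

Call `grab_banner(ip)` followed by `classify_banner(banner)` and `audit_anonymous(ip)` against the server under test; `anonymous_write == True` is the finding that turns a listing into an upload path.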