FTP Enumeration

I LOVE DOING THIS :)

  • While pentesting a box or an application, we see that port 21 is open. The first things that should come to mind are:

anonymous login checks
ftp <IP>
username : anonymous
password : blank / anonymous
file upload => put shell.php     // Uploads a malicious file with a .php extension.

And if nothing works:
# searchsploit <the ftp version>     // via command line (kali or parrot)
# <ftp version name> site:exploit-db.com     // Google Dorking; also check rapid7
  • Check the read/write permissions on the directories to see whether you can edit or upload a file.

  • Sometimes clues are put here.

  • Old FTP server versions might be vulnerable.

  • Look at the version

  • Search the exploit using Google / Searchsploit / Rapid7

  • If you find credentials, try them on SSH, login pages and databases.

Connection

ncftp $ip
ftp $ip

Many FTP servers allow anonymous logins: anonymous:anonymous

Nmap script enumeration

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Vulnerability scanning

nmap --script=ftp-* -p 21 $ip

Bruteforce password known username

hydra -l $user -P /usr/share/john/password.lst ftp://$ip:21
hydra -l $user -P /usr/share/wordlists/nmap.lst -f $ip ftp -V
medusa -h $ip -u $user -P passwords.txt -M ftp

Enumeration of users

ftp-user-enum.pl -U users.txt -t $ip
ftp-user-enum.pl -M iu -U users.txt -t $ip

Command

send # Send single file
put # Send one file.
mput # Send multiple files.
mget # Get multiple files.
get # Get file from the remote computer.
ls # List directory contents.
mget * # Download everything

binary = Switch to binary transfer mode.
ascii = Switch to ASCII transfer mode.

Configuration Files

ftpusers
ftp.conf
proftpd.conf

Vulnerable versions

  • ProFTPD-1.3.3c Backdoor

  • ProFTPD 1.3.5 Mod_Copy Command Execution

  • VSFTPD v2.3.4 Backdoor Command Execution

Exploitation

  • Gather version numbers

  • Searchsploit

  • Default Creds

  • Creds previously gathered

  • Download the software

Common Credentials

A few common usernames and passwords such as admin, administrator, root, ftpuser, test, etc. should be tried if anonymous authentication is disabled on the remote FTP server. This is safer than brute-forcing and should always be tried when possible.

FTP authentication can also be performed using the auxiliary/scanner/ftp/ftp_login Metasploit module.

msfconsole -q
search scanner ftp_login
use auxiliary/scanner/ftp/ftp_login
show options
exploit

nc -vv <IP> 21     // Banner grabbing via netcat

Once the banner discloses the version running on that FTP server, use searchsploit <FTP name and version> to find manual or automated exploits.
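The banner-grab and anonymous-login checks above, written out as the raw FTP control-channel exchange so you can see which reply codes decide the outcome (220 greeting, 331 password prompt, 230 logged in, 530 refused). This is an added example, not code from the original page; the server transcripts are constructed, and audit_ftp is a hypothetical wrapper that runs the same check over a real socket.

```python
import io, re, socket
PRODUCT_RE = re.compile(
    r"(vsFTPd|ProFTPD|Pure-FTPd|FileZilla Server|Microsoft FTP Service)"
    r"\s*v?(\d+(?:\.\d+)*[a-z]?)?", re.I)

def read_reply(rfile):
    """Read one reply; 'xyz-' on the first line starts a multi-line reply ended by 'xyz '."""
    line = rfile.readline().decode("latin-1", "replace").rstrip("\r\n")
    code = line[:3]
    if not code.isdigit():
        return 0, line                      # connection closed or non-FTP data
    if line[3:4] == "-":
        while True:
            nxt = rfile.readline().decode("latin-1", "replace").rstrip("\r\n")
            line += "\n" + nxt
            if not nxt or nxt.startswith(code + " "):
                break
    return int(code), line

def parse_banner(banner):
    """Pull product and version out of the 220 greeting, if the server leaks them."""
    m = PRODUCT_RE.search(banner)
    return (m.group(1), m.group(2)) if m else (None, None)

def anon_check(rfile, wfile):
    """Drive the control channel: greeting, USER/PASS anonymous, QUIT."""
    _, banner = read_reply(rfile)
    product, version = parse_banner(banner)
    wfile.write(b"USER anonymous\r\n")
    code, _ = read_reply(rfile)
    if code == 331:                         # server wants a password
        wfile.write(b"PASS anonymous\r\n")
        code, _ = read_reply(rfile)
    wfile.write(b"QUIT\r\n")
    return {"product": product, "version": version, "anonymous": code == 230}

def audit_ftp(host, port=21, timeout=5.0):
    """Same check over a real socket (hypothetical helper; not exercised by the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as r, s.makefile("wb", buffering=0) as w:
            return anon_check(r, w)

# Constructed server transcripts (not captured from any real host) so the check runs offline.
ALLOWS_ANON = (b"220 (vsFTPd 2.3.4)\r\n331 Please specify the password.\r\n"
               b"230 Login successful.\r\n221 Goodbye.\r\n")
DENIES_ANON = (b"220-Welcome\r\n220 ProFTPD 1.3.5 Server ready.\r\n"
               b"331 Password required for anonymous\r\n530 Login incorrect.\r\n221 Goodbye.\r\n")
def demo(transcript):
    return anon_check(io.BytesIO(transcript), io.BytesIO())
```

Running demo(ALLOWS_ANON) reports product, version and anonymous=True; the multi-line greeting in DENIES_ANON is handled by read_reply, and the product/version pair is what you feed to searchsploit.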
