FTP Enumeration

I LOVE DOING THIS :)

While pentesting a box or an application, we get to see port 21 is open. The first thing that should strike us is :

anonymous login checks
ftp <IP>
username : anonymous
password : blank / anonymous
file upload => put shell.php     // Uploads a malacious file with a .php extension.

And if nothing works !
# searchsploit <the ftp version>     // via commandline (kali or parrot)
# <ftp version name> insite: exploitdb.com,rapid7     // Google Dorking

Check for the read-write permissions for the directories to edit a file or put a file !
Sometimes clues are put here.
Old version of ftp might be vulnerable
Look at the version
Search the exploit using Google / Searchsploit / Rapid7
If you find some credential, try it on SSH / Login page / database

Connection

ncftp $ip
ftp $ip

Many ftp-servers allow anonymous users. anonymous:anonymous

Nmap script enumeration

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Vulnerability scanning

nmap --script=ftp-* -p 21 $ip

Bruteforce password known username

hydra -l $user -P /usr/share/john/password.lst ftp://$ip:21

hydra -l $user -P /usr/share/wordlistsnmap.lst -f $ip ftp -V

medusa -h $ip -u $user -P passwords.txt -M ftp

Enumeration of users

ftp-user-enum.pl -U users.txt -t $ip

ftp-user-enum.pl -M iu -U users.txt -t $ip

Command

send # Send single file
put # Send one file.
mput # Send multiple files.
mget # Get multiple files.
get # Get file from the remote computer.
ls # list 
mget * # Download everything

binary = Switches to binary transfer mode.
ascii = Switch to ASCII transfer mode

Configuration Files

ftpusers
ftp.conf
proftpd.conf

Vulnerable versions

ProFTPD-1.3.3c Backdoor
ProFTPD 1.3.5 Mod_Copy Command Execution
VSFTPD v2.3.4 Backdoor Command Execution

Exploitation

Gather version numbers
Searchsploit
Default Creds
Creds previously gathered
Download the software

Common Credentials

A few common passwords or usernames such as admin, administrator, root, ftpuser, test etc. should be tried if anonymous authentication is disabled on the remote FTP server. This is safer than brute-forcing and it should always be tried when possible.

An FTP authentication can also be performed using the auxiliary/scanner/ftp/ftp_login Metasploit module.

msfconsole -q
search scanner ftp_login
use auxiliary/scanner/ftp/ftp_login
show options
exploit

Banner Grabbing ?

nc -vv <IP> 21     // Banner Grabbing via netcat

Once the Banner discloses the the version running on that FTP server, now lets use the searchsploit <FTP name and version>, to get some manual or automated exploits

PreviousDNS Enumeration NextSSH Enumeration

Last updated 2 years ago

anonymous login checks ftp <IP> username : anonymous password : blank / anonymous file upload => put shell.php // Uploads a malacious file with a .php extension. And if nothing works ! # searchsploit <the ftp version> // via commandline (kali or parrot) # <ftp version name> insite: exploitdb.com,rapid7 // Google Dorking

Command

send # Send single file
put # Send one file.
mput # Send multiple files.
mget # Get multiple files.
get # Get file from the remote computer.
ls # list 
mget * # Download everything

binary = Switches to binary transfer mode.
ascii = Switch to ASCII transfer mode

Configuration Files

ftpusers
ftp.conf
proftpd.conf

Vulnerable versions

ProFTPD-1.3.3c Backdoor

ProFTPD 1.3.5 Mod_Copy Command Execution

VSFTPD v2.3.4 Backdoor Command Execution

Exploitation

Gather version numbers

Searchsploit

Default Creds

Creds previously gathered

Download the software

Common Credentials

An FTP authentication can also be performed using the auxiliary/scanner/ftp/ftp_login Metasploit module.

msfconsole -q
search scanner ftp_login
use auxiliary/scanner/ftp/ftp_login
show options
exploit

Banner Grabbing ?

nc -vv <IP> 21     // Banner Grabbing via netcat

Once the Banner discloses the the version running on that FTP server, now lets use the searchsploit <FTP name and version>, to get some manual or automated exploits