FTP - Port 21

Penetration testing (pentesting) of FTP (File Transfer Protocol) involves assessing and exploiting vulnerabilities within an FTP server to gain unauthorized access or escalate privileges. To effectively pentest FTP services, you'll need to understand FTP operations, common misconfigurations, and weaknesses. Below is a comprehensive guide covering enumeration, exploitation, and various tricks you can use.

Understanding FTP Basics

FTP is a protocol used to transfer files over a network. It operates on two primary ports:

  • Port 21 (Command): Handles the command/control connections.

  • Port 20 (Data): Used for data transfer in Active Mode.

Checklist for FTP Pentesting

  1. Enumerate the FTP service:

  2. Test for common vulnerabilities:

  3. Search for known exploits:

  4. Escalate privileges (see Escalation via FTP Misconfigurations below):

    • Search for sensitive files.

    • Use local exploits.

  5. Post-exploitation:

Common FTP Commands

Command   Description                     Usage
lcd       Change local directory.         lcd /path/to/directory
cd        Change server directory.        cd /path/to/directory
ls        List server directory files.    ls
get       Download file from server.      get filename.txt
mget      Download multiple files.        mget *.txt
put       Upload file to server.          put filename.txt
mput      Upload multiple files.          mput *.txt
bin       Set binary transfer mode.       bin
ascii     Set ASCII transfer mode.        ascii
quit      Exit FTP client.                quit

Download all files from FTP

wget -m ftp://anonymous:anonymous@Victim_IP 
wget -m --no-passive ftp://anonymous:anonymous@Victim_IP

If your user/password has special characters:

wget -r --user="USERNAME" --password="PASSWORD" ftp://Victim_IP/

Enumeration of FTP

Service Discovery

The first step in penetration testing FTP is identifying if the service is running on the target machine. You can use network scanning tools like Nmap to detect FTP services.

nmap -p 21 -sV <target-ip>

  • -p 21 scans port 21, where FTP typically listens.

  • -sV detects the version of the FTP service.

Nmap scripts for FTP enumeration: Nmap ships several NSE scripts for FTP, and the wildcard selects all of them:

nmap --script "ftp*" -p 21 <target-ip>

This command runs all FTP-related scripts against the target.

Anonymous Login

FTP servers often allow anonymous login, which could lead to unauthorized access.

Test for anonymous login:

ftp <target-ip>

Try logging in with the username anonymous and an empty password or any random string. If successful, it means the server allows anonymous access, which can be used to browse, upload, and download files depending on permissions.
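The server-side counterpart of that test, as an added example (not part of this page and not vsftpd's own code): a small audit of vsftpd.conf directives that decides whether anonymous logins, and anonymous writes, are possible. The directive names are real vsftpd options; the upstream defaults and the two sample configurations are stated in the code, and the samples are constructed.

```python
"""Audit a vsftpd configuration for the anonymous-access settings discussed above.

Added example, not part of the original page or the vsftpd project. It reads
vsftpd.conf-style key=value lines and flags anonymous logins that can also
write. Directive names are real vsftpd options; the two sample configs are
constructed for this demonstration.
"""
import re

# Upstream vsftpd defaults (distribution packages often override them).
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
}

DIRECTIVE_RE = re.compile(r"^([A-Za-z_]+)=(.*)$")


def parse_vsftpd_conf(text):
    """Return directive -> value, starting from DEFAULTS; comments are skipped."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def _yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def audit_anonymous(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if _yes(conf, "anonymous_enable"):
        findings.append("anonymous login enabled")
        # vsftpd only honours the anon_* write options when write_enable is YES.
        if _yes(conf, "write_enable") and _yes(conf, "anon_upload_enable"):
            findings.append("anonymous users may upload files")
        if _yes(conf, "write_enable") and _yes(conf, "anon_mkdir_write_enable"):
            findings.append("anonymous users may create directories")
    if not _yes(conf, "chroot_local_user"):
        findings.append("local users are not confined to their home directory")
    return findings


WEAK_CONF = """\
# constructed sample: anonymous users can log in and write
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

HARDENED_CONF = """\
# constructed sample: anonymous access off, local users chrooted
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous(parse_vsftpd_conf(text)))
```

The audit starts from the upstream defaults on purpose: a configuration file that never mentions anonymous_enable still allows anonymous logins on a stock build, which is why an empty file is reported.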

Banner Grabbing

Banner grabbing helps identify the software version running on the server. Once identified, you can look for specific exploits related to that version.

telnet <target-ip> 21

Look for version information in the 220 greeting. If the banner gives nothing away over telnet, Netcat can be used in the same way:

nc -v <target-ip> 21
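What to do with the greeting once you have it, as an added example (not from this page): a parser that turns raw 220 banners into a (software, version) pair for the three server families the page names, plus a lookup against the one version the page calls out. The banners are constructed samples; a real inventory would be fed from a vulnerability database rather than the hard-coded set here.

```python
"""Parse FTP greeting banners into (software, version) pairs.

Added example, not from the original page. The banners below are constructed
samples in the shape that telnet/nc show on connect; the patterns cover the
three server families the page names and fall back to "unknown".
"""
import re

# Each pattern captures the version string; the first match wins.
# Version text is restricted to digits, dots and one optional word so that a
# following "220 ..." continuation line is never swallowed into the version.
BANNER_PATTERNS = [
    ("vsftpd", re.compile(r"vsFTPd\s+([\d.]+)", re.I)),
    ("proftpd", re.compile(r"ProFTPD\s+([\d.]+\w*)", re.I)),
    ("filezilla", re.compile(
        r"FileZilla Server\s+(?:version\s+)?([\d.]+(?:[ \t]+[A-Za-z]+)?)", re.I)),
]


def parse_banner(banner):
    """Return (software, version) from a raw greeting; ('unknown', None) if unrecognised.

    Multi-line greetings use '220-' continuation lines and a final '220 ' line,
    so the whole text is scanned, not just the first line.
    """
    for name, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return name, m.group(1).strip()
    return "unknown", None


# Constructed sample banners, one per server family plus a generic one.
SAMPLE_BANNERS = {
    "vsftpd": "220 (vsFTPd 2.3.4)\r\n",
    "proftpd": "220 ProFTPD 1.3.5 Server (Debian) [::ffff:10.0.0.5]\r\n",
    "filezilla": ("220-FileZilla Server 0.9.60 beta\r\n"
                  "220 Please visit https://filezilla-project.org/\r\n"),
    "generic": "220 FTP server ready.\r\n",
}

# The only version this page itself names as affected; everything else is a
# placeholder for a proper CVE feed.
FLAGGED = {("vsftpd", "2.3.4"): "CVE-2011-2523 (backdoored release)"}


def triage(banner):
    """Return (software, version, note) for one captured greeting."""
    software, version = parse_banner(banner)
    note = FLAGGED.get((software, version), "no flagged version match")
    return software, version, note


if __name__ == "__main__":
    for label, text in SAMPLE_BANNERS.items():
        print(label, "->", triage(text))
```

A generic banner like the last sample is the expected result when an administrator has set a neutral greeting (vsftpd's ftpd_banner directive does this); the parser then reports "unknown" rather than guessing.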

Directory Traversal Vulnerability

FTP misconfigurations may allow you to navigate outside the intended directory. Try moving up directories with cd .. (repeated as needed). If you can reach system files such as /etc/passwd, the server is not confining you to its root, which indicates a directory traversal vulnerability.
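Why some servers let cd .. escape and others do not, as an added example (not from this page or any FTP server's code): the naive string concatenation that lets ".." walk out of the FTP root, next to a resolver that interprets every request inside a virtual root, which is the behaviour a chrooted server gives. Only posixpath is used, so nothing on disk is touched; the root and the requests are constructed sample values.

```python
"""Confine FTP path requests to a configured root directory.

Added example, not from the page or any FTP server's code. It contrasts the
naive concatenation that lets "cd .." walk out of the FTP root with a
resolver that interprets every request inside a virtual root. Only posixpath
is used, so nothing on disk is touched; paths below are constructed samples.
"""
import posixpath


class PathEscape(Exception):
    """Raised when a request would resolve outside the FTP root."""


def naive_resolve(root, requested):
    """Unsafe pattern: trust the client's path and let normpath collapse '..'."""
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def safe_resolve(root, cwd, requested):
    """Map a client path to a host path that is guaranteed to lie under root.

    root:      host directory the user is confined to, e.g. "/srv/ftp"
    cwd:       user's current directory in the virtual tree ("/" at login)
    requested: argument of CWD/RETR/STOR exactly as the client sent it
    """
    # 1. Interpret the request in the virtual tree whose top is "/".
    virtual = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    # 2. posixpath.normpath discards ".." components that would rise above "/",
    #    so "/pub/../../etc/passwd" becomes "/etc/passwd" *inside* the tree.
    normalised = posixpath.normpath(virtual)
    # 3. Only now attach the host root.
    candidate = posixpath.normpath(posixpath.join(root, normalised.lstrip("/")))
    # 4. Independent check so a future change to steps 1-3 cannot silently fail open.
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm.rstrip("/") + "/"):
        raise PathEscape(requested)
    return candidate


# Constructed sample: the same client request through both resolvers.
FTP_ROOT = "/srv/ftp"
TRAVERSAL_REQUEST = "../../etc/passwd"


def demo():
    """Return (host path from the naive resolver, host path from the safe one)."""
    unsafe = naive_resolve(FTP_ROOT, TRAVERSAL_REQUEST)
    safe = safe_resolve(FTP_ROOT, "/pub", TRAVERSAL_REQUEST)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("naive :", unsafe)   # leaves the FTP root
    print("safe  :", safe)     # stays under /srv/ftp
```

The safe resolver never raises for ".." alone, because in a virtual tree ".." at the top simply stays at the top, exactly what the ftp client shows when cd .. at a chrooted root changes nothing. Real servers also have to account for symlinks under the root (os.path.realpath on the host side), which this offline example leaves out.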

Exploitation

Once you’ve gathered information from enumeration, the next step is exploitation. Below are some common FTP vulnerabilities that you can exploit.

Brute Force Attack

If anonymous access is not allowed, you can attempt a brute force attack to guess the FTP credentials. Hydra is a popular tool for this:

hydra -l <username> -P /path/to/password/list.txt ftp://<target-ip>

  • -l specifies the username.

  • -P specifies the wordlist file.

Make sure to limit the number of attempts to avoid detection by the target.

Exploiting Weak Permissions

If the FTP server allows you to upload files and execute them, you can upload malicious scripts or binaries (e.g., PHP, Python) to gain access to the system.

Steps:

  1. Upload a reverse shell to the FTP server.

  2. Set up a listener on your machine to catch the connection.

  3. Execute the shell script from the FTP directory (if allowed).

For example, using Netcat:

nc -lvnp 4444

Upload a reverse shell script to the server and execute it to gain a connection.

Misconfigurations and Default Credentials

Check if the FTP server is using default credentials. Many FTP services come with default usernames and passwords. Refer to lists of default credentials for popular FTP software like ProFTPD, vsftpd, or FileZilla.

Vulnerable Software Versions

Once you have identified the software version of the FTP server, search for known vulnerabilities and exploits. Exploit-DB is a great resource for this. Look for CVEs related to the FTP server software and version.

For example, vsftpd 2.3.4 has a famous backdoor vulnerability (CVE-2011-2523).

Search for available exploits:

searchsploit vsftpd 2.3.4

This will provide potential exploit paths, like uploading a backdoored file or leveraging default credentials.

Privilege Escalation and Post-Exploitation

Once you gain access, the next step is privilege escalation, where you aim to increase your privileges on the system to become an administrator or root.

Escalation via FTP Misconfigurations

If you can access sensitive system files like /etc/passwd through FTP, you may be able to escalate your privileges by modifying files, creating new users, or gathering valuable information like password hashes.

Using Local Exploits

If the FTP service allows file uploads, you can upload local privilege escalation scripts to the server. Look for kernel exploits that match the target system’s version.

Example:

  1. Upload a local exploit to the FTP server.

  2. Use the exploit to elevate privileges once executed.

Capturing Credentials

If the FTP server logs user activity, you might be able to retrieve plaintext credentials from log files. Search for logs related to authentication or session data.

Use grep to search for specific strings in log files:

grep -i "user" /var/log/auth.log

Look for stored passwords or session tokens that can be used for further access.
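What the grep above looks like when turned into a repeatable check, as an added example (not from this page): it serves both the brute-force section, which notes that repeated attempts are what gets a guessing run noticed, and this log-review section. The log lines are constructed in the shape vsftpd writes to its own log (not the xferlog transfer format); the threshold and window are assumptions to tune per site.

```python
"""Detect FTP password guessing in vsftpd-style log lines.

Added example, not from the page. The log lines are constructed in the shape
vsftpd writes to its own log (not the xferlog format); the threshold and
window are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] "
    r"\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client \"(?P<ip>[^\"]+)\""
)


def parse_login_line(line):
    """Return a dict for a login event, or None for lines that are not logins."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
        "ip": m.group("ip"),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: (total_failures, users_tried, success_after_failures)}.

    An IP is reported when `threshold` failures fall inside any `window`;
    the third field flags the case a responder cares about most: guessing
    that ended in a successful login.
    """
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_login_line, lines)):
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if not e["ok"]]
        # Sliding window over the failure timestamps.
        start, peak = 0, 0
        for i, ev in enumerate(fails):
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]["ts"]
            success_after = any(e["ok"] and e["ts"] >= last_fail for e in events)
            alerts[ip] = (len(fails), sorted({e["user"] for e in fails}), success_after)
    return alerts


def anonymous_logins(lines):
    """IPs that logged in as 'anonymous'; worth checking when policy says it is off."""
    return sorted({ev["ip"] for ev in filter(None, map(parse_login_line, lines))
                   if ev["ok"] and ev["user"] == "anonymous"})


# Constructed sample log: one guessing run that ends in a login, one user typo,
# one anonymous session and one unrelated line.
SAMPLE_LOG = [
    'Tue Sep 17 10:15:01 2024 [pid 2101] [ftpuser] FAIL LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:15:02 2024 [pid 2101] [ftpuser] FAIL LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:15:03 2024 [pid 2101] [admin] FAIL LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:15:04 2024 [pid 2101] [admin] FAIL LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:15:05 2024 [pid 2101] [root] FAIL LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:15:06 2024 [pid 2101] [ftpuser] FAIL LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:15:09 2024 [pid 2101] [ftpuser] OK LOGIN: Client "10.0.0.5"',
    'Tue Sep 17 10:20:00 2024 [pid 2133] [alice] FAIL LOGIN: Client "192.168.1.20"',
    'Tue Sep 17 10:20:15 2024 [pid 2133] [alice] OK LOGIN: Client "192.168.1.20"',
    'Tue Sep 17 10:21:00 2024 [pid 2140] [anonymous] OK LOGIN: Client "10.0.0.9"',
    'Tue Sep 17 10:21:30 2024 [pid 2140] [anonymous] OK DOWNLOAD: Client "10.0.0.9"',
]

if __name__ == "__main__":
    for ip, (fails, users, got_in) in find_bruteforce(SAMPLE_LOG).items():
        print(ip, fails, "failures across", users, "then logged in:", got_in)
    print("anonymous sessions from:", anonymous_logins(SAMPLE_LOG))
```

The sliding window is what separates a guessing run from a forgetful user: 192.168.1.20 fails once and then succeeds, which stays below the threshold, while 10.0.0.5 fails six times in six seconds across three usernames and then gets in, the combination worth escalating.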

Bypassing Firewalls and Filters

Some FTP servers are configured with firewalls or filters that prevent direct exploitation. Here are some techniques to bypass them:

Active vs Passive Mode

FTP operates in two modes: Active and Passive. If one mode is blocked by a firewall, you can try switching modes.

  • Active Mode: Client opens a port for the server to connect.

  • Passive Mode: Server opens a port for the client to connect.

Use the passive command in FTP clients if the active mode is blocked.
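What switching modes changes on the wire, as an added example (not from this page): the client-side arithmetic behind PASV and PORT. It parses the server's 227 reply into the address and port the client must connect to, builds the PORT argument a client sends in active mode, and shows the usual safeguard for servers behind NAT that advertise a private address. The replies and addresses are constructed; the (h1,h2,h3,h4,p1,p2) encoding is RFC 959.

```python
"""Model the PORT/PASV negotiation that decides who opens the data connection.

Added example, not from the page. It parses the server's 227 reply for
passive mode and builds the PORT argument the client sends in active mode.
The replies below are constructed; the encoding (h1,h2,h3,h4,p1,p2) is RFC 959.
"""
import ipaddress
import re

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) the client must connect to, or raise ValueError."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(n > 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Active mode: the client tells the server which address/port to call back."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("need an IPv4 address and a valid port")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def data_connection_direction(mode):
    """Who initiates the TCP data connection in each mode (what a firewall sees)."""
    return {"active": "server -> client", "passive": "client -> server"}[mode]


def choose_data_endpoint(pasv_reply, control_host):
    """Address/port the client should actually use for the data connection.

    Servers behind NAT often advertise their private address in the 227 reply.
    Falling back to the control-channel address when the advertised one is
    private is a common client safeguard; it is a heuristic, not a guarantee.
    """
    host, port = parse_pasv_reply(pasv_reply)
    if ipaddress.ip_address(host).is_private and host != control_host:
        return control_host, port
    return host, port


# Constructed sample exchange: control connection to 203.0.113.10, server
# advertising its internal 10.0.0.5 address, port 195*256+82.
CONTROL_HOST = "203.0.113.10"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,82)\r\n"

if __name__ == "__main__":
    print("server said   :", parse_pasv_reply(SAMPLE_PASV_REPLY))
    print("client will use:", choose_data_endpoint(SAMPLE_PASV_REPLY, CONTROL_HOST))
    print("active instead :", build_port_command("192.168.1.10", 5001))
    for mode in ("active", "passive"):
        print(mode, data_connection_direction(mode))
```

The port arithmetic is the same in both directions (p1*256+p2), which is why a firewall that allows only the client-initiated direction works with passive mode and not with active mode.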

Tunneling FTP Traffic

You can tunnel FTP traffic through SSH or use proxy servers to bypass firewalls. This is useful when dealing with secure environments.

Example of tunneling FTP through SSH:

ssh -L 2121:<target-ip>:21 user@<ssh-server-ip>

This command forwards your local port 2121 to the target server's port 21, allowing you to bypass network restrictions.

Tools for FTP Penetration Testing

Here is a list of tools commonly used for FTP pentesting:

  • Nmap: For port scanning and service enumeration.

  • Hydra: For brute force attacks on FTP credentials.

  • Metasploit: Contains modules for FTP exploitation.

  • Netcat: For banner grabbing and reverse shells.

  • Searchsploit: For finding available exploits.

  • Wireshark: For capturing and analyzing FTP traffic.

  • Burp Suite: Can be used to intercept FTP traffic if using proxies.
