FTP - Port 21
Last updated
Was this helpful?
Last updated
Was this helpful?
Become VeryLazyTech ! 🎁
Follow us on:
✖ Twitter .
👾 Github .
📜 Medium .
Visit our for e-books and courses. 📚
Support us and . ☕
Penetration testing (pentesting) of FTP (File Transfer Protocol) involves assessing and exploiting vulnerabilities within an FTP server to gain unauthorized access or escalate privileges. To effectively pentest FTP services, you'll need to understand FTP operations, common misconfigurations, and weaknesses. Below is a comprehensive guide covering enumeration, exploitation, and various tricks you can use.
FTP is a protocol used to transfer files over a network. It operates on two primary ports:
Port 21 (Command): Handles the command/control connections.
Port 20 (Data): Used for data transfer in Active Mode.
Enumerate the FTP service:
Use Nmap and banner grabbing. Service Discovery
Check for anonymous login. Anonymous Login
Explore FTP directories.
Test for common vulnerabilities:
Brute force credentials. Brute Force Attack
Upload malicious files. Exploiting Weak Permissions
Look for directory traversal vulnerabilities. Directory Traversal Vulnerability
Search for known exploits:
Identify software version. Vulnerable Software Versions
Use exploit-db or Metasploit. Vulnerable Software Versions
Escalate privileges: Escalation via FTP Misconfigurations
Search for sensitive files.
Use local exploits.
Post-exploitation:
Capture credentials.
Look for pivoting opportunities. Tunneling FTP Traffic
lcd
Change local directory.
lcd /path/to/directory
cd
Change server directory.
cd /path/to/directory
ls
List server directory files.
ls
get
Download file from server.
get filename.txt
mget
Download multiple files.
mget *.txt
put
Upload file to server.
put filename.txt
mput
Upload multiple files.
mput *.txt
bin
Set binary transfer mode.
bin
ascii
Set ASCII transfer mode.
ascii
quit
Exit FTP client.
quit
If your user/password has special characters:
The first step in penetration testing FTP is identifying if the service is running on the target machine. You can use network scanning tools like Nmap to detect FTP services.
-p 21 scans port 21 where FTP is typically running.
-sV detects the version of the FTP service.
Nmap Script for FTP Enumeration: Nmap has several useful scripts for FTP enumeration:
This command runs all FTP-related scripts against the target.
FTP servers often allow anonymous login, which could lead to unauthorized access.
Test for anonymous login:
Try logging in with the username anonymous and an empty password or any random string. If successful, it means the server allows anonymous access, which can be used to browse, upload, and download files depending on permissions.
Banner grabbing helps identify the software version running on the server. Once identified, you can look for specific exploits related to that version.
Look for version information in the banner. If the banner is hidden, tools like Netcat can also be used:
FTP misconfigurations may allow you to navigate outside the intended directory. Try moving up directories using cd ... If you can navigate to system files like /etc/passwd, it indicates a directory traversal vulnerability.
Once you’ve gathered information from enumeration, the next step is exploitation. Below are some common FTP vulnerabilities that you can exploit.
If anonymous access is not allowed, you can attempt a brute force attack to guess the FTP credentials. Hydra is a popular tool for this:
-l specifies the username.
-P specifies the wordlist file.
Make sure to limit the number of attempts to avoid detection by the target.
If the FTP server allows you to upload files and execute them, you can upload malicious scripts or binaries (e.g., PHP, Python) to gain access to the system.
Steps:
Upload a reverse shell to the FTP server.
Set up a listener on your machine to catch the connection.
Execute the shell script from the FTP directory (if allowed).
For example, using Netcat:
Upload a reverse shell script to the server and execute it to gain a connection.
Check if the FTP server is using default credentials. Many FTP services come with default usernames and passwords. Refer to lists of default credentials for popular FTP software like ProFTPD, vsftpd, or FileZilla.
Once you have identified the software version of the FTP server, search for known vulnerabilities and exploits. Exploit-DB is a great resource for this. Look for CVEs related to the FTP server software and version.
For example, vsftpd 2.3.4 has a famous backdoor vulnerability (CVE-2011-2523).
Search for available exploits:
This will provide potential exploit paths, like uploading a backdoored file or leveraging default credentials.
Once you gain access, the next step is privilege escalation, where you aim to increase your privileges on the system to become an administrator or root.
If you can access sensitive system files like /etc/passwd through FTP, you may be able to escalate your privileges by modifying files, creating new users, or gathering valuable information like password hashes.
If the FTP service allows file uploads, you can upload local privilege escalation scripts to the server. Look for kernel exploits that match the target system’s version.
Example:
Upload a local exploit to the FTP server.
Use the exploit to elevate privileges once executed.
If the FTP server logs user activity, you might be able to retrieve plaintext credentials from log files. Search for logs related to authentication or session data.
Use grep to search for specific strings in log files:
Look for stored passwords or session tokens that can be used for further access.
Some FTP servers are configured with firewalls or filters that prevent direct exploitation. Here are some techniques to bypass them:
FTP operates in two modes: Active and Passive. If one mode is blocked by a firewall, you can try switching modes.
Active Mode: Client opens a port for the server to connect.
Passive Mode: Server opens a port for the client to connect.
Use the passive command in FTP clients if the active mode is blocked.
You can tunnel FTP traffic through SSH or use proxy servers to bypass firewalls. This is useful when dealing with secure environments.
Example of tunneling FTP through SSH:
This command forwards your local port 2121 to the target server's port 21, allowing you to bypass network restrictions.
Here is a list of tools commonly used for FTP pentesting:
Nmap: For port scanning and service enumeration.
Hydra: For brute force attacks on FTP credentials.
Metasploit: Contains modules for FTP exploitation.
Netcat: For banner grabbing and reverse shells.
Searchsploit: For finding available exploits.
Wireshark: For capturing and analyzing FTP traffic.
Burp Suite: Can be used to intercept FTP traffic if using proxies.