FTP - Port 21
Become VeryLazyTech member! 🎁
Follow us on:
✖ Twitter @VeryLazyTech.
👾 Github @VeryLazyTech.
📜 Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕
Penetration testing (pentesting) of FTP (File Transfer Protocol) involves assessing and exploiting vulnerabilities within an FTP server to gain unauthorized access or escalate privileges. To effectively pentest FTP services, you'll need to understand FTP operations, common misconfigurations, and weaknesses. Below is a comprehensive guide covering enumeration, exploitation, and various tricks you can use.
Understanding FTP Basics
FTP is a protocol used to transfer files over a network. It operates on two primary ports:
Port 21 (Command): Handles the command/control connections.
Port 20 (Data): Used for data transfer in Active Mode.
Checklist for FTP Pentesting
Enumerate the FTP service:
Use Nmap and banner grabbing. Service Discovery
Check for anonymous login. Anonymous Login
Explore FTP directories.
Test for common vulnerabilities:
Brute force credentials. Brute Force Attack
Upload malicious files. Exploiting Weak Permissions
Look for directory traversal vulnerabilities. Directory Traversal Vulnerability
Search for known exploits:
Identify software version. Vulnerable Software Versions
Use exploit-db or Metasploit. Vulnerable Software Versions
Escalate privileges: Escalation via FTP Misconfigurations
Search for sensitive files.
Use local exploits.
Post-exploitation:
Capture credentials.
Look for pivoting opportunities. Tunneling FTP Traffic
Common FTP Commands
lcd
Change local directory.
lcd /path/to/directory
cd
Change server directory.
cd /path/to/directory
ls
List server directory files.
ls
get
Download file from server.
get filename.txt
mget
Download multiple files.
mget *.txt
put
Upload file to server.
put filename.txt
mput
Upload multiple files.
mput *.txt
bin
Set binary transfer mode.
bin
ascii
Set ASCII transfer mode.
ascii
quit
Exit FTP client.
quit
Download all files from FTP
wget -m ftp://anonymous:anonymous@Victim_IP
wget -m --no-passive ftp://anonymous:anonymous@Victim_IPIf your user/password has special characters:
wget -r --user="USERNAME" --password="PASSWORD" ftp://Victim_IP/Enumeration of FTP
Service Discovery
The first step in penetration testing FTP is identifying if the service is running on the target machine. You can use network scanning tools like Nmap to detect FTP services.
nmap -p 21 -sV <target-ip>-p 21scans port 21 where FTP is typically running.-sVdetects the version of the FTP service.
Nmap Script for FTP Enumeration: Nmap has several useful scripts for FTP enumeration:
nmap --script "ftp*" -p 21 <target-ip>This command runs all FTP-related scripts against the target.
Anonymous Login
FTP servers often allow anonymous login, which could lead to unauthorized access.
Test for anonymous login:
ftp <target-ip>Try logging in with the username anonymous and an empty password or any random string. If successful, it means the server allows anonymous access, which can be used to browse, upload, and download files depending on permissions.
Banner Grabbing
Banner grabbing helps identify the software version running on the server. Once identified, you can look for specific exploits related to that version.
telnet <target-ip> 21Look for version information in the banner. If the banner is hidden, tools like Netcat can also be used:
nc -v <target-ip> 21Directory Traversal Vulnerability
FTP misconfigurations may allow you to navigate outside the intended directory. Try moving up directories using cd ... If you can navigate to system files like /etc/passwd, it indicates a directory traversal vulnerability.
Exploitation
Once you’ve gathered information from enumeration, the next step is exploitation. Below are some common FTP vulnerabilities that you can exploit.
Brute Force Attack
If anonymous access is not allowed, you can attempt a brute force attack to guess the FTP credentials. Hydra is a popular tool for this:
hydra -l <username> -P /path/to/password/list.txt ftp://<target-ip>-lspecifies the username.-Pspecifies the wordlist file.
Make sure to limit the number of attempts to avoid detection by the target.
Exploiting Weak Permissions
If the FTP server allows you to upload files and execute them, you can upload malicious scripts or binaries (e.g., PHP, Python) to gain access to the system.
Steps:
Upload a reverse shell to the FTP server.
Set up a listener on your machine to catch the connection.
Execute the shell script from the FTP directory (if allowed).
For example, using Netcat:
nc -lvnp 4444Upload a reverse shell script to the server and execute it to gain a connection.
Misconfigurations and Default Credentials
Check if the FTP server is using default credentials. Many FTP services come with default usernames and passwords. Refer to lists of default credentials for popular FTP software like ProFTPD, vsftpd, or FileZilla.
Vulnerable Software Versions
Once you have identified the software version of the FTP server, search for known vulnerabilities and exploits. Exploit-DB is a great resource for this. Look for CVEs related to the FTP server software and version.
For example, vsftpd 2.3.4 has a famous backdoor vulnerability (CVE-2011-2523).
Search for available exploits:
searchsploit vsftpd 2.3.4This will provide potential exploit paths, like uploading a backdoored file or leveraging default credentials.
Privilege Escalation and Post-Exploitation
Once you gain access, the next step is privilege escalation, where you aim to increase your privileges on the system to become an administrator or root.
Escalation via FTP Misconfigurations
If you can access sensitive system files like /etc/passwd through FTP, you may be able to escalate your privileges by modifying files, creating new users, or gathering valuable information like password hashes.
Using Local Exploits
If the FTP service allows file uploads, you can upload local privilege escalation scripts to the server. Look for kernel exploits that match the target system’s version.
Example:
Upload a local exploit to the FTP server.
Use the exploit to elevate privileges once executed.
Capturing Credentials
If the FTP server logs user activity, you might be able to retrieve plaintext credentials from log files. Search for logs related to authentication or session data.
Use grep to search for specific strings in log files:
grep -i "user" /var/log/auth.logLook for stored passwords or session tokens that can be used for further access.
Bypassing Firewalls and Filters
Some FTP servers are configured with firewalls or filters that prevent direct exploitation. Here are some techniques to bypass them:
Active vs Passive Mode
FTP operates in two modes: Active and Passive. If one mode is blocked by a firewall, you can try switching modes.
Active Mode: Client opens a port for the server to connect.
Passive Mode: Server opens a port for the client to connect.
Use the passive command in FTP clients if the active mode is blocked.
Tunneling FTP Traffic
You can tunnel FTP traffic through SSH or use proxy servers to bypass firewalls. This is useful when dealing with secure environments.
Example of tunneling FTP through SSH:
ssh -L 2121:<target-ip>:21 user@<ssh-server-ip>This command forwards your local port 2121 to the target server's port 21, allowing you to bypass network restrictions.
Tools for FTP Penetration Testing
Here is a list of tools commonly used for FTP pentesting:
Nmap: For port scanning and service enumeration.
Hydra: For brute force attacks on FTP credentials.
Metasploit: Contains modules for FTP exploitation.
Netcat: For banner grabbing and reverse shells.
Searchsploit: For finding available exploits.
Wireshark: For capturing and analyzing FTP traffic.
Burp Suite: Can be used to intercept FTP traffic if using proxies.
Last updated
Was this helpful?