DiscordHackTheBoxTryHackMeGitHub

FTP

About

File Transfer Protocol is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model, and by default is using port 21

Usage

Connect

ftp 13.13.13.13

Commands

get or mput - download a file or files
put or mput - upload a file or files
status - more info about server
ls cd - moving in directories

TFTP

vsFTPd is one of the most used FTP servers on Linux-based distributions. The default configuration of vsFTPd can be found in /etc/vsftpd.conf. Users, for which access to FTP server is forbidden could be found at /etc/ftpusers file

Dangerous Config Settings

  • anonymous_enable=YES - Allowing anonymous login?

  • anon_upload_enable=YES - Allowing anonymous to upload files?

  • anon_mkdir_write_enable=YES - Allowing anonymous to create new directories?

  • no_anon_password=YES - Do not ask anonymous for password?

  • anon_root=/home/username/ftp - Directory for anonymous.

  • write_enable=YES - Allow the usage of FTP commands

Bruteforcing

We could do a FTP server bruteforcing or password spraying with Medusa

medusa -u carni17 -P /usr/share/wordlists/rockyou.txt -h 13.13.13.13 -M ftp

Options:

  • -u for username and -U for list

  • -p for password and -P for list

  • -h for host

  • -M for protocol

FTP Bounce Attack

We are using a ftp PORT command to trick ftp server into running command and getting information from device other than ftp server. As example we could use this to scan the network through ftp. You could look here for more explanation [LINK]. For making ftp bounce attack nmap scan we could use -b option:

nmap -Pn -v -n -p80 -b carni17:amogus@13.13.13.13 69.69.69.69
Where 13.13.13.13 is ftp server

Tips2Hack

  1. Try to use anonymous login, config allows that, you could lurk for some juicy info. For this just use anonymous as login name, and left password empty.

  2. If config allows, you could lurk even faster through directories with recursive listing ls -R

  3. To download a file you need to use get command and to upload you need put and also you could use status to get more info about server and FTP state

  4. To download all files you need to use

wget -m --no-passive ftp://anonymous:anonymous@13.13.13.13

  1. Check all available nmap ftp scripts:

find / -type f -name ftp* 2>/dev/null | grep scripts
PreviousProtocolsNextSMB

Last updated