21 ) FTP
Penetration Testing on FTP
01. Common Enumeration
## ------------------| Nmap scans
find / -type f -name 'ftp*' 2>/dev/null | grep scripts
nmap --script ftp-brute -p 21 $IP
nmap --script ftp-vsftpd-backdoor -p 21 $IP
nmap --script ftp-vuln-cve2010-4221 -p 21 $IP
nmap --script ftp-anon.nse -p 21 $IP
nmap --script ftp-bounce.nse -p 21 $IP
nmap --script ftp-brute.nse -p 21 $IP
nmap --script ftp-libopie -p 21 $IP
## ------------------| Anonymous Login
anonymous
## ------------------| Login
ftp://<username>:'<password>'@ip
Vulnerable versions
ProFTPD-1.3.3c Backdoor
ProFTPD 1.3.5 Mod_Copy Command Execution
VSFTPD v2.3.4 Backdoor Command Execution
Enumerate users.
# Create a PHP script (change the IP address; the file name should be index.php)
nano index.php
<?php
// Quote the request value so it reaches echo as one literal argument
system("echo " . escapeshellarg($_REQUEST['username']) . " | timeout 2 ftp 10.10.10.197");
?>
# Then host it (but it is too slow)
sudo php -S 127.0.0.1:80
# Or you can host it on apache2 (much faster than above one)
cp index.php /var/www/html/index.php
service apache2 start
# Then run wfuzz tool
wfuzz -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -u http://127.0.0.1/index.php?username=FUZZ
Download all files at once
wget -m --user=username --password=password ftp://<hostIP>
wget -m --no-passive ftp://anonymous:anonymous@<hostIP>
Service Interaction
## ------------------| NetCat
nc -nv <hostIP> 21
## ------------------| Telnet
telnet <hostIP> 21
## ------------------| OpenSSL
openssl s_client -connect <hostIP>:21 -starttls ftp
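An added example (not from the original page): a Python check for an asset inventory that parses a greeting captured with the Service Interaction commands above, including RFC 959 multi-line replies, and flags the three releases listed under Vulnerable versions. The function names and the sample banners used to exercise it are constructed for illustration.

```python
import re

# Releases the page lists under "Vulnerable versions", keyed by (product, version).
FLAGGED = {
    ("proftpd", "1.3.3c"): "ProFTPD-1.3.3c Backdoor",
    ("proftpd", "1.3.5"): "ProFTPD 1.3.5 Mod_Copy Command Execution",
    ("vsftpd", "2.3.4"): "VSFTPD v2.3.4 Backdoor Command Execution",
}
# Product name followed by a dotted version, e.g. "vsFTPd 2.3.4" or "ProFTPD 1.3.3c".
PRODUCT_RE = re.compile(r"\b(proftpd|vsftpd)[\s\-/v]*(\d+(?:\.\d+)+[a-z]?\d*)", re.I)


def parse_greeting(raw: bytes) -> tuple:
    """Return (code, text) of the first FTP reply in raw.

    RFC 959: a multi-line reply opens with "NNN-" and ends at the first
    line that starts with the same code followed by a space.
    """
    lines = raw.decode("latin-1").replace("\r\n", "\n").split("\n")
    m = re.match(r"(\d{3})([ -])(.*)", lines[0])
    if not m:
        raise ValueError("not an FTP reply")
    code, sep, text = m.group(1), m.group(2), [m.group(3)]
    if sep == "-":
        for line in lines[1:]:
            if line.startswith(code + " "):
                text.append(line[4:])
                break
            # Continuation lines may or may not repeat the "NNN-" prefix.
            text.append(line[4:] if line.startswith(code + "-") else line.strip())
        else:
            raise ValueError("unterminated multi-line reply")
    return int(code), " ".join(t for t in text if t)


def audit_banner(raw: bytes) -> dict:
    """Classify a captured greeting against the page's version list."""
    code, text = parse_greeting(raw)
    m = PRODUCT_RE.search(text)
    if code != 220 or not m:
        return {"code": code, "product": None, "version": None, "finding": None}
    product, version = m.group(1).lower(), m.group(2).lower()
    return {"code": code, "product": product, "version": version,
            "finding": FLAGGED.get((product, version))}
```

A match only means the banner advertises a listed release; banners can be edited or hidden, so confirm against the installed package before acting on the result.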