FTP

ftp, enum

Initial #

# kickoff nmap nse ftp scripts
nmap -p21 --script ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum 10.10.10.130

# or just simply
	

FTP Commands #

# Make sure you include hidden files and directories
ls -la

Interesting Files and Directories #

# Contains list of disallowed users
/etc/ftpusers

# FTP Root location in Windows
c:\inetpub\ftproot

Username enumeration #

# https://raw.githubusercontent.com/pentestmonkey/ftp-user-enum/master/ftp-user-enum.pl
~/data/tools/ftp-user-enum.pl -U users.txt -t 172.16.177.4

Credentials #

# manual authentication
anonymous / anonymous
anonymous /
ftp / ftp
ftpuser / ftpuser

# via nmap
nmap -p21 --script ftp-anon 10.10.51.236
# user and pass list can be extracted from
# /usr/share/legion/wordlists/ftp-betterdefaultpasslist.txt
cat /usr/share/legion/wordlists/ftp-betterdefaultpasslist.txt | cut -d':' -f1 > users.txt
cat /usr/share/legion/wordlists/ftp-betterdefaultpasslist.txt | cut -d':' -f2 > passwords.txt
hydra -V -f -L users.txt -P passwords.txt ftp://10.10.10.46 -u -vV

# try also nmap
nmap -p21 10.10.10.46 --script ftp-brute

Downloading files #

# Make sure turn on binary mode on files such as
# executables
ftp> binary
200 Type set to I.
ftp> mget *
mget chatserver.exe? y

# using wget
wget -m --no-passive ftp://anonymous:anonymous@access.htb

# Recursive - sometimes this hangs, so just retry again
wget -r ftp://user:pass@server.com
wget -r --no-passive ftp://user:pass@server.com/
wget -r ftp://user:pass@server.com/etc

Uploading files #

Finding Exploits #

# via expoitdb
searchsploit vsftpd

Troubleshooting #

Connected to 10.120.15.10.
220 (vsFTPd 3.0.3)
Name (10.120.15.10:root): 
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
500 Illegal PORT command.
ftp: bind: Address already in use
ftp>

Other resources #