FTP
Initial #
# kickoff nmap nse ftp scripts
nmap -p21 --script ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum 10.10.10.130
# or just simply
FTP Commands #
# Make sure you include hidden files and directories
ls -la
Interesting Files and Directories #
# Contains list of disallowed users
/etc/ftpusers
# FTP Root location in Windows
c:\inetpub\ftproot
Username enumeration #
# https://raw.githubusercontent.com/pentestmonkey/ftp-user-enum/master/ftp-user-enum.pl
~/data/tools/ftp-user-enum.pl -U users.txt -t 172.16.177.4
Credentials #
- Try some anonymous logins
# manual authentication
anonymous / anonymous
anonymous /
ftp / ftp
ftpuser / ftpuser
# via nmap
nmap -p21 --script ftp-anon 10.10.51.236
- Try bruteforce
# user and pass list can be extracted from
# /usr/share/legion/wordlists/ftp-betterdefaultpasslist.txt
cat /usr/share/legion/wordlists/ftp-betterdefaultpasslist.txt | cut -d':' -f1 > users.txt
cat /usr/share/legion/wordlists/ftp-betterdefaultpasslist.txt | cut -d':' -f2 > passwords.txt
hydra -V -f -L users.txt -P passwords.txt ftp://10.10.10.46 -u -vV
# try also nmap
nmap -p21 10.10.10.46 --script ftp-brute
Downloading files #
# Make sure turn on binary mode on files such as
# executables
ftp> binary
200 Type set to I.
ftp> mget *
mget chatserver.exe? y
# using wget
wget -m --no-passive ftp://anonymous:anonymous@access.htb
# Recursive - sometimes this hangs, so just retry again
wget -r ftp://user:pass@server.com
wget -r --no-passive ftp://user:pass@server.com/
wget -r ftp://user:pass@server.com/etc
Uploading files #
- When a web server resources are hosted also on FTP, try to upload a reverse shell and access that reverse shell on the website
Finding Exploits #
# via expoitdb
searchsploit vsftpd
Troubleshooting #
- This error appeared in HTB Carrier. Type
passive
to resolve it.
Connected to 10.120.15.10.
220 (vsFTPd 3.0.3)
Name (10.120.15.10:root):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
500 Illegal PORT command.
ftp: bind: Address already in use
ftp>