Pentesting FTP


Introduction

The File Transfer Protocol (FTP) is one of the oldest standard protocols used for file transfer between a client and a server over a computer network. Despite its wide adoption, it is a plain-text protocol, meaning the data sent over it isn't encrypted, making it a common target for attackers. FTP operates on port 21 by default and supports two types of connections: Active and Passive. In this blog, we’ll explore the common security challenges and pentesting techniques related to FTP.

Basic FTP Information

FTP is a plain-text protocol that runs over TCP and terminates each command and reply line with CRLF (0x0d 0x0a). Because nothing on the wire is encrypted, FTP is exposed to eavesdropping and various other attacks. Connections are typically tested by hand with tools like telnet or nc -C.

The control channel typically listens on port 21, and because communication is plain text, credentials and other data can easily be captured if not encrypted. FTP supports both Active and Passive connections:

  • Active FTP: The client initiates a connection to the server's port 21 for control, and the server initiates the data connection back to the client's port.

  • Passive FTP: The client initiates both control and data connections. This is used when the client is behind a firewall that blocks incoming connections.

FTP Connection

Standard FTP connection

  • ftp <IP>
  • username: anonymous (anonymous login)
  • password: anonymous

FTP Banner Grabbing and Enumeration

Command Line Banner Grabbing

Capturing the FTP banner can reveal valuable information about the FTP server version and configuration. Use the following commands to perform banner grabbing:

  • Using Netcat: nc -vn <IP> 21
  • Using OpenSSL: openssl s_client -connect <IP>:21 -starttls ftp

Automated Banner Grabbing with Nmap

Nmap can automate the enumeration of FTP services, checking for anonymous logins and other vulnerabilities.

Terminal
sudo nmap -sV -p21 -sC -A <IP>

Connection debugging

The FTP client commands debug and trace can be used to see how the communication is taking place.

Brute Forcing FTP Credentials

Brute force attacks are common against FTP services that don’t enforce account lockouts. You can use tools like Hydra to attempt multiple username-password combinations.

Terminal
hydra -t 1 -l <username> -P <password_list> -vV <IP> ftp

FTP credentials for brute forcing can be found here.
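On the defending side, a single-threaded guessing run like the one above shows up as a burst of failed logins from one client. The following added example (not part of the original post) flags such bursts with a sliding window; the log lines are constructed in the layout vsftpd writes for login events, which is an assumption, so adapt the pattern to your server, and the function name and thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: '<ctime> [pid N] [user] FAIL|OK LOGIN: Client "ip"'
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"'
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: usernames tried} for every client that reaches
    `threshold` failed logins inside a sliding `window`.
    Lines are expected in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    users = defaultdict(set)      # ip -> usernames seen in failures
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = sorted(users[m["ip"]])
    return flagged

# Constructed log lines (not from a real server): six failures in ten
# seconds from one client, and an ordinary mistyped password from another.
SAMPLE_LOG = [
    f'Tue Mar  5 10:15:{s:02d} 2024 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"'
    for s in range(2, 14, 2)
] + [
    'Tue Mar  5 10:16:00 2024 [pid 4150] [backup] FAIL LOGIN: Client "198.51.100.20"',
    'Tue Mar  5 10:16:20 2024 [pid 4150] [backup] OK LOGIN: Client "198.51.100.20"',
]

if __name__ == "__main__":
    for ip, tried in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, usernames tried: {tried}")
```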

Vulnerability Exploitation

FTP Bounce Attack

An FTP bounce attack occurs when an attacker exploits the PORT command to instruct the server to connect to an arbitrary IP and port. This technique can be used to scan ports on a different server through the FTP server.

Learn more about FTP bounce attack here
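The mitigation on the server side is to refuse any PORT argument that names a host other than the client on the control connection, or a port below 1024. The following is an added example of that check, not code from the original post or from any FTP server; the function names and sample addresses are hypothetical.

```python
import ipaddress
import re

PORT_ARG = re.compile(r"\d{1,3}(?:,\d{1,3}){5}", re.ASCII)

class PortRejected(ValueError):
    """The PORT argument must be refused."""

def parse_port_arg(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of PORT (RFC 959)."""
    arg = arg.strip()
    if not PORT_ARG.fullmatch(arg):
        raise PortRejected("malformed argument")
    nums = [int(field) for field in arg.split(",")]
    if max(nums) > 255:
        raise PortRejected("field outside 0-255")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]

def check_port(arg, control_peer_ip):
    """Accept only a data target that is the control-connection peer."""
    host, port = parse_port_arg(arg)
    if host != ipaddress.IPv4Address(control_peer_ip):
        raise PortRejected(f"{host} is not the control peer")
    if port < 1024:
        raise PortRejected(f"privileged port {port}")
    return host, port

def reply_for(arg, control_peer_ip):
    """Reply line a server applying the check would send."""
    try:
        host, port = check_port(arg, control_peer_ip)
        return f"200 PORT command successful ({host}:{port})"
    except PortRejected as why:
        return f"500 Illegal PORT command ({why})"

if __name__ == "__main__":
    peer = "192.0.2.10"                   # constructed client address
    for arg in ("192,0,2,10,195,80",      # client's own address, port 50000
                "198,51,100,25,0,25",     # third-party host: refused
                "192,0,2,10,0,22",        # privileged port: refused
                "192,0,2,10,1"):          # malformed: refused
        print(f"PORT {arg:<20} -> {reply_for(arg, peer)}")
```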

Exploiting Misconfigured FTP Servers

Misconfigured FTP servers often allow anonymous login or have poorly configured file permissions, allowing attackers to:

  • Upload files to the server (exploiting directories with write permissions).
  • Download sensitive files.
  • Use the FTP server as a stepping stone for further attacks.

Post-Exploitation

Once access is gained to an FTP server, various post-exploitation techniques can be leveraged:

  • Anonymous File Upload: Check for anonymous file upload permissions in vsftpd.conf:
    • anonymous_enable=YES
    • anon_upload_enable=YES
  • Access Config Files: After gaining access, config files like ftpusers or proftpd.conf can provide insights into user access and further weaknesses.
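Administrators can run the same check against their own vsftpd.conf before anyone else does. The following is an added example, not part of the original post: besides the two options listed above it also reads write_enable and anon_mkdir_write_enable, and it assumes the upstream defaults documented in the vsftpd.conf man page; the function names and sample files are hypothetical.

```python
# Upstream defaults for the options examined (assumption: per the vsftpd.conf
# man page; a distribution package may ship a file that overrides them).
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}

def effective_settings(conf_text):
    """Overlay option=value lines on the defaults; '#' lines are comments."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings

def audit(conf_text):
    """Return findings about anonymous access, most basic first."""
    s = effective_settings(conf_text)
    on = lambda key: s[key] == "YES"
    findings = []
    if not on("anonymous_enable"):
        return findings               # anon_* options have no effect
    findings.append("anonymous login allowed")
    # Anonymous writes also need the global write_enable switch.
    if on("write_enable") and on("anon_upload_enable"):
        findings.append("anonymous upload allowed")
    if on("write_enable") and on("anon_mkdir_write_enable"):
        findings.append("anonymous directory creation allowed")
    return findings

# Constructed sample files: the weak setting beside the corrected one.
WEAK = """\
# constructed example
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
"""
HARDENED = """\
anonymous_enable=NO
write_enable=YES
anon_upload_enable=NO
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(f"{name}: {audit(text) or 'no findings'}")
```

An empty file still reports anonymous login because the option defaults to YES upstream, so the hardened file sets anonymous_enable=NO explicitly.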

Common FTP Commands for Pentesters

  • Downloading all files
    • wget -m ftp://anonymous:anonymous@<IP>
  • Recursive file listing
    • LIST -R
  • Uploading files
    • PUT /tmp/file.txt
  • Retrieving files
    • RETR /path/to/file.txt
  • Opening passive connection
    • PASV

Automation of FTP Pentesting

To automate many of the tests mentioned above, you can use the Nmap FTP scripts:

Terminal
nmap --script ftp-* -p 21 <IP>

These scripts can check for anonymous login, FTP bounce vulnerability, and other known issues.

Vulnerability in FileZilla Server

FileZilla often binds an administrative service to port 14147. If this port is exposed, an attacker could connect without a password and create new users for the FTP service.

Terminal
ssh -L 14147:<IP>:14147 user@<IP>

Conclusion

FTP is a widely used protocol, but its inherent lack of security and widespread use make it a popular target for attacks. Understanding its nuances, from basic enumeration to exploiting vulnerabilities like FTP bounce attacks, is crucial for any penetration tester. Always ensure proper security practices, such as using encrypted alternatives like SFTP or FTPS, and disabling anonymous login.

Copyright © 2024 CYUN. All rights reserved.