pirate.moo's gitbook

FTP


Last updated 1 year ago

File Transfer Protocol (FTP): runs at the application layer of the TCP/IP stack, like HTTP and POP.

  • Uses two channels: the client first opens a control connection to the server on TCP port 21

    • The client sends commands over the control channel; the server answers with three-digit status codes

    • A separate data channel is opened for each transfer; in active mode the server opens it from its own port 20

Data channel: used exclusively for transmitting file contents and directory listings

  • If the data connection is broken, the transfer can be resumed once it is re-established

Active mode: the client opens the control connection and tells the server (PORT command) which client-side port the server should connect back to for data

  • If the client sits behind a firewall, that inbound data connection from the server is blocked and the transfer fails

Passive mode: the client sends PASV and the server announces a port it is listening on; the client then opens the data channel to that port

  • Since the client initiates both connections, a client-side firewall doesn't block it

  • Commands and status codes: the full list is defined in RFC 959

  • Clear-text protocol: credentials and data are sent unencrypted; anonymous logins (user "anonymous", any password) may be enabled
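The active/passive distinction above comes down to two control-channel messages: the client's PORT command and the server's 227 reply to PASV. The following Python helpers are an added example (my own code, not from the original page or from any FTP client) that parse a raw FTP reply, including the multi-line form STAT/SYST return, decode the host/port tuple from a 227 reply, and build the PORT command a client would send in active mode. The replies in the constants are constructed samples, not captured from a real host.

```python
import ipaddress
import re

# Constructed control-channel replies (sample input, not captured from a real host)
SAMPLE_BANNER = "220 (vsFTPd 3.0.3)\r\n"
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,10,10,1,195,80)"
SAMPLE_STAT_REPLY = (
    "211-FTP server status:\r\n"
    "     Connected to 10.10.14.5\r\n"
    "     Logged in as ftp\r\n"
    "     TYPE: ASCII\r\n"
    "211 End of status\r\n"
)

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_reply(raw: str) -> tuple[int, list[str]]:
    """Split one FTP reply into (code, text lines).

    Single-line replies look like '220 text'. Multi-line replies (RFC 959 section 4.2)
    start with 'xyz-' and end with a line starting 'xyz ' carrying the same code;
    that terminator is how a client knows STAT/SYST output has finished.
    """
    lines = raw.split("\r\n")
    first = lines[0]
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in (" ", "-"):
        raise ValueError(f"malformed reply: {first!r}")
    code = int(first[:3])
    if first[3] == " ":
        return code, [first[4:].strip()]
    body = [first[4:].strip()]
    terminator = f"{code} "
    for line in lines[1:]:
        if line.startswith(terminator):
            body.append(line[4:].strip())
            return code, body
        body.append(line.strip())
    raise ValueError("multi-line reply without terminating line")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Passive mode: the server announces the endpoint the client must connect to.

    The 227 reply carries (h1,h2,h3,h4,p1,p2); the data port is p1*256 + p2.
    """
    code, text = parse_reply(reply)
    if code != 227:
        raise ValueError(f"expected 227, got {code}")
    m = _PASV_RE.search(text[0])
    if m is None:
        raise ValueError(f"no host/port tuple in PASV reply: {text[0]!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    host = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")  # rejects octets > 255
    if p1 > 255 or p2 > 255:
        raise ValueError(f"invalid port bytes in PASV reply: {p1},{p2}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply announced port 0")
    return str(host), port


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client tells the server which client-side port to connect back to.

    This inbound connection is the one a client-side firewall blocks, which is why
    passive mode is what usually works from behind NAT or a firewall.
    """
    host = ipaddress.IPv4Address(client_ip)
    if not 1 <= client_port <= 65535:
        raise ValueError(f"invalid port: {client_port}")
    octets = str(host).replace(".", ",")
    return f"PORT {octets},{client_port // 256},{client_port % 256}"


if __name__ == "__main__":
    print(parse_reply(SAMPLE_BANNER))
    print(parse_pasv(SAMPLE_PASV_REPLY))        # ('10.10.10.1', 50000)
    print(build_port_command("10.10.14.5", 50000))
    print(parse_reply(SAMPLE_STAT_REPLY))
```

When you read raw output from `nc` or `--script-trace`, the same rules apply: a reply whose fourth character is `-` continues until a line with the same code followed by a space, and the port in a 227 reply is the last two numbers combined as high and low bytes.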

Trivial FTP (TFTP): a simpler protocol that performs file transfers between client and server processes

  • Provides no user authentication

  • FTP uses TCP (port 21)

  • TFTP uses UDP (port 69)

connect # set the remote host and port for file transfers
get # transfer a file or set of files from remote to local
put # transfer a file or set of files from local to remote
status # show current status (ascii or binary mode, timeout value, etc.)
verbose # display additional info during file transfers

/etc/ftpusers # lists users who are denied FTP access

# anonymous login (user "anonymous", any password)
ftp 10.10.10.1
ftp> status
ftp> debug
ftp> trace # turn packet tracing on
/etc/vsftpd.conf # vsftpd config file location
cat /etc/vsftpd.conf | grep -v "#" # show only active (non-comment) lines

listen=NO # run from inetd (NO) or as a standalone daemon (YES)
anonymous_enable=NO # enable anonymous access
local_enable=YES # allow local user login
dirmessage_enable=YES # show a message when users enter certain dirs
xferlog_enable=YES # log uploads/downloads
secure_chroot_dir=/var/run/vsftpd/empty # empty dir used as a secure chroot
pam_service_name=vsftpd # name of the PAM service vsftpd will use
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem # TLS certificate
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key # TLS private key
chown_uploads=YES # change ownership of anonymously uploaded files
chown_username=username # user that will own anonymously uploaded files
chroot_local_user=YES # confine local users to their home dir
chroot_list_enable=YES # use a list of local users to chroot (or, with chroot_local_user=YES, to exempt)
hide_ids=YES # all user/group info in dir listings displayed as 'ftp'
ls_recurse_enable=YES # allow recursive listings (ls -R)

hide_ids=YES: the real UID/GID of file owners is overwritten in directory listings

  • Makes it harder to identify which user's rights apply to files we write or upload

  • Downloaded files and configs are still worth viewing and inspecting; if a web app on the host has an LFI vulnerability, files we can upload (or logs we can write to) may be included and executed

    • Log-poisoning attacks of this kind can lead to RCE
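The `grep -v "#"` review of vsftpd.conf above is easy to automate. The following is an added Python example (my own code, not from the original page or from the vsftpd project) that parses a config the way vsftpd does (only lines beginning with `#` are comments) and flags the settings a pentester cares about. The checklist in `RISKY` is my selection, the defaults in `DEFAULTS` are taken from vsftpd.conf(5), and both config excerpts are constructed samples, not copied from any real host.

```python
# Constructed vsftpd.conf excerpts (sample input, not copied from any real host)
WEAK_CONF = """\
# vsftpd.conf - example of a configuration worth flagging
listen=NO
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=NO
hide_ids=YES
dirmessage_enable=YES
xferlog_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
hide_ids=NO
"""

# Defaults from vsftpd.conf(5) for the keys we check; used when a key is absent
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "no_anon_password": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "hide_ids": "NO",
}

# Checklist of settings worth flagging (my selection, not a vsftpd-provided list):
# key -> (value that counts as a finding, why it matters)
RISKY = {
    "anonymous_enable": ("YES", "anonymous login allowed"),
    "no_anon_password": ("YES", "anonymous login needs no password at all"),
    "anon_upload_enable": ("YES", "anonymous users may upload files (needs write_enable)"),
    "anon_mkdir_write_enable": ("YES", "anonymous users may create directories"),
    "write_enable": ("YES", "write commands (STOR, DELE, RNFR, ...) enabled"),
    "chroot_local_user": ("NO", "local users can browse outside their home directory"),
    "hide_ids": ("YES", "owner/group shown as 'ftp', hiding who can write what"),
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines, dropping blank lines and comments.

    vsftpd treats a line as a comment only when it starts with '#', so this
    mirrors `grep -v "#"` on a stock config without breaking values that
    legitimately contain '#'.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_vsftpd(settings: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (key, effective_value, reason) for every risky setting in effect.

    Boolean values are normalised (vsftpd accepts YES/yes/TRUE/1 and NO/no/FALSE/0),
    and absent keys are evaluated against their documented default, so a config
    that simply omits anonymous_enable is still flagged.
    """
    findings = []
    for key, (bad_value, reason) in RISKY.items():
        effective = settings.get(key, DEFAULTS[key]).upper()
        if effective in ("TRUE", "1"):
            effective = "YES"
        elif effective in ("FALSE", "0"):
            effective = "NO"
        if effective == bad_value:
            findings.append((key, effective, reason))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for key, value, reason in audit_vsftpd(parse_vsftpd_conf(conf)):
            print(f"  {key}={value}: {reason}")
```

Point it at a config pulled from a target (for example one downloaded over an anonymous session, or read through an LFI) by passing the file contents to `parse_vsftpd_conf`; the defaults matter because a near-empty vsftpd.conf still means anonymous login is on.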

ftp> get Notes.txt # download a file
ftp> put testupload.txt # upload a file
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.1 # mirror (download) all files

tree . # heirarchical file structure listed
.
└── 10.10.10.1
    ├── Folder
    │   └── SubFolder
    │       ├── Text.txt 
    │       ├── WordFile.docx
    │       └── Presentation.pptx
    └── AnotherFile.txt
sudo nmap --script-updatedb # update the NSE script database

# --script-trace shows every request and response the NSE scripts exchange with the service
sudo nmap -sV -p21 -sC -A 10.129.14.136 --script-trace

# if the server supports TLS (AUTH TLS), talk to it with openssl instead
openssl s_client -connect 10.10.10.1:21 -starttls ftp

find / -type f -name "ftp*" 2>/dev/null | grep scripts # find FTP NSE scripts
ls /usr/share/nmap/scripts | grep ftp # find FTP NSE scripts

ftp-syst.nse
ftp-libopie.nse
ftp-anon.nse
ftp-brute.nse

ftp-syst: sends SYST and STAT; STAT returns the server status

# banner grab
nc -nv 10.129.14.136 21
telnet 10.129.14.136 21
cmds
here