FTP
File Transfer Protocol: Runs on app layer of TCP/IP stack: Same as HTTP/POP
Connects through two channels: Client and server establish the control channel on port 21
Client sends cmds to server: Server returns status codes
Both participants can establish a data channel on port 20
Channel used exclusively for data transmission
If a connection is broken, it's resumed after it's re-established
connect # sets remote host, port for file xfers
get # xfers file/set of files from remote to local
put # xfers file/set of files from local to remote
status # shows current status (ascii or bin), time-out val
verbose # displays additional info during file xfer
/etc/ftpusers # used to deny users access
# anonymous login
ftp 10.10.10.1
ftp> status
ftp> debug
ftp> trace # packet tracing on
hide_ids=YES # vsftpd config option
UID/GID of files shown in directory listings are overwritten
Makes it harder to identify which user's rights files are written/uploaded with
Allows us to use LFI vulns to make hosts exec cmds: view, download, inspect
Attacks possible with logs, leading to RCE
ftp> get Notes.txt # download a file
ftp> put testupload.txt # upload a file
wget -m --no-passive ftp://anon:<password>@10.10.10.1 # mirror (download) all files; <password> is a placeholder
tree . # hierarchical file structure listed
.
└── 10.10.10.1
    ├── Folder
    │   └── SubFolder
    │       ├── Text.txt
    │       ├── WordFile.docx
    │       └── Presentation.pptx
    └── AnotherFile.txt
sudo nmap --script-updatedb # update the NSE script database
# --script-trace shows all data the NSE scripts send to and receive from the service
sudo nmap -sV -p21 -sC -A 10.129.14.136 --script-trace
# if the server requires TLS/SSL (FTPS via AUTH TLS), connect with openssl instead
openssl s_client -connect 10.10.10.1:21 -starttls ftp
find / -type f -name "ftp*" 2>/dev/null | grep scripts # find nse scripts (quote the glob so the shell doesn't expand it)
ls /usr/share/nmap/scripts | grep ftp # find nse scripts
ftp-syst.nse
ftp-libopie.nse
ftp-anon.nse
ftp-brute.nse
ftp-syst: executes STAT, which displays server status
# banner grab
nc -nv 10.129.14.136 21
telnet 10.129.14.136 21
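Added example (not from the original notes): a small Python parser for what the client reads on the control channel after a banner grab and a STAT (as ftp-syst sends), including multi-line replies, plus decoding of the 227 reply that tells the client where the data channel is. The transcript, banner and addresses are constructed placeholders.

```python
import io
import re
# Constructed transcript (not from a real host): what a client reads from port 21
# after connecting, logging in anonymously and sending STAT, then PASV.
SAMPLE_CONTROL_STREAM = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"230 Login successful.\r\n"
    b"211-FTP server status:\r\n"
    b"     Connected to ::ffff:10.10.14.2\r\n"
    b"     Logged in as ftp\r\n"
    b"211 End of status\r\n"
    b"227 Entering Passive Mode (10,10,10,1,195,80).\r\n"
)

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def read_reply(stream):
    """Read one RFC 959 reply from a binary file-like (e.g. sock.makefile("rb")).
    "NNN-text" opens a multi-line reply that ends at the first "NNN " line.
    Returns (code, [lines]), or (None, []) at end of stream."""
    raw = stream.readline()
    if not raw:
        return None, []
    first = raw.decode("latin-1").rstrip("\r\n")
    code, lines = int(first[:3]), [first]      # ValueError if not a status code
    if first[3:4] == "-":                      # multi-line reply
        while True:
            raw = stream.readline()
            if not raw:                        # stream ended mid-reply
                break
            lines.append(raw.decode("latin-1").rstrip("\r\n"))
            if lines[-1].startswith(f"{code} "):
                break
    return code, lines

def read_all_replies(stream_bytes):
    """Split a whole control-channel capture into [(code, [lines]), ...]."""
    stream, replies = io.BytesIO(stream_bytes), []
    while (reply := read_reply(stream))[0] is not None:
        replies.append(reply)
    return replies

def parse_pasv(reply_line):
    """Decode a 227 reply into the (host, port) of the data channel. The server
    picks this port (p1*256 + p2); port 20 is only used in active mode."""
    m = _PASV_RE.search(reply_line)
    if not m:
        raise ValueError("not a PASV reply: " + reply_line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
```

To use it against a live control channel, pass `sock.makefile("rb")` to `read_reply` instead of the constructed bytes.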