File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is a widely used protocol to transfer files. It's mostly used externally, unlike SMB or NFS.
Ports: 21 (TCP/control), and 20 (TCP/data)
FTP communications are not encrypted.
There is a secure version called FTPS (port 990, over SSL/TLS).
$ ftp IP # use current user username
$ ftp username@IP
$ ftp username@IP -p port
ftp> help
If username@IP doesn't work, you can manually connect:
$ ftp -n IP
ftp> user username
Password: xxx
FTP protocol internals
An FTP session starts with the server sending USER, the client answering with a username, the server sending PASS, and the user answering back with the password.
There are two modes in FTP: active and passive. The mode determines the port used to transfer data. In active mode, data is transferred via port 20, while in passive mode, a port higher than 1023 will be used.
There are two channels in an FTP connection: a channel to send commands (also called control), and one to transfer data. There is also a transfer mode, which could be ASCII, or binary (default). You can enter type [a|i] or ascii|binary to switch.
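As an added example (not part of the original notes), the Python sketch below decodes the h1,h2,h3,h4,p1,p2 field carried on the control channel by the PORT command (active mode) and the 227 reply (passive mode), and flags PORT commands that point the data connection at a host other than the client, which is how the FTP bounce scan mentioned under Enumeration shows up in a control-channel capture. The function names, the C:/S: line prefixes and the sample lines are assumptions made for the illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT (active) and the 227 reply (passive)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' field, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):  # each field is a single byte
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit_control_lines(lines, client_ip):
    """Walk control-channel lines ('C: ...' client, 'S: ...' server) and
    report each data endpoint plus any PORT that looks like a bounce."""
    findings = []
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("PORT "):
            ep = decode_hostport(msg)
            if ep is None:
                findings.append(("malformed", msg))
            elif ep[0] != client_ip:  # data redirected to a third host
                findings.append(("bounce-suspect", ep))
            elif ep[1] < 1024:  # heuristic: clients rarely listen on low ports
                findings.append(("low-port", ep))
            else:
                findings.append(("active", ep))
        elif side == "S" and msg.startswith("227"):
            ep = decode_hostport(msg)
            findings.append(("passive", ep) if ep else ("malformed", msg))
    return findings

# Constructed sample (not a real capture); the client is 192.0.2.10.
SAMPLE = [
    "C: PORT 192,0,2,10,195,80",
    "S: 200 PORT command successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,5,234,96).",
    "C: PORT 10,0,0,7,0,22",
    "C: PORT 192,0,2,10,999,1",
]

if __name__ == "__main__":
    for finding in audit_control_lines(SAMPLE, "192.0.2.10"):
        print(finding)
```

A client behind NAT can legitimately advertise an address other than the one the server sees, so treat bounce-suspect as a lead to check rather than a verdict.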
Once in an FTP shell, here are some commands you may use:
ftp> pwd # path to the current folder
ftp> ls folder # list files
ftp> cd folder # move to folder
ftp> put /local/path /remote/dest # upload
ftp> get /remote/path /local/dest # download
ftp> less file # read file
ftp> exit # exit
ftp> bye # same
To download all files:
$ wget -m --no-passive ftp://username:password@IP
And to query information about the server:
ftp> syst # information about the system
ftp> stat # same, but there is the version+ftp client name
ftp> status # same as 'stat'
If put/get keep failing, try moving to the target folder first.
FTP Pentester notes
FTP may be used by hackers to find interesting files. Remember to check for hidden files.
Enumeration
- We can use nmap to run basic scripts
$ nmap -sC -sV -p 21 IP
- We may be able to use FTP bounce to scan for ports
$ nmap [...] -b ftp:username:password@IP INTERNAL_IP
Foothold
- Anonymous users may have been enabled. Try a blank password.
$ ftp anonymous@IP
- The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list ftp://IP -V -f
Well-known CVEs
- ProFTPD 1.3.5: users could move files from a non-mounted path to the mounted path. You could steal an id_rsa for instance.
- vsFTPd 2.3.4: has a backdoor as per CVE-2011-2523.
- CoreFTP 727 (ref): can use PUT to arbitrarily upload files
Additional Notes
- vsFTPd 3.0.2: the FTP server may have been misconfigured, and allows access to any file on the host using "cd ..".
- It's very uncommon but:
ftp> !/bin/bash
Random Notes
Simple FTP Server
You can use pyftpdlib:
$ sudo apt install python3-pyftpdlib
$ python3 -m pyftpdlib --port 21
$ python3 -m pyftpdlib --port 21 --write
You can use twisted:
$ sudo pip3 install twisted
$ sudo python3 -m twisted ftp -p 21 -r .
To-do
Stuff that I found, but never read/used yet.
- ftp -p (passive mode, may bypass some firewall)
- tftp
- configuration (/etc/vsftpd.conf, /etc/ftpusers=deny FTP access)
- hide usernames (hide_ids=YES, use ftp:ftp)
- nmap ftp-anon, ftp-syst