GitBook: [#3527] No subject

This commit is contained in:
CPol 2022-10-02 18:09:01 +00:00 committed by gitbook-bot
parent f85f16cd0e
commit 1b51a9d571
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -4,15 +4,11 @@
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
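Review bot: The list-marker change from `-` to `*` is fine, but the Twitter bird-emoji link on the "Join the" line still points at a malformed URL (`https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`), which renders as a dead link; since this hunk already touches every line of the banner, link the emoji to `https://emojipedia.org/bird/` like the speech-balloon link beside it, or drop the link and keep the bare emoji.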
@ -28,6 +24,20 @@ PORT STATE SERVICE
21/tcp open ftp
```
### Connections Active & Passive
In **Active FTP** the FTP **client** first **initiates** the control **connection** from its port N to FTP Servers command port port 21. The **client** then **listens** to port **N+1** and sends the port N+1 to FTP Server. FTP **Server** then **initiates** the data **connection**, from **its port M to the port N+1** of the FTP Client.
But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP.
In **Passive FTP**, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a **passv comand**. The server then sends the client one of its port number M. And the **client** **initiates** the data **connection** from **its port P to port M** of the FTP Server.
Source: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/)
### Connection debugging
The **FTP** commands **`debug`** and **`trace`** can be used to see **how is the communication occurring**.
## Enumeration
### Banner Grabbing
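Review bot: In the new "Connections Active & Passive" section, "passv comand" should be "`PASV` command" so it matches the `PASV` entry in the command list further down the page, and "FTP Servers command port port 21" has a duplicated word (suggest "the FTP server's command port 21"). "The server then sends the client one of its port number M" reads better as "the server then replies with one of its ports, M". Moving this section up here, ahead of "Enumeration", is a good call since the passive/active distinction is needed to understand the `PORT`/`EPRT`/`PASV` commands later.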
@ -51,6 +61,12 @@ lftp 10.10.10.208:~> login username Password
### Unauth enum
With **nmap**
```bash
sudo nmap -sV -p21 -sC -A 10.10.10.10
```
You can us the commands `HELP` and `FEAT` to obtain some information of the FTP server:
```
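Review bot: Typo in the added sentence before the code block: "You can us the commands" should be "You can use the commands", and "some information of the FTP server" reads better as "some information about the FTP server".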
@ -64,6 +80,7 @@ HELP
214-APPE REST ABOR USER PASS ACCT* REIN* LIST
214-NLST STAT SITE MLSD MLST
214 Direct comments to root@drei.work
FEAT
211-Features:
PROT
@ -83,18 +100,11 @@ FEAT
MFMT
SIZE
211 End
STAT
#Info about the FTP server (version, configs, status...)
```
### Connections
In **Active FTP** the FTP **client** first **initiates** the control **connection** from its port N to FTP Servers command port port 21. The **client** then **listens** to port **N+1** and sends the port N+1 to FTP Server. FTP **Server** then **initiates** the data **connection**, from **its port M to the port N+1** of the FTP Client.
But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP.
In **Passive FTP**, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a **passv comand**. The server then sends the client one of its port number M. And the **client** **initiates** the data **connection** from **its port P to port M** of the FTP Server.
Source: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/)
### Anonymous login
_anonymous : anonymous_\
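Review bot: The added `#Info about the FTP server (version, configs, status...)` line sits inside a block that is a literal FTP session transcript (commands and `2xx` replies); `#` is not a comment in the FTP command channel, so a reader who pastes the block would send it to the server as an invalid command. Suggest moving that explanation to prose after the block, or to a `STAT` bullet in the command list. Removing the old "Connections" section here is consistent with the copy now added under "Connections Active & Passive" near the top of the page.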
@ -123,6 +133,20 @@ Anon login and bounce FTP checks are perform by default by nmap with **-sC** opt
nmap --script ftp-* -p 21 <ip>
```
### Post-Exploitation
The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`. In here, you could find some dangerous settings:
* `anonymous_enable=YES`
* `anon_upload_enable=YES`
* `anon_mkdir_write_enable=YES`
* `anon_root=/home/username/ftp` - Directory for anonymous.
* `chown_uploads=YES` - Change ownership of anonymously uploaded files
* `chown_username=username` - User who is given ownership of anonymously uploaded files
* `local_enable=YES` - Enable local users to login
* `no_anon_password=YES` - Do not ask anonymous for password
* `write_enable=YES` - Allow commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE
### Shodan
* `ftp`
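Review bot: The new section is titled "Post-Exploitation" but its content is a vsftpd configuration review, and the list calls the settings "dangerous" without saying why; a reader is better served by one clause per item, e.g. `anon_upload_enable=YES`, `anon_mkdir_write_enable=YES` and `write_enable=YES` together give unauthenticated clients write access under `anon_root`, and `chown_uploads=YES` with `chown_username=username` makes every anonymous upload owned by that account (so it should never be a privileged user). Stating the safe values (`anonymous_enable=NO`, `anon_upload_enable=NO`, `write_enable=NO` unless needed) would also make the section useful for hardening, not only for reading a compromised host's config.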
@ -147,19 +171,21 @@ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all
## Some FTP commands
* `USER username`
* `PASS password`
* `HELP` The server indicates which commands are supported
* `PORT 127,0,0,1,0,80`This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_).
* `EPRT |2|127.0.0.1|80|`This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**.
* `LIST` This will send the list of files in current folder
* `APPE /path/something.txt` This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data.
* `STOR /path/something.txt` Like `APPE` but it will overwrite the files
* `STOU /path/something.txt` Like `APPE`, but if exists it won't do anything.
* `RETR /path/to/file` A passive or a port connection must be establish. Then, the FTP server will send the indicated file through that connection
* `REST 6` This will indicate the server that next time it send something using `RETR` it should start in the 6th byte.
* `TYPE i` Set transfer to binary
* `PASV` This will open a passive connection and will indicate the user were he can connects
* **`USER username`**
* **`PASS password`**
* **`HELP`** The server indicates which commands are supported
* **`PORT 127,0,0,1,0,80`**This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_).
* **`EPRT |2|127.0.0.1|80|`**This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**.
* **`LIST`** This will send the list of files in current folder
* **`LIST -R`** List recursively (if allowed by the server)
* **`APPE /path/something.txt`** This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data.
* **`STOR /path/something.txt`** Like `APPE` but it will overwrite the files
* **`STOU /path/something.txt`** Like `APPE`, but if exists it won't do anything.
* **`RETR /path/to/file`** A passive or a port connection must be establish. Then, the FTP server will send the indicated file through that connection
* **`REST 6`** This will indicate the server that next time it send something using `RETR` it should start in the 6th byte.
* **`TYPE i`** Set transfer to binary
* **`PASV`** This will open a passive connection and will indicate the user were he can connects
* **`PUT /tmp/file.txt`** Upload indicated file to the FTP
![](<../../.gitbook/assets/image (227).png>)
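Review bot: Three accuracy problems in this list are carried over unchanged and one is introduced. `EPRT |2|127.0.0.1|80|` is described as "TCP connection (indicated by 2)", but in RFC 2428 the first field is the address family, 1 for IPv4 and 2 for IPv6, so the IPv4 example should read `EPRT |1|127.0.0.1|80|`. The `PORT` note says the 5th and 6th fields can "express the port in hex"; they are the port in base 256 (port = p5*256 + p6), so `0,80` is port 80 and port 8080 would be `31,144`. `STOU` does not "do nothing if exists"; it stores under a server-chosen unique name. The newly added `PUT /tmp/file.txt` is an `ftp`-client command, not a protocol command (the client sends `STOR` for it), so it should be marked as such or moved out of the raw-command list. Minor: the bold entries are missing a space before "This will", and "were he can connects" should be "where it can connect".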
@ -260,14 +286,10 @@ Entry_7:
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
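Review bot: Same issue as the header banner: the bird-emoji link on the "Join the" line still carries the malformed `https://github.com/carlospolop/hacktricks/tree/.../\[https:/emojipedia.org/bird/README.md` target; fix it here too so header and footer stay identical.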