From 1b51a9d5717c768592d4215783a1994a913ef406 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 2 Oct 2022 18:09:01 +0000 Subject: [PATCH] GitBook: [#3527] No subject --- .../pentesting-ftp/README.md | 104 +++++++++++------- 1 file changed, 63 insertions(+), 41 deletions(-) diff --git a/network-services-pentesting/pentesting-ftp/README.md b/network-services-pentesting/pentesting-ftp/README.md index 722a33d6d..96dca9e1a 100644 --- a/network-services-pentesting/pentesting-ftp/README.md +++ b/network-services-pentesting/pentesting-ftp/README.md @@ -4,15 +4,11 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** @@ -28,6 +24,20 @@ PORT STATE SERVICE 21/tcp open ftp ``` +### Connections Active & Passive + +In **Active FTP** the FTP **client** first **initiates** the control **connection** from its port N to FTP Servers command port – port 21. The **client** then **listens** to port **N+1** and sends the port N+1 to FTP Server. FTP **Server** then **initiates** the data **connection**, from **its port M to the port N+1** of the FTP Client. + +But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP. + +In **Passive FTP**, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a **passv comand**. The server then sends the client one of its port number M. And the **client** **initiates** the data **connection** from **its port P to port M** of the FTP Server. + +Source: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/) + +### Connection debugging + +The **FTP** commands **`debug`** and **`trace`** can be used to see **how is the communication occurring**. + ## Enumeration ### Banner Grabbing @@ -51,6 +61,12 @@ lftp 10.10.10.208:~> login username Password ### Unauth enum +With **nmap** + +```bash +sudo nmap -sV -p21 -sC -A 10.10.10.10 +``` + You can us the commands `HELP` and `FEAT` to obtain some information of the FTP server: ``` @@ -64,6 +80,7 @@ HELP 214-APPE REST ABOR USER PASS ACCT* REIN* LIST 214-NLST STAT SITE MLSD MLST 214 Direct comments to root@drei.work + FEAT 211-Features: PROT @@ -83,18 +100,11 @@ FEAT MFMT SIZE 211 End + +STAT +#Info about the FTP server (version, configs, status...) ``` -### Connections - -In **Active FTP** the FTP **client** first **initiates** the control **connection** from its port N to FTP Servers command port – port 21. The **client** then **listens** to port **N+1** and sends the port N+1 to FTP Server. FTP **Server** then **initiates** the data **connection**, from **its port M to the port N+1** of the FTP Client. - -But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP. - -In **Passive FTP**, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a **passv comand**. The server then sends the client one of its port number M. And the **client** **initiates** the data **connection** from **its port P to port M** of the FTP Server. - -Source: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/) - ### Anonymous login _anonymous : anonymous_\ @@ -123,6 +133,20 @@ Anon login and bounce FTP checks are perform by default by nmap with **-sC** opt nmap --script ftp-* -p 21 ``` +### Post-Exploitation + +The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`. In here, you could find some dangerous settings: + +* `anonymous_enable=YES` +* `anon_upload_enable=YES` +* `anon_mkdir_write_enable=YES` +* `anon_root=/home/username/ftp` - Directory for anonymous. +* `chown_uploads=YES` - Change ownership of anonymously uploaded files +* `chown_username=username` - User who is given ownership of anonymously uploaded files +* `local_enable=YES` - Enable local users to login +* `no_anon_password=YES` - Do not ask anonymous for password +* `write_enable=YES` - Allow commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE + ### Shodan * `ftp` @@ -147,19 +171,21 @@ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all ## Some FTP commands -* `USER username` -* `PASS password` -* `HELP` The server indicates which commands are supported -* `PORT 127,0,0,1,0,80`This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_). -* `EPRT |2|127.0.0.1|80|`This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**. -* `LIST` This will send the list of files in current folder -* `APPE /path/something.txt` This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data. -* `STOR /path/something.txt` Like `APPE` but it will overwrite the files -* `STOU /path/something.txt` Like `APPE`, but if exists it won't do anything. -* `RETR /path/to/file` A passive or a port connection must be establish. Then, the FTP server will send the indicated file through that connection -* `REST 6` This will indicate the server that next time it send something using `RETR` it should start in the 6th byte. -* `TYPE i` Set transfer to binary -* `PASV` This will open a passive connection and will indicate the user were he can connects +* **`USER username`** +* **`PASS password`** +* **`HELP`** The server indicates which commands are supported +* **`PORT 127,0,0,1,0,80`**This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_). +* **`EPRT |2|127.0.0.1|80|`**This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**. +* **`LIST`** This will send the list of files in current folder + * **`LIST -R`** List recursively (if allowed by the server) +* **`APPE /path/something.txt`** This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data. +* **`STOR /path/something.txt`** Like `APPE` but it will overwrite the files +* **`STOU /path/something.txt`** Like `APPE`, but if exists it won't do anything. +* **`RETR /path/to/file`** A passive or a port connection must be establish. Then, the FTP server will send the indicated file through that connection +* **`REST 6`** This will indicate the server that next time it send something using `RETR` it should start in the 6th byte. +* **`TYPE i`** Set transfer to binary +* **`PASV`** This will open a passive connection and will indicate the user were he can connects +* **`PUT /tmp/file.txt`** Upload indicated file to the FTP ![](<../../.gitbook/assets/image (227).png>) @@ -260,14 +286,10 @@ Entry_7: Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**