Press "Enter" to skip to content

Infraestructure hacking: FTP Protocol

This is the first post in the new section of the website where I will explain in detail a protocol in contrast and show examples of different ways to exploit different vulnerable implementations. To make these posts I have used as example implementations that can be found in the hackthebox.eu platform, as well as the Ippsec videos.

The File Transfer Protocol (FTP) is a network protocol for transferring files between systems connected to a TCP (Transmission Control Protocol) network, based on the client-server architecture.

image: geeksforgeeks.org

One of the characteristics of this protocol is that it is not encrypted. Therefore, if we obtain an FTP trace, we can open it with wireshark to see all the traffic, including the user and password:

Using the Wireshark program it is easy to follow the TCP trace and discover the username and password:

Access

It is possible to access this service by indicating the host or IP and the port (default is port 21). For example, to access the ftp of this website (if you have it activated) you would only need to write on the terminal ftp hackinglethani.com

Anonymous Access

It is possible to access an ftp server anonymously if anonymous access is enabled. In the following image we can see how nmap reveals that anonymous access is active:

To access, you must enter “anonymous” and any password.

Connection modes

In active mode the server will send the data through port 20:

In passive mode the server indicates the random data port it will use to make the connection.

If there is a firewall on your computer it may reject connections, so you should use the passive mode.

Let’s look at some examples of nmap:

Nmap indicates an error in the FTP, “Can’t get directory listing”. This error indicates that the service has not been configured when changing the IP, so the passive mode will probably not work correctly.

In this other example we see again that the passive mode has failed, so we will not be able to use it:

This can give problems if for example we want to download all the files with wget:

In this case it would be solved by using the flag –no-passive-ftp. (Note: the –no-passive command would also work)

File Transfer

Ascii mode
To transfer files that contain only printable characters. You can modify line breaks and other file information.
Binary mode
To transfer binaries. The file is sent byte by byte without modification.

FTP Basic Commands

?to request help or information about the FTP commands
asciito set the mode of file transfer to ASCII
(this is the default and transmits seven bits per character)
binaryto set the mode of file transfer to binary
(the binary mode transmits all eight bits per byte and thus provides less chance of a transmission error and must be used to transmit files other than ASCII files)
byeto exit the FTP environment (same as quit)
cdto change directory on the remote machine
closeto terminate a connection with another computer
 close brubeckcloses the current FTP connection with brubeck,
  but still leaves you within the FTP environment.
deleteto delete (remove) a file in the current remote directory (same as rm in UNIX)
getto copy one file from the remote machine to the local machine
 get ABC DEFcopies file ABC in the current remote directory to (or on top of) a file named DEF in your current local directory.
 get ABCcopies file ABC in the current remote directory to (or on top of) a file with the same name, ABC, in your current local directory.
helpto request a list of all available FTP commands
lcdto change directory on your local machine (same as UNIX cd)
lsto list the names of the files in the current remote directory
mkdirto make a new directory within the current remote directory
mgetto copy multiple files from the remote machine to the local machine;
  you are prompted for a y/n answer before transferring each file
 mget *copies all the files in the current remote directory to your current local directory, using the same filenames. Notice the use of the wild card character, *.
mputto copy multiple files from the local machine to the remote machine;
  you are prompted for a y/n answer before transferring each file
opento open a connection with another computer
 open brubeckopens a new FTP connection with brubeck;
  you must enter a username and password for a brubeck account
      (unless it is to be an anonymous connection).
putto copy one file from the local machine to the remote machine
pwdto find out the pathname of the current directory on the remote machine
quitto exit the FTP environment (same as bye)
rmdirto to remove (delete) a directory in the current remote directory

 

Multiple file download

To download all the files in a directory we can use the command mget * . It will show us each file one by one and ask us if we want to download it.

Another option for multiple file downloads is to use the following command:

wget –mirror ‘ftp://ftp_user:Passw0rd@10.10.10.10’

Listing hidden files

Maybe with a dir you won’t find anything, but with a dir you will be able to see the hidden files.

Local Server Time

In the following image we can see how the server time indicates us. This could be used to geoposition it.

FTP via IPv6

However, we do not know the IPv6 address. To find out, we will use the vulnerability known as FTP Bounce Attack.

 FXP & IPv6
FXP is a method for passing files between FTP servers without using a client. It is vulnerable to FTP Bounce Attack, an attack by which you can send PORT commands to make the server connect to some port, and make port scans
 

Let’s look at a server that allows FXP:

We can connect via netcat to execute FTP commands by typing them directly.

To do this we will use the EPRT command, as indicated by the RFC 2428:

 
EPRT | [1-2] | IP | PORT
 
The second value is 1 for IPv4 and 2 for IPv6.
 
If our IPv6 is dead:beef:2::1000, the command would be as follows

We have to listen first. In order to listen to IPv6 we must use ncat:

If we now use the LIST command, it shows us the files, but it also shows us the IPv6 address of the machine: dead:beef::250:56ff:fe8f:5e5f

Now you can do an nmap to that address and maybe it will show accessible open ports that were not accessible before.

Symlink

If, when the ? command is executed, the symlink option appears, perhaps we can create a symbolic link to the root directory.

symlink / test

By accessing /test on the website, we will be accessing the root directory of the server.

We can also see the content of php files, for example:

symlink /var/www/html/index.php /index.txt

FTP version

We can see the version in the header if we connect via netcat:

FTP vulnerable version: vsftpd 2.3.4

There is a version of FTP that is vulnerable, it has a backdoor. It is the version vsftpd 2.3.4

The vulnerability is that if you enter a smiley face 🙂 at the end of the username, you get command execution.

SSH Access

If we can create folders and upload files in a user’s home, we can create a .ssh folder, generate the RSA keys and connect to that user via ssh without knowing the password:

I hope you liked this first post where I showed you some of the most common ways to take advantage of the FTP protocol. In the next few weeks I will be uploading entries in which I will analyse the rest of the protocols.

Lethani.

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *