FTP

Enumeration

Nmap's default script set (-sC) includes the ftp-anon script, which checks whether an FTP server allows anonymous logins.

Anonymous Authentication

$ ftp <IP>

Connected to 192.168.2.142.
220 (vsFTPd 2.3.4)
Name (192.168.2.142:kali): anonymous

Enter an empty password when prompted.

Protocol-Specific Attacks

Bruteforcing

There are many different tools to perform a brute-forcing attack. Let us explore one of them, Medusa.

With Medusa, we can use the option -u to specify a single user to target, or the option -U to provide a file with a list of usernames.

The option -P is for a file containing a list of passwords.

The option -M selects the module for the protocol we are targeting (FTP), and the option -h sets the target hostname or IP address.

medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp

Although we may find services vulnerable to brute force, most applications today prevent these types of attacks. A more effective method is Password Spraying.

FTP Bounce Attack

An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a PORT command to trick the FTP connection into running commands and getting information from a device other than the intended server.

The Nmap -b flag can be used to perform an FTP bounce attack:

nmap -Pn -v -n -p80 -b anonymous:password@<FTP_IP> <INTERNAL_IP>

Modern FTP servers include protections that prevent this type of attack by default, but if these protections are disabled or misconfigured, the server can become vulnerable to an FTP bounce attack.
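To detect bounce attempts on the server side, the check below flags PORT/EPRT commands whose data-connection target is not the control-connection peer or is a privileged port. It is an added example, not part of the original page; the `(client_ip, command)` event format, the function names and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |af|addr|port| (RFC 2428)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|$", re.I)

def parse_data_target(command):
    """Return (ip, port) requested by a PORT/EPRT command, else None."""
    command = command.strip()
    m = PORT_RE.match(command)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed argument
        ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
        return ip, nums[4] * 256 + nums[5]
    m = EPRT_RE.match(command)
    if m:
        try:
            return ipaddress.ip_address(m.group(1)), int(m.group(2))
        except ValueError:
            return None
    return None

def find_bounce_attempts(events):
    """events: iterable of (client_ip, command) taken from FTP command logs."""
    findings = []
    for client_ip, command in events:
        target = parse_data_target(command)
        if target is None:
            continue
        ip, port = target
        reasons = []
        if ip != ipaddress.ip_address(client_ip):
            reasons.append("address differs from control-connection peer")
        if port < 1024:
            reasons.append("privileged port")
        if reasons:
            findings.append((client_ip, str(ip), port, reasons))
    return findings

# Constructed sample events (not real traffic)
SAMPLE = [
    ("203.0.113.10", "PORT 203,0,113,10,195,80"),  # normal active mode, port 50000
    ("203.0.113.10", "PORT 10,0,0,5,0,80"),        # third-party host, port 80
    ("203.0.113.10", "EPRT |1|203.0.113.10|22|"),  # own address, privileged port
    ("203.0.113.10", "LIST"),
]
```

Calling `find_bounce_attempts(SAMPLE)` returns the second and third events; the same two conditions are what a server's built-in PORT check enforces when it is left enabled.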
