OSCP Notes
FTP

Note

    Sometimes clues are left on the FTP server.
    Old versions of FTP server software might be vulnerable
    Check the server version
    Search for an exploit using Google / Searchsploit / Rapid7
    If you find credentials, try them on SSH / login pages / databases

Connection

    ncftp $ip
    ftp $ip

Many FTP servers allow anonymous users (anonymous:anonymous).

Nmap script enumeration

    nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip

Vulnerability scanning

    nmap --script=ftp-* -p 21 $ip

Bruteforce password for a known username

    hydra -l $user -P /usr/share/john/password.lst ftp://$ip:21
    hydra -l $user -P /usr/share/wordlists/nmap.lst -f $ip ftp -V
    medusa -h $ip -u $user -P passwords.txt -M ftp

Bruteforce Service Password

    Refer to the bruteforce note
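
From the defender's side, the anonymous logins and password guessing noted above both leave traces in the FTP server log. The following is an added example, not part of the original notes: it assumes vsftpd-style `OK LOGIN` / `FAIL LOGIN` log lines, and the function name `analyse`, the threshold of 5 and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in vsftpd's log style (documentation-range IPs, made-up users).
_T = "Tue Mar  5 10:00:{:02d} 2024 [pid 2101] "
SAMPLE_LOG = "\n".join(
    [_T.format(s) + '[alice] FAIL LOGIN: Client "::ffff:203.0.113.7"' for s in range(6)]
    + [
        _T.format(7) + '[alice] OK LOGIN: Client "::ffff:203.0.113.7"',
        _T.format(20) + '[bob] FAIL LOGIN: Client "198.51.100.4"',
        _T.format(25) + '[bob] OK LOGIN: Client "198.51.100.4"',
        _T.format(40) + '[ftp] OK LOGIN: Client "::ffff:192.0.2.9", anon password "x@example.test"',
    ]
)

LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?:::ffff:)?(?P<ip>[^"]+)"'
)

def analyse(log_text, fail_threshold=5):
    """Return (noisy_ips, anonymous_ips, success_after_guessing)."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed logins
    anonymous_ips = set()
    success_after_guessing = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login event
        user, result, ip = m.group("user", "result", "ip")
        if result == "FAIL":
            fails[ip][user] += 1
        elif user in ("ftp", "anonymous"):
            anonymous_ips.add(ip)  # anonymous access is enabled and in use
        elif fails[ip][user] >= fail_threshold:
            # A success right after many failures: treat the account as compromised.
            success_after_guessing.append((ip, user))
    totals = {ip: sum(users.values()) for ip, users in fails.items()}
    noisy_ips = {ip: n for ip, n in totals.items() if n >= fail_threshold}
    return noisy_ips, anonymous_ips, success_after_guessing

if __name__ == "__main__":
    noisy, anon, hits = analyse(SAMPLE_LOG)
    print("failed-login bursts:", noisy)
    print("anonymous logins from:", sorted(anon))
    print("success after guessing:", hits)
```

A single failed login followed by a success (the `bob` lines) stays below the threshold and is not flagged.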

Enumeration of users

    ftp-user-enum.pl -U users.txt -t $ip
    ftp-user-enum.pl -M iu -U users.txt -t $ip

Command

    send    # Send a single file
    put     # Send one file
    mput    # Send multiple files
    mget    # Get multiple files
    get     # Get a file from the remote computer
    ls      # List
    mget *  # Download everything

    binary  # Switch to binary transfer mode
    ascii   # Switch to ASCII transfer mode

Configuration Files

    ftpusers
    ftp.conf
    proftpd.conf

Vulnerable versions

    ProFTPD-1.3.3c Backdoor
    ProFTPD 1.3.5 Mod_Copy Command Execution
    VSFTPD v2.3.4 Backdoor Command Execution

Exploitation

    Gather version numbers
    Searchsploit
    Default Creds
    Creds previously gathered
    Download the software
Last modified 1yr ago