Anonymous FTP

January 1, 2016

What all can you do when you find an anon FTP? Just use it as a dropbox for files, or is it possible to upload backdoor code and execute it? I am in Exploitation Part 1 of Advanced Pen Testing, and uploading backdoor PHP code is pretty cool. Can you do anything like that with an FTP server?

First, find out what FTP server and version is running. Take a look at using nmap for this:

You can use nmap to scan for the open ports and the versions of the services running on those ports. After that you can use Metasploit in Kali to find any exploits related to the FTP service you find. You can also take that information and search for potential exploits on sites such as

I hope that helps.

As for nmap, also check out the scripts that come with nmap that can check for certain FTP vulnerabilities. You can find a list of all nmap scripts at

Johan, thanks so much for that link. I hadn't come across that yet with nmap, still a n00b. But from what I've learned regarding nmap so far in my LAN, these scripts look like serious efficiencies for target recon.

For a bit more context surrounding johan's recommendation, check out the high level overview first.

What directory are you allowed to upload to? Is there an HTTP Web Server running on the box? What's stopping you from uploading a Web Shell and browsing to the file? Sure, nmap and service related vulnerabilities are something you want to use and check for, but if you're allowed to upload to a web server somewhere, you can absolutely get a shell in most cases. If they were dull enough to allow Anonymous FTP access, wonder what else they were dull enough to do.

David, that's more what I was referring to. Yes, let's suppose it's a Web Server and they happen to have an anon FTP running as well. What modules could I use in Metasploit to upload to the file server? Something similar to the PHP Simple Backdoor Georgia used in Exploitation?

Sometimes if the FTP is not configured correctly you can traverse to other directories that will allow you to gather useful data.

Yes Two Wolves. However if you don't have permission to attack the web server in the first place, you shouldn't be playing around.

Thanks gentlemen. You all just taught me something. I need to dig much deeper.

David, that goes without saying. I am working out of VMs, and have a FileZilla server operating on XP. Just wondering what the proper method would be to upload something malicious and leverage it, as nothing I've tried yet has worked.

Most of the topics in Advanced Penetration are not on a video file; can any recommendation be made on that?

Can you leverage netcat in this scenario to get a reverse shell?

I don't think so, not without code execution. You would have to upload a file with a malicious payload and wait for a user on the FTP server to access it, or (speculation) upload a backdoor like the PHP backdoor shown in the videos and execute code that way. That's what I want more explanation on, if anybody could provide it. How would you upload something to begin executing code or gain a backdoor? Is it heavily dependent on the FTP software/version in play, or is there something that will work on any FTP server if the anonymous account has write privileges?

I'm sure I came across this scenario in my travels. I'll dig deeper into this. I'll need to set this scenario up in my lab and try a few things. I'll get back to you.

@twowolves - what is the webserver? IIS / Apache? Did you fingerprint the OS?

@twowolves - you have write permissions? I assume you do if you are placing a file on the server.

@cisp - So to be a n00b and not l33t, would you mind sharing a technique to get the shell or reverse shell? I'm looking into it but gotta stop for a bit. I'm not trying to get out of my due diligence research.
I'm just a n00b looking for a tip so that I can work backwards from the exploit to understanding the pieces and why it worked and how.

@twowolves - I gotta bounce for a while. I'll let you know what I find when I jump back in tomorrow. I feel like I should know this and the answer is probably very straightforward. Your target environment from my understanding is: FileZilla server operating on XP. If anyone else has a solution for this please post it or post the resources to get to it ;) I'll take a look at the Metasploit modules and see what I find.

Check out the first video in Advanced Penetration Testing for the Exploitation section. Georgia's lab has a web server running XAMPP with WebDAV. Using default credentials she uploads a PHP Backdoor and is able to run commands, passing them to the backdoor through the URL. Although our situation is a little different, I want to see if something similar is possible without default creds, but with an anon FTP server (it will have to have write permissions). Is there a similar method to upload a backdoor and gain a foothold?

@twowolves - I was unable to get FileZilla to work on XP, even going back to the last "Supported" version, which is 3.8. I understand the question you're posing, "does a Metasploit module exist for deploying a payload on the file system to gain access / can an auxiliary module help one to get a foothold?", is really of a more general nature. My understanding is that there is no magic bullet to get a shell specifically by uploading a file to an FTP server alone, unless the FTP directory is in a folder accessible by the webserver directly through the URL (and I may certainly be mistaken). At that point you're back to the PHP backdoor and similar scenarios.
Other information can be gleaned from accessing an FTP server and used as part of the bigger picture to exploit the server, for example the "Shadow" file in Linux. For Windows, modules are in usr/share/metasploit-framework/modules/exploits/windows/ftp, but I'm sure you're well aware of that as well as using searchsploit in the msfconsole. There are dozens of exploits in Metasploit for Windows FTP; some are very specific to the version and FTP server being used.

Sorry if someone has mentioned this already, as I only skimmed the initial threads, but in response to the initial question, what can I do with anonymous FTP: firstly, like a few people have suggested, thoroughly Nmap the entire host and get full version scanning and OS detection of the box. If you know what the box is because it's in your lab, you still might want to do this so as to get into the habit. I also like to double check my findings with at least a second tool before going down specific paths, to avoid false positives. So for OS detection you could use Xprobe2, and for specific service version detection there is Amap and banner grabbing, which should hopefully back up your findings with Nmap. You didn't mention what OS or any specifics about the box, but start off with the usual commands; you can normally see these with help or ? when you have gained access. Print the current directory, see where you have ended up, and list the files where you are. If this is a Linux box, are you in someone's home account? Can you access the .ssh keys stored in their home directory, or grab the bash history file .bash_history? If you can grab those files, that is a good start. Can you traverse to a higher directory? Usually just cd .. without the slash is enough to go up a directory. If it's Windows, can you get to the repair directory to pull out the SAM and System file? Remember you ideally need both to crack passwords. If this is an XP Pro or 2000 box still using LM passwords, then you've got yourself a quick win there.
If there is one thing I learnt from the OSCP course, it is: enumerate, enumerate, and then when you think you have enumerated enough, enumerate some more. When you get inside the box, the whole information gathering process starts again.
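
The condition several replies converge on (an anonymous account with write access to a directory the web server also serves) can be audited from the server owner's side. The following is an added example, not code from any poster in this thread; it assumes a vsftpd-style `option=value` configuration rather than the FileZilla Server used in the thread's lab, and the sample configuration and web root path are constructed.

```python
import posixpath

# Built-in vsftpd defaults for the options examined (see vsftpd.conf(5)).
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "anon_other_write_enable": "NO", "anon_root": ""}
ANON_WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")

def parse_conf(text):
    """Parse option=value lines; later lines override, '#' starts a comment."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def within(path, root):
    """True if path equals root or lies beneath it (lexical check only)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.commonpath([path, root]) == root

def audit(conf_text, web_roots):
    """Return findings for anonymous FTP exposure; web_roots are absolute paths."""
    o = parse_conf(conf_text)
    on = lambda k: o[k].upper() == "YES"
    if not on("anonymous_enable"):
        return []
    findings = ["anonymous login enabled"]
    writable = on("write_enable") and any(on(k) for k in ANON_WRITE_OPTS)
    if writable:
        findings.append("anonymous account can write")
    root = o["anon_root"]  # empty means the ftp user's home; not resolved here
    shared = [w for w in web_roots if root and (within(root, w) or within(w, root))]
    if shared:
        findings.append("anon_root overlaps web root " + ", ".join(shared))
        if writable:
            findings.append("CRITICAL: anonymous uploads land in a web-served directory")
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/uploads
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["/var/www/html"]):
        print(finding)
```

The path comparison is lexical, so symlinks, bind mounts and web server aliases that map the FTP directory into the site need to be checked separately.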