Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers how to use a backdoor to access a File Transfer Protocol (FTP) server. Participants learn step by step commands in accessing an FTP server.

Video Transcription

00:04
all right. We also saw that we have very secure FTP 2.3 point four, which was at one point subject to a backdoor. Said someone broke into the repositories for very secure ftp d under place the source with
00:22
a little something extra. It was found on put back. But if you did install during that short time period where it was back toward you could end up with
00:34
short aside, pre owned,
00:36
um,
00:37
code. So we aren't entirely sure just from the version, because there wasn't a virgin number change before, after
00:44
the back door was put in, but are necessary. Seemed to think that it was there, and there's really no reason not to try it.
00:53
We look at the block post about it where it goes through the source count.
00:57
All it's gonna do is if there's a smiley face in the user name,
01:02
it will spawn a back door. So if it doesn't work, what will happen is that you'll just get a bad log in error and the FDP sugar will go on as usual. There's no reason not to try it,
01:14
so I want to you ftp
01:17
to our linear system.
01:21
Georgia smiley face
01:23
the smiley face being the key. And it doesn't want of power and always put in any password.
01:27
And it appears toe hang. Our FTP server doesn't do anything. We opened up another terminal,
01:36
and in the information about this, it said that its bones a Schellas route
01:42
on Fort 6200 TCP.
01:45
So we didn't get anything that said it couldn't connect. But we don't get a prompt either one of you who am I
01:52
route. Well, that was easy.
01:55
Um, so what? My cat out at sea
01:57
shadow,
02:00
I actually added a ton of extra accounts. As you can see, I'm the one that you can download. Just has the Georgia
02:10
user.
02:13
But I added a ton of other ones for our password section, and you could do the same.
02:19
Put in a lot of user names and passwords into it,
02:24
and we'll see if we can crack some of these in the next section will
02:29
do the same thing with windows.
02:35
All right, so this would be good information to save for later.
02:43
Get Georgia as well.
02:45
Used these in the password section
02:47
on exit out of here.
02:52
No, we're
03:04
Posner password.
03:07
That's odd.
03:15
notice like this one here,
03:20
there's Ah, one at the beginning are the rest of these Have a sick. So maybe they're using different algorithms. That might be something
03:27
you wanna check out when we do our password attacks.
03:38
So that was pretty easier. Well, it's also a medicine flight module fist, but our is based on how this works.
03:47
We're not actually gonna do any better
03:53
with this medicine white model. You can try it out if you like.
04:00
We sure payloads on this.
04:03
Actually, the only problem we have is just this command UNIX interact. So all is going to do is connect to that
04:11
6200 port if it's successful.
04:15
So we'll get the exact same thing from this case. Using menace way doesn't even give us
04:19
better option. We could
04:21
once we have root access. Certainly used, like, w gets on and build like an l file
04:30
of our units, my interpreter
04:33
or some other language that
04:36
clinics knows python
04:40
pearl,
04:42
and we could get
04:44
better shell. But we already have root access, and it is
04:48
interactive, so I'm side from not having a prompt. We haven't really lost anything here, so I would say
04:56
this is sufficient. Sir,
04:58
you may run into something like this. I mean, it's possible I have certainly had clients who have been hacked before or thought it would be a good idea to set up some, like, removed administration for themselves. And I leave viene see listening on a non standard port. Or
05:13
worse yet, they download some hack tool, and it's like, Oh, maybe this will let me do all this stuff to it
05:18
on, you know, they just leave it running. It's just kind of a way to remotely control their devices,
05:26
not thinking about the security implications of it.
05:30
I mean, I've certainly been
05:31
guilty of leaving vulnerable software, running around my network of them, doing research on it, or working on new exercises for class and leave vulnerable software and forget about it for a few days just running there. But I always at least try and keep the official machines that don't have any of my
05:50
work stuff on it. So we're not exposing my clients to anything,
05:57
so but you should always look out for things like this. I mean, non centered towards that are listening. Our reserve it working just as easily been some sort of back door from a previous compromise, or
06:11
the user trying to make their life easier

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor