FTP Enumeration Demo

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
All right. More hands on demos here.
00:03
So we're gonna use end map against this host I identified port 21 21 open which is not our default port for FTp. But it's like port 21. So hopefully this will also be an FTP server. You can notice I'm also doing my default S VSc, which I always like to do.
00:19
And you can see those default scripts with the S. C. Flag shows us. Um that FTp is in fact on port 21 21 with a quantum computer server. It's gonna become important here a little bit later. We also see that anonymous logins are allowed and that we have some writable permissions. Now I could do more enumeration with end map scripting engine
00:40
but because I can log in anonymously let's just go ahead and see what we can do from here. So I'm gonna use the FTP client in Cali and I'm going to specify port 21 21 I'm just gonna make my user name anonymous.
00:56
I'll enter whatever password I want.
00:58
And we can see here that we're using binary mode which is the mode we want to use. If you wanted to switch to ask me which I don't recommend. You can type in a ski but let's stick to binary mode.
01:07
So let's see what we can find here. You can do directory, you can do L. S. You can also type help and see what commands are available to you.
01:15
So if I wanted to get something let's say I want to get
01:19
uh index at html. M
01:22
I could type that and we can see that uh that we now have index dot. HTM.
01:29
I can also try to put files on the server. So
01:33
we created that web shell back in SMB I've renamed that web shell to FTp shell.
01:38
So
01:38
not that we're in the web route. Um but let's see if we could just put a file here into,
01:45
let's see where we are. Program files X 86 4 metre shared. Let's see if we can just put a file in here. So put
01:52
uh route
01:53
desktop, FTp Shell,
01:57
we'll name it FTp Shell,
02:00
that S p
02:02
Mhm.
02:04
And we noticed that we got a permissions denied.
02:07
So that's to say perhaps the anonymous user doesn't have the right permissions.
02:10
So let's get out of here.
02:14
And
02:19
so let's do some further enumeration on familiar. And I'm gonna use search split
02:23
for familiar
02:24
and we can see we have a whole bunch of different vulnerabilities here for directory traversal. So maybe we can break out of this uh shared folder and go in enumerate the file system. But let's try to figure out if we have more permissions as as perhaps the admin user. So if you just google
02:45
um default ftp credentials
02:52
should even spell right,
02:53
We can see the account admin as a password of password. So let's try that.
03:00
So we'll go back
03:02
ftp,
03:05
admin
03:07
password.
03:08
And sure enough, we're now logged in as the admin user.
03:12
So let's try to leverage this directory, traversal vulnerability
03:15
and like we could do change directory dot dot and go back a directory. Um Let's try that with directory to see if we can enumerate this uh this windows box
03:25
so we can see here that we did go back and um we can go to users,
03:31
we can go to admin
03:38
and we see that there's a flag here.
03:39
So if we we could try we could try to get this and see if it works
03:46
and we can see that it didn't find it. So let's try to figure out if we can put things on this server now.
03:52
So I told you we have that FTp show which we made before the SMB block. So let's see if I can put
04:01
that file on the is web server. So we're putting
04:09
root desktop,
04:12
FTp shell
04:14
on
04:18
I net
04:20
pub
04:21
dub, dub, dub route
04:26
and we'll just call it ftp shell
04:30
here.
04:33
So it looks like we're able to put that file on there and when one way we can verify it, of course, as we want to get our listener ready.
04:45
So I'm going to set our listener up
04:48
with MSF console
04:51
already setting on my options here.
04:56
You see the payload, the host, the port, just like the SMB module. Now we're just using that same uh same a sp shell.
05:05
So because I put this in the web root as ftp to sp
05:10
let's give that a try.
05:13
So ftp shell dot sp.
05:17
And we see in fact, that that material recession opened
05:23
so we can then interact with that session says info
05:28
and drop into a shell if we want.
05:31
I also want to show you another thing with directory traversal over here, so I can do D. I. R dot dot slash that slash that slash.
05:40
And you might go, well, how do I get program files? Well, we can try quotations and see if that works. But there's also short names and Windows. So what you do is in the first six letters a tilde
05:50
And one. So that should give us program files.
05:57
I should check my math here.
06:00
Six. And there we go. We can see program files. Now, we're gonna say Clint. There's program files. X 86. Well,
06:06
let's try math again here. Program too.
06:11
And now we see program files. X 86. So that's a little trick that you can use, uh, to use short file names on windows hosts when you have something like a directory traversal vulnerability that you're trying to exploit.
06:26
So in summary. Now, we should understand what FTP is used for, and we can now demonstrate how to enumerate FTP.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By