Exploiting Anonymous FTP Access and FTP Brute-force
Disclaimer: This information is for educational purposes only. Make sure to get permission before performing these attacks on a device that does not belong to you.
What is FTP:
File Transfer Protocol (FTP) is, as the name suggests, a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and, as we’ll come on to later, relays commands and data in a very efficient way.
This service can be used to establish a communication channel through the CLI or a GUI to another remote system to transfer files. To learn more about this service, check out this article.
This service can be accessed either with authentication or in guest/anonymous mode. The latter allows you to connect without supplying a “valid” password. A typical nmap scan of systems that have this enabled can be seen below:
Connecting to the machine using the command:
ftp [IP-Remote]
When prompted for a username, enter “anonymous”. Enter any password, as this does not matter:
As you can see above we now have access to the machine. A quick inspection of the commands we can run on the machine:
From the list of commands above, we can use mput to upload files from the local machine to the remote system, and mget to download files from the remote system to the local machine. Depending on how the machine’s administrator configured the connection, uploading files may or may not be possible (for security reasons, obviously).
What can you do with this?
Well, it is possible that the directory you have access to contains files with sensitive information that can help you further enumerate the system, such as text files containing notes left by users to remind them to do something. The possibilities are endless. However, companies now know how dangerous leaving this feature enabled is, and as a result they disable it entirely. If they really need it enabled for whatever reason, they implement settings that bind the user to the directory they connect to and restrict some commands deemed dangerous.
With this in mind, having an FTP connection that allows you to upload files opens a lot of avenues to you, for example, uploading a reverse shell.
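From the administrator's side, the settings mentioned above (anonymous login, anonymous upload, binding users to their directory, restricting commands) can be checked directly in the server configuration. The following is an added example, not part of the original write-up: it assumes the server is vsftpd (the write-up does not name the FTP daemon), and the sample configurations and finding names are constructed for illustration.

```python
# Added example: audit a vsftpd.conf for the risky settings discussed above.
# Assumption: the server is vsftpd; finding names are made up for this example.

# Compiled-in defaults (vsftpd.conf man page), used when an option is absent.
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "write_enable": "NO", "local_enable": "NO",
    "chroot_local_user": "NO", "chroot_list_enable": "NO",
}

def parse_conf(text):
    """Return effective settings: defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def enabled(settings, key):
    # YES/TRUE/1 are treated as "on" here, case-insensitively.
    return settings.get(key, "NO").upper() in ("YES", "TRUE", "1")

def audit(text):
    """Return a list of finding names for one configuration file's text."""
    s, findings = parse_conf(text), []
    if enabled(s, "anonymous_enable"):
        findings.append("anonymous-login")
        # Anonymous uploads need both write_enable and anon_upload_enable.
        if enabled(s, "write_enable") and enabled(s, "anon_upload_enable"):
            findings.append("anonymous-upload")
    if enabled(s, "local_enable"):
        # Without a chroot, a logged-in user can browse outside their home.
        if not (enabled(s, "chroot_local_user") or enabled(s, "chroot_list_enable")):
            findings.append("local-users-not-chrooted")
        if "cmds_allowed" not in s and "cmds_denied" not in s:
            findings.append("no-command-filter")
    return findings

# Constructed sample configurations (not taken from the CTF machine).
WEAK = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nlocal_enable=YES\n"
HARDENED = ("# anonymous access off, users confined, commands filtered\n"
            "anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n"
            "cmds_denied=DELE,RMD,SITE\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, audit(conf))
```

An empty file still reports anonymous-login, because vsftpd's compiled-in default for anonymous_enable is YES and the option has to be turned off explicitly.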
In this CTF, we found a file called PUBLIC_NOTICE.txt. Taking a look at its contents:
As you can see, the note was left by the administrator called mike. As you may have suspected, this information could be used to brute-force ftp, ssh or other services that may be running on the system.
In this case we use it to brute-force FTP to get a session with fewer restrictions. For this we use hydra and a very popular password list, rockyou.txt (comes pre-installed in Kali Linux):
We connect to ftp with the username/password we found:
REMEMBER: This attack will only work if the user has a weak password. This highlights how crucial it is to have good password policies.
With this new session we can upload files:
Thank you for reading this far. Happy hacking and I will see you in the next challenge.