Cheat sheet and tricks for the File Transfer Protocol (FTP).
FTP is insecure as it uses clear text to send credentials. See Telnet for other examples.
Nmap scripts
ls -la /usr/share/nmap/scripts/ftp*nmap -Pn --script "ftp* and not brute" -p 21 $IP -oA nmap-ftpIP=x.x.x.x
WL=/usr/share/wordlists/rockyou.txt
USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
nmap -Pn --script ftp-brute -p 21 $IP --script-args userdb=${USERS},passdb=$WL -oA nmap-ftp-bruteDirectory Traversal
See this exploit for common paths.
dir ./../../../../../../../../FileZilla
filezillaDownload all files locally and search for interesting information.
grep -Ril "flag" .
grep -Ri "password" .
grep -Ri "key" .
grep -Ri "sessionkey" .
grep -Ri "admin" .FTP Client
TIP: When having problems with “Entering Passive Mode”, type “pass” or “passive” quickly after entering the user’s password.
Installation
sudo apt install ftpConnect to ftp server (port 21)
ftp $IPftp anonymous@${IP}ftp anonymous@${IP} 21# Anonymous (guest)
ftp $IP
Name: anonymous
Password: (enter password, try anonymous, or just press Enter without providing a password)Login
user myuser1Help / Display available commands
helpPrints the names of the files and subdirectories in the current directory on the remote computer
lsTry to escape the chrooted environment
ls ../../../../../../..//etcChange directory
cd directorycd ..File transfer – ASCII mode
This changes to ascii mode for transferring text files.
asciiFile transfer – Binary mode
This command changes to binary mode for transferring all files that are not text files
binaryFile transfer – Download files
Warning: If there already is a file on the local computer with the same name, it is overwritten.
This downloads the file passwd from the remote computer to the local computer.
get <file on FTP server> <file on client machine>get /etc/passwd /home/kali/passwd# Downloads all files that end with ".jpg"
mget *.jpgFile transfer – Upload files
Warning: If there already is a file on the remote computer with the same name, it is overwritten.
Uploads the file test.txt from the local computer to the remote computer.
put <file on client machine> <file on FTP server>put /home/kali/test.txt test.txt# Uploads all the files that end with ".jpg"
mput *.jpgDelete files
# Deletes all files that end with ".jpg"
mdelete *.jpgInteractive mode
Turns interactive mode on or off so that commands on multiple files are executed without user confirmation.
promptExit the ftp client
quitNon-interactive mode – Windows
To confirm 😉
ftp.txt
open x.x.x.x 21
username
password
ftp@ftp.com
dir
byeRun FTP commands from ftp.txt
type ftp.txtftp -s:ftp.txtNon-interactive mode – Linux
The FTP command shell on Linux does not have the “-s” option. Build a shell script to execute the FTP commands.
ftp.sh
#!/bin/bash
ftp -n x.x.x.x <<END_SCRIPT
quote USER myusername
quote PASS mypassword
prompt
dir
bye
END_SCRIPTchmod u+x ftp.sh
./ftp.shFTP Server
Python
pip install pyftpdlibUsing the anonymous user
python -m pyftpdlib -p 21 -wftp anonymous@x.x.x.xftp.py – authenticated
#!/usr/bin/python
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer
authorizer = DummyAuthorizer()
authorizer.add_user("ftpuser", "<PASSWORD>", "/home/ftpuser", perm="elradfmwMT")
handler = FTPHandler
handler.authorizer = authorizer
server = FTPServer(("127.0.0.1", 21), handler)
server.serve_forever()mkdir /home/ftpuser
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /home/ftpuser -s /etc ftpuser
chown ftpuser: ftpuser
./ftp.pyftp ftpuser@127.0.0.1
<PASSWORD>Pure-FTPd
Installation
sudo apt install pure-ftpdConfiguration
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo pure-pw useradd pureuser -u ftpuser -d /ftphome
sudo pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s ../conf/PureDB 60pdb
sudo mkdir -p /ftphome
sudo chown -R ftpuser:ftpgroup /ftphome/
sudo systemctl restart pure-ftpdUncomment this line in /etc/pure-ftpd/pure-ftpd.conf
UnixAuthentication yes