FTP

FTP

File Transfer Protocol: Runs on app layer of TCP/IP stack: Same as HTTP/POP

• Connects through two channels: Client/server establishes control through port 21

  • Client sends cmds to server: Server returns status codes

  • Both participants can establish a data channel on port 20

Channel used exclusively for data transmission

• If a connection is broken, it's resumed after it's re-established

Active

Client establishes connection: Informs server which client-side port it can transmit responses to

• If a firewall exists: The server can't reply since external connections are blocked

Passive

Server announces a port through which the client establishes a data channel

• Since the client initiates the connection, the firewall doesn't block it

• Diff cmds/status codes: List can be found here

• Clear-text: Anonymous logins

TFTP

Trivial FTP: Simpler: Performs xfers bet client/server processes

• Doesn't provide user auth

• FTP uses TCP

• TFTP uses UDP

FTP Commands

connect # sets remote host, port for file xfers
get # xfers file/set of files from remot to local 
put # xfers file/set of files from local to remote
status # shows current status (ascii or bin), time-out val
verbose # displays additional info during file xfer

/etc/ftpusers # used to deny users access 

#anonymous Login
ftp 10.10.10.1
ftp> status
ftp> debug 
ftp> trace # packet tracing on

vsFTPd

/etc/vsftpd.conf # location
cat /etc/vsftpd.conf | grep -v "#"

listen=NO # run from inetd or standalone daemon
anonymous_enable=NO # enable anon access
local_enable=YES # allow local user login
dirmessage_enable=YES # AD messages when usrs go into certain dirs
xferlog_enable=YES # logging of uploads/downloads
secure_chroot_dir=/var/run/vsftpd/empty # name of empty dir
pam_service_name=vsftpd # name of PAM service vsftpd will use
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem  
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

TFTP

dirmessage_enable=YES # show msg when entering a new dir
chown_uploads=YES # change ownership of anon file uplaod
cown_username=username # usr ownership of uploaded anon files
local_enable=Yes # local usr login
chroot_local_usr=YES # put local usrs into home dir
chroot_list_enable=YES # list local usrs placed in home dir
hide_ids=YES # all usr/group info in dir listings displayed as 'ftp'
ls_recurse_enable=YES #recursive listings

hide_ids=YES UID/GUID of the service will be overwritten

• More difficult to ID which file rights are written/uploaded

• Allows us to use LFI vulns to make hosts exec cmds: view, download, inspect

  • Attacks possible with logs, leading to RCE

ftp> get Notes.txt # download a file 
ftp > put testupload.txt # upload a file
wget -m --no-passive ftp://anon:anon@10.10.10.1 #download all files

tree . # heirarchical file structure listed
.
└── 10.10.10.1
    ├── Folder
    │   └── SubFolder
    │       ├── Text.txt 
    │       ├── WordFile.docx
    │       └── Presentation.pptx
    └── AnotherFile.txt

sudo nmap --script-updatedb

# nmap script trace (scan history against a service, with timeouts)
sudo nmap -sV -p21 -sC -A 10.129.14.136 --script-trace

# if server runs tls/ssl openssl instead
openssl s_client -connect 10.10.10.1:21 -starttls ftp

find / -type f -name ftp* 2>/dev/null | grep scripts # find nse scripts
ls /usr/share/nmap/scripts | grep ftp # find nse scripts

ftp-syst.nse
ftp-libopie.nse
ftp-anon.nse
ftp-brute.nse

ftp-syst: executes STAT, which displays server status

# banner grab
nc -nv 10.129.14.136 21
telnet 10.129.14.136 21