07 Apr, 2023

File Transfer Protocol (FTP)

FTP stands for “File Transfer Protocol”. It is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the internet. FTP allows users to upload and download files from a remote server, making it a popular method for publishing content on websites or sharing files between computers. FTP is also used in automated processes, such as software updates and backups. It can be accessed using various FTP clients and is supported by most operating systems.

FTP common ports

Port 21: This is the default port for FTP and is used for control commands.

Port 20: This is used for data transfer in active mode.

Port 990: This is the default port for FTPS (FTP over SSL/TLS) and is used for secure FTP.

Port 989: This is used for data transfer in secure FTP (FTPS) in active mode.

Port 22: This is used for SFTP (Secure File Transfer Protocol) over SSH (Secure Shell).

Standard connection client

ftp 137.30.243.241

69.55.75.122

use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set rhosts 192.168.0.106
msf auxiliary(anonymous) > exploit

Recon or non-standard commands

auxiliary/scanner/ftp/anonymous

auxiliary/scanner/ftp/ftp_version

nmap 69.55.75.122 -p21 --script=ftp-syst

Null session connection

ftp -n -v 137.30.243.241

Default passwords list

Usernames: https://drive.google.com/open?id=1fQkr4ieHDEwxeJ_a9YRLsCBXWTASO9u_

Passwords: https://drive.google.com/open?id=1j31h_D0Td9oWB15k39DzwMEGfXjWoZrb 

Bruteforce connection

use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts 192.168.01.106
msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt
msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(ftp_login) > set stop_on_success false
msf auxiliary(ftp_login) > exploit

Tools for using the FTP protocol

Manual Tools:

  • FileZilla: A popular FTP client used for manual testing. It allows users to transfer files between a local computer and a server via FTP, SFTP or FTPS.

  • WinSCP: Another popular FTP client that supports SSH and SFTP protocols.

  • Cyberduck: An open-source FTP client for Mac and Windows that supports FTP, SFTP, WebDAV, and Amazon S3 protocols.

  • PuTTY: A free and open-source terminal emulator, serial console, and network file transfer application.

  • FireFTP: A free, cross-platform FTP client for Mozilla Firefox.

  • CuteFTP: A Windows-based FTP client that supports FTP, SFTP, and FTPS protocols.

  • Core FTP: A Windows-based FTP client that supports FTP, SFTP, and FTPS protocols.

  • Transmit: A Mac-based FTP client that supports FTP, SFTP, and WebDAV protocols.

Automated Tools:

  • JMeter: A Java-based tool used for load testing, performance testing, and functional testing of web applications that support FTP.

  • LoadRunner: A performance testing tool used to test FTP servers and other systems.

  • NeoLoad: A performance testing tool that supports FTP testing and other protocols.

  • SoapUI: An open-source web service testing tool that supports FTP testing.

  • TestComplete: A commercial testing tool that supports FTP testing.

  • Selenium: An open-source automated testing tool that supports FTP testing.

  • Appium: An open-source mobile application testing tool that supports FTP testing.

  • Robot Framework: A generic test automation framework that supports FTP testing and other protocols.

Browser Plugins:

  • FireFTP: A free, cross-platform FTP client for Mozilla Firefox.

  • SFTPDrive: A Windows-based utility that allows users to map SFTP and FTP servers as a Windows network drive.

  • WebDrive: A Windows-based utility that allows users to map FTP, SFTP, WebDAV, and Amazon S3 servers as a Windows network drive.

  • Cyberduck: A browser extension for Google Chrome that allows users to transfer files between a local computer and a server via FTP, SFTP, WebDAV, and Amazon S3 protocols.

  • FTPGetter: A browser extension for Google Chrome that allows users to automate FTP and SFTP transfers.

Run exploits

https://www.exploit-db.com/exploits/32798

exploit/unix/ftp/proftpd_modcopy_exec

exploit/unix/ftp/proftpd_133c_backdoor

exploit/windows/ftp/freeftpd_pass

Last five known CVEs for FTP

• CVE-2023-27535: An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. 

• CVE-2023-24042: A race condition in LightFTP through 2.2 allows an attacker to achieve path traversal via a malformed FTP request. A handler thread can use an overwritten context->FileName. 

• CVE-2023-24029: In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows. 

• CVE-2023-22551: The FTP (aka “Implementation of a simple FTP client and server”) project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.

• CVE-2023-0457: Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U(C) CPU modules all models all versions, FX5UJ CPU modules all models all versions, FX5S CPU modules all models all versions, FX5-ENET all versions and FX5-ENET/IP all versions allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server. 

Useful information

– Uses two channels: a data channel and a control channel. The control channel is used for sending commands, while the data channel is used for transferring files.

– Insecure protocol, as it does not encrypt the data being transferred. FTPS and SFTP are two more secure alternatives to FTP.

– Servers typically listen on port 21, while FTP clients can connect to the server on port 21 or 20.

– Supports various commands, such as LIST (to list the files on the server), GET (to download a file from the server), PUT (to upload a file to the server), and more.

– Anonymous FTP allows users to access a server without providing a username and password, which can be useful for downloading public files.

– Servers can be configured to limit access to certain directories or files, as well as to limit the number of concurrent connections.

– Bounce attack is a type of attack where an attacker uses the FTP server to attack a third-party system by bouncing the connection off the server.

– Brute force attacks involve trying a large number of username and password combinations in order to gain unauthorized access to the FTP server.

– Vulnerable to attacks such as packet sniffing, man-in-the-middle attacks, and FTP bounce attacks.

– Logs can be useful for detecting unauthorized access attempts or suspicious activity on the server.

Known banners

“220 ProFTPD” – ProFTPD FTP server

“220 vsFTPd” – vsFTPd FTP server

“220 FileZilla Server” – FileZilla FTP server

“220 Serv-U FTP Server” – Serv-U FTP server

“220 Microsoft FTP Service” – Microsoft IIS FTP server

Books for studying the File Transfer Protocol (FTP)

FTP: File Transfer Protocol by Santosh Kulkarni: This book provides an in-depth introduction to FTP and covers topics such as FTP commands, modes, and security.

TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens: This classic book covers a wide range of Internet protocols, including FTP, and provides a detailed look at their operation.

Practical UNIX and Internet Security by Simson Garfinkel and Gene Spafford: This book covers a variety of security topics related to UNIX and the Internet, including FTP security.

Beginning PHP and MySQL: From Novice to Professional by W. Jason Gilmore: This book covers the basics of using FTP with PHP and MySQL to build web applications.

Network Security with OpenSSL: Cryptography for Secure Communications by John Viega, Matt Messier, and Pravir Chandra: This book covers a wide range of security topics, including FTPS, and provides practical guidance on using OpenSSL to secure network communications.

The Complete Reference: FTP by Vivek Gite: This comprehensive reference book covers all aspects of FTP, including commands, modes, and security.

Implementing SSH: Strategies for Optimizing the Secure Shell by Himanshu Dwivedi: This book covers the Secure Shell (SSH) protocol and its use with FTP, providing guidance on securing FTP connections using SSH.

Mastering FTP: Complete Series by Alexzander Anthony: This series of books provides a comprehensive guide to FTP, including its operation, security, and best practices.

Web Application Defender’s Cookbook: Battling Hackers and Protecting Users by Ryan C. Barnett: This book provides practical guidance on securing web applications, including using FTP securely.

TCP/IP Sockets in C: Practical Guide for Programmers by Michael J. Donahoo and Kenneth L. Calvert: This book provides a practical guide to using TCP/IP sockets, including using FTP in a C programming environment.

List of payloads for the File Transfer Protocol (FTP)

  • Command injection: This involves injecting malicious commands into the FTP server that can be executed on the server-side, allowing an attacker to execute arbitrary commands and gain unauthorized access.

  • File upload: This involves uploading a malicious file to the FTP server, which can then be executed to gain unauthorized access or cause damage to the server or other systems.

  • Directory traversal: This involves manipulating the file path to access files and directories outside of the FTP root directory, allowing an attacker to access sensitive files or directories on the server.

  • Brute force attacks: This involves trying a large number of username/password combinations in an attempt to gain unauthorized access to the FTP server.

  • FTP bounce attacks: This involves using the FTP server as a proxy to conduct attacks on other systems, such as port scanning or sending malicious payloads.

  • Packet sniffing: This involves intercepting FTP traffic to capture sensitive information such as usernames and passwords or data being transferred.
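The FTP bounce attack described above works because an active-mode PORT command lets the client name any address and port for the data connection. The following is an added example, not code from this page or from any particular FTP server: a server-side check that accepts a PORT argument only when it points back at the control-connection peer and at a non-privileged port, as RFC 2577 recommends. The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); raise ValueError if malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field larger than 255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def check_port_command(arg, control_peer_ip, min_port=1024):
    """Return (accepted, reason) for a PORT argument on one control connection."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # Rule 1: data connections may only go back to the control-connection peer.
    if ip != ipaddress.ip_address(control_peer_ip):
        return False, f"target {ip} is not the control peer {control_peer_ip}"
    # Rule 2: never open a data connection to a privileged service port.
    if port < min_port:
        return False, f"port {port} is below {min_port}"
    return True, f"{ip}:{port}"

# Constructed cases; all addresses come from documentation ranges.
CASES = [
    ("198,51,100,7,195,80", "198.51.100.7"),  # client's own address, high port
    ("203,0,113,9,0,25", "198.51.100.7"),     # third-party host: bounce attempt
    ("198,51,100,7,0,22", "198.51.100.7"),    # own address but privileged port
    ("198,51,100,7,195", "198.51.100.7"),     # truncated argument
]

if __name__ == "__main__":
    for arg, peer in CASES:
        print(arg, "->", check_port_command(arg, peer))
```
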

Mitigation

  1. Whenever possible, use secure versions of FTP such as SFTP (Secure File Transfer Protocol) or FTPS (FTP over SSL/TLS) to encrypt data and authenticate users.

  2. Restrict access to the FTP server by implementing strong access controls, such as limiting the number of users who have access to the server and using strong passwords.

  3. Use firewalls to monitor and control FTP traffic to and from the server, and block unauthorized access attempts.

  4. Regularly update and patch FTP server software to ensure that it is secure and free of known vulnerabilities.

  5. Implement intrusion detection and prevention systems (IDPS) to detect and block malicious activity, such as command injections or file uploads.

  6. Use monitoring tools to track FTP activity and identify suspicious behavior or unauthorized access attempts.

  7. Provide training and awareness programs for users to help them understand the risks associated with FTP and how to use it securely.
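Item 6, together with the earlier notes on logs and brute force attacks, comes down to reading the server's login records. The following is an added example, not code from this page: it flags repeated failed logins from one client, a successful login from a client already flagged, and anonymous logins. The log lines are constructed in the style of vsftpd's log, and the threshold, window and the `ftp`/`anonymous` account names are assumptions to adapt to your server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of vsftpd's log; documentation-range addresses.
SAMPLE_LOG = """\
Mon Apr 17 10:00:01 2023 [pid 101] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Apr 17 10:00:03 2023 [pid 102] [root] FAIL LOGIN: Client "203.0.113.9"
Mon Apr 17 10:00:05 2023 [pid 103] [admin] FAIL LOGIN: Client "203.0.113.9"
Mon Apr 17 10:00:07 2023 [pid 104] [ftpuser] FAIL LOGIN: Client "203.0.113.9"
Mon Apr 17 10:00:09 2023 [pid 105] [backup] FAIL LOGIN: Client "203.0.113.9"
Mon Apr 17 10:00:12 2023 [pid 106] [backup] OK LOGIN: Client "203.0.113.9"
Mon Apr 17 10:03:40 2023 [pid 107] [alice] FAIL LOGIN: Client "192.0.2.44"
Mon Apr 17 10:03:52 2023 [pid 108] [alice] OK LOGIN: Client "192.0.2.44"
Mon Apr 17 10:05:00 2023 [pid 109] [ftp] OK LOGIN: Client "198.51.100.20", anon password "guest@example.org"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse(log):
    """Yield (timestamp, user, result, client_ip) for every login record."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["result"], m["ip"]

def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, client_ip, user named in the triggering line)."""
    alerts, flagged = [], set()
    fails = defaultdict(list)  # client ip -> failure times inside the window
    for ts, user, result, ip in sorted(events):
        if result == "FAIL":
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
            if len(fails[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
        else:
            if ip in flagged:  # a success after a burst of failures
                alerts.append(("login_after_bruteforce", ip, user))
            if user.lower() in ("anonymous", "ftp"):
                alerts.append(("anonymous_login", ip, user))
    return alerts

ALERTS = detect(parse(SAMPLE_LOG))
```

The single mistyped password from 192.0.2.44 followed by a success stays below the threshold and raises no alert, which is the behaviour that keeps this kind of rule usable on a busy server.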

Conclusion

FTP (File Transfer Protocol) is a widely used protocol for transferring files over a network, but it comes with security risks that can be exploited by attackers. To mitigate these risks, organizations should implement best practices such as using secure protocols, limiting access, implementing firewalls and IDPS, and monitoring FTP activity. Regular software updates, user training, and awareness programs can also help to reduce the risk of exploitation and improve overall security.
