# **Basic Information**
According to [HTB Academy](https://academy.hackthebox.com/module/112/section/1066):
>In an FTP connection, two channels are opened. First, the client and server establish a control channel through TCP port 21. The client sends commands to the server, and the server returns status codes. Then both communication participants can establish the data channel via TCP port 20. This channel is used exclusively for data transmission, and the protocol watches for errors during this process. If a connection is broken off during transmission, the transport can be resumed after re-established contact.
>
>A distinction is made between active and passive FTP. In the active variant, the client establishes the connection as described via TCP port 21 and thus informs the server via which client-side port the server can transmit its responses. However, if a firewall protects the client, the server cannot reply because all external connections are blocked. For this purpose, the passive mode has been developed. Here, the server announces a port through which the client can establish the data channel. Since the client initiates the connection in this method, the firewall does not block the transfer.
## vsFTPd
```bash
# install vsFTPd
sudo apt install vsftpd
# view configuration file
cat /etc/vsftpd.conf | grep -v "#"
# view list of users who CANNOT access FTP server
cat /etc/ftpusers
```
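To review the same file from the defender's side, the script below flags the settings behind the anonymous-login, upload and TLS checks in the Enumeration section. It is an added example, not part of the original notes or the HTB Academy material. Option names and upstream defaults follow `vsftpd.conf(5)`; the function names, severity labels and sample config are constructed for illustration, and treating `YES`/`TRUE`/`1` as enabled is an assumption about vsftpd's parser.

```bash
#!/bin/sh
# Added example (not from the original notes): flag vsftpd.conf settings behind
# the checks listed under Enumeration. Option names and defaults follow
# vsftpd.conf(5); the severity labels are this example's own choice.
audit_vsftpd_conf() {   # $1 = path to a vsftpd.conf; prints one finding per line
    awk '
    # YES/TRUE/1 are treated as enabled (assumption about the vsftpd parser)
    function on(k) { return opt[k] ~ /^(YES|TRUE|1)$/ }
    BEGIN {   # upstream defaults, used when an option is absent from the file
        opt["anonymous_enable"] = "YES"; opt["write_enable"] = "NO"
        opt["anon_upload_enable"] = "NO"; opt["anon_mkdir_write_enable"] = "NO"
        opt["ssl_enable"] = "NO"
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0; sub(/[ \t\r]+$/, "", line)
        i = index(line, "="); if (i == 0) next
        opt[substr(line, 1, i - 1)] = toupper(substr(line, i + 1))
    }
    END {
        if (on("anonymous_enable")) {
            print "HIGH anonymous_enable: anonymous login is allowed"
            if (on("write_enable") && on("anon_upload_enable"))
                print "HIGH anon_upload_enable: anonymous users can upload files"
            if (on("write_enable") && on("anon_mkdir_write_enable"))
                print "HIGH anon_mkdir_write_enable: anonymous users can create directories"
        }
        if (on("write_enable"))
            print "INFO write_enable: uploads possible, keep the FTP root out of any web root"
        if (!on("ssl_enable"))
            print "MED  ssl_enable: TLS is off, logins and data travel in cleartext"
    }' "$1"
}

write_sample_conf() {   # constructed sample config, not taken from a real host
    cat > "$1" <<'EOF'
# constructed example
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
#ssl_enable=YES
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_vsftpd_conf "$sample"
rm -f "$sample"
```

On a real host, call `audit_vsftpd_conf /etc/vsftpd.conf`; an empty file still reports anonymous login because that is the upstream default when the option is absent.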
# **Enumeration**
- Always check if the `anonymous` user is enabled
- If directory listings show usernames, take note. This information can be used for potential brute force attacks
- If file uploads are possible, this can be abused to get code execution
  - For example, a web server synchronizes with an FTP server. Thus uploading a web shell on the FTP server will grant access to the web server
- If the FTP server is configured to use TLS/SSL encryption, it is possible to get an email and hostname from the certificate
## **Scanning**
```bash
# display NSE scripts
find / -type f -name 'ftp*' 2>/dev/null | grep scripts
# use default NSE script(s)
sudo nmap -sV -p21 -sC -A <target_ip>
# trace progress of scripts
sudo nmap -sV -p21 -sC -A --script-trace <target_ip>
# interact with service
nc -nv <target_ip> <target_port>
telnet <target_ip> <target_port>
# if TLS/SSL encryption is enabled
openssl s_client -connect <target_ip>:<target_port> -starttls ftp
```
## **FTP Commands**
```bash
# connect to FTP server
# check if the anonymous user is enabled
ftp <target_ip>
# connect in passive mode, can aid in bypassing firewalls
# check if the anonymous user is enabled
ftp -p <target_ip> <target_port>
# display the server's settings
status
# display additional information
debug
trace
# list files
ls
ls -latr
# list files recursively
ls -R
# grab a file
get <some_file>
# grab all files and view locally
wget -m --no-passive ftp://anonymous:anonymous@<target_ip>
tree .
# upload a file
put <some_file>
```
# **References**
- [HTB Academy](https://academy.hackthebox.com/module/112/section/1066)
- [FTP Return Codes](https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes)
# **Practical Application**
| Platform | Name | Notes |
| -------- | ---- | ----- |
| | | |