Network Services part 5

Understanding FTP

FTP session operates using two channels, command/control and data. The command channel is used for commands and replies, while the data channel transfers data. Functions as a client-server protocol. Comes in Active and Passive connections.

  • Active FTP - Client opens port and listens, server required to actively connect to it.
  • Passive FTP - Server opens port and listens passively, client has to connect to it.

Separate command and data channels allows commands to be sent while data is transferring.

Enumerating FTP

Exploiting an anonymous FTP login to see what files can be accessed, and if they have information that can lead to popping a shell is a common pathway in CTF challenges, and mimics real-life careless FTP server implementations. There is also known exploit in some versions of in.ftpd and some other server variants where they respond to the “cwd” command differently for home directories that exist and those that don’t. This allows tracking down user accounts. Mostly a bug in legacy systems, but worth knowing about. (More reading: https://www.exploit-db.com/exploits/20745)

With FTP connection active, use mget to retrieve remote files.

Exploiting FTP

FTP is unencrypted, so all info can be intercepted and read, including passwords. Task’s exploitation will be of weak or default password configs.

Method

  • Known existence of FTP server
  • Have possible username Can use this to try bruteforcing password, in this case using Hydra. Comes by default in Kali and Parrot, but available from GitHub. Syntax for password cracking: hydra -t 4 -l [user] -P [path] -vV [ip address] ftp.
  • -t 4 - number of parallel connections to target (i.e. 4)
  • -l [user] - user account to attack
  • -P [path] - path to dictionary to use (i.e. rockyou.txt)
  • -vV - set verbosity mode to very verbose (shows user+pass combination for each attempt)
  • [ip address] - target IP
  • ftp - sets protocol (isn’t limited to FTP)

The Task

Crack the password and log in to get the flag.

Expanding Your Knowledge

Reccommended reading

  • https://medium.com/@gregIT/exploiting-simple-network-services-in-ctfs-ec8735be5eef
  • https://attack.mitre.org/techniques/T1210/
  • https://www.nextgov.com/cybersecurity/2019/10/nsa-warns-vulnerabilities-multiple-vpn-services/160456/

Tomorrow starts Network Services 2