Pentest of an FTP Server

Here you can find a few steps for FTP penetration testing: a small reconnaissance together with the possible attack types. All this to get connected to the server and gain access to secret data… nah, it is all to learn how to test FTP server security and be able to secure it properly. This is why at the end of this article I give some tips on how to protect your FTP server against the attacks described below.


Scanning

Start by searching for an FTP server. Use nmap and perform one of these scans:

Quick scan plus

nmap -sV -T4 -O -F --version-light 192.168.1.10

or

Intense scan

nmap -T4 -A -v 192.168.1.10

Example of positive output:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)

Anonymous access

Try to log in with the anonymous account and an empty password. You can also check the standard FTP logins and passwords, e.g. login: anonymous, password: anonymous. You can automate this using the ready-made lists from the SecLists package (in Kali Linux you can simply install it with the command apt -y install seclists) and the tool THC-Hydra.

The command for Hydra is:

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://192.168.1.10

Example of positive results:

[STATUS] 32.00 tries/min, 64 tries in 00:02h, 35 to do in 00:02h, 16 active
[21][ftp] host: 192.168.1.10 login: ftp password: test
[21][ftp] host: 192.168.1.10 login: ftp password: ftp
[21][ftp] host: 192.168.1.10 login: anonymous password: anonymous
1 of 1 target successfully completed, 3 valid passwords found

Metasploit can also check for anonymous access, so if you have a long list of FTP servers you do not need to test them manually one by one:

use auxiliary/scanner/ftp/anonymous
set rhosts 192.168.1.10
exploit

Enumeration

Nmap and Metasploit can also check the FTP server version.

In Nmap:

nmap -p 21 -sV 192.168.1.10

In Metasploit:

use auxiliary/scanner/ftp/ftp_version
set rhosts 192.168.1.10
exploit

Sometimes the version is hidden, but if we are lucky we get the software version and can look for an exploit or another bug that can be used to access the FTP server. This type of action is called banner grabbing.

Sniffing

Another option is sniffing. If we are on the same network we can use Wireshark and sniff for the password. FTP clients authenticate with a clear-text sign-in for username and password, so if we capture the packets we can easily extract the login and password.

Example of captured traffic:

220-
220 6bone.informatik.uni-leipzig.de FTP server (NetBSD-ftpd 20041119) ready.
USER anonymous
331 Guest login ok, type your name as password.
PASS IEUser@
230 Guest login ok, access restrictions apply.
opts utf8 on
502 Unknown command 'utf8'.
syst
215 UNIX Type: L8 Version: NetBSD-ftpd 20041119
site help
214-

You can download the captured traffic example and open it in Wireshark to do your own analysis.
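The capture above shows everything an eavesdropper gets from a cleartext FTP session: the banner and version from the Enumeration section, and the USER/PASS pair from this section. The script below is an added example (my own, not part of the original article) that walks such a control-channel stream, as exported from Wireshark's "Follow TCP Stream", and records what leaked. It is meant for checking your own captures: if the parser finds a credential pair, that server still accepts cleartext logins. The sample stream is constructed from the exchange printed above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the cleartext control-channel exchange from the article,
# one line per client command or server reply, as "Follow TCP Stream" exports it.
SAMPLE_STREAM = """\
220-
220 6bone.informatik.uni-leipzig.de FTP server (NetBSD-ftpd 20041119) ready.
USER anonymous
331 Guest login ok, type your name as password.
PASS IEUser@
230 Guest login ok, access restrictions apply.
opts utf8 on
502 Unknown command 'utf8'.
syst
215 UNIX Type: L8 Version: NetBSD-ftpd 20041119
site help
214-
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")    # server reply: code, ' ' or '-' (multi-line), text
VERSION_RE = re.compile(r"Version:\s*(.+)$")     # "Version: ..." inside a 215 SYST reply
BANNER_VERSION_RE = re.compile(r"\(([^()]+)\)")  # "(NetBSD-ftpd 20041119)" inside the 220 greeting


@dataclass
class FtpFindings:
    banner: Optional[str] = None     # text of the final 220 greeting line
    version: Optional[str] = None    # server software/version, if the server revealed it
    # (username, password, login accepted) for every USER/PASS pair sent in clear
    credentials: List[Tuple[str, str, bool]] = field(default_factory=list)
    tls_requested: bool = False      # client sent AUTH TLS/SSL, i.e. FTPS was negotiated


def analyse_control_stream(text: str) -> FtpFindings:
    """Walk a captured FTP control-channel stream and record what an eavesdropper learns."""
    findings = FtpFindings()
    pending_user: Optional[str] = None
    pending_pass: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        m = REPLY_RE.match(line)
        if m:
            code, sep, msg = m.groups()
            if code == "220" and sep == " " and msg:
                findings.banner = msg
                bm = BANNER_VERSION_RE.search(msg)
                if bm and findings.version is None:
                    findings.version = bm.group(1)
            elif code == "215":
                vm = VERSION_RE.search(msg)
                if vm:
                    findings.version = vm.group(1).strip()
            elif code in ("230", "530") and pending_user is not None:
                # 230 = logged in, 530 = rejected; either way the secret crossed the wire
                findings.credentials.append((pending_user, pending_pass or "", code == "230"))
                pending_user = pending_pass = None
            continue
        # Client commands are case-insensitive (RFC 959), hence the upper().
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            findings.tls_requested = True
        elif cmd == "USER":
            pending_user, pending_pass = arg, None
        elif cmd == "PASS":
            pending_pass = arg
    return findings


if __name__ == "__main__":
    f = analyse_control_stream(SAMPLE_STREAM)
    print("banner :", f.banner)
    print("version:", f.version)
    for user, password, ok in f.credentials:
        print(f"cleartext credential: {user}:{password} ({'accepted' if ok else 'rejected'})")
```

On a session that negotiated FTPS the stream contains only the greeting and AUTH TLS before turning into ciphertext, so the parser reports tls_requested and no credentials; that is the result you want to see for your own servers after the hardening steps at the end of the article.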

Brute force

Here is an example of how to run a brute-force attack on an FTP server using Metasploit.

use auxiliary/scanner/ftp/ftp_login
set rhosts 192.168.1.10
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
set stop_on_success true
exploit

You can use the user and password lists provided with Kali Linux or SecLists.
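On the server side, a run of ftp_login like the one above shows up as a burst of failed logins in the FTP log. The script below is an added example (my own, not from the original article or any tool it mentions) of the lockout logic described in hardening step 4: three wrong passwords for one account within a minute locks the account, five failed connections from one address within a minute blocks the address. The log lines are constructed in the style vsftpd writes to its log; if your daemon logs differently, only LOG_RE needs changing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, List, Tuple

# Constructed sample lines in vsftpd's log style (assumption: your daemon logs
# every login attempt with its result and the client IP; adapt LOG_RE otherwise).
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:00:05 2024 [pid 2102] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:00:09 2024 [pid 2103] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:00:12 2024 [pid 2104] [root] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:00:15 2024 [pid 2105] [ftp] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:00:20 2024 [pid 2106] [bob] OK LOGIN: Client "192.168.1.77"
Mon Mar  4 10:03:00 2024 [pid 2107] [bob] FAIL LOGIN: Client "192.168.1.77"
Mon Mar  4 10:05:00 2024 [pid 2108] [bob] FAIL LOGIN: Client "192.168.1.77"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[0-9.]+)"$'
)

Event = Tuple[datetime, str, str]  # (timestamp, user, client ip)


def parse_failures(log_text: str) -> Iterable[Event]:
    """Yield one event per FAIL LOGIN line; successful logins are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["result"] == "FAIL":
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["user"], m["ip"]


def sliding_window_hits(events: Iterable[Event], key: Callable[[str, str], str],
                        threshold: int, window: timedelta) -> Dict[str, datetime]:
    """Return {key: time at which it first reached `threshold` failures inside `window`}."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    triggered: Dict[str, datetime] = {}
    for ts, user, ip in events:
        k = key(user, ip)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and k not in triggered:
            triggered[k] = ts
    return triggered


def accounts_to_lock(log_text: str, threshold: int = 3,
                     window: timedelta = timedelta(minutes=1)) -> Dict[str, datetime]:
    """Step 4, first rule: N wrong passwords for one account within a minute."""
    return sliding_window_hits(parse_failures(log_text), lambda user, ip: user, threshold, window)


def ips_to_block(log_text: str, threshold: int = 5,
                 window: timedelta = timedelta(minutes=1)) -> Dict[str, datetime]:
    """Step 4, second rule: N failed connections from one address within a minute."""
    return sliding_window_hits(parse_failures(log_text), lambda user, ip: ip, threshold, window)


def ufw_rules(blocked: Dict[str, datetime]) -> List[str]:
    """ufw commands that drop the offending addresses on port 21 (ufw rules have no
    expiry; the 24-hour unban from step 4 is what fail2ban's bantime provides)."""
    return [f"ufw insert 1 deny from {ip} to any port 21 proto tcp" for ip in sorted(blocked)]


if __name__ == "__main__":
    for account, when in accounts_to_lock(SAMPLE_LOG).items():
        print(f"lock account {account} (threshold reached at {when})")
    blocked = ips_to_block(SAMPLE_LOG)
    for ip, when in blocked.items():
        print(f"block {ip} (threshold reached at {when})")
    print("\n".join(ufw_rules(blocked)))
```

In the sample, admin crosses the per-account threshold on the third failure and 192.168.1.50 crosses the per-address threshold on the fifth, while bob's two failures are two minutes apart and never accumulate. The same sliding window is what fail2ban's maxretry/findtime pair implements; the script is useful for tuning those values against your own logs before enabling the jail.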

FTP hardening

Depending on the software you use for your FTP server, the options below may be located in different places and have different names. Go through the steps below and find guides for configuring your specific server software; after every change do not forget to restart your FTP server.

  1. Disable anonymous login. Open your server configuration and do not allow anonymous connections. Only defined users with strong passwords should have access.
  2. Hide the banner. Change the configuration so that the name and version of the software you are using are not shown.
  3. Use an SSL certificate to prevent credential stealing. SSL stands for Secure Sockets Layer, the protocol which provides secure, encrypted communication between server and client; it encrypts the data packets travelling between them. If an attacker sniffs your connection he will not be able to read the captured information, because all of the data will appear as cipher text.
  4. Set a threshold account lockout policy. For example, if within a minute the password is entered incorrectly three times, the account should be locked; or if there are 5 incorrect connections from a given IP address within one minute, block connections from this address for 24 hours. This can be done with firewall rules or software such as ufw, portsentry or fail2ban.
  5. Allow only specific IPs to connect to the FTP server. Create a white-list of addresses which can connect to the FTP server and block connections from other locations.
  6. You can also change the default port from 21 to 5021. Vulnerability scanners usually scan the default ports to perform automatic reconnaissance and analyse a possible attack.
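As a concrete instance of steps 1, 2, 3 and 6, here is an added example (my own, not from the article) of a weak and a hardened vsftpd configuration side by side, plus a small audit that reads a vsftpd.conf and reports which of those steps it fails. The assumption is that the server is vsftpd; the directive names (anonymous_enable, ssl_enable, force_local_logins_ssl, ftpd_banner, listen_port) are vsftpd's, other daemons use different ones, and the certificate path is a placeholder. Steps 4 and 5 live in the firewall or fail2ban rather than in this file, so they are not checked here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed vsftpd.conf fragments (assumption: the server is vsftpd).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
ssl_enable=NO
ftpd_banner=Welcome to vsftpd 3.0.3
listen_port=21
"""

HARDENED_CONF = """\
listen=YES
local_enable=YES
# step 1: named users with strong passwords only
anonymous_enable=NO
# step 3: FTPS; refuse logins and data transfers that are not under TLS
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# placeholder path; point this at your own certificate
rsa_cert_file=/etc/ssl/private/ftp.pem
# step 2: no product name or version in the greeting
ftpd_banner=FTP service
# step 6: move off the default port
listen_port=5021
"""


def parse_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is key=value per line; '#' lines are comments, no inline comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(v: Optional[str]) -> bool:
    return v is not None and v.upper() in ("YES", "TRUE", "1")


def is_no(v: Optional[str]) -> bool:
    return v is not None and v.upper() in ("NO", "FALSE", "0")


# (directive, predicate that must hold on its value (None = absent), article step, finding)
CHECKS = [
    ("anonymous_enable", is_no, 1, "anonymous login is enabled or not explicitly disabled"),
    ("ftpd_banner", lambda v: v is not None and not re.search(r"vsftpd|\d", v, re.I), 2,
     "greeting is the default or reveals software name/version"),
    ("ssl_enable", is_yes, 3, "TLS is not enabled"),
    ("force_local_logins_ssl", is_yes, 3, "cleartext logins are still accepted"),
    ("listen_port", lambda v: v is not None and v != "21", 6, "server listens on the default port 21"),
]


def audit(conf: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (step, directive, finding) for every hardening step the config fails."""
    findings = []
    for directive, ok, step, text in CHECKS:
        value = conf.get(directive)
        if not ok(value):
            findings.append((step, directive, f"{text} (current value: {value!r})"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_conf(conf))
        print(f"{name}: {len(findings)} finding(s)")
        for step, directive, text in findings:
            print(f"  step {step} {directive}: {text}")
```

An absent directive is treated as a finding on purpose: vsftpd's built-in defaults differ from the ones in distribution-shipped config files, so a setting that matters should be stated explicitly rather than inherited.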