InfoSec Write-ups

[Beginner Guide] Attacking and Defending FTP Server | PART 1/2

Attack & Defense on FTP Server

In this post, we will learn how an attacker can target an FTP server and what steps an administrator should take to secure it.

This is the first post of the series. Make sure you read the full post for a comprehensive understanding, and if you have any doubts, drop me a note.

Introduction:

Many organizations expose an FTP service to their clients so that they can send over huge files. Later, whether it is a legacy server or the business use of the service is over, the administrator tends to leave the server open, knowingly or unknowingly.

It does not matter whether the FTP server is exposed to the internet or hosted internally; the attack vectors and the defenses are equally important. I am not going to walk you through setting up an FTP server here. Instead, I have already installed vsftpd on my local server, and I will use ftp.exploit-writeup.com as our target machine for the demonstration.

What is FTP? I have never heard of it.

File Transfer Protocol, aka FTP, is one of the popular network protocols used to transfer files between a client and a server. The default port for FTP is 21. We can connect to the FTP service using the nc, telnet, or ftp command.

That being said, let's get started.

Step 1: Port Scanning

The default port for the FTP server is 21.

Attacker: Once the target server is identified, use nmap or any other port scanning tool/technique to find out whether the FTP port is open. The command for port scanning is shown in the image below. If the FTP service is open, we will see the STATE marked as open; if not, it will be closed or filtered.

Port Scanning for FTP service

Defender: If the FTP server is not being used for any reason, I strongly recommend uninstalling the service, or at least disabling or stopping the FTP service so that it is not running.

Stopping the FTP Service

Workaround: If you still cannot do any of the above, I recommend restricting FTP connections to specific IP addresses and changing the port from the default to a random port, so that the attacker has to guess which service is running there.

Step 2: Banner Grabbing

Every installed FTP service has a version, and the server announces it in its banner.

Attacker: Use telnet/nc/ftp to connect to the target server, or any other enumeration technique, to find the FTP version. Here the FTP version is vsFTPd 3.0.3.

Banner Grabbing for FTP Server

Once the version is identified, the attacker can search a public exploit database for known vulnerabilities. If the FTP server is outdated or a 0-day exploit is available for it, one can attack the server with that payload. My personal preference for the database is Exploit-DB. Its CLI version is searchsploit, which can be installed on the attacker's machine. A quick search for vsftpd shows numerous exploits.

Exploit Database for vsftpd

Luckily, for the current server there is no exploit available, but who knows, by the time you read this post one may be available.

Defender: It is never a good idea to expose the service version. It gives the attacker a head start towards an easy exploit. So I highly recommend hiding the FTP banner. To do so, follow the steps below.

  • Find the vsftpd.conf file and edit it.
  • Uncomment ftpd_banner and change the text to anything you want, or leave it blank to hide the version.

Changing FTP banner from vsftpd.conf

Confirming FTP Banner Change

Step 3: Anonymous Login

By default, FTP services are not configured to allow anonymous login, but if the administrator has deliberately enabled it, then any user, including an attacker, can log in to the server.

Attacker: The most common default username is anonymous, with a blank password. We can use the ftp command to log in to the server.

Login to the server using anonymous login

In case this does not work, we can use a public wordlist of FTP usernames and passwords to find a valid combination. Here I am using hydra to brute-force the credentials, which can be time consuming but is effective if the server does not have any kind of protection in place.

Anonymous Credentials Brute force

Defender: Disable anonymous login on the FTP server by editing the FTP configuration file and either commenting out the anonymous_enable line or changing its value from YES to NO.

Commenting on anonymous login
Anonymous login disabled

Step 4: Brute force FTP credentials

Attacker: One way to log in to the FTP server is to brute-force the credentials. If the attacker already knows a valid username by any means, the task is easy: only the password has to be found. Otherwise both have to be brute-forced, which can take a long time before a valid combination turns up. We can use hydra for this; the image below illustrates it.

Using hydra to brute force credentials

Defender: The best way to deal with this issue is to implement Fail2ban. Fail2ban is a popular tool for protecting internet-exposed services from brute-force and automated attacks. It works by analyzing the service logs and using regular expressions to identify malicious client IPs, which it then bans using the system firewall. The image below shows the connection being refused when the attacker tried to brute-force the FTP service.

Fail2Ban on Hydra Bruteforce
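To show what Fail2ban actually does with the vsftpd log, here is an added example (written for this post, not Fail2ban's own code) that applies its maxretry/findtime rule to a few constructed lines in the /var/log/vsftpd.log format; the client addresses are from documentation ranges, not real hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's default log format (/var/log/vsftpd.log);
# the client addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2011] [anonymous] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:02 2024 [pid 2013] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:03 2024 [pid 2015] [ftpuser] OK LOGIN: Client "198.51.100.9"
Mon Mar  4 10:00:04 2024 [pid 2017] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:12:00 2024 [pid 2031] [test] FAIL LOGIN: Client "203.0.113.7"
"""

# Pulls the timestamp, attempted user and client IP out of a failed-login line.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)

def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every FAIL LOGIN line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("user"), m.group("ip")

def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs with at least maxretry failures
    inside one findtime window, the rule a Fail2ban jail applies."""
    recent = defaultdict(deque)
    bans = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; the firewall would drop this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # forget attempts older than the window
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The third failure from 203.0.113.7 at 10:00:04 triggers the ban; the successful login from 198.51.100.9 is never counted.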

Step 5: Sniffing

FTP is a plain-text protocol, which means that anyone intercepting requests on the network can see the content in clear text.

Attacker: Set up Wireshark to sniff the local network; if anyone connects to an FTP server where encryption is not implemented, the attacker can capture the credentials.

Wireshark capture the network traffic for FTP credentials

Defender: SSL/TLS should be implemented to ensure that communication between server and client is encrypted, so that the attacker only sees ciphertext and cannot read it.

Below are the steps to implement SSL/TLS.

  • Generate a self-signed certificate and key:
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
  • Edit the vsftpd.conf file and add the lines below:
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=YES
    ssl_ciphers=HIGH
    rsa_cert_file=/etc/ssl/private/vsftpd.pem
    rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Configuring SSL/TLS on FTP Server

Victim connecting to ftp server

Ciphertext captured on Wireshark
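As an added example (not part of the original post), the Python below audits a vsftpd.conf for the settings this post recommends in Step 2 (banner), Step 3 (anonymous login) and Step 5 (SSL/TLS). It requires an explicit anonymous_enable=NO rather than a commented-out line, because the vsftpd.conf manual lists YES as the compiled-in default; both configurations are constructed samples.

```python
# Constructed samples: WEAK_CONF as the post warns against, HARDENED_CONF with its fixes.
WEAK_CONF = """\
# anonymous_enable=NO
write_enable=YES
"""

HARDENED_CONF = """\
ftpd_banner=Welcome
anonymous_enable=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
"""

# Directives the post tells the defender to set, with the expected value.
REQUIRED = {
    "anonymous_enable": "NO",         # Step 3: no anonymous login
    "ssl_enable": "YES",              # Step 5: encrypt the session
    "force_local_logins_ssl": "YES",  # credentials never cross in clear text
    "force_local_data_ssl": "YES",    # neither do the files
    "allow_anon_ssl": "NO",
    "ssl_sslv2": "NO",                # SSLv2/v3 stay off
    "ssl_sslv3": "NO",
}

def parse_vsftpd_conf(text):
    """Return {directive: value} for active lines; a later line wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line or commented-out directive
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return sorted findings; an empty list means every check passed."""
    conf = parse_vsftpd_conf(text)
    findings = []
    # Step 2: with no ftpd_banner the greeting shows "(vsFTPd <version>)".
    if "ftpd_banner" not in conf:
        findings.append("ftpd_banner unset: version exposed in greeting")
    for key, want in REQUIRED.items():
        got = conf.get(key)
        if got is None or got.upper() != want:
            findings.append(f"{key} should be {want} (found {got})")
    return sorted(findings)
```

Running audit(WEAK_CONF) reports the exposed banner plus all seven missing directives, while audit(HARDENED_CONF) returns an empty list.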

Part 1 ends here. The next part will cover more techniques.

Disclaimer:

This post is only for educational purposes. All views, information, or content expressed herein are my own and do not represent any entity whatsoever with which I have been, am now, or will be affiliated. Methods described and tools listed herein may now be proven dangerous or even illegal. Any action or activity you take based on the information here is strictly at your own risk, and I will not be held responsible for misuse in any form.

DockerHub Link

To try out a demo environment for different vulnerabilities, you can visit our DockerHub repository here https://hub.docker.com/u/pawanjswal

Video Tutorial

Video tutorials for exploiting vulnerabilities are available here https://www.youtube.com/@OpenExploit

Originally published at https://www.openexploit.in
