FTP Enumeration Demo

00:01

All right. More hands on demos here.

00:03

So we're gonna use end map against this host I identified port 21 21 open which is not our default port for FTp. But it's like port 21. So hopefully this will also be an FTP server. You can notice I'm also doing my default S VSc, which I always like to do.

00:19

And you can see those default scripts with the S. C. Flag shows us. Um that FTp is in fact on port 21 21 with a quantum computer server. It's gonna become important here a little bit later. We also see that anonymous logins are allowed and that we have some writable permissions. Now I could do more enumeration with end map scripting engine

00:40

but because I can log in anonymously let's just go ahead and see what we can do from here. So I'm gonna use the FTP client in Cali and I'm going to specify port 21 21 I'm just gonna make my user name anonymous.

00:56

I'll enter whatever password I want.

00:58

And we can see here that we're using binary mode which is the mode we want to use. If you wanted to switch to ask me which I don't recommend. You can type in a ski but let's stick to binary mode.

01:07

So let's see what we can find here. You can do directory, you can do L. S. You can also type help and see what commands are available to you.

01:15

So if I wanted to get something let's say I want to get

01:19

uh index at html. M

01:22

I could type that and we can see that uh that we now have index dot. HTM.

01:29

I can also try to put files on the server. So

01:33

we created that web shell back in SMB I've renamed that web shell to FTp shell.

01:38

So

01:38

not that we're in the web route. Um but let's see if we could just put a file here into,

01:45

let's see where we are. Program files X 86 4 metre shared. Let's see if we can just put a file in here. So put

01:52

uh route

01:53

desktop, FTp Shell,

01:57

we'll name it FTp Shell,

02:00

that S p

02:02

Mhm.

02:04

And we noticed that we got a permissions denied.

02:07

So that's to say perhaps the anonymous user doesn't have the right permissions.

02:10

So let's get out of here.

02:14

And

02:19

so let's do some further enumeration on familiar. And I'm gonna use search split

02:23

for familiar

02:24

and we can see we have a whole bunch of different vulnerabilities here for directory traversal. So maybe we can break out of this uh shared folder and go in enumerate the file system. But let's try to figure out if we have more permissions as as perhaps the admin user. So if you just google

02:45

um default ftp credentials

02:52

should even spell right,

02:53

We can see the account admin as a password of password. So let's try that.

03:00

So we'll go back

03:02

ftp,

03:05

admin

03:07

password.

03:08

And sure enough, we're now logged in as the admin user.

03:12

So let's try to leverage this directory, traversal vulnerability

03:15

and like we could do change directory dot dot and go back a directory. Um Let's try that with directory to see if we can enumerate this uh this windows box

03:25

so we can see here that we did go back and um we can go to users,

03:31

we can go to admin

03:38

and we see that there's a flag here.

03:39

So if we we could try we could try to get this and see if it works

03:46

and we can see that it didn't find it. So let's try to figure out if we can put things on this server now.

03:52

So I told you we have that FTp show which we made before the SMB block. So let's see if I can put

04:01

that file on the is web server. So we're putting

04:09

root desktop,

04:12

FTp shell

04:14

on

04:18

I net

04:20

pub

04:21

dub, dub, dub route

04:26

and we'll just call it ftp shell

04:30

here.

04:33

So it looks like we're able to put that file on there and when one way we can verify it, of course, as we want to get our listener ready.

04:45

So I'm going to set our listener up

04:48

with MSF console

04:51

already setting on my options here.

04:56

You see the payload, the host, the port, just like the SMB module. Now we're just using that same uh same a sp shell.

05:05

So because I put this in the web root as ftp to sp

05:10

let's give that a try.

05:13

So ftp shell dot sp.

05:17

And we see in fact, that that material recession opened

05:23

so we can then interact with that session says info

05:28

and drop into a shell if we want.

05:31

I also want to show you another thing with directory traversal over here, so I can do D. I. R dot dot slash that slash that slash.

05:40

And you might go, well, how do I get program files? Well, we can try quotations and see if that works. But there's also short names and Windows. So what you do is in the first six letters a tilde

05:50

And one. So that should give us program files.

05:57

I should check my math here.

06:00

Six. And there we go. We can see program files. Now, we're gonna say Clint. There's program files. X 86. Well,

06:06

let's try math again here. Program too.

06:11

And now we see program files. X 86. So that's a little trick that you can use, uh, to use short file names on windows hosts when you have something like a directory traversal vulnerability that you're trying to exploit.