Showing posts with label FTP. Show all posts

Friday, October 26, 2012

Checking read and write access to an FTP server

Having an FTP server which others can access is a dangerous thing. Allowing others to have write access is even worse. In most situations, whether anonymous FTP is enabled or not, only a small number of people should actually be able to write to the server. If you want to check whether you have read and write access to a particular server, I came up with a simple way to do it in Ubuntu 12.04. This is a simple task, but I go into detail because I want to find out definitively what kind of access I have. I will therefore attempt to create a 'test' directory in every directory and, based on the results, will know my access.

I created an FTP server locally using VSFTPD (http://en.wikipedia.org/wiki/Vsftpd). Most servers will not be local, so I will use FTPFS (http://en.wikipedia.org/wiki/FTPFS) to mount the server locally, which makes it easier to work with. To do this I installed CurlFtpFS with the command 'sudo apt-get install curlftpfs'. This is the listing of the FTP server before we try writing to it:

[Image: ftp tree]

Assuming that the FTP server is somewhere else, first we'll mount the server locally:
curlftpfs x.x.x.x ~/local-mount-folder

x.x.x.x is the address of the FTP server, and ~/local-mount-folder is a folder YOU create on your local file system; this is where you will access the FTP server. If you get an error such as "bad mount point : permission denied", try running the command as root.

[Image: mount ftp local]

At this point I can check permissions, but what I really want to know is whether I have write access in any directory. Additionally, I have seen cases where an anonymous FTP server said I had write access everywhere but would deny any write attempts.

For loop to create the directory 'created-test-dir' in every existing directory on the server (ftpmount is the local mount folder):

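cd ftpmount
# Build the directory list first, then try one mkdir per directory (quoted so names with spaces work)
dirs=$(ls -R | grep ':$' | sed 's/:$//')
printf '%s\n' "$dirs" | while IFS= read -r k; do mkdir "$k/created-test-dir"; done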

This uses 'ls -R', which gives a recursive listing of every subdirectory and its contents. You will probably see output similar to "mkdir: cannot create directory './ftpmount/created-test-dir': Operation not permitted." This is OK, because it shows the command is attempting to write to the FTP server. With a large FTP server this may take a while, but it is much better than manually checking permissions.

[Image: create directories]

The final step is to check if/where your 'test' directory was created:

cd ftpmount
find . -name created-test-dir

[Image: output]

This will find any directories we may have created and also give you a list of where you have write access!

This sort of thing can be very helpful during a penetration test.
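
The same probe with cleanup, as an added example that is not part of the original post: it attempts the mkdir in every directory under the mount point, reports the result per directory, and removes each probe directory again so the server is left as it was found. The function name `probe_write_access` and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: probe every directory under a mounted FTP tree for write
# access, then remove each probe directory again.
# Usage: sh probe.sh ~/local-mount-folder
# probe_write_access and the WRITABLE/DENIED/EXISTS labels are example names.

PROBE="created-test-dir"

probe_write_access() {
    root=$1
    # Collect the directory list first so probes created during the run
    # are never revisited.
    list=$(mktemp) || return 1
    find "$root" -type d ! -name "$PROBE" > "$list"
    while IFS= read -r dir; do
        target="$dir/$PROBE"
        if [ -e "$target" ]; then
            # Something with the probe name is already there: leave it alone.
            printf 'EXISTS %s\n' "$dir"
        elif mkdir "$target" 2>/dev/null; then
            # mkdir succeeded, so the server really accepted a write here.
            printf 'WRITABLE %s\n' "$dir"
            rmdir "$target" 2>/dev/null || printf 'LEFTOVER %s\n' "$target"
        else
            printf 'DENIED %s\n' "$dir"
        fi
    done < "$list"
    rm -f "$list"
}

# Run the probe when a mount point is given on the command line.
[ "$#" -eq 0 ] || probe_write_access "$1"
```

A LEFTOVER line means the server allowed the mkdir but refused the rmdir, so that directory has to be reported to the server owner for removal.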

Thursday, June 28, 2012

BackTrack and Metasploitable 2 - Brute Forcing FTP

Metasploitable 2 is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. You can download Metasploitable 2 here. I will be using BackTrack 5 R2 to test and exploit the Metasploitable virtual machine.

Getting started is easy. Start your BackTrack and Metasploitable VMs and make sure they can communicate with each other. If they can't ping each other make sure they have the proper addresses (you may need to run 'dhclient' on your BackTrack machine). Now that our machines can talk to each other, let's use BackTrack to see what's running on Metasploitable. We are going to use nmap to get an idea of what is running on the Metasploitable VM. We can use the -sV flag to enable version detection which will give us more information about the found services.

This nmap scan tells us there are a lot of open services. In this post I am going to focus on FTP, and in following posts I will be concentrating on SSH and Telnet. These three services are extremely useful for attackers when trying to gain access to a system. These services should be disabled if not needed or at least strongly protected. Starting with the first service found, let's get access via FTP:

Brute Forcing FTP Using xHydra

Most attackers will check whether anonymous FTP is enabled before doing anything else. In most environments anonymous FTP should be disabled. The next step would be brute forcing an authenticated account. I used xHydra to do this because it provides a nice GUI.
Putting in our target:

Entering our username(s) and password(s); here I am using a small list for testing purposes. Larger lists can be found at Skull Security.

The only thing I changed in the Tuning window was the Number of Tasks.
Under the Specific tab the only thing I added was the "http / https url" which is your target IP address.

Start! Because I used small wordlists with credentials I knew would work, it didn't take very long before we got a hit!

Here is the result: logged in using msfadmin:msfadmin.
To make things look nice, I connected with the same credentials using FireFTP.
Done! Using the brute force method does not always work, but if an attacker does their reconnaissance and gets enough information about their target, they can be rather successful.
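
What this kind of guessing looks like from the server side, as an added example that is not part of the original post: the function counts failed logins per client and flags a successful login that follows a run of failures. It assumes the FTP server is vsftpd writing its native log format; the log lines, addresses and the name `detect_ftp_bruteforce` are constructed for the example.

```shell
#!/bin/sh
# Added example: flag FTP password guessing in a vsftpd log.
# Assumes vsftpd's native log format; the sample lines are constructed.

SAMPLE_LOG='Thu Jun 28 10:00:01 2012 [pid 4101] CONNECT: Client "192.168.56.101"
Thu Jun 28 10:00:02 2012 [pid 4100] [root] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:00:03 2012 [pid 4100] [admin] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:00:04 2012 [pid 4100] [user] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:00:05 2012 [pid 4100] [msfadmin] OK LOGIN: Client "192.168.56.101"
Thu Jun 28 10:03:10 2012 [pid 4200] [alice] FAIL LOGIN: Client "192.168.56.20"
Thu Jun 28 10:03:15 2012 [pid 4200] [alice] OK LOGIN: Client "192.168.56.20"'

detect_ftp_bruteforce() {
    # $1 = failed logins from one client that count as guessing
    awk -v limit="$1" '
        $10 == "LOGIN:" && ($9 == "FAIL" || $9 == "OK") {
            user = substr($8, 2, length($8) - 2)   # drop the [ ] around the name
            split($0, q, "\"")                     # client address is the first quoted string
            ip = q[2]
            if ($9 == "FAIL") { fails[ip]++; next }
            # A success from a client that already failed many times points
            # to a guessed password rather than a typo.
            if (fails[ip] >= limit)
                print "SUCCESS_AFTER_FAILURES " ip " user=" user " fails=" fails[ip]
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "BRUTEFORCE " ip " fails=" fails[ip]
        }'
}

# Demo on the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | detect_ftp_bruteforce 3
```

On a live server, feed it the real log instead of the sample, for example `detect_ftp_bruteforce 10 < /var/log/vsftpd.log`, with the threshold tuned to normal user behaviour.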