FTP Penetration Testing in Ubuntu

Security on every layer has become mandatory. Port security always make a difference by securing the network as it helps to avoid receiving or sending packets from unknown devices. Using port security, one can limit the number of MAC addresses on a given port or can specify the only IP address that can be connected. This will make all other packets are restricted. You can apply such security measures on every port. In today’s article, we will learn to apply the said security on FTP port.

Table of Content

·         Introduction to FTP

o   Uses of FTP

o   Working of FTP

·         Penetration Testing on FTP

o   Installation of FTP

o   Anonymous Login

o   Disable FTP_banner

o   Switch Port for FTP Service

o   Sniffing FTP Login credential

o   Use SSL Certificate against Sniffing

o   Stop FTP Brute_Force Attack with Fail2ban

·         Conclusion

Introduction to FTP

FTP is a file transfer protocol, used to transfer files between a network using TCO/IP connections via Port 20/21. It is basically a client-server protocol. As it works on TCP, it requires two communication channels between client and server: a command channel and data channel. The command channel is for controlling the conversation between client and server where as data connection is initiated by server to transfer data.

Uses of FTP

·         An FTP site is a web site where users can easily upload or download specific files.

·         FTP by mail allows users without access to the Internet to access and copy files using anonymous FTP by sending an email message to ftpmail@decwrl.dec.com and putting the word help in the body of the text.

·         FTP Explorer is an FTP client based on Windows 95 file manager (Windows 95 Explorer).

·         An FTP server is a dedicated computer which provides an FTP service. This invites hackers and necessitates security hardware or software such as utilizing usernames, passwords and file access control.

·         An FTP client is a computer application which accesses an FTP server. While doing so, users should block incoming FTP connection attempts using passive mode and should check for viruses on all downloaded files.

Working of FTP

FTP works as just like HTTP and SMB protocols. When the FTP server is configured in a network then a specific folder is defined as shared folder in order to share files. Users can access this file server via FTP. FTP is often authenticated by sign-in protocol; however, FTP server may be configured to accept anonymous as login credentials. But now, its mostly FTP with SSL/TLS.

When transferring files through FTP, user’s machine is called local host machine and is connected to internet. Other machine is called the remote host which has FTP running on it and is too connected to internet. Now, in order to transfer the files, local host machine connects to remote host’s IP. Then user must enter username and password. FTP always provides GUI which makes file transfer user-friendly, here, you can transfer files by drag-and-drop method. Otherwise you can simply use FTP commands for the desired transfer.

Penetration Testing on FTP

Requirements:

·         FTP server: Ubuntu

·         Attacking machine: Kali

·         Client machine: Windows

Installation of FTP

Installation FTP is quite easy. To install FTP, open the terminal in ubuntu as root user and type:

apt install vsftpd

Once FTP is installed use nmap to confirm and to do so, type the following command:

nmap -p21 192.168.1.102

As you can see that FTP is working on port 21.

Anonymous Login

As I have mentioned before, that FTP credentials can be set to anonymous and this is found often on many FTP servers. FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. So, let’s see how it will be done by first configuring it anonymous. Open vsftpd.conf using nano or any other text editor. Find “anonymous_enable=NO” statement as shown in image below:

Change NO to YES to enable anonymous as shown here:

Now let’s check it from nmap by using the following command:

nmap -A -p21 192.168.1.102

As the result shown by nmap you can see that port 21 is open and you some details about it to like its version. Now, let’s try and log in FTP using anonymous as our credentials. Now, let’s try and login:

ftp 192.168.1.102

Enter anonymous as username and password as shown in the image below as you will find you in the ftp server.

Disable FTP_banner

Now if you scan ftp from nmap you will its version:

nmap -sV 192.168.1.102

As this visibility of the version can leave you vulnerable to various exploits lets now learn how you will protect yourself by hiding the banner of ftp. For this, again open vsftpd.conf file using any desired text editor.

In the conf file fond the statement “ ftpd_banner=welcome to blah FTP service”. From this statement remove the # symbol as shown in image below :

Now if you again scan from nmap if will hide the banner. Try it by using following command:

nmap -sV -p21 192.168.1.102

Switch Port for FTP Service

Like this you can add another security layer by changing the port of ftp. You can start the the service of ftp on any port you like. Here, we have shifted the fpt port to 5000. For this, find the statement “listen_port=21” in the ftp conf file. Change the port number to 5000, or any other number as you desire, as shown in the image below:

Save the file and restart the service of ftp. Now if you scan from nmap you will find the port is now on 5000. Applying such layer of security helps to confuse attackers.

Sniffing FTP Login credential

By default, the traffic sent to and received from ftp is not encrypted. An attacker can take help of sniffing tools to sniff the data packet traveling between server and client in a network and retrieve credential. And then use them for unauthorized access. As we have discussed above FTP users may authenticate themselves with a clear-text sign-in protocol for username and password.

Similarly, if we capture TCP packet through Wireshark for sniffing FTP credential. So, now try and log in to ftp using following commands:

ftp 192.168.1.102 5000

Give the username and password.

Capture the traffic using Wireshark. Now, in Wireshark, if you follow the TCP stream of the packet, you can see the log in credentials in clear text as shown inn following image:

Use SSL Certificate against Sniffing

So, for this, let’s add another security layer for the problem generating above. The solution for this is creating an SSL certificate. SSL stands for Secure Sockets Layer, the protocol which provides secure, encrypted communications between server and client, this encrypted data packet traveling between server-client networks.

Although an attacker can sniff network data packet but will be not able to read fetched information because entire data will show in the form of ciphertext.

Here administrations need to generate their own SSL certificate for secure authentication. Make the directory where the SSL certificate keys will be stored.

Use the following command to create certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem

Once the above command is executed, open vsftpd.conf file for changing default setting by adding a few lines at the end of the file. Following are the lines to be added:

rsa_cert_file=/etc/ssl/certificates/vsftpd.pem

rsa_private_key_file=/etc/ssl/certificates/vsftpd.pem

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

require_ssl_reuse=NO

ssl_ciphers=HIGH

Now let’s ensure whether we can connect to FTP server.

Protocol to: FTP

Encryption To: TSL/SSL Explicit encryption

Hostname: IP of the FTP Server

Port: 21

Username and Password: raj: 123

Now the server will send the certificate to an authorized user click on yes to store certificate and continue the encrypted connecting.

Now, when you will establish connection of FTP as shown in the image below:

All the traffic that is sent and received is encrypted which you can check through Wireshark.  It has also shown below:

Stop FTP Brute_Force Attack with Fail2ban

Hydra is often the tool of choice for bruteforce. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more. Now, to bruteforce our ftp server we need to choose a word list. As with any dictionary attack, the wordlist is key.

Run the following command to execute bruteforce :

hydra -L user -P pass 192.168.1.102 ftp

As you can see, using hydra we have log in credentials and so are bruteforce attack is successful. But we can protect our ftp server and important files. To be secure against bruteforce, you can use fail2ban tool.  To get a detailed guide on fail2ban tool read our other article from here. 

Once you have limited the bruteforce attack through fail2ban. You can try and use hydra again, but you will get a negative result as shown in image below:

Another security layer that you can apply is blocking all other IPs and allowing your trusted ones. Now open hosts.allow file from inside /etc to allow the valid user to connect with server securely through specific IP. At the end of text file enter specific IP to whom you want to give permission for establishing a connection as shown in the given image.

It quite important that admin should restrict all IPs other than allowed IP (192.168.0.106) to protect the network from establishing connect from unknown IP.

Open /etc/hosts.deny and specify a list of hosts whom you want don’t to allow access into the system.

Now open configure file of vsftpd and add following lines:

# TCP Wrappers

tcp_wrappers=Yes

Now if you connect from the allowed IP to ftp then you will log in as you can see in the image below :

But it will block other IPs as shown below :

Conclusion

FTP was discovered around four decades earlier. And since then, there have been substantial changes as it has developed a lot over the time. These changes have been related to encryption standards and file transfer functionality

FTP Penetration Testing on Windows

Hello friends today we are sharing tips and tricks on FTP attacks and security through FTP penetration testing which will help to secure your server from any kind FTP attack.

FTP stand for File Transfer Protocol used for the transfer of computer files such as docs, pdf, multimedia and etc between a client and server on a computer network via port 21. Port 21 is default port which gets open when FTP is activated for sharing data.

Let’s start!!

Install & Configure FTP Server on Windows 7

Firstly we are going to setup an FTP server on our Windows 7 for sharing file in a LAN. In order to accomplish that we are going to open Control Panel >Programs >Programs and Features >Turn Windows features on or off as shown below.

Here Expand Internet Information Services and check the FTP Server option.

Also, ensure that FTP Extensibility and FTP Service are both checked as show below and click OK to begin Installation.

This Installs the IIS and FTP Service Manager, be Patient it might take some time.

Configure FTP Site in IIS

Now to open IIS, we will open Control Panel after then open System and Security and here we will open Administrative Tools. In Administrative Tools you will find IIS Manager as shown below, open it.

The new window of Internet information IIS Manager will come up; right-click Sites given in left panel under Connections, select Add FTP Site.

This will open a new window as shown below.

Enter the name of your FTP site of your choice, as shown in given image ignite.

Enter the path to the FTP folder you want to use to send and receive files. In our case, we created a folder named ftp in location C:\ftp.

And click next.

Allow following setting in Authentication and Authorization for your FTP site and then click on Finish.

Authentication: Basic

Authorization: specific users (pc7)

Permission: read and write

Binding and SSL Settings, we will bind our IPv4 address to the server by allowing following setting then click on next.

·         Enter IP: 192.168.1.128 and Port: 21.

·         Enable the check box for Start FTP site automatically

·         In SSL option select No SSL and click next.

From given image you can see we had successfully configure FTP server for Ignite. Now let’s try to connect with it for sharing files.

Connect client to FTP Server through WinSCP

WinSCP is free software which is used to access the ftp server. You can download it from here.

Protocol to: FTP

Encryption To: No Encryption

Host name: IP of the FTP Server

Port: 21

Username and Password: Windows login credentials of the user.

Click on login

As you can see I have successfully connected to my ftp server which have a file called demo.txt.

Scanning FTP with nmap

Attacker may take help of nmap to verify whether port 21 is activated or not. For FTP penetration, we are also using nmap in order to scan targeted system (192.168.1.128) for open FTP port.

nmap -p 21 192.168.1.128

If file transfer service is allowed then nmap will show OPEN as state for port 21, as shown in given image.

Version Enumeration on FTP

Now, let’s try to get the FTP version through ftp_version on Metasploit

Open the terminal in your kali Linux and Load metasploit framework now type following command to scan for FTP version.

use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts 192.168.1.128

msf auxiliary(ftp_version) > exploit

From given image, you can it is showing target is vulnerable. So, let’s protect it.

Hiding Banner

Open IIS Manger.

Click on Features View given in bottom of window.

A new window for FTP messages will come up where you can change Message Behavior.

·         Enable suppress default banner

·         Enable Show detailed messages for local request

Now let’s check if our FTP version is still visible or not.

You can verify it by executing following command in kali Linux for NMAP version scan.

nmap -p 21 -sV 192.168.1.128

As you can see that our FTP version is no longer visible to anybody.

FTP Brute force Attack

Let’s try to make Brute force attack on our FTP Server using Metasploit.

Open the terminal in your kali Linux and Load metasploit framework now type following command to Brute force FTP login.

use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > set rhosts 192.168.1.128

msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt

msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(ftp_login) > set stop_on_success true

msf auxiliary(ftp_login) > exploit

From given image you can observe that our FTP server is not secure against brute force attack because it is showing matching combination of username and password for login. So let’s protect our FTP server against Brute force.

Secure FTP server against Brute Force Attack

Open IIS Manager

Now open FTP IPv4 Address and Domain Restrictions. Here we are going to allow only a particular IP address to access the FTP server. This will allow only valid IP to get connect with FTP.

Allow specific IP to connect FTP

Now following given below step:

·         Click on FTP IPv4 Address and Domain Restrictions

·         Click on Add Allow Entry from the Actions Tab in right panel

·         Select Specific IP Address and enter the IP address

·         Click OK

Here you can also add range of IPs of your network.

Restrict IPs to connect FTP

Now repeat the step with some changes to restrict other IPs for denying to access FTP services. 

Now following given below step:

·         Click on FTP IPv4 Address and Domain Restrictions

·         Click on Add deny Entry from the Actions Tab in right panel

·         Select Specific IP Address and enter the IP address

·         Click OK

Hence if any other user or attacker finds out credential for ftp login he cannot able to connect with server.

Let’s verify above setting by Brute force again in the same way we did before. From given image you can observe though it is showing incorrect combination for correct credential also.

FTP Port Forwarding

You can forward port 21 on another port for increasing server security although to perform this you need to open IIS

Now click on the Bindings on Actions Tab.

It will open a window as shown below where it is showing that FTP service is activated on port 21, now click on edit to replace this port into another.

From given image you can see we have are now using port 5000 for FTP services.

Now let’s check using nmap

nmap -p 5000 -sV 192.168.1.128

As you can see the FTP service have been shifted to port 5000

Now to verify if the service is actually running on port 5000 let’s login into FTP server using WinSCP and this time using port 5000 as shown below

Great!!! We are successfully connected with FTP server via port5000

FTP Log Monitoring  

In IIS Manager we can also manage Logs of our FTP Server.

Here, we can Schedule the Logging and also manage the size of logs and Location of Logs

For monitoring ftp log follow given below steps:

Open FTP Logging in the Features View.

·         Format of log file: click on W3C field and then select desired option such as date, time, client IP and etc.

·         Directory: browse a location where you want to save the logs

·         Schedule: Daily

Now if you want to view logs of FTP server you can open the directory which you have browsed for saving logs i.e. C:\inerpub\logs\Logsfiles

From given below image you can observe logs for FTP login.