Exploiting Port 21 – vsFTPd
The FTP service can potentially be exploited in several ways. You should try them all.
Brute forcing vsFTPd using Hydra
Users can access the Metasploitable VM by logging into the FTP server with a valid set of credentials. Therefore, it is a good idea to try some of the most commonly used combinations and try to brute force the access to the FTP server. Kali Linux has a number of wordlists that can be used for this purpose. Let’s use Hydra to launch an attack:
hydra -L [users file] -P [passwords file] [IP] [service]
This will take a very long time because the tool tries every password for each user, and it may not return any useful results unless you use carefully selected wordlists.
This is an example of successful results obtained with custom-created wordlists:
Once you have found a valid credential set, you can use it to log in to the remote FTP server:
Brute forcing vsFTPd using Metasploit
Metasploit has an auxiliary module that can also be used to brute force FTP passwords, just like Hydra did.
Using the custom wordlists previously created will produce the same results:
Using Metasploit has a major advantage over Hydra because the credentials found are automatically added to the database:
Opening the backdoor manually
Version 2.3.4 of vsFTPd contained a backdoor that was slipped into the servers hosting the source code by an unknown person. The particular version of vsFTPd included on the Metasploitable VM contains a vulnerability that opens a backdoor shell. If a client attempts to connect using a username that ends in a smiley :), it opens a backdoor shell listening on port 6200 (kind of like 2600 - get it?).
This allows the user to obtain a root shell, view the contents of files, modify things, etc., all by attempting to log in with a username ending in :). (Note that the login attempt DOES NOT have to be successful!)
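Both techniques described so far leave traces in the server's own log: a Hydra or Metasploit brute-force run produces a burst of FAIL LOGIN lines from one client, and the 2.3.4 backdoor trigger shows up as a username containing ":)". The script below is an added example written for this post (not code from the original post, from vsftpd, or from Metasploit) that flags both patterns. It assumes the standard vsftpd.log line layout (not xferlog format) and that the daemon records the attempted username on FAIL LOGIN lines; the log lines, hosts and usernames are constructed for the example.

```python
"""Flag vsftpd.log activity matching the two techniques discussed above:
FTP password brute forcing and the vsftpd 2.3.4 smiley-username trigger."""
import re
from collections import Counter, defaultdict

# Constructed sample of vsftpd.log lines (standard, non-xferlog layout).
# Addresses are documentation ranges and the usernames are made up.
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2101] CONNECT: Client "192.0.2.10"
Mon Mar  4 10:00:02 2024 [pid 2101] [msfadmin] FAIL LOGIN: Client "192.0.2.10"
Mon Mar  4 10:00:02 2024 [pid 2101] [msfadmin] FAIL LOGIN: Client "192.0.2.10"
Mon Mar  4 10:00:03 2024 [pid 2101] [user] FAIL LOGIN: Client "192.0.2.10"
Mon Mar  4 10:00:03 2024 [pid 2101] [ftp] FAIL LOGIN: Client "192.0.2.10"
Mon Mar  4 10:00:04 2024 [pid 2101] [service] FAIL LOGIN: Client "192.0.2.10"
Mon Mar  4 10:00:05 2024 [pid 2101] [msfadmin] OK LOGIN: Client "192.0.2.10"
Mon Mar  4 10:02:11 2024 [pid 2144] CONNECT: Client "198.51.100.7"
Mon Mar  4 10:02:12 2024 [pid 2144] [backdoor:)] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:05:40 2024 [pid 2190] CONNECT: Client "203.0.113.5"
Mon Mar  4 10:05:41 2024 [pid 2190] [bob] OK LOGIN: Client "203.0.113.5"
"""

# Timestamp, pid, optional [username], event name, client address.
LINE_RE = re.compile(
    r'^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>[A-Z ]+?): Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return {'user', 'event', 'ip'} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"user": m.group("user"), "event": m.group("event"), "ip": m.group("ip")}


def find_backdoor_triggers(log_text):
    """Login attempts whose username carries the ':)' sequence.

    The post describes a smiley at the end of the username; matching the
    sequence anywhere in the name is the more conservative detection choice.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] and ":)" in rec["user"]:
            hits.append((rec["ip"], rec["user"]))
    return hits


def find_bruteforce(log_text, threshold=5):
    """Per source address: count FAIL LOGIN events and the distinct usernames
    tried, and note whether an OK LOGIN followed a run of failures (the
    'credentials found' outcome). Returns only sources at/above threshold."""
    failures = Counter()
    users = defaultdict(set)
    success_after = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["event"] == "FAIL LOGIN":
            failures[rec["ip"]] += 1
            users[rec["ip"]].add(rec["user"])
        elif rec["event"] == "OK LOGIN" and failures.get(rec["ip"], 0) >= threshold:
            success_after.add(rec["ip"])
    return {
        ip: {
            "failures": n,
            "distinct_users": len(users[ip]),
            "success_after_failures": ip in success_after,
        }
        for ip, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    print("backdoor triggers:", find_backdoor_triggers(SAMPLE_LOG))
    print("brute-force sources:", find_bruteforce(SAMPLE_LOG))
```

The failure threshold is deliberately low for the sample; on a real server tune it to the normal rate of typos, and treat "success_after_failures" as the higher-priority alert, since it is the point at which a guessed credential has actually been used.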
Opening the backdoor
The procedure for opening a backdoor on port 6200 with vsFTPd is as follows:
- We begin by scanning the Metasploitable VM to show that port 6200 is closed:
- Now, in another window, we open the backdoor (notice the smiley at the end of the username):
- You can close that window - you're done with it.
- Now take a look at the same port 6200 with Nmap. It’s open!
Exploiting the backdoor
To use the backdoor, connect to port 6200 with a Telnet client. Then you can execute normal shell commands by running:
command_name args;
- For example, to dump the contents of the /etc/shadow file:
- You can even grab SSH key information (authorized_keys, known_hosts, private and public keys).
Because this vsFTPd technique opens a backdoor whenever we want on port 6200, it is a convenient method for connecting and executing commands on the remote victim machine. However, other connection techniques may be more useful - for example, using SCP without a password to deliver a payload to the victim machine.
Once you have disconnected from the remote shell on port 6200, the port will close again. You can always re-open it using the same method outlined above.
Opening the backdoor with Metasploit
Search for an exploit for vsFTPD 2.3.4 using Searchsploit:
Search inside Metasploit and select for use:
Set the options and run the exploit module to get a shell:
Check privileges: